|
How to Use a USB Flash Drive and VeraCrypt to Maximize Privacy for Your Favorite Browser Without the Annoyance of Incognito/Private ModeBy BrainWizardPhD (aka BWiz) |
The approach described here will permit you to run browsers and other programs and keep the associated data and downloads from those programs on an encrypted USB flash drive. The instructions provided here make this all very easy to do. You can remove the flash drive to hide and/or take to another computer. Primary candidates for such use are browsers like Chrome, Firefox, or Opera and an office suite like LibreOffice. These are all available in portable versions that can be put on a USB Flash Drive. That includes their associated cookies and other caches.
This is a pre-publication, incomplete version for some friends. There are some holes and incomplete thoughts here. Use at your own risk.
While the browsers all have private instance options, (e.g., new incognito window in Chrome), the use of these is problematic. They erase all new cookies and cached files when closed and may not allow one to install new plug-ins, extensions, or favorites. You also cannot review your browsing history, which is sometimes very useful. By putting a portable version of your browser onto an encrypted USB flash drive, all this data remains very secure and so you may not need to use the incognito/private mode to protect the aforementioned data. You can use the normal mode and rest easier knowing that it would be almost impossible for anyone with access to your computer to determine the sites you have been visiting and files you have downloaded, unless you provide the right password or leave the USB mounted.
If you are not concerned about using a USB flash drive (so you can remove it to either hide it or take it to another computer), then you can still follow these instructions, except put the VeraCrypt volumes (explained below) on a hard disk or SSD for better performance.
Before starting the cookbook approach below, you should skim through it once, including the section Variations at the end. Then come back here to begin. Be certain to read the Caveats section as well, especially the need for a virtual private network (VPN) server. The VeraCrypt volume will only protect local data, not data that travels out of your computer, so you will need a VPN server and several other measures described below for more privacy.
|
NOTE: Nothing here is intended to help you get away with breaking any US laws. Although we believe that all significant browsing artifacts on your personal machine can be hidden by these techniques, nothing is guaranteed. Use at your own risk. In addition, the article suggests some techniques to significantly lower your risk of exposing your identity to the Internet, but there are too many ways for this to happen to cover here; in fact, that may be impossible. If you are a dissident in a repressive country and want to visit prohibited sites, or you intend to break US laws, the techniques here will not adequately help you. ALL RECIPIENTS AND USERS OF THIS ARTICLE AND ANY INFORMATION ON THIS WEBSITE AGREE THAT THE INFORMATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHOR(S) OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE INFORMATION OR THE USE OR OTHER DEALINGS IN THE INFORMATION. |
|
Before we begin there is something you need to know about your AVS even though it is not a browser, given that you are obviously concerned with privacy. AVS can indeed increase your privacy with respect to third parties, but your AVS almost certainly spies on you like nothing else. While the data it collects is probably very safe from ordinary hackers and trackers, it is not safe from government agencies. To see what data your AVS might be collecting, see the table on page 3 of http://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf, especially the lines "Is a unique identification number transmitted?" and "Are visited URLs transmitted?". The "unique identification number" is most likely your computers MAC address, which is totally unique. See also the discussions of the AV Comparative in the previous link here: makeuseof.com/tag/antivirus-tracking-youd-surprised-sends/ and also malwaretips.com/threads/which-antivirus-respects-the-user-privacy-the-most.75382/. The AVS vendors claim that the unique identification numbers are sent separately and delinked from the other data to protect your privacy.
The most privacy-conscious AV seems to be EmsiSoft. See blog.emsisoft.com/en/17153/antivirus-software-protecting-your-files-at-the-price-of-your-privacy/
You do not need these old technologies and they are serious security risks, so just uninstall them if you still have them. Running Java applets in browsers is also a security risk, but Internet Explorer is the only major browser that still allows that, and you should not be using Internet Explorer. You do not need to uninstall Java itself.
Create the folder C:\ZDrive. This is a temporary folder that you will later copy to two VeraCrypt volumes and then delete. C:\ZDrive is so named because in this article the VeraCrypt volumes will ultimately be mounted to Z:. You need not use Z: if you prefer something else.
Install the PortableApps Platform from portableapps.com/download to C:\ZDrive. You can do this even if you already have a PortableApps Platform installed elsewhere. Run the downloaded file "As Administrator". Specify "Select a custom location..." on this dialog:
Click Next and then enter C:\ZDrive:B
Once installed, click Apps -> Get More Apps -> By Category.
Check off VeraCryptPortable (in Security section), a browser, and anything else you think might be handy. For the rest of the article, let's assume you picked Google Chrome because that is what you have been using. Click on Next to get VeraCryptPortable and ChromePortable installed. Do not run ChromePortable just yet, and when you do, do not log into your Google account if you have one. In fact, you should not create a Google account in ChromePortable, even a fake one; if you must have a fake Google account, make certain you use a VPN and have it turned on at the time.
The ChromePortable you will soon be using will almost certainly ask if you want to make it your default browser and in fact it might even do so without even asking. You do not want this because it will make an entry in the registry pointing to your VeraCrypt volumes. Google does not make it easy to override this annoyance, but overriding it is only a simple registry setting. Just click the following link and download to any folder. Then in a file explorer, right click the reg file and select Merge or Run: StopChromeAskingToBeDefault.reg. If you want to see the contents first or you want to do it manually, just see this link: brainwizardphd.com/src/tools/StopChromeAskingToBeDefault.reg. After making that registry change Chrome will not be able to make itself the default.
As just explained, there is an exception that PortableApps programs keep all their data within the PortableApps folder. Some programs, ChromePortable included, will use a system temporary folder (%TEMP% or %TMP%). These two environment variables need to be reset before any PortableApps program is started from the PortableAppsPlatform menu. This can be accomplished by starting the PortableAppsPlatform using a simple batch script that sets %TEMP% and %TMP% to the TEMPDIR folder within C:\ZDrive or inside the two VeraCrypt volumes to which it will be copied. Click the following link and save the script to C:\ZDrive: START_PORTABLEAPPS.bat. If you want to see the file contents first, just click brainwizard/tools/START_PORTABLEAPPS.bat
To avoid confusion, delete C:\ZDrive\Start.exe and C:\ZDrive\Autorun.inf since you should always start PortableApps using Z:\START_PORTABLEAPPS.bat. At this point C:\ZDrive should just contain the following at the top level:
· Documents folder
· PortableApps folder
· START_PORTABLEAPPS.bat
If you have not already done so, close PortableAppsPlatform.
Now run C:\ZDrive\START_PORTABLEAPPS.bat by double-clicking it in your file explorer, you will see the PortableAppsPlatform GUI, which looks something like this:
Always start Chrome from that script. Never start Chrome from Z:\PortableApps\GoogleChromePortable\GoogleChromePortable.exe. If you do the latter, then the temp files will not be put in your hidden folder Z:\TEMPDIR, and will leak out to an unprotected drive.
There are ways to copy your previous Chrome profile to your ChromePortable. Forget about doing that; you don't want any old cookies copied over, and some of the extensions you may have been using could be tracking you. You will just need to install the minimum number of extensions, including tracker blockers, from scratch. More on this below.
However, it is safe to copy your existing bookmarks. Just copy
"C:\Users\<YourAccount>\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"
to
C:\ZDrive\PortableApps\GoogleChromePortable\Data\profile\Default\Bookmarks
Run ChromePortable from the PortableAppsPlatform menu to create your initial profile. If you have a Google account do not log into ChromePortable. Then use Windows file explorer to look at C:\ZDrive\PortableApps\GoogleChromePortable\Data\profile. This is where the various caches with cookies, sites visited, etc. are stored. This is what makes ChromePortable portable, and that is what makes the approach described herein feasible.
Also, open C:\ZDrive\TEMPDIR. You should see it is populated. Data in that folder would have leaked out to an unprotected drive had you not used C:\ZDrive\START_PORTABLEAPPS.bat to start the PortableAppsPlatform. Chrome will usually clean its entries from that folder, but if your computer crashes it would still be there. But since you used C:\ZDrive\START_PORTABLEAPPS.bat that data will be protected even if your computer crashes.
Open the chrome://settings page. I.e., type “chrome://settings” in your ChromePortable address/search bar.
Scroll down to Themes. Select a theme that is much different than your current one. This is to help you avoid confusion in case you alternate between your old Chrome and your new encrypted ChromePortable. The Red Mountains theme is what we use.
Scroll down to Search Engine / Manage search engines and click ►. Select a private one like https://www.startpage.com/. This actually uses google.com, but via a proxy so Google will not know who submitted the search or from where it came. Duckduckgo.com is also popular, but the results are sometimes not as good as StartPage. On the other hand, Duckduckgo.com does not filter results, so DuckDuckGo could be better if you want to search for a controversial subject.
Scroll down to Default Browser. You should see "Google Chrome cannot determine or set the default browser". This is due to having used brainwizardphd.com/src/tools/StopChromeAskingToBeDefault.reg. This is what you want.
Scroll down to Advanced and click that to open up more choices. Under privacy and security turn everything off except Safe Browsing and Send a "Do Not Track" request. The Safe Browsing feature will not compromise your privacy according to https://www.google.com/chrome/browser/privacy/whitepaper.html#malware. Double check that you have turned off Allow Chrome sign-in (top item); you do not want ChromePortable to be sending anything back to your regular Chrome if you log into a Google site such as Gmail. That assumes you are going to log into a Google account (despite having been warned not to).
In the Privacy and Security section open Content Settings. Then open Cookies and turn on (blue) Block third-party cookies. A few sites (e.g., evernote.com) need third-party cookies, so add them to the whitelist on the Cookies page as you find sites that appear broken.
Under Location turn off "Ask before accessing" so it says "Blocked".
Scroll down to Flash and turn off “ask first”, which will block sites from running Flash.
In Content Settings scroll down to Unsandboxed plugin access. Turn off “Ask when a site …”. This will disallow any site from using a plugin to access your computer.
In Content Settings scroll down to Payment Handlers. Turn off "Allow sites to install …"
Back out of Content Settings. In Advanced/Downloads turn off “Ask where to save each file before downloading”.
If you do turn off “Ask where to save each file before downloading”, you can be certain that anything you download will remain contained in your encrypted flash drive; otherwise you are taking a chance of leaking a download to some other place on you computer since the default location for the next download will be your previous download’s location. Once you get the Z: drive mounted, you will change the downloads location to Z:\Downloads, but you will not be able to do that until later. We will remind you to do this in a later section.
In Advanced/System turn off “Continue running background apps when Google Chrome is closed”.
Because you don't want trackers to see what hyperlinks you click on, go to chrome://flags and disable Hyperlink auditing:
In chrome://flags enable Strict site isolation. This prevents one site from stealing data from forms in a different tab. This will cause a small increase in RAM usage. See also chromium.org/Home/chromium-security/site-isolation
In chrome://flags disable NoState Prefetch. This prevents silent requests to download pages that Chrome guesses you might want to use later. That should reduce the chances of being tracked or loading malware.
In chrome://flags set Extension Content Verification to Enforce strict. This will ensure that no extension files have been tampered with.
In chrome://flags enable AppContainer Lockdown and GPU AppContainer Lockdown for better security.
Tracking can be effected by normal browser cookies, fingerprinting, or so-called evercookies. These subjects will be addressed in this and the next two sections.
Go to chrome://extensions. Some extensions will send sensitive information like your browsing history to sites on the Internet (e.g., see zdnet.com/article/industrial-espionage-fears-arise-over-chrome-extension-caught-stealing-browsing-history/ or zdnet.com/article/use-this-popular-chrome-firefox-add-on-google-mozilla-just-banished-it/).
Another extension you certainly need to eliminate is "Web of Trust"; see http://www.pcworld.com/article/3139814/software/web-of-trust-browser-extensions-yanked-after-proving-untrustworthy.html. Another is Ghostery; see https://www.technologyreview.com/s/516156/a-popular-ad-blocker-also-helps-the-ad-industry/.
Furthermore, according to the-digital-reader.com/2015/11/19/chrome-extensions-2/, you should eliminate these extensions:
· HoverZoom
· SpeakIt
· Free Smileys & emoticons
· EagleGet Free Downloader
· ProxFlow
· Emoji Input
· Instant Translate
· FB Color Changer
· Flash Player+
· SuperBlock Adblocker
· SafeBrowse (it installs a cryptocurrency miner per bleepingcomputer.com/news/security/using-the-chrome-task-manager-to-find-in-browser-miners/)
· JavaScript Errors Notifier
In addition, some extensions are even malicious. See for example, blog.trendmicro.com/trendlabs-security-intelligence/malicious-chrome-extensions-found-chrome-web-store-form-droidclub-botnet/.
A good sampling of extension issues is provided at the bottom of this page: extensionpolice.com. The Extension Police extension, however, is not one we recommend.
Try this Google search: dangerous chrome extensions.
For good general discussions, see howtogeek.com/188346/why-browser-extensions-can-be-dangerous-and-how-to-protect-yourself/ and https://the-digital-reader.com/2015/11/19/chrome-extensions-2/ and bdtechtalks.com/2018/06/25/chrome-extension-safety-privacy-security/ and ghacks.net/2015/11/21/verify-google-chrome-extensions-before-you-install-them/. One of the points made in the preceding articles is that you should not allow extensions to have access to all your data. This is a fairly useless suggestion because most really useful extensions really do need to access all your data.
Unfortunately, there does not seem to be an easy-to-use tool or extension that will specifically identify bad extensions based on actual behavior. There is Extension Police, but it seems to be very inaccurate, has numerous bad reviews, and does not seem to be based on actual behavior. You should just reduce the number of extensions as much as you can and do some research on the ones you choose to leave on.
In addition consider installing the Extensity extension. Extensity allows you to very quickly activate and deactivate your other extensions. With this, you can install some special-purpose extensions and only turn them on just when you need them.
Websites can and do fingerprint you. This is how tracking is actually implemented in many cases. Fingerprinting works for tracking even when cookies are turned off. Tracking is done by querying numerous properties of your computer such as screen size, time zone, operating system version, your "do not track" setting, list of fonts, and precisely how your computer handles drawing images that they ask it to draw offscreen where you cannot see it. Combining several of those properties results in a fingerprint that might only be shared by a handful of others in your time zone. For example, BrainWizardPhD's browser is unique among 2,871,292 browsers tested by panopticlick.eff.org on 12/18/18. There are more properties that can factor into a fingerprint than those shown by panopticlick.eff.org, and fingerprinters use algorithms other than what is used by panopticlick.eff.org. See for example youtu.be/p0doExrQwY0?t=230. According to that video, panopticlick.eff.org, amiunique.org, browpanopserleaks.com, and other sources the properties that could be used for fingerprinting include (but are not limited to):
· List of plugins (which can identify your browser, but Chrome usually has the same three ones)
· Name of your browser (User Agent) [amiunique.org, browserleaks.com/javascript, browserleaks.com/ip, uniquemachine.org]
· List of fonts [browserleaks.com/fonts, audiofingerprint.openwpm.com (audio and fonts both)]
· Audio Hardware & Software [audiofingerprint.openwpm.com]
· Language(s) [browserleaks.com/javascript, uniquemachine.org]
· Screen resolution [amiunique.org]
· Time zone [amiunique.org, browserleaks.com/ip, uniquemachine.org]
· Content Language (e.g., English, English-US, French, French-Canada, etc.) [amiunique.org]
· HTTP Headers including the User Agent (browser version + platform info)
· Platform (e.g., Win32) [amiunique.org, browserleaks.com/javascript]
· Canvas fingerprint (hash of actual pixels drawn for a 2D test pattern, which varies by machine and browser) [amiunique.org, browserleaks.com/canvas, uniquemachine.org]
· WebGL fingerprint (hash of actual pixels drawn for a 3D test pattern, which varies by machine, but not browser)
· WebGL Vendor [amiunique.org]
· WebGL Renderer/GPU (name of graphics card) [amiunique.org, uniquemachine.org]
· Number of CPU cores (hardwareConcurrency) [browserleaks.com/javascript, uniquemachine.org]
· Amount of RAM [browserleaks.com/javascript]
· Public Internet Protocol (IP) Address [browserleaks.com/ip]
· Local Internet Protocol (IP) Address [browserleaks.com/ip]
· Domain Name Server (DNS) [browserleaks.com/ip]
There are Chrome extensions can alter your fingerprint. An alleged problem with these is that they make you stand out even more because your fingerprint will be even more rare. However, chances are that you are already close to being unique anyway, so using these fingerprint-altering extensions is not going to be detrimental to you. Avoiding this issue with the fingerprint-altering extensions requires using expensive software like Multilogin or setting up a virtual machine. The virtual machine approach is very cumbersome and really does not solve the uniqueness problem because the virtual machines run versions of Linux, and that makes you stand out even more.
Evercookies consist of bits of information stored in unusual locations by devious JavaScript software that uses features not intended for the purpose of creating cookies. Even if Silverlight and Adobe Flash are uninstalled and Java Applets are prevented from running, this JavaScript still has 8 different mechanisms for setting cookies on an unprotected browser:
The above is a screenshot after having clicked “Click to create an evercookie” twice at evercookie and then having restarted an unprotected Chrome browser. The number 885 is the contents of the cookie. The 885 survived the restart.
Repeating the same experiment with an incognito Chrome browser, we get this initially:
And after restarting the incognito Browser and clicking “Click to rediscover cookies”:
In other words, using the incognito mode will defeat this evercookie approach. Does that mean you need to be using incognito mode all the time? This is not needed if you are careful to follow the approach in this article and, especially, always use a VPN and never use any accounts in your ChromePortable that can in any way (name, birthdate, location, phone number, etc.) be tied to you.
· uBlock Origin. Without any adjustments this is set up to be in vanilla Easy Mode, which provides reasonable security without breaking very many websites. Plus, it is very easy to whitelist a broken site. An enhancement to Easy mode (described at the bottom the Easy mode page) is to just open the dashboard (settings page), check off “I am an advanced user”, and then globally block 3rd-party frames. This stops one of the common ways that malware can be injected into your computer (e.g., see arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/). Blocking 3rd-party frames will break sites with embedded YouTube videos, but that can be easily fixed as explained at github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-iframe-tags. To block all those annoying GDPR cookie notices, add Fanboy’s Cooke List in the uBlock Origin Filter Lists tab. Also select the Anti-Facebook List. This is all very easy to do and is the minimum we recommend. If you want even more protection, see Medium Mode or even Hard Mode. See also www.dailywoke.com/how-to-use-ublock-origin-to-block-all-ads-complete-guide/. www.reddit.com/r/uBlockOrigin can also help with specific questions.
· uBlock Origin Extra. This is by the same author as uBlock Origin and can only be useful if installed along with uBlock Origin. It specifically defeats anti-blocking software on a number of specific websites. One of these is Cnet. We toggled uBlock Origin Extra on and off and noticed that it substantially reduced the amount of garbage that Cnet.com downloads after displaying the page. Watch the status bar in the lower left of the screen to see this effect.
· Privacy Badger. This extension does not specifically block ads, but determines which sites are not obeying your “Do Not Track” requests and shuts them off, either completely or at least as far as storing cookies. It can be used in conjunction with uBlock Origin. According to www.eff.org/privacybadger/faq:
“uBlock Origin is an excellent privacy tool. uBlock Origin and Privacy Badger should work well together. Similar to adblockers, uBlock Origin protects using blacklists. Privacy Badger protects by automatically learning about trackers as you browse, which means Privacy Badger might catch things that uBlock Origin doesn't know about. Privacy Badger will learn about far fewer trackers when used together with uBlock Origin, but that's OK.”
· Blend-in-and-spoof-.... Changed font list from 161 fonts to just 60 fonts on our test machine according to browserleaks.com/fonts. Changed GPU from our actual NVIDIA model to “Google Swiftshader” according to uniquemachine.org/. It did not change the canvas fingerprint. According to panopticlick.eff.org it did change the WebGL fingerprint, but according to browserleaks.com/webgl it did not change its WebGL hash, but it did change information about the WebGL features. It did not change the screen resolution. It did not change the number of CPU cores per uniquemachine.org/ despite its documentation to the contrary. Changing the GPU description and the font list according to browserleaks.com/fonts, however, are sufficient reasons to use this extension.
Now browse to a few sites in ChromePortable that would make you somewhat embarrassed about if caught. Let's say you browsed to http://cowudders.com because you like looking at cow udders but don't want anybody knowing about it. Of course, do not visit anything yet that would be truly embarrassing, just sufficiently embarrassing to create a good cover story.
Insert your flash drive. Let's say it is assigned to drive J:. You are going to be creating a file larger than 4 GB. Files that large are not supported by a FAT32 file system, which is most likely what your flash drive is. So it must be changed to an NTFS type. If there are important files on you flash drive already, then copy them to a temporary place on another drive just in case there is an error in the conversion and files get damaged (not likely). Then just enter these two commands in a command prompt window:
chkdsk J:
convert J: /fs:ntfs
If any preexisting file on J: is damaged or missing, restore it from the backup you just made.
Copy C:\ZDrive\PortableApps\VeraCryptPortable to J:\VeraCryptPortable. You will need a copy of VeraCryptPortable on your flash drive to use your flash drive on another computer. You do not need to copy anything else yet.
You are going to create a VeraCrypt volume named PrivateBrowser on your J: flash drive and map the VeraCrypt volume to the Z: drive. Do not try to be secretive at this point; the camouflage part comes later when you will create a hidden inner volume within PrivateBrowser.
Open VeraCrypt and select "Volumes/Create new volume" from the menu (dropdown menu upper left). Then you will see this:
Just click Next since a file container is needed. You do not want to encrypt a whole flash drive because if you take it to a different computer, you will not be able to open it unless you install VeraCrypt on it, and that might not be possible. On the next dialog, select Hidden VeraCrypt volume, like this:
Click Next. Then you will see this:
Just leave Normal mode selected and click Next. On the next dialog, enter J:\PrivateBrowser in the Volume Location box:
Click Next three times, which will get you to the Outer Volume Size dialog. Specify a generous amount of space, but, since formatting your volume takes quite a bit of time, do not get carried away:
Click Next and then you will see this:
Enter a fairly long password, but something you can easily recall. Remember that you might not be able to look at your password manager if you are trying to use your flash drive on another machine. This password will just provide access to the decoy files that will be put in your volume, so you only need to make it plausibly secure. Enter the password and click Next to see:
Leave No selected and click Next to see:
You need to move your mouse randomly over this dialog until the Randomness bar is all green. Then click Format. The formatting may take quite a few minutes. For the example above it took 18 min to complete via USB 3 (blue tab), including 2 min after the time Left box said 0. The VeraCrypt time left estimator significantly underestimates the time left. After that you will see something like this:
Do not follow the instructions in the dialog box above. When we followed those instructions, the version we ran did not calculate the used space correctly and only allowed us a very small amount of space for the inner (hidden) volume. Instead, just click Next three times to get to this:
Before choosing, you need to check how much space the outer volume will require. In File Explorer, right click on C:\ZDrive and select Properties. That will show you how much space that your outer volume will require for your decoy browser installation. In our case we saw this:
We could use up to 6.77 GB for the inner volume, but to allow some room for error, we chose to allocate just 6 GB. That allows room in the hidden volume for downloading some files or for adding other portable applications. After entering 6 GB and clicking Next, we saw this:
We intend to be careful and not use the outer volume and we have 770 MB extra there anyway, so we clicked Yes here. Then this:
Enter your inner password. Make certain it is very much different from the outer password, and also more secure. Before you choose, you might want to Google this: how to choose memorable passphrases. Click Next to see this:
Leave No selected and then click Next. Then you will see this:
Move your mouse over the dialog box until the Randomness bar is all green. Then click Format. This formatting will not take long. Then you will see this:
Read the above dialog box carefully. Click OK and then click Exit or Cancel on the next dialog.
You will then see the VeraCrypt main dialog again. Enter J:\PrivateBrowser in the file entry box and select a drive to which it is to be mounted from the drive list. You should then see something like this:
Now click Mount to show this:
We will fill the hidden inner volume first, so enter your inner password and click OK. You will then see this:
Note that the size of the hidden volume is shown and also its type (Hidden). It is obvious from this that there is a hidden volume inside the outer volume. So when you are not actively using your hidden volume, it may be wise to Dismount it. Leave VeraCrypt running so you can Dismount Z: when done.
Now make certain your original portable browser in C:\ZDrive\... is closed, and then copy
file C:\ZDrive\START_PORTABLEAPPS.bat,
folder C:\ZDrive\Downloads,
folder C:\ZDrive\Documents, and
folder C:\ZDrive\PortableApps
to Z:\
Now run Z:\START_PORTABLEAPPS.bat and when the PortableAppsPlatform opens, click Google Chrome.
Open your Chrome settings. If you have a Google account, verify that you are not signed in.
At the bottom of Settings open the Advanced settings and then scroll down to Downloads. Using the Change button, set the Downloads location to Z:\Downloads. Also, double check that "Ask where to save each file before downloading" is off, as you do not want to take the chance of saving something to somewhere else than your hidden VeraCrypt volume. Download something to test that you have set this up correctly. E.g., download the very small file ShortcutLauncher.pl from https://www.rtbaileyphd.com/download/ and verify it ended up in Z:\Downloads.
Optional: Near the top of settings under Appearance, select a different theme, probably from the minimalist section. The objective is to avoid confusion if you run Chrome from your unencrypted disk. It is a good idea to not run your public Chrome and your hidden Chrome at the same time. You do not want to accidently visit a site in your public Chrome that you intended to visit in your hidden Chrome.
Close the browser on your inner volume. Then Dismount Z:. You are likely to see this:
This always seems to happen. Just click Yes.
Now Mount Z: again. This time, however, enter your outer password. You should see something like this:
Note that the size is 8 GB, not 2 GB. This dialog will not reveal that there is a hidden volume inside your outer volume. In a File Explorer, right-click Z: and select properties. You should see something like this:
Again, there is no clue here about the hidden volume. Do not do anything to this volume such as defragging it. Just leave it alone, except for completing the setup.
To complete the setup, just follow the instructions above for setting up the inner volume, except you should probably use a different theme.
Close the browser on your outer volume, and close any File Explorers that have Z: opened. Then Dismount Z:. Click Yes to force a dismount, if needed.
Now click Mount in the VeraCrypt main dialog, and then enter the inner password. Verify that you see the Hidden volume under the Type column. Open your browser to verify that it is working OK. Look to see that all your extensions are active.
Close the browser and any File Explorers that have Z: opened. Then Dismount Z:. Click Yes to force a dismount, if needed. Remove the USB flash drive and take it to another computer. Test it there to make certain it works.
The process described above will only protect some of the data that resides on your computer. This section describes some other artifacts and what you can do about them.
Your private browser will leave artifacts in RAM and hence in your paging file (pagefile.sys). For Windows 8-10 there is also swapfile.sys. If hibernation is enabled, then hiberfil.sys will also include artifacts. These artifacts can reveal information about your activities. The RAM will be cleared by shutting down your machine. To clear the paging and swap files on shutdown you simply need to change one entry in your registry. See brainwizardphd.com/src/tools/ClearPageFileAtShutdown.reg. To make the change easily, just click this link to download this reg file and then run/merge it: ClearPageFileAtShutdown.reg This registry setting will slow down your shutdown, and the files can still be examined prior to shutdown.
An alternative is to eliminate these files altogether. If you search the Internet, you will find that this is not advisable (and some who say you are simply stupid for thinking such thoughts), but you will find instructions on how to do it. Moreover, it is smart to do so if you have enough RAM (8 Gb is enough in many cases). See, for example, www.howtogeek.com/225143/what-is-swapfile.sys-and-how-do-you-delete-it/. However, if you are, say, a dissident in Iran and you visit prohibited websites, you will not have a choice but to turn these files off. You are less likely to have problems if you have a lot of RAM. What you will need to do is to install a copy of Process Explorer (procexp.exe) from Microsoft at docs.microsoft.com/en-us/sysinternals/downloads/process-explorer. Then run your computer and open up procexp.exe and the programs you ordinarily use. Open up the maximum number of browser tabs you think you will need. Open up the procexp memory window by clicking the rectangular icon on the top. This is the one with the salmon color stripe. Then check if the Peak Commit Charge is less than 80% of the available Physical Memory. If so, then you can try eliminating pagefile.sys. Reboot your machine and you will see pagefile.sys and swapfile.sys are gone. Then run procexp.exe again and keep an eye on the Current/Limit number. If it gets to 90%, then close something. You can significantly reduce your Chrome memory usage by installing "The Great Suspender" and "XTab" extensions if you frequently get close to the 90% mark. 8 GB of RAM should allow you to safely run a browser, virus checker, messenger, procexp.exe, and several more programs.
To turn off hibernation, execute "powercfg.exe -h off" from a cmd window started using "Run as Administrator". Then you can delete C:\hiberfil.sys, and it should not come back.
Another artifact is your Domain Name Server (DNS) cache. Whenever your browser uses an address like www.somesite.com, it must first get the 4-part numeric address like 110.120.130.140 and then actually query the latter. It gets that number from your DNS. To help performance, Windows will put www.somesite.com and 110.120.130.140 into the DNS cache to avoid another query to your DNS. In reality it does not help much. This is because Chrome has its own internal cache. The Chrome cache will reside on your hidden volume, so it is safe, but the Windows DNS cache can reveal sites you might have visited. If you are not running Windows 10 (1709 or later), you can easily disable the DNS cache. Open a cmd window with "Run as Administrator" and flush the DNS cache with this: ipconfig /flushdns. Then enter services.msc. Scroll down to DNS Client and double click that line. Stop it by clicking Stop. Then for Startup type select Disabled. Then after rebooting try ipconfig /flushdns again. If you did everything right you should get an error message.
If you are running Windows 10 from Sept 2017 or later, you will not be able to easily disable the DNS cache feature. “net stop dnscache” will not work and if you change the registry and reboot, Windows 10 will just turn it back on. This is evidently because there are now other services that depend on the DNS cache service, whereas older versions of Windows did not have any such dependent services. One of these services is Remote Access Connection Manager. Most likely you will not want to disable the DNS cache service. If you are running a recent version of Windows 10 one thing you can do is to set the two cache age times MaxCacheEntryTtlLimit and NegativeCacheTime to some small values (e.g., 120 sec) per itprotoday.com/cloud-computing/how-can-i-configure-how-long-dns-cache-stores-positive-and-negative-responses. Also set up a scheduled task to run ipconfig /flushdns at the logon of any user and every so often after that.
However, if you really feel you must disable the DNS cache feature, see http://winhelp2002.mvps.org/hosts.htm and follow the instructions after the text “Microsoft has done it again”.
Yet another type of artifact consists of certain registry keys, called "shellbags", that maintain folder usage information. Shellbags allow one to reopen the same folder at a later time with the settings from the previous time. This information can persist for years after the covered folders are deleted or their devices are removed from your system. As a result, you should never create a folder anywhere whose name itself is revealing. For more info see www.ghacks.net/2014/06/09/remove-old-shellbag-entries-windows-privacy/. If you want to see what is on your computer, download and run privazer.com/download-shellbag-analyzer-shellbag-cleaner.php. That tool can also be used to remove shellbags. You could unmount your Z: drive and then tell the tool to remove all shellbags for missing folders. Shellbags are also recoverable from previous System Restore Points, so you might want to delete those as well. Just run SystemPropertiesProtection.exe and click Configure.
Your antivirus may be responsible for artifacts as well. This study shows that almost all AV programs send browsing data to their servers: http://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf. Given that, it seems likely that they would leave logs behind on your machine as well.
Of course, if you take your flash drive to another computer that you cannot control, then you are stuck with these artifacts being left behind.
Other artifacts include the files that could be left behind in the temp file directories specified by the environment variables %TEMP% and %TMP%. However, we have already dealt with these via the brainwizardphd.com/src/tools/START_PORTABLEAPPS.bat script described above. That script will work even if you take your flash drive to another computer.
Checking for Artifact Leaks Out of Your VeraCrypt Volumes. You can check if registry entries or files are leaking out of your VeraCrypt volumes by using the free Procmon.exe from Microsoft: docs.microsoft.com/en-us/sysinternals/downloads/procmon. Procmon will collect detailed statistics of every registry entry, every file operation, and other I/O events for all processes on your machine. This can be a huge amount of data, so before starting it you should close as many programs and processes on your machine as possible. Also, you will need to set up filters to eliminate showing irrelevant data.
VeraCrypt on your USB Flash Drive. You were instructed to put it there for convenience in case you take your flash drive to another computer. However, having it there will make it obvious what type of file is PrivateBrowser. You could instead put VeraCrypt on a different flash drive and remember to take both with you, or you could install VeraCrypt on your flash drive after you get to the 2nd computer and then uninstall it when done.
Naming your VeraCrypt Volume PrivateBrowser. Perhaps that is too revealing. Name it something else and think of a cover story different than cowudders.com.
Google Account for your private browser. If you think you need a completely separate account, you will need to supply a phone number. You can get an anonymous number from smsreceivefree.com and other sources and more sources.
VPN service. The process described above will not protect your IP address from being collected by sites you visit or services you use. To prevent that, you will need a VPN service that specializes in privacy and specifically states that the service will not keep logs. Test your VPN using ipleak.net to see if it stops all 4 types of leaks (normal, DNS server, WebRTC, geolocation). You need to click the "Manual geolocation" button to check the latter. IPleak.net shows a location using the IP, but that is not the same as "Geolocation detection", so check both. If your location is revealed even though you have turned off location revealing in your browser, then install a location faker extension such as "Manual Geolocation" and try again.
Some VPN services do not support emailing from a local email client such as MS Outlook, so check that before signing up. Also check other services such as SSH and Skype.
If this person had a hidden volume as described above, he would not be illegally jailed: bleepingcomputer.com/news/legal/man-who-refused-to-decrypt-hard-drives-still-in-prison-after-two-years/. He could have just surrendered his outer volume password and nobody would have been able to prove he had a hidden inner volume. Another similar situation: https://theintercept.com/2017/09/25/muhammad-rabbani-guilty-of-terror-offense-for-not-giving-passwords-to-uk-police/
This page was last modified Tue Apr 30 18:19:09 2019