How to avoid leaving any local trace that I went to a website?

Question

I want to visit a web site, but I want to ensure there is no trace left on my computer that I did so. How do I do that?

This question is not concerned with anonymity or detection on the network side, but on the local side. I am familiar with the major browsers safe browsing modes, private browsing, etc. However, that can still leave artifacts in some cases, e.g. from plugins. Also, this question is not concerned with malware, rootkits, keyloggers, etc. I won't be uploading or downloading files. I'm not concerned about preventing eavesdropping of files. Assume that I am already using Tor, a VPN, or a similar mechanism to prevent eavesdroppers, ISPs, and web servers from identifying me.

Instead, my question is how to eliminate local evidence on my machine that I went to a particular website. For example, maybe I want to check political websites but have no record stored on my local machine, even if I am using plugins, etc.

I do not want to boot a Live CD. While I realize a Live CD could be used for this purpose, the idea is you are doing your normal Windows stuff then you want to do banking, political activities, or "leisure" browsing for a few minutes.

I was wondering if there is any real value to a setup like this:

1. Create a ramdisk
2. Install sandbox software
3. Get a "portable" version of the browser
4. Run the sandboxed version of the portable browser on the ramdisk.

My thought being, you can just kill the ram disk to delete all traces. Would you even need to use a private mode at this point? If the sandbox is prevented from writing outside of the ramdisk I would imagine you'd be safe.

The other issue would be how much of a pain would it be to set this up. Ideally, the sandbox is destroyed when the portable browser is closed; when you open the app it creates the sandbox and copies the portable version to the ramdisk-sandbox from the original version.

Does this work? Is this an effective way to solve the problem? Any thoughts on how to actually set this up?

Revision history: At first there was some confusion; some folks interpreted the original version of this question to be asking about how to protect yourself from malware. That's not what I'm looking for. Instead, I'm looking to prevent leaving evidence on my hard disk of what web site I visited, for a particular web site, and with as little inconvenience as possible.

Answer 1

There are some security benefits to running the browser in a sandbox. If the browser gets compromised, then the sandbox can limit the damage.

However, there are also serious usability implications of running your browser in a sandbox. For instance, say you want to download a document off the web and save it somewhere for later use. Nope, sorry, no can do: a proper sandbox will isolate the browser and prevent it from writing to the rest of the filesystem. Or, suppose you want to take one of your documents or pictures and upload it to a website. A sandbox has to choose between allowing this (supporting a common use scenario, but also raising the risk that a compromised browser could start exfiltrating files of yours over the network) vs denying it (preventing you from getting useful work done or limiting your ability to use certain web services). When you try building and using a browser sandbox, you run into many tradeoffs like this.

So, a sandbox can be useful in especially security-sensitive situations, but just be aware that it comes with some tradeoffs.

One commonly-used way to run the browser in a sandbox is to run the browser in a virtual machine. You can isolate the VM from the rest of your activities, providing isolation. Also, if you wish, you can use a throwaway VM that restores back to a known-good checkpoint after each use, so that a compromise that occurs during one session cannot harm you in future sessions.

There is no particular security benefit to running in a ramdisk, per se. (A ramdisk does not prevent a compromised browser from writing to the rest of your filesystem, leaving malware on your system, or doing other damage.) I suspect you may be thinking of running the browser in a throwaway VM or some other sandbox technology that reverts back to the initial state after each session.

The simplest way to set this up is with a VM. Another simple way is to use, as you suggest, a LiveCD. There are also commercial products out there that focus on sandboxing browsers. (See, e.g., Sandboxie; there are probably many others. There used to be a company called GreenBorder that sold a browser sandbox, but it was not a commercial success and no longer exists.) See also Is using a “Red” and a “Green” browser to balance LOB requirements and security a good approach?.

Answer 2

Your edit clarifies that you are talking about privacy and anonymity: "eliminate local evidence that you went to the website". That changes the question a bit, as it clarifies you are talking about anonymity, not protection from malware.

The best way to achieve those privacy and anonymity goals is as follows:

• For web browsing, use Tor. For chat, use OTR.

• Boot from a LiveCD. The name is confusing, but this refers to a Linux distribution that is stored on a DVD or USB, and you boot from it. If it is configured to avoid writing anything to the hard disk, then it leaves no permanent traces on your hard disk once you reboot or power down, so it is exactly what you are looking for.

• I recommend using a Tor LiveCD, one that comes with Tor (and ideally other privacy and anonymity tools). Here are some recommendations:

  • I recommend Tails, which provides pre-bundled Tor, HTTPS Everywhere, OTR, and OpenPGP. Tails is configured so you can boot to it, and so it will never write to the computer's hard disk, so after you power down or reboot, there are no traces left on your computer.

  • Another alternative is the Ubuntu Privacy Remix. It is intended for local processing of documents, without storing anything on your hard disk. It is not for web browsing or any other network-connected activity; use Tails for that.

  • There are some others, e.g., Privatix, Polippix, and Sabayon, but I don't know as much about them. Personally, I would recommend Tails for your needs.

I know you said you don't want to boot to a Live CD, as it is inconvenient, but that is the most reliable way to protect yourself. Anything else will be at least a little bit risky and might end up leaving a trace on your local machine.

If you insist on not using a Live CD, then here's what I'd suggest (but again, this is not something I recommend, as there are any number of things that could go wrong):

• Set up a virtual machine. Install a browser and a Tor bundle inside the machine. I suggest installing HTTPS Everywhere, too, if you are using Firefox. Don't install any plugins, unless you really need them.

• Configure the virtual machine so that it does not have access to any shared filesystem or to your local filesystem.

• Boot the system inside the virtual machine. Take a checkpoint.

• When you want to browse a site and you want no persistent state left, launch the virtual machine from the checkpoint. Inside the VM, open the browser, enable your browser's private browsing mode, make sure Tor is enabled, and go to the web site.

• When you are done browsing the web site, close the browser inside the VM, close the VM, and revert to the prior checkpoint.

There are still some risks in this strategy:

• It is possible that the virtual machine might make copies of the updated state somewhere on the filesystem. One possible way to mitigate this would be to make a copy of the entire virtual machine image over to a ramdisk, then run from there. I don't know if that'd actually help or not, though.

• It is possible that the virtual machine might end up swapped out at some point, which could cause temporary data to be written to your swap partition on your hard drive.

• There might be other risks, too.

The Live CD distributions I recommended have taken special steps to defend against these risks, which is one reason they are the most effective way to protect your privacy. However, if you don't use the Live CD, there are some steps you could take that might mitigate these risks: encrypt your hard drive with full disk encryption (e.g., Truecrypt), using a good passphrase that you don't tell anyone else; configure your machine to encrypt swap; periodically do a secure erase of the free space on your hard drive (assuming it is not a SSD, you can write all-zero bytes to a file until you've filled all available space, then delete the file, or use some other secure erase tool that is designed for this purpose).

Also, you might want to check the configuration of your local router / access point. Some of them keep logs of all web pages you visit. Check the web console to see whether yours is doing so, and if so, configure it to not do that.

See also the following questions on this site:

• What do the various browser “private modes” do?

• Different strategies for online anonymity and their +/-s?

• How much can I trust Tor?

• Surfing anynomously

• How to browse the Internet safely?

• How to be completely anonymous online?

• Anonymous web browser. Is it real?

• What steps should one take to provide “reasonable” levels of privacy from a government?

• What are the pros and cons of a VPN

• How can I use a VPN to protect my privacy

• How do I pick a VPN provider?

• How anonymous is my setup?

• How can I keep my identity anonymous as a website owner/administrator?

• Whats the best way to make my internet traffic anonymous?

In the future, you might want to try exploring this site using the "Search" feature on the upper-right -- there's lots of good information on this topic already available!

Answer 3

The security value of your sandbox depends on the type of sandbox you're talking about. The better you can isolate your writable hardware from the vulnerable software, the better off you are.

Virtualization is theoretically a better option than an API-isolation sandbox because engineering an exploit for the sandbox itself is more difficult to do if it's a VM. A sandbox is not 100% exploit-proof, but then again, even virtualization can theoretically be exploited. That's not to say that any of the popular software today is known to be critically vulnerable, but you can't count on things to stay that way.

Better still is to boot from read-only media on a computer that doesn't have any permanent storage attached at all. Clearly a BIOS exploit is still theoretically possible, and you could potentially mitigate that threat by adding virtualization on TOP of such a platform, running, say a Linux live-CD which runs Virtualbox, which then runs your suspect operating system which runs your vulnerable program. It's not the simplest solution, but it's not an uncommon one either.

You only get an advantage by using a ramdisk if it's coupled with read-only storage (such as a CD or HD with write disabled in BIOS). The ramdisk allows for data persistence within your session, but forces any changes to be wiped out when you're done.

Using a ramdisk while at the same time using persistent storage doesn't offer a whole heap of safety because it's the unexpected changes OUTSIDE your little sandbox that you'd be worried about anyway.

Answer 4

This question is not concerned with anonymity or detection on the network side, but on the local side

...

Also, while I realize a live cd could be used for this purpose, the idea is you are doing your normal Windows stuff then you want to do banking, political activities, or "leisure" browsing for a few minutes.

I can't think of any ways running the browser from a Ramdisk (or in VM where you reset after each session or a live CD environment) makes you safer for banking, political, or leisure activities like downloading copyrighted things in any fundamental way. The major thing this does is not allow persistent changes to be stored on the local machine, so nothing is kept from previous sessions after you fully power off your computer.

However, the major threats in these situations are:

• people eavesdropping on your web traffic (mostly avoided by encryption like HTTPS -- though eavesdroppers can still observe what web servers, when and how much traffic was sent),
• running a (hardware/software) keylogger on your local machine (steal passwords),
• an online attack that occurs while browsing and requires no persistent storage (e.g., while browsing in your ramdisk you fall for a phishing/XSS/CSRF attack)
• or a setup pre-configured for an attack (e.g., you installed a browser extension in addition to giving you weather forecasts also steals your banking passwords, or an adversary with direct access to your machine added fake trusted CAs to your browser and redirects network traffic to their malicious servers with fake-certificates your browser trusts to get your passwords to break into your bank account).

None of these are prevented in your ramdisk setup as an attacker can still monitor traffic, or install a keylogger at the host OS level (e.g., in windows and still captures keystrokes in the guest OS), or alter your safe-initial VM and add the malware to it in the same way.

This reset-to-original-setup after use accomplishes two things:

1. makes it safer to investigate potential malware and be able to reset the machine afterward to a safe state, and
2. hide all traces of a browsing session from someone who has full access to your local computer after the fact, but you do not suspect they are monitoring keystrokes, network activity, etc, while you are actually browsing.

I see a ramdisk setup as slightly better than private browsing for (2) in that private browsing potentially misses some things (like how flash cookies used to still be stored during private browsing pre ~2010) or leaves remnants of your activity on the hard disk (even if the temporary file is deleted when the session closes; its data is not necessarily overwritten).