Re: [Tails-dev] Tails forensics at SANS

Author: boyska
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Tails forensics at SANS
Marco A. Calamari:
>I wonder if this talk of SANS summit 2025 is already known.
>But maybe can be of some interest to make Tails better.


Thanks, that's a useful read. I'm not sure I get the context, though. Do
you have more info about the context? Am I correct in saying they assume
all of those things:

1. they have their hands on a *running* Tails
2. that Tails has a Persistent Storage enabled
3. they don't know the passphrase of the Persistent Storage
4. Tails was run with an administration password
5. They know the administration password.

?

Like, what's the context in which this is realistic?
A SWAT operation which can grab your laptop before the user has time to
unplug the USB stick?
And if the administration password was obtained through user
collaboration, couldn't they ask for the Persistent Storage password
instead? This would remove requirements 1 and 4.

And why are they copying the raw device when they could copy the
decrypted files?

I guess there must be a rationale for all of that, and understanding it
would help us design Tails better.

--
boyska