
NAILS: a NixOS anti-forensics tool

Privacy Guides Community [Unofficial] May 18, 2026

Hi,

I’d like to share a project I developed.




NAILS (NixOS Anti-forensics Isolation & Layering System) is a NixOS CLI that uses OverlayFS in combination with a mounted volume that can be anything from a VeraCrypt hidden volume to a network share to a hidden drive in something like a coin. All that matters is that it provides a mount. This was done in order to be independent from the volume. All this plus a declarative NixOS configuration enables it to layer a hidden environment on top of a normal-looking decoy NixOS install.

While the hidden session is active, the kinds of artifacts an OS leaves behind (shell history, files, browser usage, SSH entries, thumbnails, logs) get redirected into a storage location you prepared and mounted. After running nails deactivate, the decoy returns to its previous state.

The threat model targets journalists or people in oppressive regimes who might need to hide sensitive data or the use of certain software when they get controlled by police/border control etc. It is not a defense against a live, privileged attacker on a running system, an attacker with memory access, network-level observation, hardware implants, or coercion (depending on the volume you might be relatively safe though).

I developed NAILS as part of my master’s thesis. The evaluation was done in a VirtualBox VM with a VeraCrypt hidden volume, where the artifact categories listed above weren’t recoverable from the decoy after deactivation. That’s a promising result inside a narrow, well-defined scope BUT it’s not a general claim of deniability. I (or the tools I used) might have missed something, so take that info with a grain of salt.

GitHub Repo: github.com/WitteShadovv/nails
Site: nails.run

I’d really value feedback.

Thanks for reading!
