booting the decoy system. This is required to clear the memory, which may contain
sensitive data. For more information, see the section Unencrypted Data in RAM in the
chapter Security Requirements and Precautions.
o The computer may be connected to a network (including the internet) only when the
decoy operating system is running. When the hidden operating system is running, the
computer should not be connected to any network, including the internet (one of the
most reliable ways to ensure it is to unplug the network cable, if there is one). Note that
if data is downloaded from or uploaded to a remote server, the date and time of the
connection, and other data, are typically logged on the server. Various kinds of data are
also logged on the operating system (e.g. Windows auto-update data, application logs,
error logs, etc.) Therefore, if an adversary had access to the data stored on the server
or intercepted your request to the server (and if you revealed the password for the
decoy operating system to him), he might find out that the connection was not made
from within the decoy operating system, which might indicate the existence of a hidden
operating system on your computer.
Also note that similar issues would affect you if there were any filesystem shared over a
network under the hidden operating system (regardless of whether the filesystem is
remote or local). Therefore, when the hidden operating system is running, there must be
no filesystem shared over a network (in any direction).
o Any actions that can be detected by an adversary (or any actions that modify any data
outside mounted hidden volumes) must be performed only when the decoy operating
system is running (unless you have a plausible alternative explanation, such as using a
"live-CD" system to perform such actions). For example, the option 'Auto-adjust for
daylight saving time' option may be enabled only on the decoy system.
o If the BIOS, EFI, or any other component logs power-down events or any other events
that could indicate a hidden volume/system is used (e.g. by comparing such events with
the events in the Windows event log), you must either disable such logging or ensure
that the log is securely erased after each session (or otherwise avoid such an issue in
an appropriate way).
In addition to the above, you must follow the security requirements and precautions listed in the
following chapters:
Security Requirements and Precautions
How to Back Up Securely
