Topic: Trezor-Suite and OS tracks? (Read 134 times)

Thought I would add some depth by posting a VERBOSE report to better see the wiped content.  Remember I added the -v command to always see what is happening during the process.  This process was run on a brand new unused Trezor-Suite app image.  I let it mount/run and then it asked to connect the Trezor.  I didn't do that so this is the minimum zero wipe for this script.  Of course once someone starts using Suite it will add even more data to be wiped.

Secure-delete is old school stating that reducing the # of passes from 38 is insecure,LOL.  A one pass of zero's is plenty using today's drives for the purpose we are aiming at here.

"A picture is worth a thousand words" so here is the picture:

Using /dev/urandom for random input.
Wipe mode is insecure (one pass [zero])
Wiping suite-desktop DIRECTORY (going recursive now)
Wiping Network Persistent State * Removed file Network Persistent State ... Done
Wiping Cookies * Removed file Cookies ... Done
Wiping config.json * Removed file config.json ... Done
Wiping Preferences * Removed file Preferences ... Done
Wiping blob_storage DIRECTORY (going recursive now)
Wiping 06a4aa46-d645-445a-82e8-2bb39fb9d97e DIRECTORY (going recursive now)
Removed directory 06a4aa46-d645-445a-82e8-2bb39fb9d97e ... Done
Removed directory blob_storage ... Done
Wiping TransportSecurity * Removed file TransportSecurity ... Done
Wiping Cache DIRECTORY (going recursive now)
Wiping 24b53bcee349c0c7_0 * Removed file 24b53bcee349c0c7_0 ... Done
Wiping index-dir DIRECTORY (going recursive now)
Wiping the-real-index * Removed file the-real-index ... Done
Removed directory index-dir ... Done
Wiping f3a6eb276b5284a0_0 * Removed file f3a6eb276b5284a0_0 ... Done
Wiping index * Removed file index ... Done
Wiping 5da8bdabc36b61c1_0 * Removed file 5da8bdabc36b61c1_0 ... Done
Removed directory Cache ... Done
Wiping Local Storage DIRECTORY (going recursive now)
Wiping leveldb DIRECTORY (going recursive now)
Wiping MANIFEST-000001 * Removed file MANIFEST-000001 ... Done
Wiping LOCK * Removed file LOCK ... Done
Wiping 000003.log * Removed file 000003.log ... Done
Wiping CURRENT * Removed file CURRENT ... Done
Wiping LOG * Removed file LOG ... Done
Removed directory leveldb ... Done
Removed directory Local Storage ... Done
Wiping QuotaManager * Removed file QuotaManager ... Done
Wiping Session Storage DIRECTORY (going recursive now)
Wiping MANIFEST-000001 * Removed file MANIFEST-000001 ... Done
Wiping LOCK * Removed file LOCK ... Done
Wiping 000003.log * Removed file 000003.log ... Done
Wiping CURRENT * Removed file CURRENT ... Done
Wiping LOG * Removed file LOG ... Done
Removed directory Session Storage ... Done
Wiping Crash Reports DIRECTORY (going recursive now)
Removed directory Crash Reports ... Done
Wiping Code Cache DIRECTORY (going recursive now)
Wiping wasm DIRECTORY (going recursive now)
Wiping index-dir DIRECTORY (going recursive now)
Wiping the-real-index * Removed file the-real-index ... Done
Removed directory index-dir ... Done
Wiping index * Removed file index ... Done
Removed directory wasm ... Done
Wiping js DIRECTORY (going recursive now)
Wiping index-dir DIRECTORY (going recursive now)
Wiping the-real-index * Removed file the-real-index ... Done
Removed directory index-dir ... Done
Wiping index * Removed file index ... Done
Removed directory js ... Done
Removed directory Code Cache ... Done
Wiping Dictionaries DIRECTORY (going recursive now)
Wiping en-US-9-0.bdic * Removed file en-US-9-0.bdic ... Done
Removed directory Dictionaries ... Done
Wiping GPUCache DIRECTORY (going recursive now)
Wiping data_0 * Removed file data_0 ... Done
Wiping data_3 * Removed file data_3 ... Done
Wiping index * Removed file index ... Done
Wiping data_2 * Removed file data_2 ... Done
Wiping data_1 * Removed file data_1 ... Done
Removed directory GPUCache ... Done
Wiping QuotaManager-journal * Removed file QuotaManager-journal ... Done
Wiping .updaterId * Removed file .updaterId ... Done
Wiping Cookies-journal * Removed file Cookies-journal ... Done
Wiping IndexedDB DIRECTORY (going recursive now)
Wiping file__0.indexeddb.leveldb DIRECTORY (going recursive now)
Wiping MANIFEST-000001 * Removed file MANIFEST-000001 ... Done
Wiping LOCK * Removed file LOCK ... Done
Wiping 000003.log * Removed file 000003.log ... Done
Wiping CURRENT * Removed file CURRENT ... Done
Wiping LOG * Removed file LOG ... Done
Removed directory file__0.indexeddb.leveldb ... Done
Removed directory IndexedDB ... Done
Removed directory suite-desktop ... Done
*** WIPED ---- @Trezor ---- WIPED ***

Excellent thread... and thanks for posting the scripts! Anything which helps users to enhance their privacy and/or security should be commended.

Also, kudos for the info on secure-delete


And just FYI, if anyone goes looking for similar data on Windows, it should be found in your "AppData" directory. Specifically: C:\Users\\AppData\Roaming\@trezor\suite-desktop\

After further consideration I EDITED post #5 on this thread to add $USER in my scripts for overall better flexibility.  I should not have assumed $USER would confuse linux users in the first place.  These small but effective scripts work amazingly well.

Good point.

That is what I do, but I thought it might confuse folks looking for where to enter their user name.  By the way the T Suite script using secure-delete does a good job of finding most of the connected files.  I am not looking for forensic perfection just a mostly thorough bye bye to the obvious files.  My VM's are all on encrypted drives hiding inside LUKS containers when closed!

You can replace joe with $USER for flexibility.

EDIT
**** This post had a script edit to insert $USER in place of joe.  Nice suggestion providing better flexibility for all users instead of one specific one. ****


You guys really helped me get a handle on this.  I ran through this and created some helpful executable shell scripts to completely wipe both Trezor-Suite and Electrum app image created files with one click of a button.  I know lots of people retain their crypto history on their systems and I understand why.  I am not one of those.  When I am finished working with T Suite I want the activity removed from my system beyond a simple delete.  Same with Electrum.  Of course I have my Electrum wallets backed up elsewhere and can import them in seconds when needed in the future.

I hope some may find these scripts I am pasting below to be of assistance if you like simplicity.
--------------------------------------------------

#! /bin/sh
cd /home/$USER/.config/@trezor  && srm -llvz -r * && cd /home/$USER/.config  && rm -r @trezor
read -p "*** WIPED ---- @Trezor ---- WIPED ***" nothing

# $USER is added so this script will run for any user in a terminal
#installed secure-delete (very small program) (sudo apt-get install secure-delete)
# srm -- means secure remove
# -r recursive to allow all folder/directory contents
# z for Zero's during overwrite
# v for verbose to display the progress as it runs (These files are very small and the task will complete in just a few seconds)
# * wildcard to include all contents in directory
# secure delete uses 38 passes by default -- UNLESS you use -l for only two passes (urandom followed by zero's), or -ll for only #one pass which is Zero's once over the original folder content.  I elected for one pass of zero's ---  -ll
# paste this entire script into a new document on Linux Desktop and then right click and make it executable after naming it #whatever you want.
------------------------------------------

#! /bin/sh
cd /home/$USER/.electrum && srm -llvz -r * && cd /home/$USER && rm -r .electrum
read -p "*** WIPED ---- .electrum ---- WIPED ***" nothing

# $USER is added so this script will run for any user in a terminal
#installed secure-delete (very small program) (sudo apt-get install secure-delete)
# srm -- means secure remove
# -r recursive to allow all folder/directory contents
# z for Zero's during overwrite
# v for verbose to display the progress as it runs (These files are very small and the task will complete in just a few seconds)
# * wildcard to include all contents in directory
# secure delete uses 38 passes by default -- UNLESS you use -l for only two passes (urandom followed by zero's), or -ll for only #one pass which is Zero's once over the original folder content.  I elected for one pass of zero's ---  -ll
# paste this entire script into a new document on Linux Desktop and then right click and make it executable after naming it #whatever you want.



--------------------------------------

It will only take a few minutes to set these up and then you zero WIPE your actions in seconds.  Enjoy!

Aside from @bob123 suggestion, you could use lsof command to see directory/file accessed by Trezor-suite. But it's not recommended since the output from lsof is big.

It is not surprising that the AppImage itself isn't modified.

Did you check the folder /home//.config/@trezor/suite-desktop/
and /home//.config/@trezor/suite-desktop/ as mentioned in the notes from trezor regarding the trezor suite?

If no files are stored there, you might also just run your software and then check in your home folder for recent file system changes with the following command:

This command will find files inside the home folder which change within the last minute.

I'm not sure that you can compare Trezor Suite with Electrum in an apples to apples type of way.  Electrum requires that you save wallet files locally, which is why it creates a hidden user directory.  Suite just reads the derivation paths from the hardware wallet to populate the information.  I would assume that any runtime environment files it needs will temporarily populate in the /run directory.

Admittedly, I've only used Suite with Windows, and used the installer.  I've never ran it in Ubuntu (my preferred Linux distro,) so I have no experience with the appimage. 

Trying to keep myself and other users safe while using Suite.  I am using Suite app image on my Desktop - Debian Bullseye.  As is typical the app image file itself doesn't change size while being used. sha256 example below:

user@debian:~$ cd Desktop && sha256sum Trezor-Suite-21.8.1
6d63979643af0469abffa51fec799080fdf2386f53ddc17cd3d0d857e0e42787  Trezor-Suite-21.8.1

Just to verify I repeated the sha256sum a few times after using Suite with my Trezor(s).  Of course no changes.

That brings the next question.  WHERE does Suite store any activity on my filesystem in the VM it is running on?  As a reference the Electrum app image stores its activity in the .electrum folder.  You can observe wallets, etc... in that folder.  You can also delete that folder upon exit and then Bleachbit the VM so there is no trace of Electrum's use if desired.

So we can all attempt to keep each other safe and just generally to know what is happening under the hood, where are Suite's activities stored on my system?  Perhaps nothing is stored but I wanted to run this by other members here that might be in the know.

Observations and thoughts?