Forensic Backups
In response to CVE-2025-24889, SecureDrop Workstation 1.0.2 rebuilds the sd-log VM and preserves a backup of the original VM on affected systems. The backup is created using the Qubes Backup tool and stored in a dedicated, non-networked VM called sd-retain-logvm.
Access the sd-log system image
To recover the backup for inspection or forensic analysis, use the Qubes Backup Restore tool to transfer the backup to external storage media, then transfer it to another machine.
The backup is stored in /home/user/SDLog_Backups in the sd-retain-logvm VM and is a compressed archive with filename qubes-backup-YYYY-MM-DDTHHMMSS. It has a hard-coded passphrase of SDW_SDLOG. (This is not a security measure, but was set in order to automate the backup process.)
Warning
Do not restore the backup on your SecureDrop Workstation machine.
Qubes OS provides documentation for recovering backups both on Qubes OS and on other operating systems.
The target volume (relevant for non-Qubes recovery instructions) is sd-log/private.img.
Use caution if restoring on a Qubes OS machine, since the entire VM will be restored. We are not aware of anyone exploiting CVE-2025-24889, but in theory, the VM could contain malicious code, which is why it was rebuilt.
Artifact Retention
The archive VM sd-retain-logvm and its contents will be deleted in a subsequent SecureDrop Workstation update, planned for two months from the release of this announcement (planned removal early April 2025). To retain the archive for a longer period, follow the steps above to transfer it off SecureDrop Workstation.
If you have any questions, please contact Support.