Returnil

Discussion in 'sandboxing & virtualization' started by biatche, May 14, 2007.

Thread Status:
Not open for further replies.
  1. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Blue,
    If you are saving data within the VP (surfing activity?) then that data will be saved after a reboot with System Protection ON. In the case of data or changes made to the %s, then these changes should be gone with a reboot.

    Maybe a better line of investigation should start with what you are saving within the VP.

    Mike

    Edit: forgot to spell check
     
  2. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mike,

    Short answer is yes, but let me verify as well under more controlled conditions.

    The experiment I performed was a simple one.

    1. Initialize free and slack space of drive using WinHex
2. Identify a few sites with URLs that are unlikely to correspond to data on the HDD. Foreign universities are a good choice, as would obscure blogs. Collect the URLs and perform a text search of the system partition to verify that reasonable fragments of the URLs are not found
    3. Reboot with System Protection on
    4. Surf to a number of the sites identified in step 2.
    5. Reboot and search for the URL text fragments on the HDD.

    When I performed this test last night I noticed a number of examples of links that I had just surfed with Protection on, so I would be able to cull a record of at least some prior activity. I didn't dig any deeper than this.

An obvious comment to all - this doesn't involve the primary function of the software - just its potential side benefit that was mentioned in a privacy context. However, its primary function seems to work great.

    Let me see if I can reproduce this observation in a more controlled test.

    Blue
     
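The free-space check Blue describes in steps 1, 2 and 5, worked through as a small script. This is an added example, not code from the thread or from Returnil: the "partition image", its cluster size, the URLs and the record layouts are all constructed here to show how the baseline-then-scan comparison works. A real test would read a raw partition dump instead of building one, and the scan stays deliberately simple (byte search in ASCII and UTF-16LE, no index.dat or NTFS parsing).

```python
"""Free-space scan for residual URL fragments in a raw partition image.

Constructed example: the image, cluster size, URLs and record layouts are
all invented here to illustrate the check, not taken from Returnil or the
thread. A real partition dump would be read from disk instead of built.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

CLUSTER_SIZE = 4096  # assumed cluster size of the constructed image

# Windows artifacts store text either as ASCII or as UTF-16LE, so every
# fragment is searched in both encodings.
ENCODINGS = (
    ("ascii", lambda s: s.encode("ascii")),
    ("utf-16le", lambda s: s.encode("utf-16-le")),
)

# Constructed URLs, chosen so that they cannot collide with anything that was
# on the "disk" before the session (step 2 of the experiment).
URLS = [
    "http://www.example-uni.ac.jp/physics/",
    "https://obscure-blog.example/2007/05/",
]


@dataclass(frozen=True)
class Hit:
    url: str        # URL the fragment belongs to
    fragment: str   # text that matched: the full URL or only its host name
    offset: int     # byte offset inside the image
    cluster: int    # cluster containing that offset
    encoding: str   # encoding the fragment was stored in


def _find_all(haystack: bytes, needle: bytes):
    """Yield every offset at which needle occurs in haystack."""
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def find_url_fragments(image: bytes, urls, cluster_size: int = CLUSTER_SIZE) -> list:
    """Scan the whole image, allocated and free clusters alike, for each URL
    and for its host name on its own (a partly overwritten record often keeps
    only the host). Host matches lying inside a full-URL match are not
    reported a second time."""
    hits = []
    for url in urls:
        host = urlparse(url).netloc
        for enc_name, encode in ENCODINGS:
            full = encode(url)
            spans = [(p, p + len(full)) for p in _find_all(image, full)]
            hits += [Hit(url, url, p, p // cluster_size, enc_name) for p, _ in spans]
            if host:
                for p in _find_all(image, encode(host)):
                    if not any(s <= p < e for s, e in spans):
                        hits.append(Hit(url, host, p, p // cluster_size, enc_name))
    return sorted(hits, key=lambda h: h.offset)


def _write_at(image: bytes, offset: int, data: bytes) -> bytes:
    buf = bytearray(image)
    buf[offset:offset + len(data)] = data
    return bytes(buf)


def zero_clusters(image: bytes, clusters, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Step 1: overwrite the given free clusters with zeros so that any later
    hit must come from activity after the baseline was taken."""
    buf = bytearray(image)
    for c in clusters:
        buf[c * cluster_size:(c + 1) * cluster_size] = bytes(cluster_size)
    return bytes(buf)


def build_baseline(n_clusters: int = 8) -> bytes:
    """Constructed image: cluster 0 carries a dummy allocated record, every
    other cluster is free and already zeroed."""
    return _write_at(bytes(n_clusters * CLUSTER_SIZE), 0, b"ALLOCATED-FILE-DATA")


def simulate_session(image: bytes) -> bytes:
    """Constructed stand-in for what a browsing session leaves behind in
    clusters the file system reports as free: an ASCII cache-style record,
    a UTF-16LE history-style record and one record cut down to its host."""
    cache_rec = b"URL " + URLS[0].encode("ascii") + b"\x00"
    history_rec = URLS[1].encode("utf-16-le")
    host_only = urlparse(URLS[0]).netloc.encode("ascii")
    image = _write_at(image, 3 * CLUSTER_SIZE + 64, cache_rec)
    image = _write_at(image, 5 * CLUSTER_SIZE + 10, host_only)
    image = _write_at(image, 6 * CLUSTER_SIZE + 1000, history_rec)
    return image


if __name__ == "__main__":
    img = simulate_session(build_baseline())
    for h in find_url_fragments(img, URLS):
        print(f"cluster {h.cluster:>3} offset {h.offset:>6} {h.encoding:<8} {h.fragment}")
    # Zeroing the affected clusters is what makes the traces unrecoverable.
    print("after wipe:", find_url_fragments(zero_clusters(img, [3, 5, 6]), URLS))
```

The baseline scan returns nothing because the free clusters were zeroed first; after the simulated session the scan reports the cache record, the host-only remnant and the UTF-16LE history record with their cluster numbers, which is the kind of evidence the thread is about. Zeroing those clusters again removes every hit, which is the difference between a plain deletion and a secure one that Blue draws later in the thread.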
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Basic observations confirmed in a controlled evaluation, including being able to read the content of webmails accessed during a session. Again, as far as I can see, the information is located in clusters identified as free or occupied by deleted files. Note - this should not be a concern unless you had planned to use this as a privacy tool.

    Blue
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Blue

    I guess it is determined on the level of privacy. To protect against another user who has knowledge of windows explorer, but not disk forensics what is there now is excellent. But from someone who has a lot deeper knowledge, say someone who can do what you can do, no. For my privacy interests it's fine.

    Pete
     
  5. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    I'm a little confused as to how there is anything left on the disk - deleted in the freespace or otherwise. If the system partition is in a virtual memory with System Protection "on" how is there anything, at all, to see with WinHex or whatever else?

    I have done a lot of surfing with SP "on" and index.dat is filled, but after reboot, index.dat is empty.

    Blue, How did anything get written to the disk with SP "on"?

    I know I am probably just missing something, but I am lost as to how that happens if Returnil operates as advertised in memory.

    Thanks!

    Genady
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'd say that's true for most folks as well (including me by the way).

    I thought it best to put some rough boundaries around Genady's general observation that
    If one wishes to delve into the disk, there will be plenty of traces to examine. A casual, or even somewhat intrusive user will not locate them, while someone looking for specific information will readily identify the tracks.

It is basically somewhat better than performing a cleanup of system activity via a simple OS deletion as opposed to a secure deletion. Further, to re-emphasize one point, this is not the prime purpose of this program. Its main functionality - system protection - is very well done and ready for the masses.

    Blue
     
  7. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Hi Blue! We must have been on the same wave-length! Posting at about the same time. Did you see my question posted a minute or so before yours?
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'll let the developers handle that one in detail...

    Blue
     
  9. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    431
    Thanks to Peter and Coldmoon for the replies.

    @ Coldmoon.
    There are several aspects of this program which are curious to say the least, even after reading the FAQ's. Maybe more will become clear after a period of using it.

    Thanks again.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Mike,

    I'm not actively saving anything in the exercise. This is simple system usage where you develop the usual TIF residuals and so on. What I am specifically talking about is content from web accesses including webmail accesses.

    What sticks out in my mind is the seeming lack of association with RVSYSTEM.IMG. This is something I really don't understand.

    Let me emphasize that system changes are absolutely gone with respect to being within currently active files - the expected program functionality is working as desired.

    I wouldn't label what I've mentioned as a bug or even a functional problem. However, I would say that a potential user contemplating to take advantage of Returnil's side benefits as a means to achieve privacy should clearly understand what the program does and does not accomplish. As Peter noted, for many this will be sufficient.

    Overall I believe this is an extremely solid application that every user should consider - that's really the first time I've said that of a virtualization tool and that would be true even if it were not free.

    Blue
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Welcome to the virtual side Blue!

    Just kidding.;)
     
  12. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    I don't know. Forget the "side benefits" issue and whether it was designed for privacy or not. If it works as Mike has stated it does - and how it is marketed on their website - then there is no reason at all that anything in the Temp Internet Files should be there upon reboot (even deleted and thereby recoverable). This cuts to the issue if it really does it all in memory or not. If the System Partition is in memory while it is "on" then there should be NO TRACE of the TIF. So, whether or not it was or was not designed with privacy in mind - it cuts to the chase of does the application truly operate as marketed? I am hoping that Returnil and Mike are correct in that it DOES operate in memory. Bottom line: It has to be one way or the other. It can't be in memory and traces still be recoverable by Blue. So, it's HOW it really works that is at issue.

    ON EDIT: Just to be clear, I think it is an excellent program and is very effective at what it says it does. The only issue is ----- does it do it all HOW they claim. But otherwise, it's a great app and Mike has been super helpful here at Wilders!
     
  13. EASTER.2010

    EASTER.2010 Guest

The program runs great like I already mentioned whether protection On/OFF or even SessionLock. Everything takes place as expected as in dismissing the session upon reboot w/ protection ON. All that is just peachy.

The problem I'm encountering is that upon simple reboot from Windows there is a definite "stall"/"delay". Now then, this is more pronounced upon booting up and in fact several times last evening it took a 2nd boot (manually reset) that subsequently brings up the "START WINDOWS NORMALLY" screen, and then proceeds to enter Windows.

With all that said please keep in mind I am using the non-Vista updated FD-ISR program which still resides in the MBR. Perhaps that might be suspect, I dunno.

    As far as custom set-up let me draw that for you. SSM + Snoopfree + Kerio 2.15 = basic ACTIVE security. Stardock's LogOn Studio + Bootscreen handles the upboot dressings.

    I'll switch snapshots to try again and after that even go as far as open a "raw" uncustomized hard drive to test if this delay continues or abates.

Somewhere in the back of my mind I suspect MEMORY as another likely possibility, I keep a conservative 512MB.

    Regards EASTER
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Genady,

    I believe the descriptions on the website, and provided by Mike, are accurate.

    When you reboot, there are no (observable) changes to your system. There is no obvious trace of a deleted TIF either - I knew what to look for, and found it embedded in clusters labelled free and associated with previously deleted files. The only way to locate this stuff is to look at the bare clusters of the drive. You don't see a bunch of newly deleted files that can be readily resurrected - it is free space and the cluster level content of previously deleted files - which is a little different - at least from my perspective.

    Blue
     
  15. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello Blue,
    Sorry for the late reply and not completely understanding what the issue was myself. I have talked with the lead dev and he agrees that this is not a priority issue at the moment and that the program is working properly.

    What is occurring is due to Windows and pagefile.sys as well as the fact this file and RVSYSTEM.img are not cloned within memory. Therefore, this may leave some history traces as you have found.

    I think the confusion is in how you think of an image file. Don't let that hang you up as the RVSYSTEM.img file has nothing to do with the cloning being used in the System Protection feature. The VP is independent of the System Protection/Session Lock feature.

    Mike
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    OK - got it now.

    Blue
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Easter

If I had to guess, I'd suspect two things. One is memory. I don't see the delay, but even in my VM machine, I have 1 gig of RAM set aside for it. My Tablet has 2 gig so I've plenty of memory. One other place is the Stardock stuff. I've played with several of their programs, and on one hand I liked them, but they just played funny on my systems. Just a thought.

    Pete
     
  18. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I guess the only disadvantage to this application, would be that it encourages rebooting (unless of course it's left on continuously) which is supposed to be hard on your HD. Or, even whilst just using SessionLock, would you just leave the program enabled for several days before a boot? Also, even with ample RAM, doesn't Windows still sometimes write to the drive?
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,611
    Location:
    Texas
    Yes it does.
     
  20. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hello ratchet,
It is not any harder on your system than simply shutting down for the night and turning your system back on in the morning. You do not always have to reboot and many like to use the Session Lock instead of defaulting to have System Protection always ON.

    If you choose to run with protection always on, it would not be taxing to your HDD. But lest this become a rehash of the disk-wear debate, I think it is sufficient to refer you to the earlier part of this thread where it was discussed.

Yes, Windows will write to the drive as RVS does not clone pagefile.sys. The thing to remember here is that all active changes are lost with a reboot as expected, but this process leaves some trace, inactive remnants that need forensic techniques to find...

So, IOW, RVS will ensure permanent change does not occur to your %s as designed, but is not a 100% perfect privacy solution; which after all is not the core mission of the program...

    Mike
     
  21. EASTER.2010

    EASTER.2010 Guest

    All active changes that is except the Virtual Drive right? :)

    I found the SessionLock feature an ideal way to manage control to your preferences. Some like myself favor interaction with ANY security/rollback/virtual program where YOU can have a say in those matters.

    With that being said, we now have yet another VIRTUAL solution that helps make our computer experience safer yet again.

    Returnil appears a sound choice for ALL users. A novice can rest assured when they get hammered they can dump the intruder, those users usually fall into the category of solely depending on commercial signature based (automatic) AV's and the like.
For other more knowledgeable and informed users, our front-line DEFENSE shieldings (HIPS), is likely formidable enough to stave off the fiercest of attempts to invade the system at any level (Ring0,3), so with Returnil we can randomly select the appropriate time to engage SessionLock for times we feel the need as well as storage any data to its Virtual drive for safekeeping later.
     
  22. WindBlade

    WindBlade Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    58
    Just wondering.. Does Returnil mark the "end" of DeepFreeze with RVS being free and support "shadow" without reboot..

    I assume DeepFreeze holds no advantage over Returnil other than the Memory/Disk Debate?

    Interesting..
     
  23. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Of course not, always room. Also the editions of Deep Freeze have many different features to RVS. It'll be interesting to see what additions RVS come up with in the future.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Coldmoon! I wonder why there is no support to protect all partitions rather than OS partition only.

    Thanks
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes I was wondering about that too. AFAIK PowerShadow in full mode protects all harddisks/partitions, in single mode PS only protects the system partition, just like Returnil.
    After all, I consider Returnil as a competition of PowerShadow and I prefer rather English support, than Chinese support.
    My suggestion : let the user choose, which partitions need RVS protection.
     
    Last edited: Jun 24, 2007