RSS 2011 / Wipe All Disk Changes...

Discussion in 'Returnil releases' started by philby, Aug 21, 2010.

Thread Status:
Not open for further replies.
  1. philby

    philby Registered Member

    Hello

    I've just switched from RVS 2010 to RSS 2011 and am interested in understanding the 'Wipe All Disk Changes at Computer Startup' feature.

    If this option is checked under 'Virtual Mode' > 'Settings' > 'Advanced', what happens that is different to simply rebooting with 'Drop All Changes' selected?

    (I have virtual mode set to start with Windows, have not created a VP and have checked 'Wipe All Disk Changes' under 'Advanced').

    Thanks in advance.

    philby

    EDIT: I've just rebooted and noticed a quick notification box headed 'Saving Files' and showing 'Mount Real Partition' > 'Dismount Real Partition', so what's happening here that didn't happen in previous RVS versions?
    Last edited: Aug 22, 2010
  2. Coldmoon

    Coldmoon Returnil Moderator

    The wipe simply overwrites the cache at restart. The saving files message appears when you have chosen to save content to disk.

    Mike
  3. philby

    philby Registered Member

    The saving files message appears when you have chosen to save content to disk

    OK - that was what's been confusing me: that message is coming up even with 'Drop All Changes' selected, i.e. when I've not chosen to save any content to disk.

    Thanks

    philby
  4. Coldmoon

    Coldmoon Returnil Moderator

    Please describe the steps to get the result you are describing as the wipe does not save anything to disk.

    Mike
  5. philby

    philby Registered Member

    That message - 'Saving Files' showing 'Mount Real Partition' > 'Dismount Real Partition' pops up every time I invoke shutdown.

    Settings (on Win7 64): Start Virtual Mode with Windows / Drop All Changes / Wipe All Disk Changes

    I'm using the free version of RSS, which I installed over the top of RVS 2010.

    I might be being dopey, but all I really want to understand is what the setting in question actually does, what the cache actually refers to and how adding this cache-clearing changes how Returnil works, i.e.:

    What's the material difference between rebooting with the setting checked or without the setting checked, assuming I'm in Virtual Mode + Drop All Changes in both cases.

    Thanks for your help.

    philby
  6. Coldmoon

    Coldmoon Returnil Moderator

    Either way, the cache is reset at restart of the computer with the cache being where attempted changes to the real system were tracked during the current virtual mode session. This information, like the data in the Windows pagefile, can be discovered and retrieved using forensics tools and techniques but cannot be discovered through casual inspection.

    When the cache wipe is turned off (default), RVS/RSS simply starts at the beginning of the cache and overwrites what is there. When the cache wipe is active, the program overwrites the cache with a single pass to destroy whatever data was there before the normal overwrite at the beginning of the cache for that virtual session begins (IOW - wipe at restart of the computer).

    Mike
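    As an added illustration (not Returnil's code; the cache layout and sizes are assumptions), a toy model of the behaviour Mike describes: after a plain restart the next session simply overwrites from the start of the cache, so whatever lies past its write position is still there for a forensic tool to read, while the wipe option overwrites the whole cache once before the new session begins.

```python
class SessionCache:
    """Toy model of the RVS/RSS change cache (an assumption, not Returnil's
    real format): a fixed-size buffer whose write position returns to 0 on
    every reboot."""

    def __init__(self, size=64, fill=b"\x00"):
        self.buf = bytearray(fill * size)
        self.fill = fill
        self.pos = 0

    def track_change(self, data):
        """Record an attempted change to the real system during this session."""
        end = self.pos + len(data)
        if end > len(self.buf):
            raise ValueError("cache full")  # demo only: no wrap-around
        self.buf[self.pos:end] = data
        self.pos = end

    def restart(self, wipe=False):
        """Reboot. Without the wipe, 'reset' only means the write position
        goes back to 0. With wipe=True, one pass of the fill pattern first
        destroys whatever the previous session left behind."""
        if wipe:
            self.buf[:] = self.fill * len(self.buf)
        self.pos = 0

    def remnants(self):
        """What a forensic tool could still read: bytes past the current
        write position that the new session never overwrote."""
        tail = bytes(self.buf[self.pos:])
        return tail.rstrip(self.fill)


def simulate(wipe):
    """Two virtual-mode sessions around one reboot; returns leftover data."""
    cache = SessionCache()
    cache.track_change(b"session1: draft of confidential letter")  # constructed
    cache.restart(wipe=wipe)
    cache.track_change(b"session2: tiny edit")                     # constructed
    return cache.remnants()


if __name__ == "__main__":
    print("no wipe :", simulate(wipe=False))
    print("wipe    :", simulate(wipe=True))
```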
  7. philby

    philby Registered Member

    OK - understand the cache now - thanks Mike!

    I think if the notification had said Overwriting Cache or something to that effect, I would have understood.

    I was foxed (easily done) by getting the Saving Files wording when I had 'Drop All' checked.

    philby
  8. fosl

    fosl Registered Member

    I also get the following message during shutdown:
    'Saving Files' and showing 'Mount Real Partition' > 'Dismount Real Partition'

    I have not selected wipe all disk changes but have selected drop all changes. I guess it's safe to assume nothing is being saved to the real disk.
  9. Coldmoon

    Coldmoon Returnil Moderator

    It should be saving signature and/or policy updates downloaded during the virtual session.

    Mike