Sandboxie/Eraser test with Recuva

Thank You Scoobs!

 

Create a ramdrive and set Sandboxie to store it's working folder there.

 

Yup, I went back to Ramdrive yesterday after doing this testing, not because of the wiping problems but because it's an approach I used to use, but just didn't get round to setting up when I rebuilt my PC last time.

 

I found a Sandboxie folder in program files and I also see an icon. What exactly would I delete?

 

I did an experiment with a huge number of several folders while Returnil was enabled. I right clicked on the folders and wiped them with R-wipe. Not one single picture from the folders was visible after a restart and a deep scan with Recuva. However, images that were viewed from within the browser were still visible after a restart and a deep scan.

So you can wipe the images, and that works. But images from within the browser are another story altogether.

The closest thing I have found so far to actually wiping browsing data is using BCwipe transparent wiping. It passed completely in 2 tests but in 3 other tests there were a few images left. But it prevented most of them.

 

So that actually does the trick? Are you talking about wiping the entire Sandboxie folder in program files?

 

Yes, it appears to. I'm talking about wiping the sub-folders of the Sandboxie directory. So unless you've renamed you Sandbox, the primary one will be called "Defaultbox".

Also bear in mind that my testing was quick and unscientific. Where I could recover images then the testing is 'valid' (until somebody proves otherwise), but just because I couldn't recover an image where I performed a direct directory wipe it doesn't mean it's not possible. My sample size may not have been large enough and I could have just got lucky.

 

So you can make Sandboxie run on RAM only? How difficult is that to do?

 

I can't find anything that says "defaultbox". I found a Sandboxie icon and a folder in program files. Where else should I look in Windows 7?

 

I ran 3 successful tests with Returnil enabled and with BCwipe's transparent wiping enabled. I viewed tons and tons of images inside of my sandboxed browser. I then opened up an empty tab and X'd out of the other one. I let it set there about 5 minutes and then deleted the sandbox. I wanted to give it plenty of time so that if any images did show up I wouldn't have to wonder if maybe it didn't have time to finish.

I had Returnil enabled upon restart. So after Sandboxie was finished wiping, I restarted the computer. I let it set for a few minutes, unchecked the "start virtual mode upon restart" and restarted again. I then deleted the transparent wiping option in BCwipe to make sure that it did not interfere with Recuva's ability to recover the images. I ran Recuva and not one single image showed up.

Also, I had already tried BCwipe's transparent wiping with Returnil diabled inside of Firefox (unsandboxed). All of the images showed up. So BCwipe doesn't work by itself, Sandboxie with Eraser does not work by itself, and Returnil does not work by itself. However, in 3 tests viewing tons and tons of images inside of a browser, the combination of all 3 has worked perfectly....as far as Recuva is concerned anyway.

 

By default Sandboxie stores it's working/storage folder at C:\Sandbox\Administrator or USERNAME\DefaultBox - Win 7

or C:\Sandbox\DefaultBox - XP.

Here I create a ramdrive which is allocated a new drive letter (Drive H in my case) and then set Sandboxie to store it's working folder there which as easy as pie.

 

@Franklin

Which ramdrive software do you use?

Thanks!

 

http://memory.dataram.com/products-and-services/software/ramdisk

With 8 gig of ram here and using a 32 bit system this ramdrive can utilize the 4 gig of ram that Win 7 32 bit can't use.

That feature doesn't seem to be available when using XP 32 bit?

I create a ramdrive of around 3.6 gig of the ram above 32 bit then set Sandboxie to store it's working folder there, copy/paste/run an nLited XP VM which sits at around 1.6 gig and even allocate a gig or so to readyboost just for the heck of it not that I notice much of a difference.

 

hey caspian, how come your sandbox yellow icon has a lock on it? mine doesnt have that

 

Hey thanks for that. I found it. I did a search for Casper the friendly ghost in Google images. I looked at a bunch. I wiped the default box and ran Recuva. Casper was there all over the place. So it doesn't work. Do you think the RAM idea will work?

 

I have absolutely no idea. Are you running Windows 7?

 

vista

 

My Vista computer does not show the lock. Just my Windows 7.

 

i think it has something to do with windows 7 applocker feature.