Deleting files without closing Sandboxed Firefox

Discussion in 'sandboxing & virtualization' started by zmechys, Mar 22, 2013.

Thread Status:
Not open for further replies.
  1. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,156
    Location:
    usa
    Just need some understanding about Sandboxie.
    (Nothing to do with Privacy Paranoia, just knowledge)

    When I use Firefox with Sandboxie, Sandboxie creates a new sandboxed Firefox - Profile folder with various files in it.

    Does it create a copy of Recycle Bin? (I doubt).

    Nothing (let's assume) leaves the sandboxed area.

    What happens when I delete my browsing history, cookies, etc... without closing Firefox and Sandboxie?

    Do the deleted files stay in the sandboxed memory on the drive or Sandboxie lets the deleted information leave the sandbox area in the memory and go into the "wild" free space on the hard drive?

    In other words, I deleted (let's say, with Click&Clean Add-on) my browsing history, web pages, cache, etc., while still on-line using sandboxed Firefox. Firefox does not see/have that info anymore.

    (We know that when we delete a file, the file does not go anywhere.
    The system changes the first letter of the file and that file is easily recoverable.)

    Does that deleted file stay in the sandboxed area or no?
    If the file (not visible) stays in the sandboxed area, Eraser will securely shred everything, including the deleted file.

    If the file is released by Sandboxie, Eraser will not delete that file, and the file - your browsing history, web-pages, cookies, etc. - could be easily recovered by a simple app.

    Just an academic question. Nothing to do with paranoia.
    In my young days, the OOP C++ teacher used to say, "Where are variables in the memory", "What happens in the memory when you do this or that?"
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I read your post a couple of times, if you want to know if files that are in a sandbox can be recovered with recovery programs after they are deleted, the answer is yes. I am not sure this is what you are asking but that's how it is unless you secure delete the files with programs like Eraser.

    Bo
     
  3. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    Your computer keeps track of data stored in physical memory and data stored in virtual memory in much the same way arrays keep track of information in files. Depending on the type of memory involved, the standard deletion process simply erases the computer's index of where that data is stored in memory. Something to consider: most modern operating systems manage limited physical memory (RAM) by relocating unused application data to virtual space created on the hard drive. Physical memory such as RAM is considered volatile because data stored in memory is presumably lost when you power down the computer. But because most current operating systems relocate this data to long-term memory storage on the hard drive, powering down your computer is simply not enough to remove data. You have to securely write over existing data in memory to erase it. Otherwise, typical data deletion removes only the index of where that data is stored in virtual memory. Now, presuming file deletion requires the application data be inactive, which it should, then no, you cannot securely delete the active data in virtual memory. At least, not to my knowledge. Keep in mind, though, that I've just begun diving into computer mechanics and operating systems. I am in no way an expert.
     
  4. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,156
    Location:
    usa
    I decided to open Firefox with Sandboxie.
    The program is loaded into RAM. It's possible that Sandboxie loaded only the essential parts of the program initially and then would load other pieces as needed.
    At this moment, let's forget about RAM, ROM, CACHE, Dynamic RAM, Static RAM, Virtual Memory, Video Memory, etc., and call it just “MEMORY.”
    We can use a drawing from Sandboxie.

    SandboxieMemory.PNG

    Sandboxie temporarily "borrowed" a contiguous (not scattered, not fragmented), clearly marked and fenced piece of land, called "Memory." (Simplify)
    I decided to download one file, "Sandboxie Manual.pdf". (Does not exist)

    After I finished reading it, I decided to delete it.

    http://www.sandboxie.com/index.php?SecureDeleteSandbox
    "By default, Sandboxie deletes the sandbox using a standard Windows command to delete folders -- RMDIR. This makes sure the contents of the sandbox (including malicious software) are properly removed from the operating system. But as mentioned above, it leaves the data vulnerable to inspection and recovery by forensics experts."

    I figured out that I made a mistake by deleting that file with RMDIR, re-started Sandboxie, and configured Sandboxie to
    "Invoke Eraser by Heidi Computers to delete the contents securely".

    I closed Sandboxie again and Eraser securely deleted everything.

    My question.

    Did Eraser securely delete "Sandboxie Manual.pdf", the file that was deleted by Sandboxie using RMDIR after I closed Sandboxie the first time?

    I would say, NO, because
    Eraser does not care about any "Memory" that was allocated previously for Sandboxie.

    I opened Firefox with Sandboxie third time and downloaded one file "Privacy Agreement" from WILDERSSECURITY.COM
    After reading it, I decided to delete that file without closing/terminating Sandboxie.
    The file was deleted using RMDIR, and I continued my browsing on-line using sandboxed Firefox.
    After one hour, I clicked the command "Terminate All Programs".

    http://www.sandboxie.com/index.php?StartCommandLine#delete
    "The delete operation occurs in two phases:
    Phase 1 scans the contents of the sandbox and processes files which could pose a problem during the second phase:
    • Junctions (also known as reparse points) are removed.
    • Read-only files and directories are made fully accessible"
    Is Eraser going to see and securely delete the previously deleted file "Privacy Agreement"?

    1. Yes, because I did not let that file leave Sandboxie's clearly marked and fenced piece of land, called "Memory"; therefore, Eraser shreds/plows each and every inch of Sandboxie's Memory without any exceptions, including Sandboxie's free memory space.

    2. No, because Eraser cannot see/find that deleted file (the pointer telling Eraser where to find that file is erased and the file was moved from Sandboxie's Memory into a free memory area)
     
  5. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    The answer to your question is no, presuming Sandboxie's default deletion is the same as standard file deletion in Windows. If this is indeed the case, then the data could still be on your system (depending on memory type) and someone with more forensics knowledge would be needed to find it and remove it from memory. In this case, the already deleted pdf is inactive data in memory so deletion would be possible even if Sandboxie is actively running. All new content that you put into Sandboxie is going to be securely deleted from virtual memory. There were some threads a while back that suggested some issues with certain versions of Eraser and s-delete not properly removing data. So unless you are a student of forensics, it's possible you could have other data in memory not being erased. I'm confident that Eraser is doing the job, but there is no such thing as an absolute guarantee.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I think you are asking two questions here. In my opinion, the answer to the first question is no and yes to the second one. Zmechys, I know very little about this stuff but that's what my instincts and what I know about SBIE tell me. The reasons for the answers being what you are saying. Good questions zmechys, you are making me think. :)

    Bo
     
  7. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,156
    Location:
    usa
    Bo,

    In my opinion, the answer to the second question is NO.
    Let's take a look at the drawing for "Dummies" from Sandboxie.com

    SandboxieDrawing.PNG

    It clearly says, "HARD DISK (With Sandbox)". Before we move to a more realistic memory model, I'd like to ask:
    1. What about the fragmentation of the Sandboxie Hard Disk area?
    2. Are the Sandboxie fragmented files kept inside the yellow fence or scattered all over the disk?
    3. Is Sandboxie responsible for remembering the addresses for its files?

    "Disk Geometry: How Data is Organized on a Hard Disk Drive":
    http://www.forensicswiki.org/w/images/7/79/Maxtor_Disk_Geometry.pdf

    "Let's take a look at what happens when you retrieve data from a hard disk drive. When you issue a command to open an existing file, the application program you're running prompts you to enter the name of the file to open. It then passes the file name to the operating system, which determines where the file is located on the disk drive - the head number, cylinder, and sector identification. The operating system transfers this information to the disk controller, which drives an actuator motor connected to the actuator arm to position the heads over the right track. As the disk rotates, the appropriate head reads the address of each sector on the track. When the desired sector appears under the read/write head, the entire contents of the sector containing the necessary data are read into a special, ultra-fast memory, called cache, on the drive's PCB. Then, the disk drive interface chip sends the necessary information to the computer's main memory.

    Storing data on a hard drive is a similar process to retrieving data, only reversed. The host computer operating system is responsible for remembering the addresses for each file on the disk and which sectors are available for new data. If the file you want to store is large - for example, a 10 MB CAD/CAM drawing - the operating system instructs the controller where to begin writing information to the disk. The controller moves the read/write heads to the appropriate track and writing begins. When the first track is full, the heads write to the same track on successive platter surfaces. If still more track capacity is required to store all the data, the head moves to the next available track with sufficient contiguous space and writes the data there."

    The Operating System (Not Sandboxie) is responsible for storing and retrieving any information on the hard disk.

    Let's look at the more realistic memory model that includes RAM.

    MemoryManagement.PNG

    http://computer.howstuffworks.com/computer-memory1.htm
    "When you open an application, it is loaded into RAM. To conserve RAM usage, many applications load only the essential parts of the program initially and then load other pieces as needed.
    After an application is loaded, any files that are opened for use in that application are loaded into RAM.
    When you save a file and close the application, the file is written to the specified storage device, and then it and the application are purged from RAM."

    What unit is responsible for it?

    The Kernel.
    http://en.wikipedia.org/wiki/Kernel_(computing)

    Kernel.PNG
    "The kernel's primary function is to manage the computer's resources and allow other programs to run and use these resources.
    Memory management

    The kernel has full access to the system's memory and must allow processes to safely access this memory as they require it. Often the first step in doing this is virtual addressing, usually achieved by paging and/or segmentation. Virtual addressing allows the kernel to make a given physical address appear to be another address, the virtual address. Virtual address spaces may be different for different processes; the memory that one process accesses at a particular (virtual) address may be different memory from what another process accesses at the same address. This allows every program to behave as if it is the only one (apart from the kernel) running and thus prevents applications from crashing each other.[3]

    On many systems, a program's virtual address may refer to data which is not currently in memory. The layer of indirection provided by virtual addressing allows the operating system to use other data stores, like a hard drive, to store what would otherwise have to remain in main memory (RAM). As a result, operating systems can allow programs to use more memory than the system has physically available. When a program needs data which is not currently in RAM, the CPU signals to the kernel that this has happened, and the kernel responds by writing the contents of an inactive memory block to disk (if necessary) and replacing it with the data requested by the program. The program can then be resumed from the point where it was stopped. This scheme is generally known as demand paging.

    Virtual addressing also allows creation of virtual partitions of memory in two disjointed areas, one being reserved for the kernel (kernel space) and the other for the applications (user space). The applications are not permitted by the processor to address kernel memory, thus preventing an application from damaging the running kernel. This fundamental partition of memory space has contributed much to current designs of actual general-purpose kernels and is almost universal in such systems, although some research kernels (e.g. Singularity) take other approaches."

    I'm sorry for providing so much info.
     
  8. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    This feels like a review of my CIS 206 class. :)

    1. What about the fragmentation of the Sandboxie Hard Disk area?
    2. Are the Sandboxie fragmented files kept inside the yellow fence or scattered all over the disk?

    These questions cover the same topic, so I'll only give one response for both. Typically the application's data is stored on the physical hard drive in non-virtual space. Some of this data is also loaded into RAM during installation and execution. But at no point is the data virtualized by the application permitted to leave the virtual space (yellow fenced area), except for auto- and manual recovery. When you choose to recover a file, it moves from virtual memory to physical memory on the hard drive. So the answer to your two questions is yes data is stored in different locations, but the data in question is very specific. The application has some control when it writes data to the registry. This permits it to specify how memory should be set up, hence the creation of the virtual space on the C drive. It also can specify what external hardware is to be used presuming you had to connect something, say a projector. Remember that applications add to the functionality of the operating system and processor.

    3. Is Sandboxie responsible for remembering the addresses for its files?

    Physical memory and virtual memory are managed by the operating system. When you install an application, most applications write data to the registry. The registry is going to include data from what type of hardware is connected to the system, how memory should be set up, etc. The operating system still manages this, but applications can add additional functionality beyond what the OS and the processor perform. For example, you can control/specify the access between virtual and physical memory. The OS maintains virtual memory by managing a page map for each process, which it then uses to translate virtual addresses into corresponding physical addresses. Sandboxie does play some role though, in that it can expand how this virtual data is deleted from the hard drive.


    "After an application is loaded, any files that are opened for use in that application are loaded into RAM."

    Yes and No. First, this depends on the availability of physical memory in RAM. Secondly, most application data is read from the hard drive where it is stored for long term access. Application data marked as critical is loaded into RAM, such as core application components. When you sandbox that application nothing changes, except the data that application processes is stored in virtual memory on the hard drive. For example, the word processor on your computer is not stored in virtual memory itself, but the word document is contained in the sandbox when you downloaded it from the internet. The only exception to this, would be if you installed an application inside the sandbox itself. This data would be stored in virtual memory, instead of on the hard drive and it would not be protected by any of the settings limiting access to physical memory because the application isn't being accessed from physical memory. It's perfectly accessible to any other agents running inside the sandbox.


    "When you save a file and close the application, the file is written to the specified storage device, and then it and the application are purged from RAM."

    When you save a word document (outside the sandbox) or recover it from virtual memory it is saved to the hard drive for long term storage. As for that second part, remember I mentioned earlier that memory management moves unused data from RAM to virtual memory. While it's true that powering down your computer should purge data from RAM, modern operating systems actually move this data to virtual memory on the hard drive, to make space for other applications you might be running. So technically, memory is given back to the system, but your data isn't really deleted. You'd have to securely delete the virtual memory to get rid of this data. Another reason why CCleaner and such applications should be run on computers. Not only does it help you securely remove a file yourself, but remove the data that the operating system is trying so very hard to hold on to. It should be mentioned that Windows makes a lot of effort to retain this data in other places (i.e. back up program, certain files, etc.). So from a forensic standpoint, it would be difficult to erase everything without a better understanding of forensic analysis.

    What unit is responsible for it?
    The operating system has several primary functions: processor, memory, storage, device, and user interface management. In this case the operating system is utilizing effective memory and storage management to allocate data to available memory and to organize that data when you save a file to your computer.
     
    Last edited: Mar 24, 2013
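
The case this thread asks about, as an added example that is not from any poster and is not Sandboxie or Eraser code: a toy volume (constructed, not NTFS) on which a file is deleted normally inside the sandbox folder and the folder is shredded afterwards. It assumes the shredder only processes files still listed in the folder; `ToyVolume`, the paths and the file contents are made up for illustration.

```python
# Toy volume, constructed for illustration: a flat byte array plus an index.
# It is not NTFS and does not call Sandboxie or Eraser.
CLUSTER = 32  # bytes per cluster in the toy volume


class ToyVolume:
    def __init__(self, clusters=16):
        self.disk = bytearray(clusters * CLUSTER)  # raw storage
        self.free = set(range(clusters))           # allocation bitmap
        self.index = {}                            # path -> clusters it owns

    def write(self, path, data):
        owned = []
        for off in range(0, len(data), CLUSTER):
            c = min(self.free)                     # lowest free cluster
            self.free.remove(c)
            chunk = data[off:off + CLUSTER]
            self.disk[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            owned.append(c)
        self.index[path] = owned

    def delete(self, path):
        """Ordinary delete: drop the index entry, free the clusters, keep the bytes."""
        self.free.update(self.index.pop(path))

    def _overwrite(self, c):
        self.disk[c * CLUSTER:(c + 1) * CLUSTER] = b"\x00" * CLUSTER

    def shred_tree(self, prefix):
        """Overwrite, then delete, every file still listed under prefix."""
        for path in [p for p in self.index if p.startswith(prefix)]:
            for c in self.index[path]:
                self._overwrite(c)
            self.delete(path)

    def wipe_free_space(self):
        """Overwrite every cluster the bitmap marks as free."""
        for c in self.free:
            self._overwrite(c)

    def raw_contains(self, needle):
        """Recovery-tool view: scan the raw bytes and ignore the index."""
        return needle in self.disk


def scenario():
    vol = ToyVolume()
    vol.write("Sandbox/history.db", b"visited: example.test/private")
    vol.write("Sandbox/cookies.txt", b"cookie: session=constructed")
    vol.delete("Sandbox/history.db")   # cleared while the browser keeps running
    vol.shred_tree("Sandbox/")         # secure delete of the folder on close
    after_shred = (vol.raw_contains(b"example.test/private"),
                   vol.raw_contains(b"session=constructed"))
    vol.wipe_free_space()              # separate pass over unallocated clusters
    after_wipe = vol.raw_contains(b"example.test/private")
    return after_shred, after_wipe


if __name__ == "__main__":
    print(scenario())
```

In this model the earlier-deleted file survives the folder shred because its clusters no longer belong to any path under the folder; only the pass over free clusters removes it.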