Recoverable traces from a VirtualBox session?

We all know Sandboxie sessions are recoverable from the standard deleting of the sandbox. The only way to make the session untraceable is to securely wipe the sandbox contents.

Now If I were to start a Virtualbox session and turn it off and restore the previous snapshot, would anything in that session be recoverable?

For Example:
Let's say I start up Virtualbox session and inside my VM I create a few document files using Microsoft office. I would then turn off the session and restore to the last snapshot. (Which in theory should erase all the contents of that session)

Now would these documents be recoverable using file recovery programs or would terminating a session pretty much securely wipe all the history and contents?

 

Anything that happens on the harddisk is recoverable. Although vbox simulates another computer, it should be clear that its really using your real harddisk - so yeah stuff is recoverable.

 

Hi, yes it's a problem, and if someone had commercial secrets etc, it could be a BIG problem if their comp fell into the wrong hands.

I don't think the vendors have given enough/Any thought to this glaring omission

The good thing about Returnil 2008 was/is that you can choose to only use RAM for sessions = This totally eliminates any data being saved to disk =

Also v2008 has a wipe/delete option on shutdown if you used HD caching = The later versions ONLY wipe on rebooting =

I hope more vendors take notice of this, and Very soon, and include such essential option/s =

 

V2008 as in returnil 2008?

So what you are saying is that during a VirtualBox session, it is being saved in real time onto the hard disk vs memory? See I didn't know that but thanks for pointing that out.

Then, as you have stated above, this would mean that the session is recoverable.

So I am assuming that VirtualBox has no option to only use the memory as Returnil has, or to wipe on terminated session... Hmm someone should request that to VirtualBox. But I am wondering, any other reputable VM has this function? I am thinking if there is another way to make sessions unrecoverable.

But what if I were to do a system encryption on the VM, would this make any difference in the session recovery? I am guessing it doesn't because it will be mounted during use.....

 

@ dialxdrop

I havn't used VB, i was talking generically about data retention problems with any such software.

Returnil v.2008 = yes

 

You can create a ramdrive and set Sandboxie to store it's working folder there for secure deletion.

You can even copy/paste an XP VM/VHD to the ramdrive and run it from there if you have the ram to spare.

I use Returnil 2008 here as well and it will write to the hard drive if memory runs low.

 

Also, keep your system drive as small as possible. OS and apps works great with data on separate partition. Other than making it very easy if you need to restore a system image, the other advantage is having a very small partition to wipe free space. I keep a streamlined XP system partition with minimal installed programs and it comes to about 3gb....that leaves minimal free space to wipe.

But the real bottom line to me is why worry about all this? Just encrypt your entire computer with strong cryptography.

 

Even if you set it not to ?

 

Have a read through below:
https://www.wilderssecurity.com/showthread.php?t=280064

 

@ Franklin

Thanks for the link It's a while since i used Returnil so i must have forgotten that bit Not good though if people select RAM and get Disk, it's not what they expect, or want

I see doveman is still waiting for answers since September 4th

 

Have a look at this, it shows you how can you make VM private:
https://www.wilderssecurity.com/showthread.php?t=282773

 

Hey yeah, thanks for the link. I figured out something very similar to the above and was going to post it as a solution but its all there. I think the only difference is my .VirtualBox folder with the xml's is still in C but theres nothing from the sessions that tie to that file. No logs, history etc...

 

Lockbox, this is very intriguing. I have a 20 gig system c: drive partition that I use for all my installs and programs. All my data is stored in other drives.

If I were to shrink down to 5 gigs, would you say there would be a significant difference in performance? Like over 20% increase in overall speed?

So I would just install all my applications to let's say D: drive instead of C: ?