Recoverable traces from a VirtualBox session?

Discussion in 'sandboxing & virtualization' started by dialxdrop, Sep 22, 2010.

Thread Status:
Not open for further replies.
  1. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    We all know Sandboxie sessions are recoverable from the standard deleting of the sandbox. The only way to make the session untraceable is to securely wipe the sandbox contents.

    Now if I were to start a VirtualBox session and turn it off and restore the previous snapshot, would anything in that session be recoverable?

    For example:
    Let's say I start up a VirtualBox session and inside my VM I create a few document files using Microsoft Office. I would then turn off the session and restore to the last snapshot. (Which in theory should erase all the contents of that session)

    Now would these documents be recoverable using file recovery programs or would terminating a session pretty much securely wipe all the history and contents?
     
  2. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Anything that happens on the hard disk is recoverable. Although vbox simulates another computer, it should be clear that it's really using your real hard disk - so yeah stuff is recoverable.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, yes it's a problem, and if someone had commercial secrets etc, it could be a BIG problem if their comp fell into the wrong hands.

    I don't think the vendors have given enough/Any thought to this glaring omission :thumbd:

    The good thing about Returnil 2008 was/is that you can choose to only use RAM for sessions = :thumb: This totally eliminates any data being saved to disk = :thumb: :thumb:

    Also v2008 has a wipe/delete option on shutdown if you used HD caching = :thumb: The later versions ONLY wipe on rebooting = :thumbd:

    I hope more vendors take notice of this, and Very soon, and include such essential option/s = :thumb:
     
  4. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    V2008 as in returnil 2008?

    So what you are saying is that during a VirtualBox session, it is being saved in real time onto the hard disk vs memory? See I didn't know that but thanks for pointing that out.

    Then, as you have stated above, this would mean that the session is recoverable.

    So I am assuming that VirtualBox has no option to only use the memory as Returnil has, or to wipe on terminated session... Hmm someone should request that to VirtualBox. But I am wondering, any other reputable VM has this function? I am thinking if there is another way to make sessions unrecoverable.

    But what if I were to do a system encryption on the VM, would this make any difference in the session recovery? I am guessing it doesn't because it will be mounted during use.....
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ dialxdrop

    I haven't used VB, I was talking generically about data retention problems with any such software.

    Returnil v.2008 = yes
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    You can create a ramdrive and set Sandboxie to store its working folder there for secure deletion.

    You can even copy/paste an XP VM/VHD to the ramdrive and run it from there if you have the ram to spare.

    I use Returnil 2008 here as well and it will write to the hard drive if memory runs low.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Also, keep your system drive as small as possible. OS and apps work great with data on a separate partition. Other than making it very easy if you need to restore a system image, the other advantage is having a very small partition to wipe free space. I keep a streamlined XP system partition with minimal installed programs and it comes to about 3gb....that leaves minimal free space to wipe.

    But the real bottom line to me is why worry about all this? Just encrypt your entire computer with strong cryptography.
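
Added example, not part of any post in this thread: a toy model of the behaviour discussed above, where deleting a file only drops its table entry, so a signature scan of the raw disk still finds a legacy Office (OLE2) header until free space is overwritten. The `ToyDisk` class, the file names and the sample bytes are constructed for illustration and do not model VirtualBox's image format or any real filesystem.

```python
# Toy "host disk": delete leaves data behind, wiping free space removes it.
BLOCK = 512
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt header


class ToyDisk:
    """Flat block device plus a name -> block-list table (constructed model)."""

    def __init__(self, blocks):
        self.raw = bytearray(blocks * BLOCK)
        self.table = {}                      # allocated files
        self.free = list(range(blocks))      # free block numbers

    def write_file(self, name, data):
        need = -(-len(data) // BLOCK)        # ceiling division
        used = [self.free.pop(0) for _ in range(need)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[blk * BLOCK:blk * BLOCK + len(chunk)] = chunk
        self.table[name] = used

    def delete(self, name):
        # Ordinary delete: only the table entry goes, the data stays put.
        self.free.extend(self.table.pop(name))

    def wipe_free_space(self):
        # "Wipe free space": overwrite every unallocated block with zeros.
        for blk in self.free:
            self.raw[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)


def carve_ole2(raw):
    """Return byte offsets of block-aligned OLE2 headers in a raw image."""
    return [off for off in range(0, len(raw), BLOCK)
            if raw[off:off + 8] == OLE2_MAGIC]


def demo():
    # Returns (offsets found after delete, offsets found after wipe).
    disk = ToyDisk(blocks=64)
    disk.write_file("host.txt", b"unrelated host data" * 40)
    # Constructed sample: stands in for a document saved during the session.
    disk.write_file("session.img", OLE2_MAGIC + b"quarterly plan" * 100)
    disk.delete("session.img")
    after_delete = carve_ole2(disk.raw)
    disk.wipe_free_space()
    after_wipe = carve_ole2(disk.raw)
    return after_delete, after_wipe
```

`demo()` finds the header at offset 1024 after the delete and nothing after the wipe, while the still-allocated `host.txt` blocks are untouched.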
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Even if you set it not to ?
     
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Franklin

    Thanks for the link :thumb: It's a while since I used Returnil :'( so I must have forgotten that bit :( Not good though if people select RAM and get Disk, it's not what they expect, or want :eek:

    I see doveman is still waiting for answers since September 4th :D
     
  11. Jav

    Jav Guest

  12. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    Hey yeah, thanks for the link. I figured out something very similar to the above and was going to post it as a solution but it's all there. I think the only difference is my .VirtualBox folder with the xml's is still in C but there's nothing from the sessions that tie to that file. No logs, history etc...
     
  13. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    Lockbox, this is very intriguing. I have a 20 gig system c: drive partition that I use for all my installs and programs. All my data is stored in other drives.

    If I were to shrink down to 5 gigs, would you say there would be a significant difference in performance? Like over 20% increase in overall speed?

    So I would just install all my applications to let's say D: drive instead of C: ?
     