Returnil leaving browsing traces

Discussion in 'General Returnil discussions' started by topguynow, Oct 31, 2010.

Thread Status:
Not open for further replies.
  1. topguynow

    topguynow Registered Member

    Joined:
    Feb 17, 2010
    Posts:
    43
    After using Returnil for about a year I decided to actually test its claim to leave no browsing trace behind at reboot after having run it in Virtual Mode. (I had it set to drop all changes.) To my surprise Recuva in its deep scan recovered 321 images that should not have been there. Number one, it appears Returnil has failed in their claim, unless I have done something wrong. Number two, for security as well as privacy reasons, how do I remove these pictures before I sell this laptop? BTW, this issue seems to be mentioned by others from time to time but never fully addressed. Thank You
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    We have the reports and are investigating. One thing everyone should be aware of and is something we have discussed extensively in the past during the RVS 2008 series: privacy is not a core goal of RVS/RSS, but security is.

    For those who are sensitive to privacy issues where the wiping of free/unused space on the real disk is a priority, we strongly suggest looking into a more robust option that can also provide wiping of the Windows Pagefile. RSS/RVS virtualization does not include the Windows PageFile or Hibernation file to ensure proper functioning of Windows as well as to keep minutia out of the change tracking.

    Like the Windows PageFile, the RSS/RVS virtualization cache starts at the beginning and overwrites what was there from a previous virtual session. This means that sensitive information that may be retrievable via forensic disk examination techniques only lasts as long as it takes to be overwritten.

    Like the pagefile in Windows however, this may not be a complete overwrite.

    Mike
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I'm very disappointed to hear that :( as it's NOT what i thought happened, or was led to believe happened !

    My impression was that for eg with v2008 on shutdown it Completely wiped the session cache with one FULL wipe, before shutting down, and on boot started out with a fresh cleaned/deleted new cache.

    1 - Did v2008 actually do the FULL wipe etc as stated by yourself, and in the specs ?

    2 - Does this Non wiping, but ONLY overwriting the cache happen on later versions ?

    TIA
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Relax CR...

    1. Yes and should as well in the current versions. As stated, the issue is being investigated and will be corrected if an issue is found.

    2. The overwriting is done automatically as part of the dynamic caching feature and in older versions as well...

    Mike
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re - "Did v2008 actually do the FULL wipe etc"

    But that appears contrary to this ?

    "If found" ? There is an Obvious issue, it/they Don't WIPE as stated !

    That's also contrary to a FULL wipe etc, on shutdown or boot !

    As you've said several times, you come from a Privacy/Security background, and believe Strongly in such matters, i would expect these things to be High priority ! Maybe they are with you, but not within the RVS group ? Or high enough anyway, which IMO they should/must be.

    Just imagine what a unique & superior product you would have if/when you sort it :) You could proudly proclaim it was a world beater :thumb:

    It's too important a matter to relax about :(
     
  7. topper10

    topper10 Registered Member

    Joined:
    Jan 22, 2010
    Posts:
    15
    Location:
    There
    CloneRanger could not be more spot-on correct. The "politicians" at Returnil evidently believe a cursory use of carefully thought out semantics will be able to alleviate the suspicion that is increasingly directed toward what are being revealed as at best inadequacies in their product and at worst simple outright deception and double-talk. It is all there as CR has documented. I am totally disillusioned with this product and company. What are some reliable and recommended Returnil alternatives that Wilders readers have used? I am interested in WonderShare Time Freeze....Thank You
     
  8. March Hare

    March Hare Registered Member

    Joined:
    Nov 8, 2010
    Posts:
    7
    Having seen this thread, I checked the freespace allocation on my system partition before and after activating RSS virtual mode. As expected, RSS reserved the percentage of freespace that I had specified. However, when I copied additional files to the system partition, the remaining free space was further reduced (by the size of the copied files). Is it possible that data are not being written to the designated cache but to residual freespace instead?

    I uninstalled / reinstalled with the same result. Using Win 7 x64.
     
  9. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Just to be sure everyone understands, the cache wipe is not activated by default. If you want to turn it on, you need to activate the Virtual Mode > Settings > Advanced section > "Wipe all disk changes at computer startup" option.

    This may increase the time to boot the computer depending on the amount of content. Another thing to keep in mind is that what is wiped is what is there after you activate it and is limited to the space that was reserved for that session. If there is data outside of this space that was there from a previous session where the wipe was not used or the cache size changed, you may see some of that data remaining after a forensic investigation.

    The third thing to keep in mind is that the Windows pagefile is not virtualized - this means that Windows' "stream of conscienceless" is not interrupted, interfered with, or removed by an RSS/RVS cache wipe...

    March Hare asked:
    The cache is dynamic and made from existing free space on the HDD and may have different physical start/end points depending on what changes are made during and after a Virtual Mode session. Windows will report the space you specify (default setting is 50% of existing free space) as used when in most likelihood, it is not. Windows does not make the distinction so believes the space is actually used and this can cause confusion about what is happening and where the changes are tracked.

    Kind Regards
    Mike
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Coldmoon

    Hello Sir.

    "may" ? From the tests done by members on here, it's more likely will :eek:

    I like your description WSOC :D

    What is the reason the WPF is not virtualized ?

    In spite of that, if people have set their comp to wipe the PF on shutdown, would this interfere in ANY way with RVS ?

    Also in v2008 that a LOT of people prefer, we can "supposedly" wipe changes on shutdown, as opposed to boot, & i was thinking there might be a conflict there ?

    That should be changed to "Might wipe some, but not all disk changes at computer startup"
     
  11. March Hare

    March Hare Registered Member

    Joined:
    Nov 8, 2010
    Posts:
    7
    Mike, thanks for your explanation. I am comfortable with the idea that the specified cache/workplace might not all be used in a virtual mode session. My concern was that data copied to the virtualized partition appeared to end up outside the specified 50% cache.
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    So that Windows works properly with good performance. It also keeps the cache from being filled up with trivia and taking space better used for more productive purposes such as tracking the changes you just made in that presentation you need to give the next day ;)

    As long as the Virtual Mode is not active and you are wiping free space, you should be good to go...

    The cache wipe at shutdown caused file damage for a small number of customers in rare cases. Once moved to startup, this issue no longer occurred.

    Mike
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    UPDATE

    Hi All,
    The next release should resolve issues some have been having with the cache wipe not working properly. When announced, I need all reporting this to upgrade and then let us know the results so we have direct confirmation that the issue is closed. This fix is for RSS Pro and RVS Pro 2011 (3.2x versions).

    Thanks in advance
    Mike
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Coldmoon

    Well that sounds like VERY good long awaited news :thumb:

    It appears though it's ONLY for the Pro versions :(

    Will you be incorporating this MUCH needed fix across the Full range ?

    1 - If so when ?

    2 - If not WHY ?

    TIA
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    When I did my experiments, I wiped my hard disk first. The "Wipe All Disk Changes" was selected and virtual mode was set to start with Windows. I checked twice just to be 100% sure. I went to google and chose a cartoon character, like spongebob. I viewed a few pages of images and enlarged a few. I then restarted my computer.

    The second time that I tried this experiment I just left the computer for a while after I restarted it. I went in and did some dishes and came back in 20 minutes or so. So then just to make sure, I restarted it again. I let it set again for another 15 minutes or so. The reason I did this was to absolutely give Returnil plenty of opportunity to wipe the data. So I then unchecked the "Start virtual mode when I start Windows" option and restarted my computer again.

    I then ran Recuva (deep scan) and it appeared that all of the images that I had viewed were there. Several dozen.

    I did this experiment with Returnil active and with Sandboxie with Eraser configured to wipe the leftovers. I deleted the Sandbox so that eraser could wipe. I restarted the computer twice, as before. And guess what. The images were still there. I repeated these experiments on XP, Windows 7, Vista 32 bit, and Vista 64 bit....all with the same results. The reason that I added Sandboxie with Returnil was because it (Sandboxie) failed on its own. But I thought that maybe with Returnil active and Sandboxie/Eraser it might work.

    Only 2 things worked to prevent this. If I am running BCwipe transparent wiping while Returnil is active (but not while inactive), nothing is pulled up when I run Recuva. But BCwipe causes problems with Returnil. So I trashed that idea.

    So I tried these same experiments with Firefox portable running from a USB stick, and in a TrueCrypt folder on my desktop. Recuva is unable to pull up anything with or without Returnil after I run a portable browser. So for now, I am running my browsers from a TrueCrypt folder on my desktop. I assume that a virtual machine would prevent data from collecting and accumulation too, but I really don't know.

    One more thing. I wiped my computer and started virtual mode with "Wipe disk changes" selected. And virtual mode to start upon restart. I collect animated gifs and art and I have many folders that are all organized by category. So I chose a couple of folders and moved them to my desktop. This way I know all of the images and which folder that they belong to. I actually performed about 3 or 4 experiments like this. But the result is that if I wipe a folder, even while virtual mode is enabled, the files will not show up with Recuva. But of course all of the other files are recoverable. So what this proves is that wiping files while the virtual mode is enabled *does* in fact work. However I did not try wiping free space with virtual mode active.

    I love Returnil. But I think that people should know that it in no way gets rid of personal information with "wipe all disk changes" enabled. And it concerns me that people like the Chinese guy that asked about this might have a false sense of security. So I do not know if it is really possible to add a feature like this to Returnil. It may be too much to ask. I don't know much about computers. But I do think that it would be nice if Returnil would perform all of these functions plus do my dishes too.:argh: Or maybe even create a Returnil privacy browser. That would really be cool. Of course Returnil is already very cool. But some additional privacy features like that would be ultra cool.
     
    Last edited: Nov 16, 2010
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi caspian,
    As posted previously, we will be releasing a fix in the next build. We are a bit behind the original estimate, but will hopefully have it available for download sometime next week.

    Mike
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    I read some of this thread, but I didn't have time to read it all. Did Returnil leave any traces behind that did not have to be restored with Recuva? Is this only a privacy issue? If Returnil left traces that did not have to be restored with Recuva then that points to a much bigger problem. That would suggest there is a big security hole leaving room for infection. From what I gathered it appears that this is pointing to a problem with Returnil not secure wiping the cache before reboot. Is this the only issue that has been discovered or is there more to it? Also, does Returnil still have the option for memory cache method? If Returnil does have memory cache method then does it have any effect on system performance vs disk cache?
     
  18. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Yes, this is not a security issue.

    Why? Do you see the Windows Pagefile as a security risk as well? The cache wipe is simply a privacy feature. There was an issue with it not working properly for some and the development team has reported fixing the bug which will be included in the next public release.

    How? Have you been infected by something in the Windows Pagefile? As this would not be possible unless you were to forensically examine the PF, extract something malicious from it, and then activate it; I fail to see where it rises to the level of a security problem. Though different, this is also true of the virtualization cache in RSS/RVS so there is no security issue whatsoever...

    No, the order of the cache wipe in reference to startup or shutdown is irrelevant as far as security is concerned.

    The only issue is that the information tracked within the cache (for those affected) is not wiped at startup. What is there from a previous Virtual Mode session is simply overwritten which is similar to the single-pass overwrite of the cache wipe except the wipe is writing a "1" over the entire cache rather than recording new information to be tracked within a specific area of the available cache space.

    This is only a privacy issue and there will be a fix for it with the next release (as stated already).

    Mike
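
The two behaviours Coldmoon describes in this thread (the cache being overwritten from its start by the next session, and the startup wipe covering only the space reserved for the current session), as a toy model added here; it is not part of any post and is not Returnil's code. The block counts, the `IMG-` markers, the extent positions and the `0xFF` fill standing in for the "1" pattern are all constructed assumptions.

```python
# Toy model constructed for this example; not Returnil's real cache layout.
FILL = b"\xff" * 8    # stands in for the single-pass "1" fill described above
EMPTY = b"\x00" * 8   # free space on a freshly wiped disk


def new_disk(n_blocks):
    """Free space of a freshly wiped disk, one list entry per block."""
    return [EMPTY] * n_blocks


def images(tag, count):
    """Constructed payloads, e.g. b'IMG-A-007', one per disk block."""
    return [b"IMG-%s-%03d" % (tag, n) for n in range(count)]


def run_session(disk, start, reserved, writes, wipe_at_startup):
    """One Virtual Mode session using blocks [start, start+reserved) as cache."""
    if len(writes) > reserved:
        raise ValueError("session wrote more than the reserved cache")
    if wipe_at_startup:
        # The wipe only touches the extent reserved for *this* session.
        for i in range(start, start + reserved):
            disk[i] = FILL
    # Tracked changes fill the cache from the beginning of the extent.
    for offset, payload in enumerate(writes):
        disk[start + offset] = payload


def carve(disk, marker):
    """What a deep scan of free space would find: indexes of blocks with marker."""
    return [i for i, block in enumerate(disk) if block.startswith(marker)]


def overwrite_only():
    """No wipe: session B only overwrites as much of A as it happens to write."""
    disk = new_disk(100)
    run_session(disk, 0, 50, images(b"A", 30), wipe_at_startup=False)
    run_session(disk, 0, 50, images(b"B", 10), wipe_at_startup=False)
    return carve(disk, b"IMG-A")


def wipe_same_extent():
    """Wipe enabled and the cache extent unchanged: nothing of A survives."""
    disk = new_disk(100)
    run_session(disk, 0, 50, images(b"A", 30), wipe_at_startup=False)
    run_session(disk, 0, 50, images(b"B", 10), wipe_at_startup=True)
    return carve(disk, b"IMG-A")


def wipe_after_cache_moved():
    """Wipe enabled but the extent changed: A's blocks outside it survive."""
    disk = new_disk(100)
    run_session(disk, 20, 50, images(b"A", 30), wipe_at_startup=False)
    run_session(disk, 0, 40, images(b"B", 10), wipe_at_startup=True)
    return carve(disk, b"IMG-A")


if __name__ == "__main__":
    for case in (overwrite_only, wipe_same_extent, wipe_after_cache_moved):
        print(case.__name__, len(case()), "blocks of session A recoverable")
```
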
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks Mike. I love Returnil and that particular improvement will certainly be icing on the cake.
     
  20. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    The datestamps on this thread are back mid-November. It's now the end of December. I'm wondering if the update got applied yet and was available in current downloads. When I go to download RSS, it shows:

    rss-3.2.10853.exe

    Does this build include the mentioned update/patch?

    This was for the non-Pro version. I'm not interested in using the TrialPay-like scheme to obtain a Pro version nor in getting the Pro giveaway that would expire after a year and I'd be back to the non-Pro version. From comments here, it appears the update will only be for the Pro version. Is that correct?
     
  21. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    The fix was included quite some time ago and the installer is universal for RSS; meaning that the registration or non-registration dictates what features will be available.

    Mike
     
  22. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    So is the update a "feature" of the non-Pro version? Looking at:

    http://www.returnilvirtualsystem.com/products#compare

    doesn't clue users in whether or not the "wipe disk changes" option is available in which versions. Is it available in all versions (so this update would apply to all versions, including the non-Pro versions)? Or do I have to read the online manuals to determine if this option is only available in which versions? That's why I'm now reading the manuals to see if this option is mentioned in all manuals or only in some of them for some versions.

    I'm also not clear on when the "wipe disk changes" option is usable. Is it only applied if Returnil is configured to load on Windows startup? Or, after a System Safe session and reboot, will the "wipe disk changes" be applied whether or not Returnil is loaded again? Typically I used Returnil on-the-fly (i.e., do NOT configure it to load on Windows startup).
     
  23. VanguardLH

    VanguardLH Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    96
    Well, that won't work. I've only found one online manual and it is for the non-Pro version.

    http://www.returnilvirtualsystem.com/files/manuals/en_us/rss/index.html

    In Chapter 5, Settings, Advanced, it mentions the "wipe disk changes" so supposedly it is a feature available in the non-Pro and Pro versions. It doesn't seem a feature that is dependent on registration or the lack thereof.
     
  24. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    You miss my meaning. The installer itself is universal so is the unregistered free, Free, Trial, and paid Pro versions all in the same installation file. What features are available are determined by the type of license you choose:

    1. Unregistered free = Free as far as features are concerned
    2. Trial = paid for the duration of the trial period and then the software reverts to the Free version feature sets if you do not purchase a full version license.
    3. Paid = all features for the period of the subscription and then reverts to the Free version without license renewal.

    As for product manuals, see the following page:

    http://www.returnilvirtualsystem.com/resource-center

    Mike
     
    Last edited: Dec 29, 2010
  25. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Open Virtual Mode > Settings > Advanced section. If the option to "Wipe all disk changes..." is present and accessible, then it is available. A further indication of a feature's availability is to see the beginning of the description in the manual (see the resources link above) as this will detail what versions of the software support the specific feature/option (Ex: "All versions").

    Mike
     