Returnil the page file & security/privacy

Discussion in 'Returnil releases' started by chris1341, Dec 30, 2008.

Thread Status:
Not open for further replies.
  1. chris1341

    chris1341 Guest

    I have been using Returnil for some time now and am very pleased with it. However I've recently switched from disc cache to running (as I thought anyway) from memory.

    I've been advised that in actual fact most of the changes are not stored in RAM but in the pagefile. It's caused me to consider the content of this file more closely than I have before. Before deciding what to do can someone advise:

    1. Is Returnil without disc caching reliant on the pagefile? If so does that mean the pagefile cannot be turned off if you want to use Returnil?

    2. What, if any privacy/security issues are associated with the pagefile? Can malware survive in it? Can privacy related data be recovered from it?

    3. What performance issues accrue from turning the pagefile off?

    I have changed the registry settings to delete the pagefile at shutdown but it slows shutdown significantly.

    On this set-up I have 4 GIG (2 x 2 core duo) RAM and T9300 processor.

    Would have gone to CastleCops with this one normally but alas no more.
    Any help from the experts at Wilders would therefore be much appreciated.

    Thanks
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Re: Returnil the page file & security/privacy

    Hi Chris :)

    No, RVS is not dependent upon the pagefile while in memory caching mode. There should not be any issues but you should test this configuration and let us know if there are and we will investigate.

    Forensically, there are implications to the pagefile as Windows does not wipe it by default. Windows writes to the file continuously until you restart your computer or run out of disk space. When you restart, Windows simply starts writing to the file at the beginning, overwriting anything that was there previously but does not wipe what was there previously. This means that it is possible to discover information before that content is overwritten.

    You can relax however regarding malware as it is impossible for the user to access the file while it is being used by Windows (Ex: see your latest AV scan report to see that the AV could not open the pagefile because it was in use by another program...). This means that malware would not be activated from within the pagefile. Think of the pagefile as a "stream of consciousness" trash can...

    The pagefile can become very large and as a result, it may significantly affect the shutdown performance of your system when deleting it (Ex: try deleting a 20+ MB file from your Recycle Bin in Win Vista and you will get a good feeling for the time this may take Windows...). Additionally, if you use the cache wipe option when using the Disk caching mode in RVS, your shutdown time may be longer depending on the amount of changes RVS had to track during the current boot session and the physical speed of your HDD.

    Mike

    Edit: clarification
     
  3. chris1341

    chris1341 Guest

    Re: Returnil the page file & security/privacy

    Thanks Mike,

    I'll try running without pagefile and advise if there are any issues.

    Cheers
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Re: Returnil the page file & security/privacy

    Chris,

    Mike has clarified this in the past, but didn't with your particular question. While RVS may not be dependent on the pagefile, it DOES leave a large deleted (not wiped) file that he has admitted (to his credit) can be examined forensically, and info on the previous sessions can be retrieved from this file. So, while your question mentioned the pagefile, I think it had more to do with privacy than anything. No worries about malware, as he said, but privacy is another question altogether. Of course, you're perfectly safe if you're keeping things hidden from your children or something, but I don't know the threat model you are under. If you're trying to keep info from the Chinese government or something, that big file is on your disk - even though you used memory caching.

    At any rate, it's a great piece of software.
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Re: Returnil the page file & security/privacy

    Hi Gerard :) and thanks as I missed that possibility in my reading of the original question. You are correct that remnants will remain and can be found using advanced techniques and tools.

    We have added a cache wipe in the 2.01 Beta series that should help. The option is included in the Advanced options menu (Main status screen > Advanced section).

    I did brush the subject but did not expand on it - apologies for any confusion:
    Mike

    Edit: Clarification with quotation
     
  6. chris1341

    chris1341 Guest

    Re: Returnil the page file & security/privacy

    Thanks Gerard. I agree it's excellent, and as I use it primarily as an anti-malware programme the privacy issues are not really at the forefront of my reasons for using it; they were, though, I believed, an added bonus.

    I was (and believe others are as well from posts over this and other forums) under the impression memory caching meant just that and that no data was written to the hard drive.

    It's suggested a few other questions (sorry Coldmoon!)

    1) What impact do wiping utilities such as EE or Cyberscrub have when Returnil session lock is on? Will the Firefox browsing cache (presumably written in this deleted file Gerard mentions or stored in memory) be overwritten by the wiping utility or is it simply a waste of time with session lock on?

    2) Is a better solution to wipe the free space and slack with Returnil off?

    3) How stable is the beta version that includes cache wiping on Vista? What wiping method is used and is there any post wipe check?

    Again any help would be appreciated.

    Thanks
     
  7. chris1341

    chris1341 Guest

    Re: Returnil the page file & security/privacy

    Unusually no response from Coldmoon on these. Anyone aware of where I might get the answers to these?

    Thanks
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Chris,
    Sorry for missing your original post on the 31st.

    No need to apologize to me; rather I should apologize for not being clearer in my replies. The reason we call it Memory caching is that it does have to make use of the disk in a temporary way for the "heavy lifting" but RAM is where the important work takes place. Just from a physical perspective, you cannot clone an 80 GB file with less than 3 GB available at any given time on most x32 systems for example. As available RAM goes up in the future however, there will be less and less need for assistance from the disk drive to make it happen...

    1) It would be a waste of time. This also applies to attempting to perform a defrag on the System Partition while protection is on. The best advice here is to schedule a maintenance day to perform these tasks - perhaps on the same day that Microsoft releases the monthly patches...

    2) Yes, as above, if we are discussing the System Partition you are wasting your time trying to do that. Again, use the concept of a maintenance day to perform these tasks.

    3) Extremely stable :D :cool: But keep in mind that it is a Beta and unexpected things can still happen when using a Beta. If you are not comfortable running Beta software you should wait for the final release version unless that Beta is the only way to resolve an issue you are having.

    The cache wipe uses a single pass, random sector overwrite at system shut down.

    Mike

    Edit: Grammar
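
    The following is an added example written for this page; it is not code from the thread, from Wilders, or from Returnil. It illustrates two points raised above: Mike's description (post 2) of Windows restarting its pagefile writes at the beginning of the file, so anything beyond the newly written region from an earlier session stays recoverable to a string carver, and the single-pass random overwrite plus the "post wipe check" Chris asked about (posts 6 and 8). The file, page size, secrets and offsets are all constructed in a temp directory; they stand in for a real pagefile.sys, which a user-mode program cannot open while Windows holds it.

```python
"""Added example, not from the thread and not Returnil's code: how a pagefile
remnant looks to a string carver, why a "restart" leaves the tail of the file
recoverable, and a single-pass random overwrite with a post-wipe check.
All data is constructed in a temp directory (Python 3.9+)."""
from __future__ import annotations

import os
import re
import tempfile

PAGE = 4096  # assumed page size for the constructed pagefile
# Constructed secrets standing in for browser history that was paged out.
OLD_SECRET = "https://intranet.example.invalid/payroll?employee=chris1341"
NEW_SECRET = "https://mail.example.invalid/inbox"


def carve_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of >= min_len characters,
    the cheap technique forensic tools apply to pagefile/hiberfil dumps."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    # Windows keeps most text as UTF-16LE: each printable byte then 0x00.
    utf16_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    found = [m.group().decode("ascii") for m in re.finditer(ascii_pat, data)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(utf16_pat, data)]
    return found


def write_at(path: str, offset: int, payload: bytes) -> None:
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(payload)


def simulate_session(path: str, secret: str, pages_used: int) -> None:
    """Stand-in for one boot session: writing starts at the beginning of the
    file and only the pages actually needed are touched, so pages beyond
    pages_used keep whatever the previous session left there."""
    write_at(path, 0, b"\x00" * (pages_used * PAGE))
    write_at(path, PAGE // 4, secret.encode("ascii"))
    write_at(path, (pages_used - 1) * PAGE, secret.encode("utf-16-le"))


def wipe_file(path: str) -> int:
    """Single pass of random data over the file in place, then fsync.
    Returns bytes written. Caveat: on SSDs, journaled or copy-on-write
    filesystems, and with Volume Shadow Copies, the old blocks can survive
    elsewhere; this only overwrites the logical file contents."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            chunk = min(remaining, 1 << 20)
            f.write(os.urandom(chunk))
            remaining -= chunk
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_wiped(path: str, secrets: list[str]) -> bool:
    """Post-wipe check: none of the known secrets survives in either encoding."""
    with open(path, "rb") as f:
        data = f.read()
    return not any(
        s.encode("ascii") in data or s.encode("utf-16-le") in data for s in secrets
    )


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pagefile.sys")
        with open(path, "wb") as f:
            f.write(b"\x00" * (16 * PAGE))
        simulate_session(path, OLD_SECRET, pages_used=16)
        with open(path, "rb") as f:
            before = carve_strings(f.read())
        simulate_session(path, NEW_SECRET, pages_used=8)  # the "restart"
        with open(path, "rb") as f:
            after_restart = carve_strings(f.read())  # OLD_SECRET still in the tail
        written = wipe_file(path)
        wiped_ok = verify_wiped(path, [OLD_SECRET, NEW_SECRET])
        os.remove(path)
    return {"before": before, "after_restart": after_restart,
            "bytes_wiped": written, "wiped_ok": wiped_ok}


if __name__ == "__main__":
    r = demo()
    print("session 1 remnants:", r["before"])
    print("after restart:     ", r["after_restart"])
    print("wiped", r["bytes_wiped"], "bytes; known secrets gone:", r["wiped_ok"])
```

    The carve after the simulated restart still returns the first session's URL because only the first eight pages were rewritten, which is the behaviour Mike describes. The post-wipe check is deliberately a known-plaintext test rather than "no strings found", since random fill will always produce some accidental printable runs. Deleting the file afterwards adds nothing for privacy on its own; the overwrite is what matters, and even that only covers the logical file, not stale copies held by the filesystem journal, shadow copies or SSD wear levelling.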
     
  9. chris1341

    chris1341 Guest

    Thanks Mike, Beta version is great and running very well.

    I'll also take on board the maintenance day idea.

    Cheers
     
Thread Status:
Not open for further replies.