Where does Sandboxie & Returnil keep data they imaged?

Discussion in 'sandboxing & virtualization' started by spider_darth, Dec 14, 2008.

Thread Status:
Not open for further replies.
  1. spider_darth

    spider_darth Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    82
    Both Sandboxie and Returnil create a virtual space in which data is read and written. But where is this virtual 'space' saved if it doesn't write to our HDD?
     
  2. glentrino2duo

    glentrino2duo Registered Member

    Joined:
    May 8, 2006
    Posts:
    310
    Sandboxie creates a user-specified "Sandbox" folder, default is C:\Sandbox\%USER%\%SANDBOX%

    I believe, by default, Returnil keeps it in the memory and/or PageFile... unless you create a Disk Cache..
     
  3. spider_darth

    spider_darth Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    82
    Which means... data previously written in Sandboxie and Returnil can be retrieved even though we have started a new session?
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi spider_darth,
    I apologize for missing this earlier. Traces can be found using forensics tools and techniques as RVS will simply overwrite previous change traces with each new session. You can use the Advanced option to wipe change remnants in the current 2.01 Beta when using the Disk cache for better privacy results...

    Mike
     
  5. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    With regard to Sandboxie, all data in the sandbox is retained after the program session is ended, unless you open Sandboxie and request that all files in the sandbox be deleted. Alternatively, you can - as I have done - set a preference in the program to empty the sandbox when you exit a sandboxed program (and no other active programs are sandboxed).
     
  6. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Like LenC, I have my sandboxes (except those that I use to test new software) set to autodelete as well. It's an easy setting to make and very convenient.

    But the resulting file deletion doesn't really wipe data from the hard drive; it merely makes it inaccessible to the operating system. Experts can still get the data off the hard drive. So, for those with higher security concerns, Sandboxie also contains a feature that lets you plug in third-party secure deletion software that most likely makes data irretrievable by anyone. I have not used this feature yet, but more information can be obtained here: http://www.sandboxie.com/index.php?SecureDeleteSandbox
     
  7. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    Hey Doodler -

    Excellent point - I wouldn't want to give anyone a false sense of security. I want sandbox files to be deleted primarily to save disk space (and to be neat like my mother taught me:cautious:). Normally, I wouldn't be overly concerned that someone could undelete those files - only because they are not terribly confidential.

    I guess if I have sandboxed files that I am more concerned about from a privacy perspective, I would exit the program and use a file shredding program to render the files unrecoverable - I assume I would be able to do that by locating appropriate folders just using windows explorer.

    (When it comes time to do my taxes for 2008 - I'll be sure that no one can recover files that are riddled with Social Security numbers and other truly confidential information.)
     
  8. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    CCleaner has a secure deletion option with several overwrite settings. http://docs.piriform.com/ccleaner/ccleaner-settings/changing-ccleaner-settings Since I already have CCleaner on my system, for those rare times when I want to make the deletion irretrievable, I do what you described -- i.e., locate the sandboxed folder in windows explorer, drag it into my recycle bin, and shred it via CCleaner's secure delete option.
     
  9. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    @Doodler

    You can just add the Sandbox folder to CCleaner's includes list and enable Custom Files and Folders.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks Mike for that concise, to-the-point clarification on the upcoming beta. I personally favor MEMORY caching as opposed to disk, so I feel more confident that the new feature can only add even more privacy resolution.

    EASTER
     
  11. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Thanks bman. Simple and practical. :) Why didn't I think of that? I'll try it out and check back in if I have any problems.
     
  12. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    For me, deleting files the default Sandboxie way is sufficient, but then I'm the only user on the boxes. It seems to me that some folks have the idea that the whole world is spying on them... a bit of paranoia? :D
     
  13. LenC

    LenC Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    846
    Location:
    CT, USA
    I'm not paranoid - I have real enemies;)
     
  14. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    But, another reason to have an ad hoc process in place to securely delete a sandbox is if one suspects it contains malware. As I understand it, such malware automatically gets backed up by Windows into System Restore if the sandbox is deleted using the conventional Sandboxie Control settings. However, securely deleting the suspicious sandbox via CCleaner, Eraser, SDelete, or some other such program pre-empts Windows from backing up the contents into SR.

    I believe any sandboxed malware backed up into SR is harmless unless it is restored and somehow executed. So my guess is the risk factor is minimal. But, if it can be easily avoided altogether, then that's optimal.

    I suppose another option is to turn off SR, although that has its downside too.
     
  15. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Hi,

    I'm thinking of trying Sandboxie soon and just want to make sure I'm clear on the above.

    If I delete the sandbox using the settings in Sandboxie, the contents of that sandbox will be backed up to system restore(SR), rendering SR unsafe to use.

    If I use Explorer to navigate to the sandbox and securely delete its contents using CCleaner, I can then safely use SR.

    Is this correct?

    I don't use SR much, but I do use it and if using Sandboxie meant I could no longer safely use SR, this would be a major factor in my decision on whether to use Sandboxie or not.


    Thanks.:)
     
  16. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Hello Red, System Restore ignores 'temp' folders, so you can trick it with the Sandbox location;
    [Example]
    C:\Sandbox\%USER%\%SANDBOX%
    Change to:
    C:\Temp\Sandbox\%USER%\%SANDBOX%

    http://sandboxie.com/phpbb/viewtopic.php?p=14656#14656
    Mitch
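
The Sandboxie settings discussed in the thread up to this point (container location, emptying on exit, and a third-party secure-delete command), gathered into one Sandboxie.ini fragment. This is an added example, not part of any poster's message; the SDelete install path and the `TestBox` sandbox name are assumptions.

```ini
# Added example: Sandboxie.ini fragment (not from the thread).

[GlobalSettings]
# Default container location quoted in post 2:
#   FileRootPath=C:\Sandbox\%USER%\%SANDBOX%
# Relocated under C:\Temp, as described in post 16:
FileRootPath=C:\Temp\Sandbox\%USER%\%SANDBOX%

[DefaultBox]
Enabled=y
# Empty the sandbox when the last sandboxed program exits
# (the preference LenC and Doodler describe).
AutoDelete=y
# Hand deletion to an overwriting tool instead of a plain delete,
# per the SecureDeleteSandbox page linked in post 6.
# Assumption: SDelete is installed at this path; adjust to your system.
# -p 3 = three overwrite passes, -s = recurse, -q = quiet.
DeleteCommand="C:\Program Files\SDelete\sdelete.exe" -p 3 -s -q "%SANDBOX%"

[TestBox]
# Constructed second sandbox for trying out new software,
# kept between sessions rather than auto-deleted.
Enabled=y
NeverDelete=y
```

With `DeleteCommand` set, both the automatic delete and a manual "Delete Contents" run the overwriting tool, so no separate trip through Explorer is needed for that sandbox.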
     
  17. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    Thanks Mitch, much appreciated, and thanks too for the link.:)
     
  18. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Good idea, but it may not be quite that simple. I'm wondering about tangent issues with that edit. For instance, CCleaner's default settings result in the deletion of temporary files. So, would not Sandboxie itself be deleted when CCleaner is run unless Temporary Files was unchecked (but that would mean NO temp files would be cleaned) or an exception was made -- Options >> Exclude >> Add Folder >> C:\Temp\Sandbox\%USER%\%SANDBOX% ?
     
  19. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    It's easy enough to test with CCleaner. I don't have it here. You're welcome Red. np.
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    That's what I did; every now and then I give it a CC 7 pass clean.
     
  21. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Ok, I am home now and tested with CCleaner and it does not delete anything from that temp folder, checked all the options in CCleaner. So it should be a good workaround. (Other cleaners may differ.)
     
  22. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Thanks for checking. Interesting results. I would have guessed c:\Temp\Sandbox would be vulnerable to CCleaner with "Temporary Files" checked. Based on your test, apparently not -- but it causes me to wonder what CCleaner looks for when Temporary Files is checked.

    Since I already compulsively use CCleaner each browsing session, I followed bman's suggestion to add my sandboxes to CCleaner's list. I also checked "Add 'Run CCleaner' option to Recycle Bin context menu". So it's a simple right click on the Recycle Bin >> Run CCleaner, and my sandboxes get a secure delete and System Restore is left out of the loop.

    Still, c:\Temp\Sandbox option has my interest too. So many choices....;)

    ***********

    Edit: Curiosity got the better of me, so I reviewed the Piriform/CCleaner web site and found this information related to cleaning of the temp files: Temporary Files - CCleaner will delete the Windows temporary files which are not in use. By default it only removes files that have not been accessed in 48 hours. This can be changed to clean all temp files in the Advanced Settings.

    MitchE323, in your test, does the 48 hours come into play?
     
    Last edited: Jan 12, 2009
  23. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Well, I didn't wait the 48 hours but in the Options > Advanced settings of CCleaner, I unchecked the box that says "only delete those not in use for 48 hours" - so it looks good. Also, if someone is using a different cleaner and finds that folder is deleted I am pretty sure (not 100%) that Sandboxie's "Never Delete This Sandbox" settings would overcome that and not allow the deletion. But as far as CCleaner... all looks good.
     
  24. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    I've just learned that System Restore is different in Vista (which I use) than in previous Windows OSes.

    Does anybody know if the above solutions (to prevent SR from possibly being infected when the sandbox is deleted) would apply or are effective in Vista too?


    Thanks.:)
     
  25. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    If secure delete is of any concern, why not use SBIE in a RamDisk?
    A thread over at the SBIE forum explains how to use it.
    Advantages are: remarkably faster browsing and secure delete, you can't get any better! :D
     