Why wipe Sandboxie

I have Sandboxie configured with eraser to wipe "something" when I delete the sandbox.But what is that "something"? What is it that is left and what types of information can be recovered from it?

 

Does anyone here have any idea what Sandboxie leaves behind that needs to be wiped?

 

ordinary info like it is left behind any other prog, that can be simply deleted but using the term wipe is more potent

 

The reason I do it is to definitively kill any malware that might have snuck in the sandbox. Delete the sandbox, delete all bad stuff...

 

Simply deleting the contents of the sandbox, leaves electronic traces of the files (browser cache, etc) on the disk which could potentially be recovered using forensic tools designed for the purpose. Wiping the contents of the sandbox prior to deletion by first overwriting them, using a secure deletion utility such as SDelete or Eraser, prevents any possibility of recovery later.

Not really a security issue in the malware sense, more of a privacy issue to prevent any evidence of a browser session (for example) remaining on disk.

 

The way it was explained to me was that a normal delete just changes a flag indicating that the portion of the hard disk occupied by the file is now available for other use. The file contents are otherwise unchanged.

A more stringent deletion process actually over-writes the file contents with gibberish.

 

But wouldn't just simply deleting the sandbox toss the malware out of the picture?

 

Ah ha! So the files would not be there and the contents of the files would not be recoverable, but the file names and a list of internet searches could be seen. Is this correct?

Lets say that someone (like my Mother) sends me one of those power points with the music and the pretty pictures. I open and view it but never recover it. I then delete the sandbox. So the actual music files and stuff would no longer exist anywhere, as they would had I recovered the power point and deleted it from my desktop. But there would still be a little file left that may contain the name of the power point and info that shows I went to Yahoo or wherever. Is this the way it works?

 

No, not really. It's as vasa1 says. Deleting a file just marks it as deleted within the Windows file system so that the space occupied by the file can be reused. The file itself remains on disk but no longer catalogued as active by Windows. Over time the file gets overwritten as Windows reallocates the disk sectors it occupied but fragments of a deleted file can persist for sometime until all of the disk sectors it occupied have been reallocated to other files.

Normal deletion means that all of the files within the sandbox initially still exist on disk when the sandbox is emptied, and this includes the browser cache which stores images viewed during web browsing, downloaded files, etc. Although these files will over time get physically destroyed as Windows starts to overwrite the disk sectors they occupy, it may still be possible to recover a substantial portion of them sometime after they have been deleted. Using special tools that bypass the Windows file system and examine the disk directly, it may be possible to see what images you've been viewing, files you've been downloading, etc.

It's a bit like throwing unwanted bank statements, personal correspondence, etc, in the rubbish bin without first shredding them. Anybody who went through the contents of the bin would be able to piece together quite a lot of information about you.

Unlike normal deletion via Windows, a secure deletion utility such as SDelete or Eraser deletes files by overwriting them with garbage in order to prevent any part of them from being recovered later. Emptying the sandbox by wiping (i.e shredding) the contents using a secure deletion utility is a privacy measure that prevents the possibility of anything within the sandbox from being recovered later.

 

I guess I have completely misunderstood Sandboxie. I thought that nothing touched the hard drive when using Sandboxie.. I thought that it used virtual memory or something. So what you are saying is that all of the images and stuff are still there in the system and on the disk when the sandbox is deleted, just as they would be if you had used an ordinary browser?

 

Yes, exactly!

The sandbox is nothing more than a folder on the disk (default location C:\Sandbox). Sandboxie intercepts all changes to the file system and registry and writes them to the sandbox folder in order to contain and isolate them within the sandboxed environment. The programs running in the sandboxed environment are of course unaware of this redirection as Sandboxie creates the illusion that they are making the changes within the real file system outside of the sandbox folder.

The whole process is clearly described on the Sandboxie website: http://www.sandboxie.com/

 

For a person like me with a very limited understanding of how computers work, the website is not very clear. But your description is the best I have seen. I truly appreciate it. Thanks. And thanks to all of the other people who responded. It has been very helpful.

 

You're most welcome.

Regards