Wiping traces of the system virtualization

We know that Sandboxie has a feature where it is possible to set up Eraser or SDelete to securely erase the contents of the sandbox.

I wonder would it be possible to configure Eraser to wipe everything from a system virtualization session of Returnil or Shadow Defender?

I know everything is gone on reboot but I suppose it's just deleted and not securely erased and it must end up somewhere on the disk, therefore a forensic analysis could reveal traces of the previous session (correct me if I am wrong).

Can anyone point out where exactly system virtualization progs keep their tracks and how could they be wiped?

 

You need an professional cleaning utility like CyberScrub Privacy Suite v5.1 that also wipes the free space, shadow copies, and Master File Table to mention an few.
This program is very powerful and very professional. Custom wipes for sensitive areas is one of CyberScrubs prime features:

Main features:
http://www.cyberscrub.com/products/privacysuite/

More features:
http://www.cyberscrub.com/products/privacysuite/features.php


HKEY1952

 

Currently Returnil has a 'Erase Change Remnants' option if you use drop all changes and disc caching. This uses a one pass random pattern to overwrite the Returnil container that stores all the session changes.

Remember the page file and hyberfil are not cloned by Returnil so they would need to be wiped too.

You can also consider memory caching that stores the changes in memory (with some limited disc writes if memory cannot cope that are deleted at the end of the session). Again page file and hyberfil are not cloned so they would need to be wiped along with a free space wipe to overwrite any disc write that might have taken place.

The new beta version has some form of dynamic memory/disc caching routine rather than offering you the choice between the 2 but again you can use 'Erase Change Remnants' option.

Not sure about the other vitualisation progs but if they have deleted the changes wouldn't a free space wipe be enough?

Cheers

 

To further elaborate on chris1341 post re the new Beta Returnil 2010 see screen shot below. I personally have found the current beta to be extremely stable so far.

 

Yes, I had a license for CyberScrub Privacy Suite, but when I wanted to upgrade it it just didn't work. I even paid again for the renewal (although I didn't have to as upgrades are free for one year), but I couldn't register it. The customer support is non-existant (no contact email), so eventually I had to ditch the program I paid twice for.

It's a shame this otherwise good program is ruined by lousy businnes policy.

 

Chris, thanks for the useful reply.

Does anyone know if ShadowDefender has similar feature?

 

i think imaging is a way of virtualizing so to speak and its erased completely amiright?
your motives to this question arouse suspicion to me

 

Deleted and erased is not the same thing.

So, I am a suspect. Like anyone using Eraser, CCleaner etc...

 

dont want to sound like a bit of a dick but, if my parents saw my history, they wouldnt be that happy, but most teenagers do that and its not illegal, however wiping your disk of forensic examination seems like some one is up to some no good. just what it seems like from here is all...

 

Not necessarily.....Wiping the free space with the proper tool can also wipe the Master File Table of orphaned files.
The Master File Table stores an one kilobyte link to every file on the hard drive, deleting files does not delete the one kilobyte link.
Over time the Mater File Table can become bloated with orphaned files and is one of the contributing factors of Windows slowing down over time.
The slow down occurs because of fragmentation of the Master File Table. The Master File Table will expand as needed to house the one kilobyte files,
the fragmentation occurs because by default there is not enough free space within the Master File Table, and the Master File Table will never contract its self.
Wiping the Master File Table of orphaned files provides some free space for new files, however fragmentation still occurs. The solution to this is:

01)- Use an special tool such as Diskeeper to expand the Master File Table in accordance to Microsoft standards to provide more free space within the
Master File Table. This is called Padding the Master File Table.

02)- Use an special tool such as Diskeeper to perform an Boot Time Defragmentation. The Boot Time Defragmentation will Defrag the Master File Table.
The added free space provided by Padding the Master File Table will insure an through defragmentation of the files.

03)- Wiping the free space also removes file slack, file slack is the unused portion of an sector that contains deleted data unrelated to the active data occupying
the sector. This can play heavy on file fragmentation, and in rare cases cause Cross-Linked Files.


HKEY1952

 

You could set Sandboxie's container folder within a ramdrive then there should be no need for any secure deletions.

 

Can you give specific instructions on how to do it, please?

 

Here I use Gavotte Ramdisk with GUI

Depending on how ram you have and what type of surfing you do will detemine how big the ram drive should be.

Here 128 or 256 meg is suffice even though I have created a ram drive up to 2 gig on occasion.

Once it's created open Sandboxie's Control and go to Sandbox - Set Container Folder.

 

I haven't used those two apps you mention, but if neither allow the invocation of a 3rd party deleter, you could try a batch file command to wipe the particular files using Eraser. Eraser has scheduled erasing but it is for specific times/daily/weekly. I'm not experienced with batch files but I imagine you could use it as a command prompt to wipe as an when needed.

The ramdrive Franklin posted is the one I use for Sandboxie. The max you can go with a ramdrive is 1/4 of your ram size - and if you ever download quite large files it's worth going max. I once made the mistake of downloading UBCD in the ramdrive sandbox and of course it ran out of space at 500mb.

 

Franklin and Keyboard_Commando,

thanks for the advice.

 

Wiping the free space does no good when using Returnil. Returnil is always running. The only way that it might help is to turn Returnil OFF on reboot and then wipe the space. However, I don't believe that would even work as the Returnil .dat file is always there and can't be deleted without breaking the program. Returnil's developers have the best method which involves more than we've talked about here. Returnil was meant to be simply a security program and they are doing good by taking it a step further as a privacy application as well. I applaud them for taking on the challenge.