Recoverable traces from a VirtualBox session?
-
Dialxdrop
- Posts: 6
- Joined: 22. Sep 2010, 05:13
- Primary OS: MS Windows XP
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP
Recoverable traces from a VirtualBox session?
There is a program called Sandboxie which traps all your activities into a sandbox. These Sandboxie sessions are recoverable from the standard deleting of the sandbox. The only way to make the session untraceable is to securely wipe the sandbox contents.
Now if I were to start a VirtualBox session, turn it off and restore the previous snapshot, would anything in that session be recoverable?
For example:
Let's say I start up a VirtualBox session and inside my VM I create a few document files using Microsoft Office. I would then turn off the session and restore to the last snapshot. (Which in theory should erase all the contents of that session.)
Now would these documents be recoverable using file recovery programs, or would terminating a session pretty much securely wipe all the history and contents?
-
Dialxdrop
- Posts: 6
- Joined: 22. Sep 2010, 05:13
- Primary OS: MS Windows XP
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP
Re: Recoverable traces from a VirtualBox session?
A better angle to look at this would be to understand whether or not the session data is saved onto the hard disk, which most likely means the session and contents CAN be recovered.
Whereas if the session was purely in memory, it would just "evaporate" and all the session contents would be wiped forever?
This is from my understanding and I am not 100% sure... Anyone know for sure?
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Recoverable traces from a VirtualBox session?
What kind of tools does the technician doing the recovery have? If you are talking about Forensic recovery then yes, the content of your discarded current state is recoverable by an expert, at least in part (and probably in large part, if the deletion was recent). Basically the deleted difference file can be recovered from the host like any other deleted file, then it and the parent image(s) can be used to piece together a likely complete image.
If you are talking about Joe Smoe with off the shelf tools then it can't be done AFAICS.
-
Dialxdrop
- Posts: 6
- Joined: 22. Sep 2010, 05:13
- Primary OS: MS Windows XP
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP
Re: Recoverable traces from a VirtualBox session?
mpack wrote: What kind of tools does the technician doing the recovery have? If you are talking about Forensic recovery then yes, the content of your discarded current state is recoverable by an expert, at least in part (and probably in large part, if the deletion was recent). Basically the deleted difference file can be recovered from the host like any other deleted file, then it and the parent image(s) can be used to piece together a likely complete image.
If you are talking about Joe Smoe with off the shelf tools then it can't be done AFAICS.
So what you are saying is that during a VirtualBox session, it is being saved in real time onto the hard disk vs memory?
Then, as you have stated above, this would mean that the session is recoverable.
Now if that is the case, is there any way to make the sessions not use the hard disk but to only use memory so it would evaporate without any traces?
But what if I were to do a system encryption on the VM, would this make any difference in the session recovery?
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Recoverable traces from a VirtualBox session?
Dialxdrop wrote: So what you are saying is that during a VirtualBox session, it is being saved in real time onto the hard disk vs memory?
Yes, if you are using any of the variations on the difference disk idea.
Dialxdrop wrote: Now if that is the case, is there any way to make the sessions not use the hard disk but to only use memory so it would evaporate without any traces?
The alternative media would potentially need the same amount of space as the base drive it shadows, so no, I don't know of a practical method. If you need to emulate the storage capacity of a hard disk drive then nothing quite fits the bill like a file on an actual hard disk drive. If you emulate a small drive then I suppose you might consider locating the difference file in a RAMdisk, but that may not leave much RAM for the host OS. Depends on the PC I suppose.
-
ripjacker
- Posts: 9
- Joined: 22. Sep 2010, 18:38
- Primary OS: Other
- VBox Version: OSE other
- Guest OSses: win98
Re: Recoverable traces from a VirtualBox session?
I don't know how Linux works, but anything you put in memory on Windows is probably going to be written to the virtual disk anyway.
Microsoft have gone to extreme lengths to ensure there are a myriad of copies, links and unnecessary "logs" all over your system.
You might want to wonder why, when a simple folder structure would keep all relevant data in one simple-to-delete tree.
The "wondering why" bit is what people never bother with. Pity really.
It's not just a matter of "history" as some would have you believe. There is a deliberate policy at work.
Their entire operation now reeks of organised international corporate hacking in everything they do.
The only real way to have a secure system (as you aren't allowed by law to have encryption that actually works) is to understand how
these things work and find ways around them yourself.
Learning to low-level format your hard drives is a prime skill for the very secure minded and would make a first step.
If this sounds paranoid - it isn't. Just simple fact anyone can verify.
What I suggest you do if you really want this is to have an external hard drive with a bit-copied clone of your clean running drive on it.
Do your VM work and copy your data to a third external destination.
Low-level format your hard drive, then use a repeat shredder to clean up the sidewalls.
Then do a bit copy of your clean system back off the external drive.
Of course the data on your third drive is unprotected, which is a shame. If you could get hold of an early
copy of PGP BEFORE it was tampered with by law you could do a pretty good encryption job though.
You can have security, but the first thing to remember is the companies selling it to you are providing
you with exactly the reverse.
The word "firewall" is now a sick joke for instance.
Most people think these things don't matter. Until they find they have a mortgage and debts they never even heard
of and are about to be arrested for crimes they have no knowledge of.
After all "they" don't have anything to hide. Do they?
"To help you remember your password please state your mother's maiden name" ... the first chink in the wall...
-
Dialxdrop
- Posts: 6
- Joined: 22. Sep 2010, 05:13
- Primary OS: MS Windows XP
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP
Re: Recoverable traces from a VirtualBox session?
ripjacker wrote: What I suggest you do if you really want this is to have an external hard drive with a bit-copied clone of your clean running drive on it.
Do your VM work and copy your data to a third external destination.
Low-level format your hard drive, then use a repeat shredder to clean up the sidewalls.
Then do a bit copy of your clean system back off the external drive.
Of course the data on your third drive is unprotected, which is a shame. If you could get hold of an early
copy of PGP BEFORE it was tampered with by law you could do a pretty good encryption job though.
Hey thanks, that is actually a really good idea. Now instead of an external HD I am going to use an encrypted mounted drive. (TrueCrypt)
So I am assuming that the session worked save goes to the default machine folder? So basically I would change that location to the encrypted mounted drive (or the external HD), is this correct?
-
Dialxdrop
- Posts: 6
- Joined: 22. Sep 2010, 05:13
- Primary OS: MS Windows XP
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP
Re: Recoverable traces from a VirtualBox session?
In terms of file recovery, is there a difference between dynamically expanding storage vs fixed-size storage?
I am currently using dynamic size + running my sessions off of snapshots, and I noticed that during my session the file sizes of the VDI or snapshots etc. don't change... so this leaves me confused as to where the actual hard disk writing is actually taking place. Although I am assuming that regardless of dynamic or fixed-size storage, all the hard disk writing is taking place in the default machine folder and nowhere else, is this correct?
So basically, regardless of dynamic or fixed, as long as I have saved the machine folder to the encrypted mounted drive, as soon as I dismount, my session would be untraceable and there would be no other traces anywhere else on my PC?
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Recoverable traces from a VirtualBox session?
Be warned that relocating the working virtual image to an external drive can result in terrible performance, if it's a USB drive, and/or if it's a flash drive. A real HDD on an e-SATA connection is allegedly very good, but I've never used one.
In answer to your other questions: a fixed-size drive is easier to recover, but to someone willing to write their own tools and invest a bit of time, the extra difficulty of recovering a dynamic plus snapshotted drive will not be much of an obstacle: especially if the goal is extraction of files instead of complete recovery to a working drive state.
The current state of a differencing image only gets larger if the OS writes to areas of the disk it hasn't written to already since the current state file was created.
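The two mechanisms mpack describes in this thread, a differencing image that only grows on the first write to a previously untouched block, and a discarded current state that is an ordinary deleted file on the host unless its bytes were overwritten, can be modelled in a few dozen lines. The following is an added illustration, not VirtualBox's own code or its real VDI format; the block size, the flat "index + block" layout, the toy host filesystem and the file path are all constructed assumptions. The point for a defender is the last function: an ordinary delete leaves the guest's data in unallocated host space, while overwriting before deletion (or keeping the machine folder on an encrypted volume, as the thread goes on to discuss) is what actually removes it.

```python
"""Toy model of a copy-on-write differencing image and of what 'discarding'
it leaves behind on the host. Constructed example; not VirtualBox code."""

BLOCK = 512  # bytes per block; a constructed toy value, not VirtualBox's real granularity


class BaseImage:
    """Read-only parent image (the snapshot's base): a fixed-size disk, zero-filled."""

    def __init__(self, n_blocks):
        self.data = bytearray(n_blocks * BLOCK)

    def read(self, block):
        return bytes(self.data[block * BLOCK:(block + 1) * BLOCK])


class DiffImage:
    """Differencing image ('current state') layered over a parent.
    A block is allocated in the diff the first time the guest writes it;
    later writes to the same block reuse that slot, so the file only grows
    when a block not yet touched since the diff was created is written."""

    def __init__(self, parent):
        self.parent = parent
        self.blocks = {}  # block index -> bytearray(BLOCK)

    def read(self, block):
        if block in self.blocks:
            return bytes(self.blocks[block])
        return self.parent.read(block)

    def write(self, block, data):
        assert len(data) <= BLOCK
        if block not in self.blocks:
            # copy-on-write: seed the slot with the parent's content
            self.blocks[block] = bytearray(self.parent.read(block))
        self.blocks[block][:len(data)] = data

    def size(self):
        return len(self.blocks) * BLOCK

    def serialize(self):
        """Toy on-disk layout: 4-byte block index followed by the block's bytes."""
        out = bytearray()
        for idx in sorted(self.blocks):
            out += idx.to_bytes(4, "little") + self.blocks[idx]
        return bytes(out)


class HostDisk:
    """Toy host filesystem: a flat byte area plus a directory.
    delete() only drops the directory entry, like an ordinary OS delete;
    secure_delete() overwrites the file's bytes before dropping the entry."""

    def __init__(self, size):
        self.storage = bytearray(size)
        self.directory = {}  # name -> (offset, length)
        self.next_free = 0

    def save(self, name, payload):
        off = self.next_free
        if off + len(payload) > len(self.storage):
            raise OSError("host disk full")
        self.storage[off:off + len(payload)] = payload
        self.directory[name] = (off, len(payload))
        self.next_free = off + len(payload)

    def delete(self, name):
        del self.directory[name]

    def secure_delete(self, name):
        off, length = self.directory.pop(name)
        self.storage[off:off + length] = bytes(length)

    def residue_contains(self, marker):
        """Defender's check: is the marker still present in raw host storage?"""
        return marker in bytes(self.storage)


def diff_growth_sequence():
    """Diff size after: first write to block 3, rewrite of block 3, first write to block 7."""
    diff = DiffImage(BaseImage(16))
    sizes = []
    diff.write(3, b"first write")
    sizes.append(diff.size())
    diff.write(3, b"overwrite same block")
    sizes.append(diff.size())
    diff.write(7, b"new block")
    sizes.append(diff.size())
    return sizes  # [512, 512, 1024]


def restored_view_is_clean():
    """Restoring the snapshot = a fresh diff over the base: the guest sees zeros again."""
    base = BaseImage(16)
    session = DiffImage(base)
    session.write(5, b"document written during the session")
    fresh = DiffImage(base)  # the guest's view after 'restore snapshot'
    return fresh.read(5) == bytes(BLOCK)


def discard_leaves_residue(secure):
    """Does the guest's data survive on the host after the current state is discarded?"""
    host = HostDisk(64 * 1024)
    diff = DiffImage(BaseImage(16))
    marker = b"CONFIDENTIAL-DOC-CONSTRUCTED"  # constructed sample content
    diff.write(5, marker)
    path = "VirtualBox VMs/example/Snapshots/{uuid}.vdi"  # placeholder path
    host.save(path, diff.serialize())
    if secure:
        host.secure_delete(path)
    else:
        host.delete(path)
    return host.residue_contains(marker)


if __name__ == "__main__":
    print("diff sizes:", diff_growth_sequence())
    print("guest view clean after restore:", restored_view_is_clean())
    print("residue after ordinary delete:", discard_leaves_residue(secure=False))
    print("residue after overwrite + delete:", discard_leaves_residue(secure=True))
```

The guest's view and the host's storage are the two things to keep apart: restoring the snapshot makes the guest see a clean disk, but that says nothing about the bytes of the discarded differencing file still sitting in the host's unallocated space.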
-
ripjacker
- Posts: 9
- Joined: 22. Sep 2010, 18:38
- Primary OS: Other
- VBox Version: OSE other
- Guest OSses: win98
Re: Recoverable traces from a VirtualBox session?
Dialxdrop wrote: So I am assuming that the session worked save goes to the default machine folder? So basically I would change that location to the encrypted mounted drive (or the external HD), is this correct?
No, that would not be secure.
You need to have a totally blank space and a clean install running. Do your work and copy the data off. Then low-level format and put
your previous system back on. You may want to clear the BIOS flash and any other motherboard/card memory while you're at it and
ensure you don't have any RAM sticks etc. plugged in while you are working. You must not use an internal drive.
Windows is specifically designed to make secure computing impossible if you don't do it this way.
TrueCrypt is not very good encryption - it's not allowed to be by law. Hence my PGP comments.
If you just want to stop the guy down the street reading your data it's probably fine for now though.
If you want to prevent commercial espionage or any other determined attempt, you are not allowed by law to buy
encryption that will work, so you'd better buy a good metal safe and keep your entire machine (remember flash RAM?)
inside it and the combination in your head.
In some situations that's all paranoid of course. In others it would be minimum procedure.
It just depends on who you are and what you're doing.
-
ripjacker
- Posts: 9
- Joined: 22. Sep 2010, 18:38
- Primary OS: Other
- VBox Version: OSE other
- Guest OSses: win98
Re: Recoverable traces from a VirtualBox session?
To start with get yourself a copy of PartedMagic with a copy of clonezilla built in.
Work out what you can do with that and I think you'll get the basic idea.
I'd suggest you never install Linux with any of the recent releases however.
It seems they upload your data to someone else's computer (commonly known as criminal hacking)
without even notifying you. Use a Linux host at least 12 months old for this.
I have now removed Linux from all my machines as the developers can't be trusted
anymore.