#1 2010-10-03 16:53:20

jwhendy
Member
Registered: 2010-04-01
Posts: 621

[SOLVED] Virtualbox for private network use?

Hi,


If one used VirtualBox with some guest OS for online/blogging anonymity, would there be any "spill over" into the host OS? I realize the IP might be known, but I just mean would any cache, other communication, etc. be occurring between the guest and host OS regarding the actual browser/history/logging data occurring in the guest?

Perhaps another way to put it: if x occurs in guest OS and the VirtualBox virtual image file is removed... would any signs of x exist in the host OS? Or is it completely contained in the .vdi file?

If it is not contained, what spills over?


Thanks.

Last edited by jwhendy (2010-10-03 21:27:23)

#2 2010-10-03 17:22:56

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Re: [SOLVED] Virtualbox for private network use?

My understanding (but I am not an expert in security): all external sites will be able to find your real IP. The host OS might log internet connections, in which case they can be read in the logs of your host OS (this is common for inbound connections, not for outbound connections). You might find traces in your host OS cache. Moreover, even if you delete a file (the hard disk of your guest OS or any other file), traces of it may remain. Usually, the file is not physically deleted but the space is simply marked as empty for new data. Tools exist to recover deleted files. Deleting a file permanently is not an easy thing. You might use "shred" (that physically writes random 0s and 1s over the file several times to be sure that no trace remains). This works well if you shred a whole partition, but for a single file, traces may remain if you use a journalling filesystem (such as ext3, ext4 but not ext2).

#3 2010-10-03 17:34:50

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Re: [SOLVED] Virtualbox for private network use?

@Olive:

Thanks. I was mainly getting at the remnants of virtualbox file question. If I were using a public wifi spot, I would not be worried about IP issues, though I suppose I could use TOR and have VirtualBox use that as well from my home.

My understanding is that unless ext3/4 are configured to use journaling, shred works the same as in ext2. I have seen this on a few different sites, like this one: http://ubuntuforums.org/archive/index.p … 11007.html

So, I guess this has expanded into three questions:
- Is the IP discoverable via guest OS: answer (as I already thought) is yes
- Is actual activity (sites, history, DNS info of sites visited, downloads) recorded in host OS? Unsure on this still
- If the previous question is NO, will shred/wipe/secure-delete of the .vdi erase all signs of whatever network activity took place in the guest OS? Answer depends on #2, but if that is taken care of, it appears that shred will work on ext4 very well.

What do you think of these expanded thoughts? Thanks for the input.

#4 2010-10-03 17:45:08

skunktrader
Member
From: Brisbane, Australia
Registered: 2010-02-14
Posts: 1,543

Re: [SOLVED] Virtualbox for private network use?

jwhendy wrote:

- Is the IP discoverable via guest OS: answer (as I already thought) is yes

Try visiting this site from a browser in the VM: http://www.whatismyip.com

#5 2010-10-03 18:21:51

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Re: [SOLVED] Virtualbox for private network use?

jwhendy wrote:

@Olive:

Thanks. I was mainly getting at the remnants of virtualbox file question. If I were using a public wifi spot, I would not be worried about IP issues, though I suppose I could use TOR and have VirtualBox use that as well from my home.

The wifi spot might record the MAC address of your wireless card (this could possibly be changed though; it must depend on your card).

jwhendy wrote:

My understanding is that unless ext3/4 are configured to use journaling, shred works the same as in ext2. I have seen this on a few different sites, like this one: http://ubuntuforums.org/archive/index.p … 11007.html

ext3 is just ext2 with journalling. Ext3 without journalling is ext2.

jwhendy wrote:

So, I guess this has expanded into three questions:
- Is the IP discoverable via guest OS: answer (as I already thought) is yes
- Is actual activity (sites, history, DNS info of sites visited, downloads) recorded in host OS? Unsure on this still
- If the previous question is NO, will shred/wipe/secure-delete of the .vdi erase all signs of whatever network activity took place in the guest OS? Answer depends on #2, but if that is taken care of, it appears that shred will work on ext4 very well.

What do you think of these expanded thoughts? Thanks for the input.

As all network traffic of the guest goes through the host, this depends on the logs of your host. It is common for an OS to log inbound connections. Outbound connections are not normally logged, though. So I think that the answers are yes/no/yes for the third question, you can be identified if the wifi spot records the MAC address of your wireless card. For the journalling, ext3 and ext4 use a journal (otherwise it is just ext2); of course just erasing the journal will not be sufficient, for the same reason as before. You must be sure that the partition has always been ext2 (otherwise you will have to shred and reformat it) and that you have never moved / deleted the file without shredding it. You must also shred the swap of the host OS.

But what would you like to hide? If it is a trade secret then it's fine, but it is not the purpose of this forum to help people in criminal activities.

Last edited by olive (2010-10-03 18:34:14)

#6 2010-10-03 21:10:51

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Re: [SOLVED] Virtualbox for private network use?

olive wrote:

The wifi spot might record the MAC address of your wireless card (this could possibly be changed though; it must depend on your card).

This doesn't bother me as much, though I am aware of macchanger and such if I were.

olive wrote:

ext3 is just ext2 with journalling. Ext3 without journalling is ext2.

True, though it seems that only in journaling mode does ext3 have the issue with not being able to securely delete. Ordered and Writeback modes seem to be okay. See my link or search for it. From what I've seen, only the "metadata" is journaled. Not sure how much info is contained in that.

olive wrote:

As all network traffic of the guest goes through the host, this depends on the logs of your host. It is common for an OS to log inbound connections. Outbound connections are not normally logged, though. So I think that the answers are yes/no/yes for the third question, you can be identified if the wifi spot records the MAC address of your wireless card. For the journalling, ext3 and ext4 use a journal (otherwise it is just ext2); of course just erasing the journal will not be sufficient, for the same reason as before. You must be sure that the partition has always been ext2 (otherwise you will have to shred and reformat it) and that you have never moved / deleted the file without shredding it. You must also shred the swap of the host OS.

But what would you like to hide? If it is a trade secret then it's fine, but it is not the purpose of this forum to help people in criminal activities.

Groovy. Thanks for the input. For the record, I replaced Win XP with Arch for my work computer, which has been fantastic. It is a large, international company and heavily involved in Intellectual Property. I have only traveled a little bit with my laptop so far, but have been looking into encryption and network security topics to become familiar with them. My current install of Arch is not protected at all, though like I said I have not had to travel much with it and not out of the US. Should that occur, I need to be aware of my options, especially if, say, I need to delete a folder of sensitive documents or cached network activity somehow before traveling. I was wondering if using VirtualBox as a "container within a container" would make this easier/cleaner for things like that.

That being said, this research endeavor has made me more interested in securing my personal computers as well. I can't believe the number of lawsuits I have read about recently having to do with what seems to me to be silly things like writing the wrong things on a blog and then having your ISP subpoenaed for libel/slander! The connected cases I've come across when reading people's howtos on disk encryption and such have been eye opening.

I guess most of my questions are answered, though there's still a question of exactly how information-containing "metadata" is on Ext4 with writeback/ordered modes enabled and what exactly is "logged" by the host OS: just IP addresses visited or anything more?
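
An added example, not part of any post in this thread: a shell check of the journal question debated above, following the caveat in the shred(1) manual that in-place overwriting is ineffective on ext3/ext4 mounted with data=journal but works as usual with data=ordered (the default) and data=writeback. The mounts table and the .vdi path are constructed sample input, and the verdict covers only the journal question, not swap or earlier copies of the file.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime,data=journal 0 0
/dev/sdb1 /mnt/old ext2 rw 0 0
/dev/sda4 /home/vm btrfs rw,ssd 0 0'

# Print "fstype options" of the longest mount point that is a prefix of $1.
# $2 is mounts-format text; pass "$(cat /proc/mounts)" on a real system.
fs_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { m = $2; pre = (m == "/") ? "/" : m "/"
          if ((p == m || index(p, pre) == 1) && length(m) > best) {
              best = length(m); out = $3 " " $4 } }
        END { print out }'
}

# Print the ext3/ext4 journal data mode: the data= option, else "ordered".
data_mode() {
    case ",$1," in
        *,data=journal,*)   echo journal ;;
        *,data=writeback,*) echo writeback ;;
        *)                  echo ordered ;;
    esac
}

# Verdict for overwriting a file in place at path $1, per shred(1).
shred_verdict() {
    set -- $(fs_for_path "$1" "$2")   # now $1 = fstype, $2 = mount options
    case "$1" in
        ext2)      echo "ok: no journal" ;;
        ext3|ext4) mode=$(data_mode "$2")
                   if [ "$mode" = journal ]; then
                       echo "unreliable: file data is copied into the journal"
                   else
                       echo "ok: data=$mode journals metadata only"
                   fi ;;
        *)         echo "unknown: $1 may not overwrite in place" ;;
    esac
}

shred_verdict /home/user/guest.vdi "$SAMPLE_MOUNTS"
```

Mount options cannot show whether an ext4 filesystem was created without a journal, so that case is reported the same as data=ordered.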

#7 2010-10-03 21:24:59

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Re: [SOLVED] Virtualbox for private network use?

jwhendy wrote:

I guess most of my questions are answered, though there's still a question of exactly how information-containing "metadata" is on Ext4 with writeback/ordered modes enabled and what exactly is "logged" by the host OS: just IP addresses visited or anything more?

It depends on how the host OS is configured and I am not an expert on this point. But honestly, to be sure that no trace remains I would use more radical methods (it's so easy to forget something leaving a trace). For example, reboot your computer on an OS you have installed on a USB key and don't touch the hard disk at all (be sure it is not even mounted; some desktops mount it automatically using hal; do not start it, to be sure). In this way you are sure that nothing is written on your computer. To destroy the data, shred (or more securely burn) the USB key.

#8 2010-10-03 21:27:06

jwhendy
Member
Registered: 2010-04-01
Posts: 621

Re: [SOLVED] Virtualbox for private network use?

Ah -- yes. USB key OS. That could be a definite option. I'll keep that in mind.
