2

Question 1:

If you open a password protected rar archive, enter the correct password, and then doubleclick (open) a textfile in to read the content:

is it in reality in the background written to the disk in some cache directory OR does everything stay in the RAM?

Example: User sometimes views a textfile (for example with his sensitive passwords) in a password protected rar archive. Then his laptop gets stolen. Although the attacker does not known the password to the rar file, he could still view the textfile with some recovery tools, because winrar temporarely wrote it to the disk to view it? So he could recover it?

Question 2:

Is a container with Veracrypt any different? Does it 100% stay in RAM there?

Thank you in advance for your answers!

Hao
  • 29
  • 1

1 Answers1

1

Short answer: there are no guarantees that it will be "100% in RAM" in any case.

Long answer:

With RAR/ZIP/7Zip you usually have to extract file to a temp folder to open it with another application. This is how passing files works (in Windows, and many other OSes). So, it is always extracted to some kind of temp storage. Worse yet, even if you drag&dropped it in windows, it will still go to a temp directory first, only then windows will copy it to where you wanted it to go (drag&drop doesn't tell application where the file has to go, only that is has to go [except for windows explorer, it does things without temp]).

With Veracrypt, it does decryption on fly, system doesn't see any kind of encryption. But this doesn't give you any guarantees. System can be low on RAM and decide that some pages that contain unencrypted data can go to swap. So unless your swap is encrypted too, you have no guarantees. But if you use application that has this unencrypted data, chances are system won't write that data to swap. For OS, all storage mediums are equal, it won't care that it saves data from encrypted volume to unencrypted volume.

axapaxa
  • 201
  • 1
  • 6