Sandboxing Partitions

Tsaar

Guest
Apr 15, 2010
I have become increasingly leery of games and the malware…I mean DRM/anti-cheating applications they like to install. I have read that software such as GameGuard installs itself like a rootkit and is essentially a keylogger on your machine. This may or may not be true, but I still do not trust these companies.

I currently have a Samsung 830 256GB SSD and a 1TB WD Black HDD. I have split each drive essentially in half. On the SSD I have installed and fully patched Windows 8 Pro x64. The second half I have left unallocated, but will be installing Windows 7 Pro x64 tonight when I get home from work. I also split my data drive in half.

I will be removing drive letters using Disk Management from each of the OS/Data partitions so each OS will only “see” its boot partition on the SSD and its data partition on the HDD. On the Windows 8 machine I will only install VMware Player, Adobe products, 7-zip, and Norton Internet Security. The Windows 7 machine will be my gaming machine where I will happily install all of my games, potentially shady mods, etc.

I know that simply removing a drive letter is not sufficient security, as sophisticated malware can cross these boundaries. Can anyone outline the best way to essentially sandbox these two operating systems and their respective data drives from each other? Possibly disk encryption? I have never used BitLocker before, so not sure if this is the correct path. Any advice is appreciated.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Full partition encryption using something like TrueCrypt will work. It's capable of encrypting an entire partition (so the partition doesn't even appear formatted to the OS, no file table etc.) or entire disks, so even the partition table itself is hidden when not decrypted.

You can even do it with the OS drive if you use the TrueCrypt boot loader, which bootstraps the OS partition just after POST.

I think support for Win8 isn't official in TrueCrypt yet. It has some features, such as kernel parking, which can be a bit hinky with boot drives. There's unofficial advice on their forums for getting that working, which I've used successfully on my Win8 laptop, but just be aware it's all unofficial at the moment, so proceed at your own risk.
 

Tsaar

Thanks for the reply. How would it work dual booting two versions of Windows with the TrueCrypt boot loader?
 

Tsaar

I am thinking of using something like the following.

SSD (the first 3 partitions are created by default during Windows 8 installation):
Partition 1 – 300 MB Recovery Partition
Partition 2 – 100 MB System Partition
Partition 3 – 128 MB MSR Partition
Partition 4 – 100 GB Windows 8 (BitLocker)
Partition 5 – 140 GB Windows 7 (Unencrypted)

HDD:
Partition 1 – 128 MB MSR Partition
Partition 2 – 475 GB Gaming (Unencrypted)
Partition 3 – 475 GB Storage (TrueCrypt)

Basically, I want Windows 8 with Storage to be its own computer and Windows 7 with Gaming to be its own computer. I don’t need Windows 7 or the Gaming partition to be encrypted because they are meant to have potentially risky software installed, but I do not want them to even know that Windows 8 / Storage exist.

If I want to transfer any data between Gaming and Storage (I don’t keep any important files on the boot partitions) I can use an Ubuntu Live Disk, install TrueCrypt, and mount Storage to then transmit any files between partitions.

I am guessing this would leave some vulnerabilities open (such as boot loaders, etc)?
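
Added example, not part of the thread: a Python sketch of what any OS with raw disk access can read from a GPT disk whether or not a partition has a drive letter, using a layout like the one proposed above. The disk image, partition names and the 8-byte stand-in for ciphertext are constructed for illustration; the type GUIDs and the NTFS / BitLocker OEM IDs are the standard values.

```python
import struct, uuid
SECTOR = 512
TYPES = {  # well-known GPT partition type GUIDs
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved (MSR)",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Basic Data",
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery",
}

def classify(boot_sector):
    """Guess volume content from the OEM ID at bytes 3..10 of its first sector."""
    oem = boot_sector[3:11]
    if oem == b"NTFS    ":
        return "plaintext NTFS"
    if oem == b"-FVE-FS-":
        return "BitLocker (contents encrypted, presence visible)"
    return "no recognisable file system (raw, or TrueCrypt-style ciphertext)"

def list_partitions(disk):
    """Parse the primary GPT of a raw disk image; drive letters play no part."""
    hdr = disk[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    found = []
    for i in range(count):
        e = disk[entries_lba * SECTOR + i * size:][:size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:  # unused slot
            continue
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        kind = TYPES.get(str(type_guid), str(type_guid))
        found.append((name, kind, classify(disk[first * SECTOR:][:SECTOR])))
    return found

def build_sample_disk():
    """Constructed 64-sector image: BitLocker, plain NTFS, and opaque volumes."""
    disk = bytearray(64 * SECTOR)
    disk[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", disk, SECTOR + 72, 2, 4, 128)  # entries at LBA 2
    layout = [("Win8", b"-FVE-FS-", 40), ("Win7", b"NTFS    ", 48),
              ("Storage", b"\x9f\x13\xc4\x5a\x07\xe8\x2b\xd1", 56)]  # fake ciphertext
    basic = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7").bytes_le
    for i, (name, oem, lba) in enumerate(layout):
        entry = basic + bytes(16) + struct.pack("<QQQ", lba, lba + 7, 0)
        entry += name.encode("utf-16-le").ljust(72, b"\x00")
        disk[2 * SECTOR + i * 128:2 * SECTOR + (i + 1) * 128] = entry
        disk[lba * SECTOR + 3:lba * SECTOR + 11] = oem
    return bytes(disk)
```

Running `list_partitions(build_sample_disk())` lists all three partitions: partition-level encryption hides contents, while the partition table still records that each volume exists and where it starts.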