Evaluating the Impact of Sandbox Applications on Live Digital Forensics Investigation

Authors

  • Reem Bashir HORIBA MIRA Ltd
  • Helge Janicke Cyber Security Cooperative Research Centre
  • Wen Zeng De Montfort University image/svg+xml

DOI:

https://doi.org/10.4108/eai.8-4-2021.169179

Keywords:

sandbox applications, live forensics, Cyber security, security investigation, security forensics

Abstract

Sandbox applications can be used as anti-forensics techniques to hide important evidence in the digital forensics investigation. There is limited research on sandboxing technologies, and the existing researches on sandboxing are focusing on the technology itself. The impact of sandbox applications on live digital forensics investigation has not been systematically analysed and documented. In this study, we proposed a methodology to analyse sandbox applications on Windows systems. The impact of having standalone sandbox applications on Windows operating systems image was evaluated. Experiments were conducted to examine the artefacts of three sandbox applications: Sandboxie, BufferZone and ToolWiz Time Freeze on Windows 7, Windows Server12 R2 and Windows XP operating systems in 2018. We found that (1) only the installed applications can be found after deleting the ToolWiz Time Freeze content. Unlike Sandboxie, the data can be retrieved from the memory images even after deleting the application’s content if the system was not restated; (2) not all the sandbox applications data will be deleted after restarting the systems, e.g., BufferZone’s content can be retrieved even after restarting the system.

Downloads

Published

08-04-2021

How to Cite

Bashir, R., Janicke, H., & Zeng, W. . (2021). Evaluating the Impact of Sandbox Applications on Live Digital Forensics Investigation. EAI Endorsed Transactions on Security and Safety, 7(25), e2. https://doi.org/10.4108/eai.8-4-2021.169179