sesa 20(25): e2

Research Article

Evaluating the Impact of Sandbox Applications on Live Digital Forensics Investigation

  • @ARTICLE{10.4108/eai.8-4-2021.169179,
        author={Reem Bashir and Helge Janicke and Wen Zeng},
        title={Evaluating the Impact of Sandbox Applications on Live Digital Forensics Investigation},
        journal={EAI Endorsed Transactions on Security and Safety},
        volume={7},
        number={25},
        publisher={EAI},
        journal_a={SESA},
        year={2021},
        month={4},
        keywords={sandbox applications, live forensics, Cyber security, security investigation, security forensics},
        doi={10.4108/eai.8-4-2021.169179}
    }
    
  • Reem Bashir, Helge Janicke, Wen Zeng (2021). Evaluating the Impact of Sandbox Applications on Live Digital Forensics Investigation. EAI Endorsed Transactions on Security and Safety (SESA), EAI. DOI: 10.4108/eai.8-4-2021.169179
Reem Bashir1, Helge Janicke2, Wen Zeng3,*
  • 1: HORIBA MIRA Ltd, Watling Street, Nuneaton Warwickshire CV10 0TU U.K.
  • 2: Cyber Security Cooperative Research Centre, Perth, Australia
  • 3: School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH U.K.
*Contact email: wen.zeng.wz@gmail.com

Abstract

Sandbox applications can be used as an anti-forensics technique to hide important evidence from a digital forensics investigation. Research on sandboxing technologies is limited, and the existing work focuses on the technology itself; the impact of sandbox applications on live digital forensics investigation has not been systematically analysed and documented. In this study, we propose a methodology to analyse sandbox applications on Windows systems and evaluate the impact of standalone sandbox applications on Windows operating system images. Experiments were conducted in 2018 to examine the artefacts of three sandbox applications, Sandboxie, BufferZone and ToolWiz Time Freeze, on Windows 7, Windows Server 2012 R2 and Windows XP. We found that (1) only the installed applications can be found after the ToolWiz Time Freeze content is deleted, whereas with Sandboxie the data can still be retrieved from memory images after the application's content is deleted, provided the system was not restarted; and (2) not all sandbox application data is deleted by restarting the system: BufferZone's content, for example, can be retrieved even after a restart.
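The abstract's central finding is that sandbox artefacts linger in memory images after the sandbox content has been deleted (and, for BufferZone, even after a restart). The following is an added example, not code from the paper or from any of the three products, of the kind of check an investigator runs over a raw memory image to confirm that: a case-insensitive search for product-specific marker strings in both ASCII and UTF-16LE (Windows keeps most paths and process names as wide strings), carving the full printable string around each hit so that a match on a container path yields the complete file path rather than just the prefix. The Sandboxie markers (its service and driver names and the default `C:\Sandbox` container root) are its well-known artefacts; for BufferZone and ToolWiz Time Freeze only the product name is used as a marker, which is an assumption since the abstract names no other identifiers. The sample "memory image" is constructed inline so the script runs offline.

```python
"""Search a raw memory image for residual sandbox-application artefacts.

Added example (not the paper's code). Markers are matched case-insensitively in
ASCII and UTF-16LE; each hit is extended over the surrounding printable run, the
way `strings` would, so the full path or command line around it is recovered.
"""
import mmap
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Sandboxie: well-known service/driver names and default container root.
# BufferZone / ToolWiz Time Freeze: product name only (assumption: the name is
# embedded in the product's own binaries and config); the paper names no more.
MARKERS: Dict[str, List[str]] = {
    "Sandboxie": ["SbieSvc.exe", "SbieDrv.sys", "SbieCtrl.exe", "C:\\Sandbox\\"],
    "BufferZone": ["BufferZone"],
    "ToolWiz Time Freeze": ["ToolWiz Time Freeze"],
}
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    product: str
    marker: str
    encoding: str
    offset: int
    context: str  # the whole printable string the marker sits in


def _printable(b: int) -> bool:
    return 0x20 <= b < 0x7F


def carve_string(buf, offset: int, encoding: str, limit: int = 512) -> str:
    """Extend left and right from a hit over printable characters.
    For UTF-16LE a character is a printable byte followed by a NUL byte."""
    step = 1 if encoding == "ascii" else 2

    def ok(i: int) -> bool:
        if i < 0 or i + step > len(buf) or not _printable(buf[i]):
            return False
        return step == 1 or buf[i + 1] == 0

    start = offset
    while start - step >= 0 and ok(start - step) and offset - start < limit:
        start -= step
    end = offset
    while ok(end) and end - offset < limit:
        end += step
    return bytes(buf[start:end]).decode(encoding, errors="replace")


def _patterns() -> Iterator[Tuple[str, str, str, "re.Pattern[bytes]"]]:
    for product, needles in MARKERS.items():
        for needle in needles:
            for enc in ENCODINGS:
                raw = needle.encode(enc)  # ASCII letters stay ASCII, so IGNORECASE works
                yield product, needle, enc, re.compile(re.escape(raw), re.IGNORECASE)


def scan_buffer(buf) -> List[Hit]:
    """Scan any bytes-like object (bytes or an mmap of the image file)."""
    hits: List[Hit] = []
    for product, needle, enc, pat in _patterns():
        for m in pat.finditer(buf):
            hits.append(Hit(product, needle, enc, m.start(),
                            carve_string(buf, m.start(), enc)))
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_image(path: str) -> List[Hit]:
    """Memory-map the image so multi-GB dumps are scanned without loading them."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_buffer(mm)


def summarize(hits: List[Hit]) -> Dict[str, int]:
    counts = {product: 0 for product in MARKERS}
    for h in hits:
        counts[h.product] += 1
    return counts


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump: binary filler with a few embedded
    strings in the encodings Windows actually uses for them."""
    filler = bytes(range(256)) * 8  # no marker occurs inside this run
    return (
        filler
        + "C:\\Sandbox\\alice\\DefaultBox\\drive\\C\\Users\\alice\\secret.docx".encode("utf-16-le")
        + filler
        + b"SbieSvc.exe\x00"
        + filler
        + "BufferZone".encode("utf-16-le")
        + filler
    )


if __name__ == "__main__":
    found = scan_image(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(build_sample_image())
    for h in found:
        print(f"{h.offset:#012x} {h.product:<20} {h.encoding:<9} {h.context}")
    print(summarize(found))
```

Run it as `python scan.py image.raw` against a dump taken before the reboot and again after, and diff the summaries: in the experiment described above, the Sandboxie hits should disappear after a restart while the BufferZone ones persist. The carved context is what makes the hit useful, since a match on the container prefix alone would not tell you which sandboxed file the user had opened.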