Document Type
Journal Article
Publication Title
EAI Endorsed Transactions on Security and Safety
Volume
7
Issue
18
Publisher
EAI
School
School of Science / ECU Security Research Institute
RAS ID
35514
Abstract
Sandbox applications can be used as anti-forensics techniques to hide important evidence in the digital forensics investigation. There is limited research on sandboxing technologies, and the existing researches on sandboxing are focusing on the technology itself. The impact of sandbox applications on live digital forensics investigation has not been systematically analysed and documented. In this study, we proposed a methodology to analyse sandbox applications on Windows systems. The impact of having standalone sandbox applications on Windows operating systems image was evaluated. Experiments were conducted to examine the artefacts of three sandbox applications: Sandboxie, BufferZone and ToolWiz Time Freeze on Windows 7, Windows Server12 R2 and Windows XP operating systems in 2018. We found that (1) only the installed applications can be found after deleting the ToolWiz Time Freeze content. Unlike Sandboxie, the data can be retrieved from the memory images even after deleting the application’s content if the system was not restated; (2) not all the sandbox applications data will be deleted after restarting the systems, e.g., BufferZone’s content can be retrieved even after restarting the system.
DOI
10.4108/eai.8-4-2021.169179
Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.
Comments
Bashir, R., Janicke, H., Zeng, W. (2021). Evaluating the impact of sandbox applications on live digital forensics investigation. EAI Endorsed Transactions on Security and Safety, 7(25), article e2. https://doi.org/10.4108/eai.8-4-2021.169179