Forensics Analysis of Sandboxie Artifacts

SandBox is an isolated environment nowadays being used as an anti-forensics tool by many (criminals) to perform malicious activity. The paper investigates the effectiveness of sandbox environment in widely used tool named as Sandboxie, and outline how to perform investigation when this tool is used to perform a criminal or illegal act. For the purpose of experimental investigation we have considered two test cases and several scenarios. In the first case we assumed that user simply used sandboxie and terminated it, while in second case we assumed the user also deleted the sandboxie contents after using it. In this investigation process, first common places where evidences are usually found in general scenarios are examined, and then other locations in local machine are examined using special forensics tools. Also the main/physical memory (RAM) is captured and examined for traces. Through these experiments we showed that no trails could be found in common places for any activity if a user deletes his sandboxie content. However, the complete isolation does not occur and some traces can be found into the main memory (RAM) as well as in unallocated clusters on the disks. This is a valuable evidence for digital investigator.