Abstract

Digital forensics is facing new challenges with the rise of new anti-forensics techniques and tools, including virtualization. Virtualization can be used as a shield against different types of attacks, but at the same time it can be leveraged by attackers as an anti-forensics tool. Forensic investigators face enormous challenges when collecting digital evidence in cases where virtualization has been used by an attacker. Virtualization comes in different forms, and one of the more difficult forms to investigate is lightweight virtualization. The Microsoft Windows operating system offers lightweight virtualization in the form of Windows Sandbox. Windows Sandbox is an isolated testing environment for running programs or opening files without affecting the application, system, or platform on which they run. After the sandbox is closed nothing persists on the device; everything is discarded. This paper reveals the anti-forensics capabilities of Windows Sandbox and possible solutions for collecting forensic artefacts using the Windows registry. Registry analysis revealed that only the use of the sandbox on the host operating system is discoverable; activities and data inside the sandbox are discarded permanently.
