Digital Forensics and Windows Sandbox as Anti-forensics tool

Mohammed Yousuf uddin; Mohammad Mazhar Afzal; Sultan Ahmad

doi:10.47392/IRJAEH.2024.0049

Authors

Mohammed Yousuf uddin Computer Science, Glocal University, Saharanpur, Uttar Pradesh, India. Author https://orcid.org/0000-0002-3220-9541
Mohammad Mazhar Afzal Computer Science, Glocal University, Saharanpur, Uttar Pradesh, India. Author
Sultan Ahmad University Center for Research and Development (UCRD), Department of Computer Science and Engineering, Chandigarh University, Punjab, India. Author

DOI:

https://doi.org/10.47392/IRJAEH.2024.0049

Keywords:

disposable virtual machines, virtualization, anti-forensics, digital forensics, Windows sandbox

Abstract

Digital forensics is facing new challenges with rise in new anti-forensics techniques and tools including virtualization. Virtualization can be used as shield against different types of attacks, at the same time it can be leveraged by attackers as anti-forensics tool. Forensic investigators face enormous challenges while collecting the digital evidences in case where virtualization is used by an attacker. Virtualization comes in different forms, one of the difficulty form is light weight virtualization. Microsoft windows operating system offers sandbox light weight virtualization. Microsoft windows sandbox is an isolated testing environment to run programs or open files without affecting the application, system, or platform on which they run. After closing the sandbox nothing persists on the device, everything is discarded. This paper reveals the anti-forensics capabilities of sandbox and possible solutions to collect the forensics artefacts using windows registry. Registry analysis revealed that only use of sandbox on host operating system is discoverable and activities and data inside the sandbox are discarded permanently.