Initialization vectors: Quick DFIR analysis using a sandbox

Monday, October 8, 2018

Quick DFIR analysis using a sandbox

The concept of a sandbox is not new in computing. Sandboxes are found everywhere. The browser you are reading this with uses a sandbox in some way or fashion. In malware analysis sandboxing is one of the most useful ways to understand how such software works while preventing the host system from getting infected by it. Using virtual machines (VM) for digital forensic work can be considered to be like sandbox. This post will discuss a simple and quick way of looking at Windows applications with the use of a sandbox for digital forensics work.

The case

Let say we just received a system where it is alleged that a peer-to-peer (P2P) software was used to download contraband and share intellectual property. You decide to look at what P2P software was in use to determine what forensic artifacts can be recovered. The forensic tool used does not know how to parse some of these potentially evidentiary artifacts you found. Others, like the 'AC_SearchStrings.dat' artifact, has content consistent with how it is named. Do we really know the contents of the file are searches done by the user? How can we verify?  What about the items the tool does not understand and which contents are not in clear text?

The substitution process

One way of looking at data is by using the tool that created it as the viewer of it. If you can determine what software and version was in use, or recover the installation file from the target system, you can install the software in your analysis workstation. It becomes trivial to substitute the files created by the just installed program with artifacts recovered from the target system. The idea is that when the program re-starts it will read the substituted artifacts and show you the state of the program as it was on the target system at acquisition time. Neat, right?

Be aware that installing software from a case on your work system can cause problems. Here is where a sandbox comes in.

Sandbox vs VMs

If you have a VM available you can install the software, do the substitution, and see what you get. After you are done you can revert to a previous snapshot and be ready for the next case. Nice. But ask yourself, how do you know you got everything? Do you know what changes did the software make to the system in its entirety? Do you know if you actually substituted everything there is to substitute about the software? There are software tools you can use to keep track of changes to the system made by the targeted software but they come with increased complexity. A sandbox might be a better alternate solution for this particular scenario.

The case in toto

One of the P2P software packages in use for this case was eMule. You were able to extract the eMule executable from the downloads folder as well as the corresponding configuration files in use at the time of extraction. Instead of using a VM we will use a sandbox. One of the oldest and most well know sandbox implementations is the Sandboxie software for Windows.

After installation the program will have created the following directory structure:

C:\Sandbox\{User Account Name}\DefaultBox

Now we are ready to start.

1. Install the software by right-clicking on the executable and press the 'Run Sandboxed' option.

4th option from the top.
2. Notice how all the files the program writes to disk are contained within the sandbox.

Registry files!!!!

3. Since you will only find files associated with the program in the sandbox it is easy be to determine if there are any other locations related to it where evidence may be found in the target device. Also you can see what locations might be needed to successfully complete artifact substitution for viewing.

AppData - Substitution happens here.

4. We are going to focus on the 'AC_SearchStrings.dat' artifact that we believe contains user generated search terms. After the installation there are no search terms available. This make sense since it is a clean install of the software in the sandbox.

You can tell it is sandboxed.

Sandboxie gives you two visual cues so you know that the software is running from the sandbox. The first one is the yellow border around the whole software window. I cropped it for the sake of space but it is clearly visible above. Also notice the second visual cue which is the [#] symbols surrounding the application name.

Now let's view the contents of the 'AC_SearchStrings.dat' artifact before substitution.

Obvious search terms are obvious. Still need to confirm.

5 . Great. Now lets substitute the contents of the AppData folder in our sandbox installation with those extracted from the target device. First shutdown the sanboxed application. Here is how the sanboxed installation looks before substitution.

Before with a few files.

This is how it looks after substitution.

After with a bunch of files.

6. Run the program from the sandbox.

Right-click. Run Sandboxed.

7. Look at the searches history portion of the application.

The program is your viewer.

Few things create as big of an impact in stakeholders as seeing the data as the user would have seen it in the application that used or generated it.

8. Go through the application and see what else can you see. In this particular instance one can find historical statistics of how much data was transferred and how many files completed transfer among many other potentially important data points. 

9. After preserving the contents of the sandbox as part of your work you can delete it simply right-clicking and selecting 'Delete Contents' form the Sandboxie icon in the system tray.

Benefits of sandboxing

This analysis confers the following benefits:

1. All writes done by the program to storage are kept within the sandbox.

2. No need for third party software tracking of program interactions with storage.

3. If the program has additional bloatware it will not affect the host system you use for analysis.

4. It makes it easy to identify locations where configuration and file substitution will be needed for this type of application as a viewer analysis.

5. It reduces the need to virtualize a whole target system if only a few limited apps are of interest.


The application as a viewer is one of the most effective ways of understanding and presenting digital forensic artifacts. The use of a sandbox is one simple and quick method that may help you achieve those desired results.

As always I can be reached on twitter @alexisbrignoni and email 4n6[at]abrignoni[dot]com.