Safe Sandboxes

Let's say that, in your forensics adventure, you have an executable that you know is committing the crime :). Obviously, you want to investigate further by executing it and understanding all the changes that it does. This let's us understand the behavior in depth. But you can't (or at least shouldn't) run that on your main workstation. You could create a VM and use that to run the application -- at least that keeps the changes isolated to that VM and you can take snapshots and rollback to your hearts content.

While this is not a bad strategy and managing the VM snapshots and rollbacks isn't that much of an hassle, you're still left with the monitoring and figuring out what on earth changed while the executable was doing its nefarious deeds. There's a better way. Introducing Sandboxie.

Sandboxie falls into the "sandbox" category of applications. In the security context, a sandbox is a mechanism that isolates application so that they can be restricted from doing bad things to real systems. Sandboxie does exactly that:

• it isolates applications from the host system
• it also lets you isolate the web browser and email clients so that you can run web-based attacks
• it tracks the changes that the sandboxed application is doing and lets you investigate them after the run is complete

You can read all about it here and there are plenty of help topics here to help you get started. But the concept is super simple. Once you've installed it on your system, you:

• run any application in the sandbox
• let it do its thing while Sandboxie monitors and audits everything it does
• and then, you can browse all the changes it did

Here's what we want to do:

• we'll run a sandboxed copy of "notepad"
• we'll enter some text and save the file
• you'll see that the file isn't saved on the root of the c-drive but in the sandbox

Here's how you do it:

• you run the notepad application from the system tray, using the Sandboxie -> "Run Any Program"

• we enter some text and save the file in the root of the c-drive

• you'll notice that the file isn't in the root of the actual c-drive

• but you can explore the changes via Sandboxie and you can see it in the sandboxed environment along with all the other system changes that might have happened due to the notepad execution (which would be none for this simple experiment)

Go ahead and have fun! You can safely run applications that are malicious or suspicious and then explore all the changes that were made by the application. It is a great way to hone your forensics skills. Enjoy :)