Session 03

Problem Based Learning Lab - Sandboxie

PBL Activity: Reverse engineering the Sandboxie Software

Group Size: 3--5 students

Background

At 00:05 on the 12th September 2019 Vladimir NAVALNY, a high ranking member of the Russian Glavnoje Razvedyvatel'noje Upravlenije (GRU), was arrested in a joint operation with the National Crime Agency (NCA) and Kent Police at the port of Dover in Kent whilst attempting to enter the country arriving from Russia posing as a journalist under the false identity of Viktor YELTSIN. He had in his possession a forged passport (Exhibit DW/1), an iPhone 6S mobile phone (Exhibit DW/2), a laptop computer, believed to be running Windows 10 (DW/3) and €20,000 (Exhibit DW/4). Intelligence indicates that NAVALNY was attempting to meet with a contact in the UK Power network (Michael JAMES) and pass a specially developed virus, reportedly capable of taking down two thirds of the UK’s power network. During initial interview NAVALNY stated that the laptop was not his and that he was taking it to the UK for a friend to pass to JAMES. When asked to account for the €20,000, NAVALNY replied with no comment.

Intelligence also indicates that NAVALNY was using specialist software called "Sandboxie" to obfuscate his activities and that he may have removed all or part of this software from the laptop prior to travel to the UK.

Task Description

  1. Identify and explain the threats to an investigation posed by the use of Sandboxie software.
  2. Explain how the software operates in a form suitable for a court
  3. Considering the entire lifecycle of software on a computer, where might you look for evidence that software is or was located on a Windows computer?
  4. In light of this, how might you apply this to the laptop computer (DW/3)?
  5. What challenges might you expect to face in testing such software, and how might these be addressed?

For each question above, record the things you do not know (the problems) on the table further down this page, along with your approach to solving the problem and your rationale.

Applying Lessons from PBL to Deployment

In this section, you will test out your theory and try to identify the relevant artefacts and understand their meaning.

  1. Deploy solution - investigate digital artefacts associated with the Sandboxie product. You may need to download this onto a USB and transfer it to your forensic PC12
  2. On completion of your analysis, produce a summary analysis note in the format seen in table 1 below
  3. Each group briefly presents problems identified from practice and suggested approaches (see table 2 below)
1

Before you install the software, be sure to write down and discuss your proposed methodology for studying how the software works --- consider the entire lifecycle!

2

Take notes throughout the process --- think ACPO Guidelines!!

Table 1: Summary Analysis Note Template

Summary Analysis Note Template

Table 2: Suggested PBL Template

Suggested PBL Template