
Week 10: Problem Based Learning Lab - Software Artefacts

PBL Activity: Reverse engineering the Sandboxie software

Group Size: 3-5 students

Time: 60 minutes

Lab Tool: Sandboxie Investigation Workspace

Background

At 00:05 on 12 September 2025, Vladimir NAVALNY, a high-ranking member of the Russian Glavnoje Razvedyvatel'noje Upravlenije (GRU), was arrested in a joint operation involving the National Crime Agency (NCA) and Kent Police at the Port of Dover, Kent, while attempting to enter the UK from Russia under the false identity of Viktor YELTSIN, posing as a journalist.

He was found in possession of:

  • a forged passport (Exhibit EV/1)
  • an iPhone 6S mobile phone (Exhibit EV/2)
  • a laptop computer believed to be running Windows 10 (Exhibit EV/3)
  • €20,000 in cash (Exhibit EV/4)

Intelligence indicates that NAVALNY was attempting to meet a contact within the UK power network, Michael JAMES, and deliver a specially developed virus reportedly capable of disrupting two-thirds of the UK power network.

During interview, NAVALNY stated that the laptop was not his and claimed he was transporting it for a friend to pass to JAMES. When asked to account for the €20,000, he replied "no comment".

Intelligence also suggests that NAVALNY used specialist software called "Sandboxie" to obfuscate his activities and may have removed all or part of this software from the laptop before travelling to the UK.


Important Context

You are not being provided with recovered evidence from EV/3 for this exercise.

Instead, your task is to carry out a controlled practical investigation of Sandboxie in a test environment in order to understand:

  • how the software works
  • what artefacts it creates during installation, use, and removal
  • what evidential opportunities or challenges it may present to an investigator

You should then use what you learn from your own testing to explain how you would approach the examination of EV/3 in the case scenario.

This means your group must generate and document its own artefacts by installing and testing the software, while keeping clear notes on methodology, observations, interpretation, and conclusions.


Learning Aim

This lab is designed to help you investigate software artefacts in a digital forensic context using a structured group workflow and a dedicated web-based tool.

You will use the Sandboxie Investigation Workspace to:

  • record group details
  • plan your methodology before testing
  • document unknowns, approaches, rationale, and findings
  • track Windows artefacts across the software lifecycle
  • apply your findings to the hypothetical examination of EV/3
  • generate a summary analysis note
  • prepare a short presentation

Task Description

Your group must address the following questions:

  1. Identify and explain the threats to an investigation posed by the use of Sandboxie software.
  2. Explain how the software operates in a form suitable for court.
  3. Considering the entire lifecycle of software on a computer, where might you look for evidence that software is or was located on a Windows computer?
  4. What artefacts can be identified through controlled testing of Sandboxie?
  5. What challenges might you expect to face in testing such software, and how might these be addressed?

For each question, your group should record in the lab tool:

  • what you do not yet know
  • how you intend to address it
  • your rationale for that approach
  • any evidence, artefacts, or observations identified during testing

1. Case Brief

Review the case scenario and enter:

  • your group number
  • the names of all students in your group

2. Methodology Plan

Before testing Sandboxie, complete the Methodology Plan section and record:

  • the test environment
  • the tools you will use
  • the steps you plan to perform
  • any risks or constraints
  • how you will capture observations and evidence

3. Controlled Testing

Install and test Sandboxie in a controlled environment, observing artefacts created during installation, use, configuration, and removal.
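One way to capture repeatable snapshots of the Windows artefact sources that question 3 asks about (installation, services and drivers, files on disk, execution traces) at each stage of this controlled testing. This is an added example, not part of the lab tool or of the Sandboxie project; it assumes default Windows 10 paths and that Sandboxie's components carry the "Sbie" name prefix, which your group should confirm from its own installation.

```powershell
# Added example (not part of the lab tool): snapshot common Windows 10 artefact
# sources that record that software is or was present, filtered by name. Run it
# before install, after install and use, and after removal, then diff the outputs.
function Get-SoftwareArtefactSnapshot {
    param(
        # 'Sbie' is the component prefix this example assumes for Sandboxie;
        # confirm it against your own test installation.
        [string[]]$Pattern = @('*Sandboxie*', '*Sbie*')
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    $isMatch = { param($s) foreach ($p in $Pattern) { if ($s -like $p) { return $true } }; $false }
    function Add-Hit($Source, $Location, $Detail) {
        $hits.Add([pscustomobject]@{ Source = $Source; Location = $Location; Detail = $Detail })
    }
    # 1. Installation: Add/Remove Programs entries (64-bit, 32-bit, per-user).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $uninstall) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ((& $isMatch "$($p.DisplayName)") -or (& $isMatch $_.PSChildName)) {
                Add-Hit 'Registry: Uninstall' $_.PSPath "$($p.DisplayName) $($p.DisplayVersion) InstallDate=$($p.InstallDate)"
            }
        }
    }
    # 2. Services and kernel drivers the software registered.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { & $isMatch $_.PSChildName } | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            Add-Hit 'Registry: Services' $_.PSPath "ImagePath=$($p.ImagePath) Start=$($p.Start)"
        }
    # 3. Files on disk: install directories, Start Menu shortcuts, user data.
    $dirs = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs", $env:LOCALAPPDATA, $env:APPDATA
    foreach ($d in $dirs) {
        Get-ChildItem $d -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
            Where-Object { & $isMatch $_.Name } | ForEach-Object {
                Add-Hit 'Filesystem' $_.FullName "Created=$($_.CreationTimeUtc.ToString('u')) Modified=$($_.LastWriteTimeUtc.ToString('u'))"
            }
    }
    # 4. Execution: Prefetch files (*.pf) typically survive uninstall and carry last-run times.
    Get-ChildItem "$env:SystemRoot\Prefetch\*.pf" -ErrorAction SilentlyContinue |
        Where-Object { & $isMatch $_.Name } | ForEach-Object {
            Add-Hit 'Prefetch' $_.FullName "LastWrite=$($_.LastWriteTimeUtc.ToString('u'))"
        }
    return $hits
}
# Usage (run as Administrator so Prefetch and HKLM are readable):
# Get-SoftwareArtefactSnapshot | Export-Csv "artefacts_$(Get-Date -Format yyyyMMdd_HHmmss).csv" -NoTypeInformation
```

Keep each exported CSV with the stage it was taken at (pre-install, post-install, post-use, post-removal) so the diff between stages becomes the evidence record for the Artefact Tracker.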

4. Record Findings

Use the Investigation Board and Artefact Tracker to record problems, approaches, rationale, evidence, and relevant Windows artefacts.

5. Output Generator

Use the Output Generator to produce your summary analysis note and presentation snapshot.


Expected Output

By the end of the lab, each group should have produced within the tool:

  • a methodology plan
  • investigation entries and artefact records
  • a generated summary and presentation output

Method Guidance

Before testing, agree and document a methodology for studying Sandboxie across its lifecycle. Record your actions clearly and distinguish between observation, interpretation, and conclusion.

Take notes throughout the process. Think ACPO (the ACPO Good Practice Guide for Digital Evidence principles on preserving evidence and documenting every action taken).


Presentation Guidance

After one hour, each group will give a brief presentation summarising the key problems, approaches, artefacts, challenges, and conclusions.


Best,

Ali.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Tuesday 21 April 2026 @ 07:28:28 | Commit: e7be396