University of Roehampton

Week 10 PBL Support App

Sandboxie Investigation Workspace

A local lab companion for capturing hypotheses, tracing Windows artefacts, and turning group work into presentation-ready outputs inside one hour.

Lab Focus

  • Threats to investigation
  • Software operation for court
  • Windows software lifecycle artefacts
  • Artefacts from controlled testing
  • Testing challenges and mitigations

Group Details

Report Header

How to Use This Lab

Student Workflow
  1. Enter your group number and student names.
  2. Read the case scenario and agree what you do not yet know.
  3. Complete a methodology plan before installing or testing Sandboxie.
  4. Install and test Sandboxie in a controlled environment.
  5. Record unknowns, approaches, rationale, and observations in the Investigation Board.
  6. Track likely Windows artefacts across the software lifecycle.
  7. Generate your report and presentation summary from the Output Generator.

Important Context

Controlled Testing

You are not being given recovered evidence in this exercise. Your group must install and test Sandboxie in a controlled environment and generate your own artefacts for analysis.

Scenario

Operational Brief

At 00:05 on 12 September 2025, Vladimir NAVALNY was arrested at Dover while entering the UK under the false identity Viktor YELTSIN. He was carrying a forged passport, an iPhone 6S, a Windows 10 laptop (EV/3), and €20,000. Intelligence suggests he intended to pass malware to a UK power-network contact.

Investigators also suspect that Sandboxie was used to hide or isolate activity, and that all or part of the software may have been removed from the laptop before travel.

Exhibits

Evidence Index
  • EV/1 Forged passport
  • EV/2 iPhone 6S
  • EV/3 Windows 10 laptop
  • EV/4 €20,000 cash

Primary technical target

EV/3 is the main artefact source for software lifecycle evidence.

Investigation Questions

Task Set
  1. What threats does Sandboxie pose to an investigation?
  2. How does it operate in a form suitable for court?
  3. Where might you find evidence that software is or was on Windows?
  4. What artefacts can be identified through controlled testing of Sandboxie?
  5. What testing challenges will arise, and how can they be addressed?

Method Reminder

ACPO-Oriented
  • Agree methodology before installing or testing software.
  • Document unknowns, assumptions, and rationale continuously.
  • Track actions against the entire software lifecycle.
  • Preserve provenance of screenshots, notes, and extracted artefacts.
  • Separate observations, interpretation, and tentative conclusions.

Plan Before Testing

Methodology Plan

Collaborative Note Taking

Investigation Board

Saved Entries

Windows Lifecycle View

Artefact Tracker

Use this checklist to track where evidence of Sandboxie installation, execution, persistence, or removal may appear during controlled testing.

Presentation Ready

Output Generator

Summary Analysis Note

Table 1 Style

Presentation Snapshot

Table 2 Style