Friday, November 15, 2019

Windows Sandbox vs Virtual Machine

Recently, I spent a week in New Jersey teaching a course on forensic multimedia analysis with Amped FIVE. On day four of the class, we spent the morning installing, configuring, and working within virtual machines.

I've been using Oracle's VirtualBox for a while now. It's what we were working with in the course. It's easy to set up and use. Plus, it's free.

But, the inevitable question came up. Why not use the new Windows Sandbox feature instead of VirtualBox, or another VM?

In their specific case, the answer was easy - the computers in their training room would not support Sandbox. To use Sandbox, your computer must meet minimum specifications.

  • Windows 10 Pro or Enterprise build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

If your computer is capable of running Sandbox, setting it up is as simple as turning the feature on in the Windows Features dialog box.

Turn Windows Sandbox on in the Windows Features dialog box.

The training machines at this agency were 32-bit with only 4GB of RAM.
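
The prerequisite list above can be checked from an elevated PowerShell prompt before you plan a lab around Sandbox. This is an added example, not part of the original post: the thresholds come from the list above, and `Containers-DisposableClientVM` is the Windows optional-feature name for Sandbox, which the post itself does not mention.

```powershell
# Added example: check the Windows Sandbox minimums listed in this post.
# Run from an elevated 64-bit PowerShell session.
$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

# VirtualizationFirmwareEnabled reads False once a hypervisor is already running,
# so a present hypervisor also counts as "virtualization is enabled".
$virtOn = $cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent

# Sum physical cores across all sockets.
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum

# Installed RAM is reported slightly under its nominal size (firmware reserves some),
# so round to whole GB before comparing against the 4 GB minimum.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

$checks = [ordered]@{
    'Edition is Pro or Enterprise'   = ($os.Caption -match 'Pro|Enterprise')
    'Build 18305 or later'           = ([int]$os.BuildNumber -ge 18305)
    'AMD64 architecture'             = (($cpu.Architecture -eq 9) -and [Environment]::Is64BitOperatingSystem)
    'Virtualization enabled in BIOS' = [bool]$virtOn
    'At least 4 GB of RAM'           = ($ramGB -ge 4)
    'At least 1 GB free disk space'  = ($disk.FreeSpace -ge 1GB)
    'At least 2 CPU cores'           = ($cores -ge 2)
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}

if ($checks.Values -contains $false) {
    Write-Warning 'This machine does not meet the Sandbox minimums; use a full VM instead.'
} else {
    # Same switch as the Windows Features dialog box; shows whether it is already on.
    Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' |
        Select-Object FeatureName, State
    # To turn it on (a reboot is required afterwards):
    # Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All
}
```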

Yes, ICYMI, FIVE will run in a VM. I've installed FIVE in the popular VMs out there and it works just fine. The nice thing about FIVE is that it runs off a license key (dongle). With a VM, I can assign the USB port with the dongle to the VM to let FIVE run in the VM. Some of the other analysis programs out there require machine codes on installation, which will complicate matters. Some vendors allow only a single installation per license. With FIVE, you can install it everywhere. The dongle is portable. The software installation is quite agile.

FIVE running inside of Windows Sandbox

In my laboratory work, I have VMs set up for specific cases. I also have VMs set up for specific codecs / players (like Walmart's Verint / March Networks codecs). I can save these VMs. I can share these VMs for discovery.

Not so with Sandbox. Sandbox is volatile. Once you shut it down, everything you were just doing is gone for good. But, don't worry about accidents. Microsoft warns you of this.

Windows Sandbox warning about losing everything once you close the window.

My worry with Sandbox is that I've created something for a case. Then, when I shut it down, I necessarily destroy it. I'm just not comfortable with that. Thus, I still use VirtualBox.

Additionally, with VirtualBox, I set things up once. Then, for test/validate work, I can use the space multiple times if needed. With Sandbox, I must set things up from scratch each time. Such a waste IMHO.

That's not even considering Windows stability issues and crashes. There's no "auto recovery" feature in Sandbox if the host OS crashes.

The other nice thing about VirtualBox is its extension packs. The main extension pack from Oracle extends USB functionality within your VM. "VirtualBox Extension Pack" adds support for USB 2.0 & 3.0 devices such as network adapters, flash drives, hard disks, web cams, etc., that are inserted into physical USB ports of the host machine. These can then be attached to the VM running on VirtualBox. As a result, you can use a physical USB device in a guest operating system. There are other extension packs, with new ones being developed all the time.

If you haven't tried working in virtual machines, give it a go for yourself. If you'd like hands-on guidance, you're welcome to sign up for one of our upcoming training sessions. Check the calendar on our web site for available dates. We teach VMs within the Advanced Processing Techniques course. If you don't see a date that works for you on our calendar, but want to schedule a class, contact us about bringing a course to your agency or adding a course to our local training calendar ... or about our new micro learning options for self-directed learners.

Have a great day, my friends.