I've recently managed to isolate and archive a few files that managed to wreak havoc on one of my client's systems. So I was wondering what software and techniques make the best sandbox for isolating the code and digging into it to find out how it works.

Usually, up to this point in time I would just fire up a new VMWare or QEMU instance and dig away, but I am well aware that some well-written malware can break out of a VM relatively easily. So I am looking for techniques (Like using a VM with a different emulated CPU architecture for example.) and software (Maybe a sandbox suite of the sorts?) to mitigate the possibility of the code I am working on "breaking out".

What techniques do you all use? What software do you all use?