Title (deu)
WSL2 Forensics: Detection, Analysis & Revirtualization
Description (deu)
The development of the Windows Subsystem for Linux, version 2 (WSL2) and its integration into Microsoft’s operating systems has brought together two worlds that were, from a consumer’s perspective, previously disjoint. This creates new challenges for incident handling and computer forensics in particular, since workflows rarely had to consider both ecosystems at the same time. With WSL2 now an integral part of Windows 10 and 11, tools and techniques have to be revisited with the new environment in mind. In this paper, we look at the detection, acquisition and post-mortem analysis of WSL2 instances. We explore through experimentation how WSL2 guests can be quickly identified and provide investigators with an easy means to automate the process. Since it can also help an investigation to revirtualize an acquired image, the process of getting a WSL2 instance up and running on another host is discussed as well. This is complemented by a surface analysis of the extracted data, where we assess whether current open-source suites are compatible with Microsoft’s take on Linux. Ultimately, this work provides a concise guide for investigators dealing with WSL2 instances and updates the current state of the art, which predominantly focuses on the first iteration of WSL.
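As an added illustration of the detection step the abstract refers to (this is not the paper's own script or tooling), the following PowerShell snippet enumerates the WSL distributions registered for every loaded user hive. It relies only on the documented registry location HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Lxss, where each distribution subkey carries DistributionName, BasePath and Version (2 for WSL2), and on the fact that a WSL2 distribution keeps its root filesystem in an ext4.vhdx file under BasePath. The output column names are this example's own choice.

```powershell
# Added example, not from the paper: list registered WSL distributions on a live host
# and point the examiner at the ext4.vhdx that holds each WSL2 root filesystem.
$results = foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    # Per-user registration of WSL distributions (documented Lxss key).
    $lxss = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Lxss"
    if (-not (Test-Path $lxss)) { continue }

    foreach ($distro in Get-ChildItem $lxss) {
        $p = Get-ItemProperty $distro.PSPath
        if (-not $p.DistributionName) { continue }   # skip subkeys that are not distributions

        # BasePath is often stored with a \\?\ prefix; strip it for file-system calls.
        $basePath = $p.BasePath -replace '^\\\\\?\\', ''
        $vhdx     = Join-Path $basePath 'ext4.vhdx'   # WSL2 only; WSL1 uses a rootfs directory instead
        $present  = Test-Path $vhdx

        [pscustomobject]@{
            UserSid      = $hive.PSChildName
            Distribution = $p.DistributionName
            Version      = $p.Version                 # 1 = WSL1, 2 = WSL2
            BasePath     = $basePath
            Vhdx         = $vhdx
            VhdxExists   = $present
            VhdxSizeMB   = if ($present) { [math]::Round((Get-Item $vhdx).Length / 1MB) } else { $null }
        }
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated prompt so that every loaded user hive under HKEY_USERS is readable; profiles that are not loaded (users not currently logged on) would require loading their NTUSER.DAT first, which this example does not do. Note that ext4.vhdx is locked while the distribution's lightweight VM is running, so the file should be copied after `wsl --shutdown` or from a Volume Shadow Copy, and the Version value is what separates a WSL2 guest (image-based acquisition) from a WSL1 install (plain directory tree).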
Keywords (deu)
digital forensics; windows; linux; wsl; virtual machine
Type (eng)
Language
[eng]
Persistent identifier
Is in series
Title
ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
Issued
2022-08-23
ISBN 978-1-4503-9670-7
Publication
ACM , 2022
University of Applied Sciences St. Pölten | Campus-Platz 1 | A-3100 St. Pölten | T +43/2742/313 228-234