WSL2 Forensics: Detection, Analysis & Revirtualization.

International Conference on Availability, Reliability and Security (ARES)(2022)

Abstract
The development and integration of the Windows Subsystem for Linux, version 2 (WSL2) into Microsoft’s operating systems has brought together two worlds that were, from a consumer’s perspective, previously disjoint. This comes with new challenges for incident handling and computer forensics in particular, since workflows rarely had to consider both ecosystems at the same time. With WSL2 now becoming an integral part of Windows 10 and 11, tools and techniques have to be revisited with the new environment in mind. In this paper, we look at the detection, acquisition and post-mortem analysis of WSL2 instances. We explore through experimentation how WSL2 guests can be quickly identified and provide investigators with an easy means to automate the process. Since it can also be helpful to an investigation to revirtualize an acquired image, the process of getting a WSL2 instance up and running on another host is discussed as well. This is complemented by a surface analysis of the extracted data, where we assess whether current open-source suites are compatible with Microsoft’s take on Linux. Ultimately, this work provides a concise guide for investigators dealing with WSL2 instances and updates the current state of the art, which predominantly focuses on the first iteration of WSL.
Keywords
forensics, detection