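@comment{
  Conference paper on detecting, acquiring and analysing WSL2 instances
  (ARES 2022). Record cleaned up from a reference-manager export:
  - doi holds the bare identifier, not a resolver URL (the exported
    "Invalid DOI" tag referred to that prefix and is dropped with the fix);
  - per-word braces in title/booktitle reduced to the acronyms that must
    keep their case, so the style can apply its own casing;
  - non-ASCII characters replaced by LaTeX escapes so the entry also
    compiles under classic 8-bit BibTeX;
  - two extraction artefacts in the abstract repaired
    ("at time same time", "state-of-theart").
}
@inproceedings{boigner_wsl2_2022,
  author        = {Boigner, Philipp and Luh, Robert},
  title         = {{WSL2} Forensics: Detection, Analysis \& Revirtualization},
  booktitle     = {The 17th International Conference on Availability, Reliability and Security},
  series        = {{ARES} 2022},
  publisher     = {Association for Computing Machinery},
  address       = {Vienna, Austria},
  year          = {2022},
  doi           = {10.1145/3538969.3544439},
  copyright     = {CC-BY},
  abstract      = {The development and integration of the Windows Subsystem for Linux, version 2 (WSL2) into Microsoft's operating systems has brought together two worlds that were, from a consumer's perspective, previously disjunct. This comes with new challenges for incident handling and computer forensics in particular, since workflows rarely had to consider both ecosystems at the same time. With WSL2 now becoming an integral part of Windows 10 and 11, tools and techniques have to be revisited with the new environment in mind. In this paper, we look at the detection, acquisition and postmortem analysis of WSL2 instances. We explore through experimentation how WSL2 guests can be quickly identified and provide investigators with an easy means to automate the process. Since it can also be helpful to an investigation to revirtualize an acquired image, the process of getting up and running a WSL2 instance on another host is discussed as well. This is complemented by a surface analysis of the extracted data, where we assess whether current open-source suites are compatible with Microsoft's take on Linux. Ultimately, this work provides a concise guide for investigators dealing with WSL2 instances and updates the current state-of-the-art, which predominantly focuses on the first iteration of WSL.},
  keywords      = {FH SP Cyber Security, Institut f{\"u}r IT Sicherheitsforschung, Konferenz-Paper, Open Access, Vortrag, best, peer-reviewed},
  internal-note = {address appears to hold the conference venue as exported rather than the publisher's city; no pages in the source record -- add when known},
}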