Overview
This paper discusses the detection, acquisition, and post-mortem analysis of WSL2 instances. It explores how WSL2 forensics integrates into existing forensic investigation processes and which tools can be used to extract and analyse WSL2 images.
Background
Windows ships a Linux kernel alongside the Windows NT kernel. Windows uses Hyper-V to virtualize WSL2 instances, which allows running multiple instances of multiple Linux distributions under WSL2. MS has created its own Linux kernel by forking the original one from kernel.
Overview
Depending upon when a threat actor gains access to the evidence, the level of effort required to tamper with it and the probability of the tampering being detected can change. For this discussion, let’s talk about volatile memory analysis and evidence tampering in volatile memory images.
Before we move forward, let’s set some expectations: the threat actor gets access to the memory image before its hash is generated, and the threat actor understands memory forensics to some degree. Now this threat actor has several options to tamper with the memory image.
Let’s start by establishing some ground rules. A file system is just a data structure. It is not software. It only defines how files should be saved. Kernel- or user-level drivers are written to implement file systems, just as one would use, say, linked lists to keep track of the items in a to-do list.
For the most part, we are used to looking at a 1-1 relationship between partitions and file systems.
The need for mobile security has never been more important than in the last decade and the coming years. As the primary mode of communication and entertainment continues to shift toward mobile phones, so does their use in illegal activities. Malware authors understand this trend. They are no strangers to the skyrocketing computational power of modern mobile devices, while traditional mobile anti-malware software stays behind with its good ol’ hash matches.
Problem Statement
The year 2019 saw nearly 20 million pieces of malware, a 30% increase from 2018 [1].
Deep learning algorithms like Convolutional Neural Networks are dominating computer vision tasks. They work extremely well for use cases including face detection, age estimation, object detection, object classification, motion detection, pose estimation, and virtually every visually identifiable pattern of interest. Some researchers have even proposed using deep learning algorithms to automate blood spatter analysis [1-2]. However, these neural nets don’t always work the way we want them to. Even though CNNs have proved themselves to be better at recognising patterns like camera lens noise [3].