Authors: Asif Matadar



Since the announcement of WSL in 2016, there has been a lot of excitement to
leverage WSL across workstations and servers alike by organisation’s and those that
work in the industry. With the announcement of WSL 2 and the architecture changes
that have been incorporated it is no surprise that the momentum and interest is only

What does that mean for someone who works as a Digital Forensics & Incident
Response professional? Well adversaries and malware authors have already started
focussing attention on WSL; therefore, it is important to understand the underlying
architecture changes that will allow one to investigate a compromised Windows 10
or Windows Server 2019 soon.

This talk will highlight the nuances to be aware of from a Digital Forensics & Incident
Response perspective and illustrate forensic artefacts of interest, which will consist
of a forensic examination of a WSL Endpoint to provide the audience an appreciation
of what that entails and share insights that will assist them when the time arises.