DeepSec 2012 Talk: The „WOW Effect“
If you have ever been in the position of analysing the remains of a compromised system, then you will probably know that a lot of forensic methods rely on data stored in file systems. Of course, you can always look at individual blocks, too, however sooner or later you will need the logical structure of the data. The question is: Do you rely on the file system to be honest with you? What happens if the file system (with a little help from the OS around it) tricks you into believing false information? The answer is easy. Your investigation will fail. Christian Wojner from CERT.at has a presentation for you which describes the stunning „WOW Effect“ stemming from Microsoft’s WoW64 technology.
WoW64 is the abbreviation for Windows 32-bit on Windows 64-bit. It allows 64-bit versions of Microsoft Windows to run 32-bit applications. This abstraction layer is more complicated than simply executing the binary in the right CPU context. It also translates function calls, pointer and stack manipulations so that a Windows 32-bit application runs without any modifications. In addition, it includes file-system virtualization features. The problem is that in certain cases file access is transparently redirected to other directories. This is the crucial point for investigations such as infection-driven forensics, malware analysis or other tasks where you have to rely on what the file system tells you. This issue is not a new discovery and not a software vulnerability, but it needs to be understood by anyone dealing with digital investigations.
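As an added illustration from the investigator's side (this script is not part of Christian's talk or of this post), the following PowerShell script shows the redirection directly: run once from a 64-bit and once from a 32-bit PowerShell on 64-bit Windows, it reports which file a request for System32\cmd.exe really lands on, telling the two copies apart by their PE machine type and hash. It relies only on standard Windows behaviour (the Sysnative alias and the PROCESSOR_ARCHITEW6432 variable); the two helper function names are my own.

```powershell
# Added example (not from the talk or the post): observe WoW64 file-system
# redirection. Run this once from a 64-bit PowerShell and once from the 32-bit one
# (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) on 64-bit Windows
# and compare the two reports.

function Get-PeMachine {
    # Read the Machine field of the PE header to tell a 32-bit from a 64-bit image.
    param([string]$Path)
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3c)        # e_lfanew
    $machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)  # IMAGE_FILE_HEADER.Machine
    switch ($machine) {
        0x14c   { 'x86 (32-bit)' }
        0x8664  { 'x64 (64-bit)' }
        default { '0x{0:x}' -f $machine }
    }
}

function Test-Wow64Process {
    # True when this process is 32-bit but the OS is 64-bit, i.e. WoW64 is active.
    # PROCESSOR_ARCHITEW6432 is only set by Windows inside a WoW64 process.
    return ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) -or
           ($null -ne $env:PROCESSOR_ARCHITEW6432)
}

"Running under WoW64: $(Test-Wow64Process)"

# The same logical request, seen through three directory names:
#   System32  - redirected to SysWOW64 for a 32-bit process, the real thing for a 64-bit one
#   SysWOW64  - the 32-bit system directory, never redirected
#   Sysnative - alias that lets a 32-bit process reach the real 64-bit System32;
#               it does not exist for a 64-bit process
# (A 32-bit program can also switch the redirection off for its own thread with the
#  kernel32 API Wow64DisableWow64FsRedirection; that is what forensic tools must do.)
foreach ($dir in 'System32', 'SysWOW64', 'Sysnative') {
    $path = Join-Path $env:SystemRoot (Join-Path $dir 'cmd.exe')
    if (-not (Test-Path -LiteralPath $path)) {
        "{0,-42} not visible from this process" -f $path
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.Substring(0, 16)
    "{0,-42} {1,-14} sha256:{2}..." -f $path, (Get-PeMachine $path), $hash
}
```

From the 32-bit PowerShell the System32 and SysWOW64 rows show the same x86 binary and hash while only Sysnative reveals the x64 file; a 32-bit analysis tool that takes the System32 path at face value is therefore examining the wrong file.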
So if you are in the business of digital forensics, you should take a look at Christian's talk. Even if forensics or malware analysis is not your daily occupation, you should know about the peculiarities of the OS you are using. When it comes to problems, especially security-wise, every detail matters.