A paper about how Microsoft's WOW64 technology unintentionally fools IT-Security analysts.
November, 30th 2011
You can download the full document in pdf format
You can download the latest presentation slides (Deepsec 2012) in pdf format
As soon as the recordings of our presentation at Deepsec 2012 (Thanks to the Deepsec folks!) are available you will find an according link here.
The 64-bit version of Microsoft Windows includes file-system virtualization features to run 32-bit programs. File access is transparently redirected to other directories in certain cases.
This feature can easily fool an analyst looking at a running system and can have a massive impact on infection-driven forensics, malware analysis and comparable investigations.
In the worst case this can lead to an entirely wrong interpretation of a case/situation.
While this issue is not entirely new, it is necessary to raise the IT-Security community's awareness, as some of the common tools and procedures in use need to be adapted in the presence of the files system redirector.