Forensic Analysis of Windows Subsystem for Android (WSA) Overview Microsoft released Windows 11 with a new feature, Windows Subsystem for Android (WSA). This feature enabled users to run Android applications in Windows 11 without involving third-party virtualization software. I believe that digital forensic examiners need to understand this feature as it can be used as a new source of digital evidence in Windows 11 systems. This blog post focuses on some of the critical WSA artifacts and how to extract data from the WSA environment. Analysis of the WSA Environment Like any newly implemented feature, there is limited documentation and research regarding WSA. Figure 1 shows two primary layers to be considered during a digital forensic examination of WSA. Wi ndows 11 is the first layer and the overall environment containing all the data, including execution, logging, and registry artifacts. The second layer is the Android environment, which contains user data and the installed applicat