Looking for a “new” Windows artifact that is currently being underutilized and contains a wealth of information? Event Tracing for Windows (ETW) and Event Trace Logs (ETL) may be your answer. There’s nothing new about them, yet they can provide a wealth of information. Event Tracing for Windows was
introduced in Windows 2000 and is still going strong in current versions of Windows. ETW is typically used for performance and debugging analysis by the Windows OS and by application developers. ETLs are ETW sessions that are stored to disk. They can be found in numerous locations on a Windows system and carry the extension “.etl.” They can contain system configuration information, WiFi connection SSIDs and configuration, Process and Thread information, File and Disk IO, Sleep Session
Studies, Boot and Shutdown information, and much more.

This talk will cover what ETL files are and where you can expect to find them, how to decode ETL files, caveats associated with those files, and some interesting and forensically relevant data that ETL files can provide.

Nicole Ibrahim (@nicoleibrahim), Digital Forensics Expert, G-C Partners, LLC

свернуть