ETL
Overview
Evidence: ETL
Description: Collect ETL Log
Category: System
Platform: windows
Short Name: etl
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Event Tracing for Windows (ETW) is a high-performance event tracing mechanism built into Windows. ETL (Event Trace Log) files store trace data captured by ETW providers. These files contain detailed system and application event information that can be more granular than standard Windows Event Logs.
ETL files are used for diagnostics, performance analysis, and troubleshooting. They can contain valuable forensic information about system behavior, application activity, and performance metrics.
Data Collected
This collector gathers structured data about the ETL log files it collects.
ETL Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | ETL Log |
| Type | File or Folder | File |
| SourcePath | Original file path | C:\Windows\System32\WDI\LogFiles\trace.etl |
| Path | Relative path in evidence | Other/trace.etl |
Collection Method
This collector collects ETL files from the following locations (relative to the system drive root):
Windows\System32\WDI\LogFiles\*.etl
Windows\System32\LogFiles\WMI\*.etl
Windows\System32\WDI\*\*\*.etl
Programdata\Microsoft\Windows\Power Efficiency Diagnostics (directory)
Windows\Panther\*.etl
Users\*\AppData\Local\Microsoft\Windows\Explorer\*.etl
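As an added example (not the collector's own source), the Python below expands the collection patterns listed above against a file-system root and emits one record per match in the Name / Type / SourcePath / Path layout shown in the ETL Data table. The sample directory tree it builds, the `Other/` destination folder and the `_1` suffix used when two collected files share a name are constructed assumptions for illustration, not documented behaviour of the tool.

```python
"""Expand the ETL collection patterns against a file-system root.

Added example, not the collector's own code. Assumptions: evidence records use
the table's Name/Type/SourcePath/Path fields, collected items land under a
relative "Other/" folder, and name clashes are resolved with a _N suffix.
"""
import pathlib
import tempfile

# Patterns from the "Collection Method" section, relative to the system drive
# root. Windows resolves paths case-insensitively; on a case-sensitive host
# (e.g. a mounted image on Linux) the pattern case must match the on-disk case,
# so "ProgramData" is spelled as Windows creates it.
ETL_PATTERNS = [
    ("Windows/System32/WDI/LogFiles/*.etl", "File"),
    ("Windows/System32/LogFiles/WMI/*.etl", "File"),
    ("Windows/System32/WDI/*/*/*.etl", "File"),
    ("ProgramData/Microsoft/Windows/Power Efficiency Diagnostics", "Folder"),
    ("Windows/Panther/*.etl", "File"),
    ("Users/*/AppData/Local/Microsoft/Windows/Explorer/*.etl", "File"),
]

# Constructed sample tree (no real trace data); one non-.etl decoy and one
# deliberate file-name clash are included to exercise the edge cases.
SAMPLE_FILES = [
    "Windows/System32/WDI/LogFiles/trace.etl",
    "Windows/System32/WDI/LogFiles/readme.txt",  # not *.etl: never matched
    "Windows/System32/LogFiles/WMI/netlog.etl",
    "Windows/System32/WDI/placeholder-guid-a/placeholder-guid-b/snapshot.etl",
    "ProgramData/Microsoft/Windows/Power Efficiency Diagnostics/energy.etl",
    "Windows/Panther/setup.etl",
    "Users/alice/AppData/Local/Microsoft/Windows/Explorer/explorer.etl",
    "Users/bob/AppData/Local/Microsoft/Windows/Explorer/trace.etl",  # clash
]


def build_sample_tree(root: pathlib.Path) -> pathlib.Path:
    """Create the constructed sample files below root and return root."""
    for rel in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample, not a real ETL header")
    return root


def _unique_evidence_path(name: str, used: set[str]) -> str:
    """Map an artifact name to Other/<name>, adding _1, _2, ... on clashes."""
    p = pathlib.PurePosixPath(name)
    candidate = f"Other/{name}"
    n = 1
    while candidate in used:
        candidate = f"Other/{p.stem}_{n}{p.suffix}"
        n += 1
    used.add(candidate)
    return candidate


def collect_etl(root: pathlib.Path) -> list[dict]:
    """Return one evidence record per artifact matched by ETL_PATTERNS."""
    records: list[dict] = []
    used: set[str] = set()
    for pattern, kind in ETL_PATTERNS:
        for match in sorted(root.glob(pattern)):
            # Enforce the expected kind: a folder named "x.etl" is not a log
            # file, and a stray file is not the diagnostics directory.
            if kind == "File" and not match.is_file():
                continue
            if kind == "Folder" and not match.is_dir():
                continue
            records.append({
                "Name": "ETL Log",
                "Type": kind,
                "SourcePath": match.relative_to(root).as_posix(),
                "Path": _unique_evidence_path(match.name, used),
            })
    return records


def demo() -> list[dict]:
    """Build the sample tree in a scratch directory and collect from it."""
    with tempfile.TemporaryDirectory() as scratch:
        root = build_sample_tree(pathlib.Path(scratch))
        return collect_etl(root)


if __name__ == "__main__":
    for record in demo():
        print(f"{record['Type']:6} {record['SourcePath']} -> {record['Path']}")
```

Running the script lists seven records: six files and the Power Efficiency Diagnostics folder, with the second `trace.etl` stored as `Other/trace_1.etl` so that it does not overwrite the first. On a live system, ETL files that an active trace session still holds open may refuse a normal read; a collector that targets those paths needs raw-disk or snapshot access, which this example does not attempt.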
Forensic Value
ETL logs provide detailed diagnostic and performance data that can reveal system behavior and application activity. Investigators use this data to analyze system performance issues, track application behavior, investigate diagnostic events, detect anomalous system activity, and reconstruct detailed system timelines.