ETL

Overview

  • Evidence: ETL

  • Description: Collect ETL Log

  • Category: System

  • Platform: windows

  • Short Name: etl

  • Is Parsed: No

  • Sent to Investigation Hub: Yes

  • Collect File(s): Yes

Background

Event Tracing for Windows (ETW) is a high-performance event tracing mechanism built into Windows. ETL (Event Trace Log) files store trace data captured by ETW providers. These files contain detailed system and application event information that is often more granular than the standard Windows Event Logs.

ETL files are used for diagnostics, performance analysis, and troubleshooting. They can contain valuable forensic information about system behavior, application activity, and performance metrics.

Data Collected

This collector gathers structured data about the ETL files it collects.

ETL Data

Field        Description                 Example
Name         Artifact name               ETL Log
Type         File or Folder              File
SourcePath   Original file path          C:\Windows\System32\WDI\LogFiles\trace.etl
Path         Relative path in evidence   Other/trace.etl

Collection Method

This collector collects ETL files from the following locations:

  • Windows\System32\WDI\LogFiles\*.etl

  • Windows\System32\LogFiles\WMI\*.etl

  • Windows\System32\WDI\*\*\*.etl

  • Programdata\Microsoft\Windows\Power Efficiency Diagnostics (directory)

  • Windows\Panther\*.etl

  • Users\*\AppData\Local\Microsoft\Windows\Explorer\*.etl
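The following script is an added example, not the collector's own code, showing how the location list above and the fields in the Data Collected table fit together: it walks a volume root (a mounted image or a live drive letter), applies the six location rules case-insensitively as NTFS would, flattens each hit into the Other/<name> evidence path shown in the table, and records a SHA-256 for each copied file. The SHA-256 field, the numeric suffix on colliding file names, and the sample tree it builds under a temporary directory are assumptions made for the example, not behaviour documented for the collector.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Collection locations listed on this page, written with forward slashes and
# relative to the volume root. "**" marks the one entry collected as a whole
# directory rather than by *.etl extension.
ETL_PATTERNS = [
    "Windows/System32/WDI/LogFiles/*.etl",
    "Windows/System32/LogFiles/WMI/*.etl",
    "Windows/System32/WDI/*/*/*.etl",
    "Programdata/Microsoft/Windows/Power Efficiency Diagnostics/**",
    "Windows/Panther/*.etl",
    "Users/*/AppData/Local/Microsoft/Windows/Explorer/*.etl",
]

EVIDENCE_SUBDIR = "Other"  # the "Relative path in evidence" prefix from the table


def _segments_match(pattern_parts, path_parts):
    """Match one path segment at a time so '*' never crosses a directory boundary
    (plain fnmatch would let 'WDI/LogFiles/*.etl' swallow deeper subfolders)."""
    if not pattern_parts:
        return not path_parts
    head, rest = pattern_parts[0], pattern_parts[1:]
    if head == "**":
        return bool(path_parts)  # anything at any depth below this directory
    if not path_parts or not fnmatch.fnmatchcase(path_parts[0], head):
        return False
    return _segments_match(rest, path_parts[1:])


def matches_collection_rule(relative_posix_path):
    """Case-insensitive match, as NTFS paths are ('Programdata' vs 'ProgramData')."""
    path_parts = relative_posix_path.lower().split("/")
    return any(_segments_match(p.lower().split("/"), path_parts) for p in ETL_PATTERNS)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_etl(volume_root, evidence_dir=None):
    """Return one record per collected file with the table's fields plus a SHA-256
    (an addition for integrity tracking). Files are optionally copied into
    evidence_dir/Other/ with timestamps preserved."""
    root = Path(volume_root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if matches_collection_rule(rel):
                hits.append((rel, full))
    hits.sort()  # deterministic order, so suffix assignment is reproducible

    records, used_names = [], set()
    for _rel, full in hits:
        # Evidence paths are flattened to Other/<name>; a numeric suffix keeps two
        # trace.etl files from different folders apart (assumption for collisions).
        candidate, n = full.name, 0
        while candidate.lower() in used_names:
            n += 1
            candidate = f"{full.stem}_{n}{full.suffix}"
        used_names.add(candidate.lower())
        evidence_rel = f"{EVIDENCE_SUBDIR}/{candidate}"
        if evidence_dir is not None:
            dest = Path(evidence_dir) / EVIDENCE_SUBDIR / candidate
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(full, dest)
        records.append({
            "Name": "ETL Log",
            "Type": "File",
            "SourcePath": str(full),
            "Path": evidence_rel,
            "SHA256": sha256_file(full),
        })
    return records


# Constructed sample tree (not real ETL content) to exercise the rules offline.
SAMPLE_FILES = {
    "Windows/System32/WDI/LogFiles/trace.etl": b"wdi-trace",
    "Windows/System32/WDI/LogFiles/readme.txt": b"wrong extension, skipped",
    "Windows/System32/WDI/{a1b2c3d4}/{e5f6a7b8}/trace.etl": b"matches WDI/*/*/*.etl",
    "Windows/System32/WDI/too/deep/for/rule.etl": b"one level too deep, skipped",
    "Windows/System32/LogFiles/WMI/wmi-sample.etl": b"wmi",
    "ProgramData/Microsoft/Windows/Power Efficiency Diagnostics/energy-report.xml": b"<report/>",
    "Windows/Panther/setup.etl": b"setup",
    "Users/alice/AppData/Local/Microsoft/Windows/Explorer/explorer.etl": b"explorer",
    "Users/bob/Desktop/trace.etl": b"outside every rule, skipped",
}


def build_sample_volume(base):
    for rel, content in SAMPLE_FILES.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


def run_demo():
    """Build the sample volume in a temp dir, collect, and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        volume, evidence = Path(tmp) / "C", Path(tmp) / "evidence"
        build_sample_volume(volume)
        records = collect_etl(volume, evidence)
        for r in records:  # confirm each copy landed where its Path says
            r["Copied"] = (evidence / r["Path"]).is_file()
        return records


if __name__ == "__main__":
    for r in run_demo():
        print(f'{r["Path"]:<26} <- {r["SourcePath"]}')
```

Running it prints six collected files; readme.txt (wrong extension), the file nested one level too deep under WDI, and the trace.etl on a user's Desktop are left alone because no rule covers them. The two trace.etl hits become Other/trace.etl and Other/trace_1.etl, which is why keeping SourcePath alongside Path matters when reading the evidence later.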

Forensic Value

ETL logs provide detailed diagnostic and performance data that can reveal system behavior and application activity. Investigators use this data to analyze system performance issues, track application behavior, investigate diagnostic events, detect anomalous system activity, and reconstruct detailed system timelines.
