# ETL ## Overview **Evidence:** ETL\ **Description:** Collect ETL Log\ **Category:** System\ **Platform:** windows\ **Short Name:** etl\ **Is Parsed:** No\ **Sent to Investigation Hub:** Yes\ **Collect File(s):** Yes ## Background Event Trace for Windows (ETW) is a high-performance event tracing mechanism built into Windows. ETL (Event Trace Log) files store trace data captured by ETW providers. These files contain detailed system and application event information that can be more granular than standard Windows Event Logs. ETL files are used for diagnostics, performance analysis, and troubleshooting. They can contain valuable forensic information about system behavior, application activity, and performance metrics. ## Data Collected This collector gathers structured data about etl. ### ETL Data | Field | Description | Example | | ------------ | ------------------------- | ------------------------------------------ | | `Name` | Artifact name | ETL Log | | `Type` | File or Folder | File | | `SourcePath` | Original file path | C:\Windows\System32\WDI\LogFiles\trace.etl | | `Path` | Relative path in evidence | Other/trace.etl | ## Collection Method This collector collects ETL files from the following locations: * `Windows\System32\WDI\LogFiles\*.etl` * `Windows\System32\LogFiles\WMI\*.etl` * `Windows\System32\WDI\*\*\*.etl` * `Programdata\Microsoft\Windows\Power Efficiency Diagnostics` (directory) * `Windows\Panther\*.etl` * `Users\*\AppData\Local\Microsoft\Windows\Explorer\*.etl` ## Forensic Value ETL logs provide detailed diagnostic and performance data that can reveal system behavior and application activity. Investigators use this data to analyze system performance issues, track application behavior, investigate diagnostic events, detect anomalous system activity, and reconstruct detailed system timelines.