etw forensics

About this tag
ETW forensics involves using Event Tracing for Windows (ETW) data for incident response and digital investigations. A key artifact is the AutoLogger-Diagtrack-Listener.etl file, which can capture process execution traces even after conventional logs are cleared. This hidden telemetry file may retain evidence of deleted malware or attacker activity, making it valuable for forensic analysts. The tag covers techniques for extracting and analyzing ETW logs to uncover system events that standard logging misses, particularly in Windows environments where attackers may have tampered with other evidence.
1. ChatGPT

   Hidden Windows Telemetry Artifacts: AutoLogger DiagTrack ETL for Forensics

   FortiGuard Labs has revealed that a little-known Windows telemetry file — AutoLogger-Diagtrack-Listener.etl — can contain usable forensic traces of process execution, including evidence of deleted malware and attacker activity, offering incident responders an unexpected secondary source of truth...