ETW/ETL Trace Files (DiagTrack/AutoLogger)
windows / Execution Evidence / Disk Image
Location
C:\Windows\System32\WDI\LogFiles\ and C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\
Description
Event Tracing for Windows (ETW) binary trace files (.etl) written by AutoLogger sessions (trace sessions that the kernel starts at boot, before any user logs on) and by Windows Diagnostic Infrastructure (WDI) providers. Includes AutoLogger-Diagtrack-Listener.etl, the trace behind the Connected User Experiences and Telemetry (DiagTrack) service, and various WDI trace files containing detailed system telemetry.
Forensic Value
ETL trace files can hold process execution evidence, network connection data, and system diagnostic information. Attackers rarely clean them: they are not well-known forensic artifacts, and the live files are held open by the trace session, so a casual delete fails. AutoLogger-Diagtrack-Listener.etl may contain evidence of executed processes, including image paths and, for some providers, command lines. The files survive reboots and can fill gaps when the standard Windows event logs have been cleared. Two caveats: because the active session keeps the file locked, acquire it from a disk image or with a raw-copy collector rather than a plain file copy; and trace sessions are usually capped in size (often circular), so older events are overwritten over time and a long-running host may only retain recent activity. Parsing the trace also depends on the provider manifests being available on the analysis machine; without them some events decode to raw field data only.
Tools Required
KAPE, tracerpt, xperf (Windows Performance Toolkit), ETLParser, SilkETW
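A triage script for an ETL file collected from an image, as an added example that is not part of the original page or of any of the tools it lists. It relies on Get-WinEvent, which reads .etl files natively (the -Oldest switch is mandatory for ETL input), and on tracerpt, which ships with Windows. The source path, the case output directory, and the EventData field names used for process-start events (ImageName, ProcessID, ParentProcessID) are assumptions; field names vary by provider version, so the script also keeps the raw EventData so nothing is lost when an assumed name is absent.

```powershell
# Added example (not the page's own code): summarise an acquired ETL trace
# and pull process-start events out of it.
# Assumes the file was copied off an image or with KAPE, because the live
# AutoLogger session keeps its file locked on a running host.
param(
    [string]$EtlPath = 'C:\Cases\host01\AutoLogger-Diagtrack-Listener.etl',  # assumed path
    [string]$OutDir  = 'C:\Cases\host01\etl-triage'                           # assumed path
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Read every event. -Oldest is required for .etl input (forward read order).
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop

# 2. Provider inventory: tells you what questions this trace can answer
#    before you spend time on it.
$events |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -Path (Join-Path $OutDir 'providers.csv') -NoTypeInformation

# 3. Time span covered by the trace, so gaps can be compared against the
#    cleared Security/System logs.
$first = ($events | Select-Object -First 1).TimeCreated
$last  = ($events | Select-Object -Last 1).TimeCreated
"Trace covers $first to $last ($($events.Count) events)" |
    Out-File -FilePath (Join-Path $OutDir 'span.txt')

# Helper: flatten the EventData of one record into a hashtable.
function ConvertTo-EventDataTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $table = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $table[$d.Name] = $d.'#text' }
    }
    return $table
}

# 4. Process-start events. Microsoft-Windows-Kernel-Process event ID 1 is
#    ProcessStart; the field names below are assumed and may differ by OS build,
#    so the raw EventData is kept in the last column as a fallback.
$events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -eq 1 } |
    ForEach-Object {
        $data = ConvertTo-EventDataTable -Record $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            PID       = $data['ProcessID']
            ParentPID = $data['ParentProcessID']
            Image     = $data['ImageName']
            Raw       = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
        }
    } |
    Export-Csv -Path (Join-Path $OutDir 'process-starts.csv') -NoTypeInformation

# 5. Full dump via tracerpt for grep-style review and for events whose
#    manifest is missing on the analysis box (they still decode to raw fields).
tracerpt $EtlPath -o (Join-Path $OutDir 'full.xml') -of XML -y
```

Run it on the analysis workstation, not the suspect host. If the provider inventory shows no Microsoft-Windows-Kernel-Process events, the DiagTrack session on that build was not subscribed to it and the process evidence, if any, will be under a different provider in full.xml; adjust the Where-Object filter accordingly rather than assuming the artifact is empty.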