Windows Event Logs have long been the cornerstone of incident investigation on Windows systems. Yet they fall short when it comes to identifying many kinds of suspicious activity, which is why investigators routinely turn to supplementary audit logging or tools such as Sysmon.
In this landscape, Event Tracing for Windows (ETW) is a formidable yet frequently underestimated feature that offers a broader view of system activity. Originally designed for application debugging and performance tracing, ETW has become the framework on which modern Windows event logging itself is built, and it records far more than what ever reaches the Event Log, bridging gaps left by traditional logging.
Security analysts at JPCERT/CC note that ETW now plays a central role in the detection logic of Endpoint Detection and Response (EDR) products and antivirus engines. The ETW architecture has four components:
- Providers: applications and drivers that emit events
- Consumers: applications that receive events, either from an ETL file or in real time
- Sessions: kernel-managed buffers that receive events from the providers enabled in them and deliver them to a log file or to a real-time consumer
- Controllers: components that create sessions, enable providers in them, and stop them
ETW’s Forensic Potential
What distinguishes ETW is that many operating-system components emit events through it by default, often without any configuration, so the information available goes well beyond what traditional Event Logs record. This makes ETW an indispensable source for forensic investigators and security engineers alike.
Several ETW providers stand out for their utility in incident investigation and malware detection:
- Microsoft-Windows-Threat-Intelligence (readable only by consumers running as protected processes, which is why it is primarily used by EDR and antivirus products)
- Microsoft-Windows-DNS-Client
- Microsoft-Antimalware-AMFilter
- Microsoft-Windows-Shell-Core
- Microsoft-Windows-Kernel-Process
- Microsoft-Windows-Kernel-File
Some ETW sessions write their events to ETL files by default, but many deliver events to consumers in real time or keep them in circular buffers, so the events exist only in kernel memory. Consequently, even if an attacker deletes ETL files, or the session never wrote one, the events may still be recoverable from the session's buffers.
To make that residue usable, JPCERT/CC has released a Volatility plugin, ETW Scanner, that extracts ETW events from memory images, giving investigators a way to recover this evidence during incident response.
The recovered events can prove invaluable during an investigation. For example, the LwtNetLog session, which is enabled by default, collects a range of network-related events. By examining them, investigators can uncover malware communication patterns, DNS queries, and other network activity that might otherwise evade detection.
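The following walkthrough is an added example, not code from the article or from JPCERT/CC's ETW Scanner. It exercises the four ETW roles described above from an elevated PowerShell prompt and inspects the LwtNetLog session discussed here: it lists the sessions already running, acts as a controller to start a session with the DNS-Client and Kernel-Process providers, generates activity, stops the session, and reads the resulting ETL back as a consumer. It assumes Windows 10 or later with the built-in logman.exe and Get-WinEvent; the session name "ForensicDemo", the output path, and the name "example.com" are arbitrary choices made for this demonstration.

```powershell
# Added example (not from the article or the ETW Scanner project): walk through
# ETW's controller, provider, session and consumer roles on a live host.
# Assumptions: Windows 10/11, elevated prompt, logman.exe and Get-WinEvent present.
# "ForensicDemo", the output path and "example.com" are arbitrary demo values.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$session = 'ForensicDemo'
$etl     = Join-Path $env:TEMP "$session.etl"

# --- Sessions already running on the box -------------------------------------
# LwtNetLog, the default network session mentioned above, is expected in this list.
logman query -ets
# Details of that one session: its log mode, buffer settings and the providers
# (GUIDs, keyword masks and levels) that feed it.
logman query 'LwtNetLog' -ets

# --- Controller: create a session and enable providers ----------------------
# Keyword mask and level are passed as quoted strings so PowerShell does not
# parse them as numbers. All keywords, level 5 (verbose).
logman start $session -p 'Microsoft-Windows-DNS-Client' '0xFFFFFFFFFFFFFFFF' '0x5' -o $etl -ets
# A second provider can be enabled in the live session without restarting it.
# 0x10 is the WINEVENT_KEYWORD_PROCESS keyword of Microsoft-Windows-Kernel-Process.
logman update $session -p 'Microsoft-Windows-Kernel-Process' '0x10' '0x5' -ets

# --- Providers: generate the events we want to see ---------------------------
# Kernel-Process emits a ProcessStart event for the child; DNS-Client emits
# events when the resolver is asked for a name.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c ver' -WindowStyle Hidden -Wait
Resolve-DnsName -Name 'example.com' -Type A -ErrorAction SilentlyContinue | Out-Null
Start-Sleep -Seconds 2   # let the session's buffers receive the events

# --- Controller: stop the session -------------------------------------------
# Stopping flushes every buffer to the ETL file and removes the session.
logman stop $session -ets

# --- Consumer: read the trace back -----------------------------------------
# Get-WinEvent requires -Oldest when reading .etl files.
$events = Get-WinEvent -Path $etl -Oldest

"`nEvents per provider:"
$events | Group-Object ProviderName | Select-Object Count, Name | Format-Table -AutoSize

"`nProcess creations seen by Microsoft-Windows-Kernel-Process (event 1 = ProcessStart):"
$events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -eq 1 } |
    ForEach-Object { '{0:o}  {1}' -f $_.TimeCreated, $_.Message }

"`nDNS-Client events that mention the name we resolved:"
$events |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-DNS-Client' -and $_.Message -match 'example\.com' } |
    ForEach-Object { '{0:o}  PID {1}  Id {2}  {3}' -f $_.TimeCreated, $_.ProcessId, $_.Id, $_.Message }

Remove-Item $etl
```

The output of the first two logman calls is the part worth keeping from a compromised host: it shows which sessions exist, whether each one is file-backed or real-time only, and which providers feed it. That tells you which events may only survive in memory and therefore where a memory image, and a tool like ETW Scanner, is the only way to get them back.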
As Windows forensics continues to advance, ETW stands out as a powerful ally for security professionals. Its detailed record of system behavior, combined with tools like ETW Scanner that recover that record from memory, adds a new dimension to incident investigation and malware detection. By harnessing ETW, investigators can look deeper into system activity and surface threats that conventional logging would miss.