You rock! Best ETW presentation I've seen. Cuts through a lot of the hype, buzz/tech-words, sumerizes, and gets to the point of where some of the ETW .etl files are and how to properly view them et al. The PDF lead me to her talk: www.sans.org/cyber-security-summit/archives/file/summit-archive-1528388048.pdf A related great post of hers too: www.hecfblog.com/2018/06/etw-event-tracing-for-windows-and-etl.html?m=1
Thank you for this talk! I'm wondering if the BootCKCL.etl file has been deprecated. I've looked on Window 11 and a couple of Windows 10 VMs. What I am seeing in WDI\Logfiles\ is BootPerfDiagLogger.etl which mmaayyyyy be the replacement? Also there is a StartupInfo folder at this location that contains a number of XML files with the user SID _StartupInfox.xml where x is a sequential number. In any event, looks like some stuff has changed.
Unfortunately, the viewer isn't publicly available. You can download the command line tool we released. It outputs the data to a CSV file and an SQLite database. Find it here: github.com/gcpartners/ETLParser
What I don't get is why don't the companies who make Hard Drives, Operating Systems, etc make the tools and support law enforcement? They obviously know all the ins/out of the environment.
