ETW forensic tool for Volatility3 plugin

JPCERTCC/etw-scan

ETW Scanner for Volatility3

Description

This tool is a Volatility3 plugin that scans memory dumps for Event Tracing for Windows (ETW) structures. It can show detailed ETW configuration settings that cannot be inspected from user mode, and it can recover ETW events (ETL files) from the ETW structures found in memory. This gives investigators a new memory-forensics artifact.

Usage

Setup

  1. Clone the latest version of Volatility3 from GitHub:

    git clone https://github.com/volatilityfoundation/volatility3.git

    For more details on how to install Volatility3, please see here.

  2. Install the Python requirements:

    cd volatility3
    pip install -r requirements.txt

  3. Clone the ETW Scanner Volatility3 plugin from GitHub:

    git clone https://github.com/JPCERTCC/etw-scan.git

  4. Patch the Volatility3 source code:

    cd etw-scan
    cat patch/windows_init.patch >> ../volatility3/framework/symbols/windows/__init__.py
    cat patch/extensions_init.patch >> ../volatility3/framework/symbols/windows/extensions/__init__.py
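
As an added example that is not part of the etw-scan repository, the script below wraps the four setup steps and makes step 4 safe to repeat: the `cat ... >>` redirection appends the patch on every run, so running the setup twice leaves duplicate definitions inside Volatility3's `__init__.py` files. The `VOL3_DIR` and `ETWSCAN_DIR` variables and the sentinel comment are assumptions of this example, chosen to match the README layout (etw-scan cloned inside the volatility3 checkout).

```shell
#!/bin/sh
# Added example, not code from the etw-scan project: setup step 4 above uses
# `cat patch/... >> .../__init__.py`, which appends the patch again on every
# run, so a repeated setup leaves duplicate definitions in Volatility3.
# apply_patch_once() tags each applied patch with a sentinel comment and
# skips targets that already carry it. VOL3_DIR and ETWSCAN_DIR are assumed
# defaults chosen to match the README layout (etw-scan inside volatility3).
set -eu

VOL3_DIR="${VOL3_DIR:-volatility3}"
ETWSCAN_DIR="${ETWSCAN_DIR:-$VOL3_DIR/etw-scan}"

# apply_patch_once PATCH_FILE TARGET_FILE: append PATCH_FILE to TARGET_FILE
# exactly once. Prints "applied" or "skip" and returns 0 in both cases.
apply_patch_once() {
    patch_file="$1"
    target="$2"
    sentinel="# [etw-scan] applied $(basename "$patch_file")"
    if [ -f "$target" ] && grep -qF -- "$sentinel" "$target"; then
        echo "skip: $target already has $(basename "$patch_file")"
        return 0
    fi
    # Leading newline guards against a target without a final newline.
    { printf '\n%s\n' "$sentinel"; cat "$patch_file"; } >> "$target"
    echo "applied: $patch_file -> $target"
}

# count_applied PATCH_FILE TARGET_FILE: print how many sentinels for
# PATCH_FILE are in TARGET_FILE (0 = not applied, 1 = applied, >1 = duplicated).
count_applied() {
    [ -f "$2" ] || { echo 0; return 0; }
    grep -cF -- "# [etw-scan] applied $(basename "$1")" "$2" || true
}

# The README's four setup steps, with step 4 made idempotent.
setup_etw_scan() {
    [ -d "$VOL3_DIR" ] || git clone https://github.com/volatilityfoundation/volatility3.git "$VOL3_DIR"
    pip install -r "$VOL3_DIR/requirements.txt"
    [ -d "$ETWSCAN_DIR" ] || git clone https://github.com/JPCERTCC/etw-scan.git "$ETWSCAN_DIR"
    sym="$VOL3_DIR/volatility3/framework/symbols/windows"
    apply_patch_once "$ETWSCAN_DIR/patch/windows_init.patch" "$sym/__init__.py"
    apply_patch_once "$ETWSCAN_DIR/patch/extensions_init.patch" "$sym/extensions/__init__.py"
}

# The network-touching setup runs only when explicitly requested.
if [ "${ETWSCAN_RUN_SETUP:-0}" = "1" ]; then
    setup_etw_scan
fi
```

Run it with `ETWSCAN_RUN_SETUP=1 sh setup.sh` from the directory that should contain the volatility3 checkout; a second run reports `skip` for both patch files instead of appending them again.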

How To Use

Scan ETW Providers from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwProvider

Scan ETW Consumers from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer

Dump ETW Event from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer --dump

Demonstration

How to use ETW Scanner for Volatility3

Demonstration_part1

How to recover ETW events from memory images using ETW Scanner for Volatility3

Demonstration_part2

Documentation

Blog

English

Japanese

Slides