This tool is a Volatility3 plugin that scans memory dumps for Event Tracing for Windows (ETW). This tool can check detailed ETW configuration settings that cannot be checked in user mode. This plugin can recover ETW events (ETL files) from ETW structures on memory. This plugin provides a new artifact.
-
Clone the latest version of Volatility3 from GitHub:
git clone https://github.com/volatilityfoundation/volatility3.git
For more details on how to install Volatility3, please see here.
-
Install Python requirements
cd volatility3 pip install -r requirements.txt
-
Clone the ETW Scanner of Volatility plugin from GitHub:
git clone https://github.com/JPCERTCC/etw-scan.git
-
Patch to Volatility3 source code
cd etw-scan cat patch/windows_init.patch >> ../volatility3/framework/symbols/windows/__init__.py cat patch/extensions_init.patch >> ../volatility3/framework/symbols/windows/extensions/__init__.py
$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwProvider
$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer
$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer --dump
- CODE BLUE 2024