ETW Scanner for Volatility3

Description

This tool is a Volatility3 plugin that scans memory dumps for Event Tracing for Windows (ETW). This tool can check detailed ETW configuration settings that cannot be checked in user mode. This plugin can recover ETW events (ETL files) from ETW structures on memory. This plugin provides a new artifact.

Usage

Setup

1. Clone the latest version of Volatility3 from GitHub:

   git clone https://github.com/volatilityfoundation/volatility3.git

   For more details on how to install Volatility3, please see here.

2. Install Python requirements

   cd volatility3
   pip install -r requirements.txt

3. Clone the ETW Scan of Volatility plugin from GitHub:

   git clone https://github.com/JPCERTCC/etw-scan.git

4. Patch to Volatility3 source code

   cd etw-scan
   cat patch/windows_init.patch >> ../volatility3/framework/symbols/windows/__init__.py
   cat patch/extensions_init.patch >> ../volatility3/framework/symbols/windows/extensions/__init__.py

How To Use

Scan ETW Providers from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwProvider

Scan ETW Consumers from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer

Dump ETW Event from memory dump

$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer --dump

Demonstration

TBA

Documentation

Blog

English

TBA

Japanese

TBA

Slides

TBA