ETL

ETL (Event Trace Log) files store the output of instruments attached to their application, or user or kernel events during real-time. The enable the consumption of those events post- that time.

According to file.org these files "can contain information about disk access and page faults, logging high-frequency events and recording the performance of the Microsoft operating system. This information can be used to analyze and adjust voice response software applications."

Identification

After the trace log file header the names of the logger and the log file are stored as null-terminated Unicode strings. So ETL files contain near the beginning the bytes sequence .\0e\0\t\0l\0\0\0 triggered by used file name suffix .etl. ^[2]

Software

• tracerpt
• etl-parser Event Trace Log file reader in pure Python

Sample files

• https://github.com/airbus-cert/etl-parser/tree/master/tests/example/

References

• file.org: Opening ETL Files
• Microsoft: Event Tracing

1. ↑ http://extension.nirsoft.net/etl
2. ↑ https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.htm