{"id":21018088,"url":"https://github.com/jpcertcc/etw-scan","last_synced_at":"2025-05-15T06:31:33.219Z","repository":{"id":262946131,"uuid":"869527866","full_name":"JPCERTCC/etw-scan","owner":"JPCERTCC","description":"ETW forensic tool for Volatility3 plugin","archived":false,"fork":false,"pushed_at":"2024-11-15T08:33:21.000Z","size":2732,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-03T05:11:14.256Z","etag":null,"topics":["forensics","incident-response","memory","security","volatility-framework","volatility-plugins"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JPCERTCC.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-08T12:55:04.000Z","updated_at":"2024-12-15T02:05:23.000Z","dependencies_parsed_at":"2024-11-15T07:37:47.548Z","dependency_job_id":null,"html_url":"https://github.com/JPCERTCC/etw-scan","commit_stats":null,"previous_names":["jpcertcc/etw-scan"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Fetw-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Fetw-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Fetw-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JPCERTCC%2Fetw-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JPCERTCC","download_url":"https://codeload.github.com/JPCERTCC/etw-scan/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254288101,"owners_count":22045862,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics","incident-response","memory","security","volatility-framework","volatility-plugins"],"created_at":"2024-11-19T10:23:34.165Z","updated_at":"2025-05-15T06:31:30.347Z","avatar_url":"https://github.com/JPCERTCC.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ETW Scanner for Volatility3\n\n## Description\n\nThis tool is a Volatility3 plugin that scans memory dumps for Event Tracing for Windows (ETW) structures. It can check detailed ETW configuration settings that cannot be inspected from user mode, and it can recover ETW events (ETL files) from the ETW structures found in memory, providing a new forensic artifact.\n\n## Usage\n\n### Setup\n\n1. Clone the latest version of Volatility3 from GitHub:\n\n    ```shell\n    git clone https://github.com/volatilityfoundation/volatility3.git\n    ```\n\n    For more details on how to install Volatility3, [please see here](https://github.com/volatilityfoundation/volatility3/tree/develop).\n\n2. Install the Python requirements:\n\n    ```shell\n    cd volatility3\n    pip install -r requirements.txt\n    ```\n\n3. Clone the ETW Scanner Volatility plugin from GitHub:\n\n    ```shell\n    git clone https://github.com/JPCERTCC/etw-scan.git\n    ```\n\n4. Apply the patches to the Volatility3 source code:\n\n    ```shell\n    cd etw-scan\n    cat patch/windows_init.patch >> ../volatility3/framework/symbols/windows/__init__.py\n    cat patch/extensions_init.patch >> ../volatility3/framework/symbols/windows/extensions/__init__.py\n    ```\n\n### How To Use\n\n#### Scan ETW providers from a memory dump\n\n```shell\n$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwProvider\n```\n\n#### Scan ETW consumers from a memory dump\n\n```shell\n$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer\n```\n\n#### Dump ETW events from a memory dump\n\n```shell\n$ python3 vol.py -f test.mem -p etw-scan/plugins/ etwscan.etwConsumer --dump\n```\n\n## Demonstration\n\n### How to use ETW Scanner for Volatility3\n\n[![Demonstration_part1](https://img.youtube.com/vi/l4-CqWWZOxw/0.jpg)](https://www.youtube.com/watch?v=l4-CqWWZOxw)\n\n### How to recover ETW events from memory images using ETW Scanner for Volatility3\n\n[![Demonstration_part2](https://img.youtube.com/vi/IxFSBWS2wkY/0.jpg)](https://www.youtube.com/watch?v=IxFSBWS2wkY)\n\n## Documentation\n\n### Blog\n\n#### English\n\n* [https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html](https://blogs.jpcert.or.jp/en/2024/11/etw_forensics.html)\n\n#### Japanese\n\n* [https://blogs.jpcert.or.jp/ja/2024/11/etw_forensics.html](https://blogs.jpcert.or.jp/ja/2024/11/etw_forensics.html)\n\n### Slides\n\n* CODE BLUE 2024\n  - [Slides](docs/Event_Tracing_for_Windows_Internals.pdf)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fetw-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjpcertcc%2Fetw-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjpcertcc%2Fetw-scan/lists"}