Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl
ID: 6652edc2-e3dc-5ebd-84af-cbdfda908d3e
STIX ID: report--6652edc2-e3dc-5ebd-84af-cbdfda908d3e
Feed Name: Fortinet Blog
FortiGuard IR responded to a ransomware incident where the attacker used anti-forensic methods; investigators discovered that an obscure ETW-generated file (AutoLogger-Diagtrack-Listener.etl) can retain historical process-creation events and command-line data, enabling recovery of deleted binaries (e.g., a renamed GMER executable). The report describes ETW mechanics, presents extracted forensic fields of interest, documents controlled tests that could create but not populate the ETL file reliably, and recommends further research to determine the conditions under which this artifact becomes a dependable source of forensic evidence.
