Windows Event Trace Log (ETL) Forensics
Nicole Ibrahim | Digital Forensics Expert | G-C Partners, LLC
Event Tracing for Windows (ETW), introduced in Windows 2000, is a Windows subsystem typically used for performance and debugging analysis by the Windows OS and by application developers. Event Trace Logs (ETLs) are ETW trace sessions written to disk. They can be found in numerous locations on a Windows system and carry the extension '.etl'. They can contain internal and external drive information, nearby WiFi SSIDs and configuration, process and thread information, file and disk I/O, system sleep studies, identified malware, boot and shutdown information, and much more. This talk will cover what ETL files are, where you can expect to find them, how to decode them, the caveats associated with them, and some interesting artifacts and forensically relevant data that ETL files can provide.
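As an added illustration of the "where to find them" and "how to decode them" points above (example code written for this page, not material from the talk or its author), the PowerShell below enumerates a few well-known ETL locations and reads events from one file with the built-in Get-WinEvent cmdlet. The directory list is an assumption of commonly reported locations and is not exhaustive; the case paths in the usage comments are placeholders. It also shows the main decoding caveat a practitioner runs into: events are always present in the file, but their Message text only renders when the emitting provider's manifest is registered on the analysis machine.

```powershell
# Added example, not from the talk: locate common ETL files and decode one.
# Requires PowerShell on Windows. The directories below are assumed, commonly
# reported ETL locations; verify against the target system rather than trusting the list.

function Find-EtlFiles {
    param(
        [string[]]$Roots = @(
            "$env:SystemRoot\System32\WDI\LogFiles",          # diagnostic infrastructure (boot/shutdown traces)
            "$env:SystemRoot\System32\LogFiles\WMI",          # kernel / autologger sessions
            "$env:SystemRoot\Panther",                        # setup traces
            "$env:ProgramData\Microsoft\Windows\WlanReport"   # WLAN report traces
        )
    )
    foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            # Timestamps are returned in UTC so they line up with other timeline sources.
            Get-ChildItem -LiteralPath $root -Filter *.etl -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
        }
    }
}

function Read-EtlEvents {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$First = 20
    )
    # Get-WinEvent requires -Oldest when reading .etl files.
    # Work on a copy: a file still owned by a live trace session is locked
    # and may be incomplete until the session is stopped or flushed.
    $events = Get-WinEvent -Path $Path -Oldest -ErrorAction Stop | Select-Object -First $First
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            Provider     = $e.ProviderName
            ProviderGuid = $e.ProviderId
            Id           = $e.Id
            ProcessId    = $e.ProcessId
            ThreadId     = $e.ThreadId
            # Message is $null when the provider's manifest is not registered on
            # the analysis box; the raw event is still there, it just is not rendered.
            Message      = $e.Message
        }
    }
}

# Usage (paths under C:\case are placeholders for an evidence copy):
# Find-EtlFiles | Format-Table -AutoSize
# Read-EtlEvents -Path "C:\case\BootCKCL.etl" -First 10 | Format-List
# Alternative decode to XML with the built-in tracerpt tool:
# tracerpt.exe "C:\case\BootCKCL.etl" -o "C:\case\BootCKCL.xml" -of XML -y
```

When Message comes back empty for a provider, note the ProviderGuid: the event payload can still be decoded on a machine where that provider (or its manifest) is installed, or from the raw property data, so an empty Message is a rendering gap, not missing evidence.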