DFIR blog: Windows Event Log forensics & .evtx parsing
Four ways to pull .evtx off a live Windows host — wevtutil, FTK Imager, KAPE, raw NTFS — with chain-of-custody trade-offs for each and the commands you'll actually run.
4625 is the failed-logon record. Read it right and you spot password sprays, credential stuffing, and brute force before they succeed; a Kerberos spray against a domain controller surfaces as 4771 pre-authentication failures instead, so read the two side by side.
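The triage the post describes, as an added example rather than anything from the original article: 4625 records are grouped by source IP, the SubStatus field is decoded to the reason the logon failed, and each cluster is labelled by its shape (many accounts with few tries each, one account hammered, or many accounts that do not exist on the host). Field names are the real 4625 EventData names; the thresholds, the sample records, and the heuristic that treats a cluster of non-existent users as stuffing rather than a spray are my assumptions.

```python
from collections import Counter, defaultdict

# Well-known 4625 SubStatus codes (NTSTATUS): the field that says *why* the logon failed.
SUBSTATUS = {
    0xC000006A: "wrong password",
    0xC0000064: "user does not exist",
    0xC0000234: "account locked out",
    0xC0000072: "account disabled",
    0xC0000071: "password expired",
    0xC000006F: "outside permitted hours",
    0xC0000070: "workstation not allowed",
    0xC0000193: "account expired",
}


def _code(value) -> int:
    """Accept the hex-string form seen in exported XML/JSON ("0xc000006a") or an int."""
    return value if isinstance(value, int) else int(value, 16)


def triage_4625(events, spray_min_users=5, spray_max_per_user=2,
                brute_min_attempts=10, unknown_user_ratio=0.5):
    """Group 4625s by source IP and label the shape of each cluster.
    Thresholds are illustrative assumptions, tune them to your environment."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        per_user = Counter(e["TargetUserName"].lower() for e in evs)
        reasons = Counter(SUBSTATUS.get(_code(e["SubStatus"]), "other") for e in evs)
        unknown = reasons["user does not exist"] / len(evs)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            # Many accounts, few tries each. If most targets do not even exist here,
            # the list came from somewhere else: call that stuffing, not a spray.
            kind = "credential stuffing" if unknown >= unknown_user_ratio else "password spray"
            findings.append(dict(ip=ip, kind=kind, users=len(per_user),
                                 attempts=len(evs), reasons=dict(reasons)))
        for user, n in per_user.items():
            if n >= brute_min_attempts:
                findings.append(dict(ip=ip, kind="brute force", user=user,
                                     attempts=n, reasons=dict(reasons)))
    return findings


def _ev(ip, user, substatus, logon_type=3):
    # Status 0xC000006D is STATUS_LOGON_FAILURE; SubStatus carries the detail.
    return dict(EventID=4625, IpAddress=ip, TargetUserName=user,
                LogonType=logon_type, Status="0xc000006d", SubStatus=substatus)


# Constructed sample records, not real log data.
SAMPLE_EVENTS = (
    [_ev("203.0.113.7", u, "0xc000006a") for u in
     ["alice", "bob", "carol", "dave", "erin", "frank"]]            # spray: one try per account
    + [_ev("198.51.100.9", "svc_backup", "0xc000006a")] * 12        # brute force: one account
    + [_ev("203.0.113.8", u, "0xc0000064") for u in
       ["jsmith", "mjones", "admin2", "sales", "test", "guest1"]]   # accounts that don't exist here
    + [_ev("10.0.0.5", "alice", "0xc000006a", logon_type=2)] * 2    # a user mistyping at the console
)

if __name__ == "__main__":
    for finding in triage_4625(SAMPLE_EVENTS):
        print(finding)
```

The source-IP grouping only works when IpAddress is populated; interactive and service logons carry `-` or `127.0.0.1`, so for those you pivot on WorkstationName and LogonType instead.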
1102 is the one event you can't suppress without leaving more evidence. Here's what it tells you and what survives the clear.
How a .evtx file is laid out at the byte level: the 4 KB file header, the 64 KB chunks, each chunk's own string and template tables, and the BinXML record stream that references them.
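The layout that post walks through, as an added example that is not code from the original article: a parser for the ElfFile header, each ElfChnk chunk header with its two checksums and its string and template tables, and the record stream behind it. It stops short of decoding BinXML, so the record bodies come back as raw bytes. To keep it runnable offline it also builds a constructed one-chunk image whose record bodies are placeholder bytes, not real BinXML; the field offsets and CRC coverage are those of the format itself.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_HEADER_SIZE = 4096       # "ElfFile" header block
CHUNK_SIZE = 65536            # each "ElfChnk" block
CHUNK_HEADER_SIZE = 512       # chunk header including string and template tables
RECORD_MAGIC = b"**\x00\x00"  # every event record starts with this


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def filetime_to_iso(ft: int) -> str:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()


def parse_file_header(buf: bytes) -> dict:
    if buf[:8] != b"ElfFile\x00":
        raise ValueError("missing ElfFile signature")
    (first_chunk, last_chunk, next_record_id, _hdr_size,
     minor, major, _block_size, chunk_count) = struct.unpack_from("<QQQIHHHH", buf, 8)
    flags, checksum = struct.unpack_from("<II", buf, 120)
    if crc32(buf[:120]) != checksum:  # checksum covers the first 120 header bytes
        raise ValueError("file header checksum mismatch")
    return dict(first_chunk=first_chunk, last_chunk=last_chunk, flags=flags,
                next_record_id=next_record_id, version=f"{major}.{minor}",
                chunk_count=chunk_count)


def parse_chunk(chunk: bytes) -> dict:
    if chunk[:8] != b"ElfChnk\x00":
        raise ValueError("missing ElfChnk signature")
    (first_num, last_num, _first_id, _last_id, _hdr_size,
     _last_record_off, free_off, data_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
    header_crc = struct.unpack_from("<I", chunk, 124)[0]
    # The header CRC skips its own field: bytes 0..120 plus both tables at 128..512.
    if crc32(chunk[:120] + chunk[128:512]) != header_crc:
        raise ValueError("chunk header checksum mismatch")
    # The data CRC covers the record stream from the end of the header to free space.
    if crc32(chunk[512:free_off]) != data_crc:
        raise ValueError("chunk data checksum mismatch")
    string_table = struct.unpack_from("<64I", chunk, 128)    # common-string bucket heads
    template_table = struct.unpack_from("<32I", chunk, 384)  # template bucket heads
    records, off = [], CHUNK_HEADER_SIZE
    while off < free_off:
        if chunk[off:off + 4] != RECORD_MAGIC:
            raise ValueError(f"bad record signature at chunk offset {off}")
        size, record_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        trailer = struct.unpack_from("<I", chunk, off + size - 4)[0]
        if trailer != size:  # the size is repeated after the BinXML body
            raise ValueError(f"record {record_id}: size {size} != trailer {trailer}")
        records.append(dict(id=record_id, offset=off, size=size,
                            written=filetime_to_iso(written),
                            binxml=chunk[off + 24:off + size - 4]))
        off += size
    return dict(first_record=first_num, last_record=last_num,
                strings_in_use=sum(1 for s in string_table if s),
                templates_in_use=sum(1 for t in template_table if t),
                records=records)


def walk_evtx(buf: bytes) -> dict:
    header = parse_file_header(buf)
    chunks = []
    for i in range(header["chunk_count"]):
        start = FILE_HEADER_SIZE + i * CHUNK_SIZE
        chunks.append(parse_chunk(buf[start:start + CHUNK_SIZE]))
    return dict(header=header, chunks=chunks)


def build_sample_evtx(payloads) -> bytes:
    """Constructed one-chunk image for testing. Each payload stands in for a
    record's BinXML body; it is opaque placeholder bytes here, not real BinXML."""
    body, last_off = b"", CHUNK_HEADER_SIZE
    filetime = 133_000_000_000_000_000  # arbitrary FILETIME in mid-2022
    for i, payload in enumerate(payloads, start=1):
        size = 24 + len(payload) + 4
        last_off = CHUNK_HEADER_SIZE + len(body)
        body += (RECORD_MAGIC + struct.pack("<IQQ", size, i, filetime + i)
                 + payload + struct.pack("<I", size))
    free_off, n = CHUNK_HEADER_SIZE + len(body), len(payloads)
    hdr = bytearray(CHUNK_HEADER_SIZE)  # string/template tables left empty (all zero)
    hdr[:8] = b"ElfChnk\x00"
    struct.pack_into("<QQQQIIII", hdr, 8, 1, n, 1, n, 128, last_off, free_off, crc32(body))
    struct.pack_into("<I", hdr, 124, crc32(bytes(hdr[:120]) + bytes(hdr[128:512])))
    chunk = (bytes(hdr) + body).ljust(CHUNK_SIZE, b"\x00")
    fh = bytearray(FILE_HEADER_SIZE)
    fh[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQIHHHH", fh, 8, 0, 0, n + 1, 128, 1, 3, 4096, 1)
    struct.pack_into("<I", fh, 124, crc32(bytes(fh[:120])))
    return bytes(fh) + chunk


if __name__ == "__main__":
    image = build_sample_evtx([b"\x0f\x01\x01\x00" + b"A" * 20,
                               b"\x0f\x01\x01\x00" + b"B" * 40])
    result = walk_evtx(image)
    print(result["header"])
    for rec in result["chunks"][0]["records"]:
        print(rec["id"], rec["offset"], rec["size"], rec["written"])
```

The two chunk checksums are why carving matters on a damaged or tampered log: a chunk whose data CRC no longer matches is exactly the one to look at, and the template table tells you whether the records in that chunk can be rendered on their own or depend on a template the chunk also carries.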
Scriptblock logging is Windows' most useful free defensive control. It records the full script body — including obfuscated or in-memory ones — under event 4104.
Service creation is one of the loudest persistence techniques. Event 7045 captures every install — read these three fields and you'll catch most of it.
Sysmon's event 1 is the richest process-creation record Windows can produce. Here's what's in it and how to triage it fast.
What a 4624 record actually contains, why the LogonType field matters more than the event itself, and how to read them at scale.
What .evtx is, which channels matter, the Event IDs to know, and where to find each one on disk — a navigational starting point for everything else on this blog.