Skip to content

DFIR blog: Windows Event Log forensics & .evtx parsing

Detecting code injection and credential theft with Sysmon — CreateRemoteThread (8) and ProcessAccess (10), reading GrantedAccess masks against lsass.exe, and using the call trace to find unsigned modules.
How a changed system clock undermines a timeline, and how Event ID 4616 exposes it — reading PreviousTime vs NewTime, separating benign NTP sync from anti-forensic manipulation, and the process that made the change.
Reading the CodeIntegrity Operational log for application-control and driver-blocking evidence — audit blocks (3076) vs enforced blocks (3077), what they reveal about unsigned and untrusted code, and how they fit alongside AppLocker.
Reading Microsoft Defender's Operational log in DFIR — malware detections (1116/1117), real-time protection disabled (5001), and the settings changes (5007) attackers use to add exclusions and go quiet.
Reading account-lockout and password-change events in the Security log — 4740 (locked out) and its caller computer, 4767 (unlocked), 4723/4724 (password change vs admin reset), and what each pattern means for an investigation.
A token-by-token walkthrough of BinXML — the binary XML encoding inside .evtx records. Names, hashes, templates, the substitution array, nested fragments, and the edge cases that break parsers.
How attackers move host-to-host over RDP and the event-log trail it leaves — chaining RDPClient 1024 to RemoteConnectionManager 1149, spotting jump-host fan-out, restricted-admin and tunnelled RDP, and the gaps to watch for.
A practical workflow for answering 'was there a remote desktop session' from EVTX alone — which logs to pull, which event IDs to filter, how to confirm a real interactive session, and how to read the source and timing.
How to turn scattered .evtx files into one defensible timeline — which events to anchor on, normalising to UTC, correlating across hosts and logs, joining sessions by LogonId, and avoiding the common timelining mistakes.