Skip to content

DFIR blog: Windows Event Log forensics & .evtx parsing

A field-by-field reference for the Windows .evtx format — file header, ELFCHNK chunk header, event record, the full BinXML token and value-type tables, and a worked decode from raw bytes to rendered XML.
How attackers clear, truncate and timestomp Windows event logs — and the byte-level tells that survive: 1102/104 clearing events, record-ID gaps, chunk CRC mismatches, dirty chunks, and records carvable from slack and unallocated space.
Detecting privilege escalation and persistence through group membership changes in the Security log — local (4732), global (4728) and universal (4756) group additions, what the fields mean, and the create-then-add pattern.
A practical guide to reading .evtx files with PowerShell — Get-WinEvent vs Get-EventLog, the fast FilterHashtable path, XPath filters for EventData fields, FilterXml, and the limitations that trip people up.
Every Windows event a Remote Desktop session leaves behind, across four logs — 1149, LocalSessionManager 21/22/24/25, Security 4624 type 10 and 4778/4779 — and how they fit together into one timeline.
How attackers use scheduled tasks for persistence and what it leaves in the event logs — Security 4698/4699/4700/4701/4702 with the full task XML, and the Task Scheduler Operational log 106/140/141/200.
How to scan .evtx files with detection rules at scale — what Sigma is, how Chainsaw and Hayabusa apply it to event logs, when to use each, and how to fit rule-based triage into an investigation.
The Windows event IDs that matter in an investigation, grouped by attack phase — with the log they live in, a one-line meaning, and a link to the deep-dive for each. A reference for incident response and threat hunting.
How Windows logon auditing actually fits together — logon types, 4624/4625 fields and failure codes, the Kerberos 4768/4769/4771 chain, NTLM 4776, and how the events correlate across the domain controller and the target host.