
Posts tagged #dfir

Signature carving EVTX records from unallocated space, pagefile, and memory — and the tools that handle malformed chunks gracefully when the live log is missing what you need.
How real adversary tools move host-to-host in Windows estates, and the precise event ID combinations in Security.evtx that catch PsExec, Impacket, and WMIExec.
How attackers clear Windows event logs, what evidence remains on disk and in forwarded channels, and the difference between wevtutil cl and thread-suspension tools like Invoke-Phant0m.
A working tour of the EVTX binary format: file header, ELFCHNK chunks, BinXML templates, substitution arrays, and why parsing this thing is harder than it looks.
A practitioner's order of operations for triaging Windows Event Logs during incident response — which channels matter, which event IDs lie to you, and where Sysmon does the heavy lifting.
The practical difference between PowerShell module logging, script block logging, transcripts, and AMSI buffers — and the GPO settings that actually turn the useful ones on.
An opinionated take on Sysmon: which event IDs actually matter in IR, why olafhartong/sysmon-modular is the right baseline, and the configuration mistakes that blind you to real attacks.
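The two EVTX posts above (signature carving records from unallocated space, and the walk through the file and ELFCHNK chunk format) share one piece of working code: a record carver that validates what it finds instead of trusting a file header. The block below is an added example written for this index, not code from any of the posts. Record and chunk-header offsets follow the public EVTX format description (libevtx); the sample buffer is constructed in `demo_buffer()` with opaque filler where real records carry BinXML, and the chunk-header CRC at offset 124 is not verified.

```python
"""Signature-carve EVTX records from an arbitrary byte buffer (unallocated clusters,
pagefile, memory image) and validate any ElfChnk chunk headers found on the way.
Added example; the record and chunk layouts are from the public EVTX format description.

One EVTX record:
  +0     u32 magic       0x2a2a0000 ("**\x00\x00" on disk)
  +4     u32 size        whole record: header + BinXML + trailing size copy
  +8     u64 record id
  +16    u64 written     FILETIME, 100 ns ticks since 1601-01-01 UTC
  +24    ... BinXML event payload
  size-4 u32 size copy   must equal the size at +4 (cheap integrity check when carving)
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"
CHUNK_MAGIC = b"ElfChnk\x00"
CHUNK_SIZE = 0x10000              # every chunk is 64 KiB: 512-byte header, then records
CHUNK_HEADER_SIZE = 512
RECORD_HEADER_LEN = 24
MIN_RECORD_SIZE = RECORD_HEADER_LEN + 4
MAX_RECORD_SIZE = CHUNK_SIZE - CHUNK_HEADER_SIZE
FT_2024_01_01 = 133485408000000000  # 2024-01-01T00:00:00Z as a FILETIME (constructed sample value)


def filetime_to_datetime(ft):
    """Windows FILETIME -> timezone-aware UTC datetime (microsecond precision)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_record_at(buf, off):
    """Return a dict for a well-formed record at off, else None. Rejects torn records (size
    runs past the buffer) and records whose trailing size copy disagrees with the header,
    which is what a partially overwritten record in slack or pagefile looks like."""
    if buf[off:off + 4] != RECORD_MAGIC or off + RECORD_HEADER_LEN > len(buf):
        return None
    size, rec_id, ft = struct.unpack_from("<IQQ", buf, off + 4)
    if not MIN_RECORD_SIZE <= size <= MAX_RECORD_SIZE or off + size > len(buf):
        return None
    (size_copy,) = struct.unpack_from("<I", buf, off + size - 4)
    if size_copy != size:
        return None
    return {"offset": off, "size": size, "id": rec_id, "written": filetime_to_datetime(ft),
            "binxml": bytes(buf[off + RECORD_HEADER_LEN:off + size - 4])}


def carve_records(buf):
    """Scan buf for record signatures; return every record that validates, in buffer order."""
    found, pos = [], buf.find(RECORD_MAGIC)
    while pos != -1:
        rec = parse_record_at(buf, pos)
        if rec is None:                     # malformed: slide past the signature and keep going
            pos = buf.find(RECORD_MAGIC, pos + 1)
        else:
            found.append(rec)
            pos = buf.find(RECORD_MAGIC, pos + rec["size"])
    return found


def parse_chunk_header(buf, off):
    """Validate an ElfChnk header at off; return (first_record_number, last_record_number,
    free_space_offset) or None. The record-area CRC32 at +52 covers chunk bytes
    512..free_space_offset, so a chunk whose records were partly overwritten fails here
    even when its header survived intact."""
    if buf[off:off + 8] != CHUNK_MAGIC:
        return None
    first_num, last_num, _first_id, _last_id, hdr_size, _last_rec_off, free_off, rec_crc = \
        struct.unpack_from("<QQQQIIII", buf, off + 8)
    if hdr_size != 128 or not CHUNK_HEADER_SIZE <= free_off <= CHUNK_SIZE or off + free_off > len(buf):
        return None
    if zlib.crc32(buf[off + CHUNK_HEADER_SIZE:off + free_off]) & 0xFFFFFFFF != rec_crc:
        return None
    return first_num, last_num, free_off


def find_chunks(buf):
    out, pos = [], buf.find(CHUNK_MAGIC)
    while pos != -1:
        hdr = parse_chunk_header(buf, pos)
        if hdr:
            out.append(hdr)
        pos = buf.find(CHUNK_MAGIC, pos + 1)
    return out


def build_record(rec_id, ft, payload):
    """Constructed record for the demo (real payloads are BinXML; here the bytes are filler)."""
    size = RECORD_HEADER_LEN + len(payload) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)


def build_chunk(records, first_num):
    """Constructed 64 KiB chunk with a correct record-area CRC32; header CRC at +124 left zero."""
    body = b"".join(records)
    free_off = CHUNK_HEADER_SIZE + len(body)
    last_num = first_num + len(records) - 1
    hdr = CHUNK_MAGIC + struct.pack("<QQQQIIII", first_num, last_num, first_num, last_num,
                                    128, free_off - len(records[-1]), free_off,
                                    zlib.crc32(body) & 0xFFFFFFFF)
    return (hdr.ljust(CHUNK_HEADER_SIZE, b"\x00") + body).ljust(CHUNK_SIZE, b"\x00")


def demo_buffer():
    """Constructed sample: slack bytes, a good loose record, a torn copy of it, a record whose
    size copy was clobbered, then an intact chunk holding two more records."""
    r1 = build_record(1001, FT_2024_01_01, b"\x0f\x01\x01\x00" + b"A" * 40)
    clobbered = build_record(1003, FT_2024_01_01, b"C" * 8)[:-4] + b"\xff\xff\xff\xff"
    r2 = build_record(2001, FT_2024_01_01 + 10_000_000, b"\x0f\x01\x01\x00" + b"B" * 20)
    r3 = build_record(2002, FT_2024_01_01 + 20_000_000, b"\x0f\x01\x01\x00" + b"D" * 12)
    return b"\x00" * 17 + r1 + b"junk" + r1[:30] + clobbered + build_chunk([r2, r3], 2001)


if __name__ == "__main__":
    buf = demo_buffer()
    for r in carve_records(buf):
        print(r["id"], r["written"].isoformat(), len(r["binxml"]), "bytes of BinXML at", r["offset"])
    print("chunks (first, last, free_space_offset):", find_chunks(buf))
```

Run against a real image, `carve_records()` is the fallback when the live Security.evtx has been cleared: it needs no file header and survives the torn and overwritten records that a strict parser aborts on. `find_chunks()` is the stronger signal when it hits, since a chunk whose record-area CRC verifies gives you the record-number range as well as the records themselves. The BinXML payload is returned raw; decoding it needs the template and string tables from the owning chunk, which is exactly why loose-record carving yields timestamps and record IDs far more reliably than full event text.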