Sitemap
All pages on the site.
Home
DFIR blog: Windows Event Log forensics & .evtx parsing
- Event ID 4663 explained: file & registry access auditing with SACLs
- Event ID 4672 explained: detecting privileged logons in Windows
- Event ID 4688 explained: Windows process creation auditing for DFIR
- Event ID 4720 explained: detecting rogue account creation in AD
- Event ID 4768 explained: Kerberos TGT requests & AS-REP roasting
- Event ID 4769 explained: Kerberos service tickets & kerberoasting
- Event ID 7036 explained: service state changes for DFIR triage
- How to open an .evtx file (5 methods, no install required)
- What is an .evtx file? Windows Event Log format explained
- How to collect .evtx logs from a live Windows system (4 methods)
- Event ID 4625 explained: detecting brute force, sprays & enumeration
- Event ID 1102 explained: Security audit log cleared (and what survives)
- EVTX file format explained: chunks, templates & BinXML internals
- PowerShell Event ID 4104 explained: scriptblock logging for DFIR
- Event ID 7045 explained: service installation as a persistence signal
- Sysmon Event ID 1 explained: process creation for DFIR triage
- Event ID 4624 explained: Windows successful logon & LogonType reference
- Start here: a DFIR analyst's guide to .evtx