Windows Event Log Analysis Β· EVTX Forensics

Windows Event Log Forensics: EVTX Analysis and Expert Testimony

Independent forensic analysis of Windows Security, System, Application, PowerShell, and RDP event logs (EVTX). We reconstruct logons, privilege use, account modifications, service failures, PowerShell execution, and detect evidence of log clearing or tampering.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Windows Event Log Forensics is the structured examination of Windows EVTX log files stored under C:\Windows\System32\winevt\Logs\. The core channels analyzed are Security.evtx (authentication, privilege, object access, account management), System.evtx (services, drivers, shutdowns, time changes), Application.evtx, Microsoft-Windows-PowerShell/Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx, and Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx. Each event is bound to a Record Number, a hashed EVTX chunk, a monotonic timestamp, and a Security Identifier (SID), producing a tamper-evident record chain admissible under FRE 702 and 901.

Core EVTX channels we examine

Windows Vista and later store logs in the binary XML EVTX format. Each channel is a separate file, each event carries a fixed schema with an EventID, Provider, Level, Channel, Computer, and per-event XML payload (EventData). We parse the raw EVTX using tools that respect the on-disk chunk structure so that timestamps, ordering, and record integrity are preserved.

  • Security.evtx β€” logons, logoffs, privileges, account management, policy changes, object access (when auditing enabled).
  • System.evtx β€” service state, driver loads, unexpected shutdowns, time-service adjustments (event 4616 / Kernel-General 1).
  • Application.evtx β€” application crashes (1000/1001), MSI installs, Defender detections in older builds.
  • Microsoft-Windows-PowerShell/Operational β€” 4103/4104 (script block logging), 4105/4106 (invocation) when ScriptBlockLogging is enabled.
  • PowerShellCore/Operational and Windows PowerShell classic channel (400/403/600/800).
  • TerminalServices-LocalSessionManager β€” session connect (21), reconnect (25), disconnect (24), logoff (23).
  • TerminalServices-RemoteConnectionManager β€” remote authentication (1149) with source IP.
  • Microsoft-Windows-Sysmon/Operational β€” process creation (1), network connection (3), file create (11), registry (12/13/14) when Sysmon deployed.

Event IDs that drive most matters

Event IDChannelMeaning
4624SecuritySuccessful logon (LogonType field indicates interactive, network, RDP, service)
4625SecurityFailed logon with Sub Status code (0xC000006A wrong password, 0xC0000064 unknown user)
4634 / 4647SecurityLogoff and user-initiated logoff
4648SecurityLogon using explicit credentials (RunAs, mapped drive with alternate creds)
4672SecuritySpecial privileges assigned to new logon (admin-equivalent)
4720 / 4722 / 4724 / 4726SecurityUser account created, enabled, password reset by admin, deleted
4732 / 4733 / 4756SecurityMember added to local or universal security group
4740SecurityUser account locked out
4776SecurityNTLM authentication attempt at the domain controller
4778 / 4779SecuritySession reconnected / disconnected (RDP / Fast User Switching)
1102SecurityThe audit log was cleared (attacker anti-forensics indicator)
104SystemEvent log file was cleared
1149TerminalServices-RemoteConnectionManagerUser authentication succeeded with source IP
21 / 24 / 25TerminalServices-LocalSessionManagerRDP session logon / disconnect / reconnect
7045 / 7040SystemService installed / service start type changed (common persistence)
4104PowerShell/OperationalFull script block logged (attack tool detection)

Logon types decoded (Security 4624 / 4625)

The LogonType value on a 4624/4625 event is often the single most decisive field in a Windows matter, because it determines whether the person was physically at the keyboard, connecting over the network, or arriving via Remote Desktop.

LogonTypeNameInterpretation
2InteractivePhysical console keyboard/mouse or KVM
3NetworkSMB, file share, RPC, remote WMI
4BatchScheduled task running as the user
5ServiceWindows service starting under the identity
7UnlockWorkstation unlocked from screen saver / lock screen
8NetworkCleartextPassword sent in cleartext (IIS Basic, legacy)
9NewCredentialsRunAs /netonly β€” alternate creds for network resources only
10RemoteInteractiveRemote Desktop (RDP) session
11CachedInteractiveCached domain credentials (laptop offline / DC unreachable)

Detecting cleared or tampered event logs

Sophisticated actors clear logs to hide activity. Windows itself records the clearing action in a way that is difficult to suppress:

  • Security 1102 β€” “The audit log was cleared” with the SID and account of the clearer.
  • System 104 β€” arbitrary log file cleared.
  • EVTX chunk gaps, non-sequential Record Numbers, and mismatched chunk hashes indicate targeted deletion or modification.
  • Backing artifacts survive: Prefetch of wevtutil.exe, PowerShell Clear-EventLog in 4104 blocks, and NTFS $UsnJrnl entries showing EVTX file replacement.
  • Where Volume Shadow Copies exist, we recover the pre-cleared EVTX from an earlier restore point and compare hashes.

Common EVTX challenges and defenses

  • Clock drift. Cross-reference with 4616 (system time changed) and W32Time entries in System.evtx.
  • Time zone. EVTX timestamps are UTC. Reports state UTC and the applicable local zone.
  • Log rollover. Default channel size is small (20 MB Security by default); we recover overwritten records from the pagefile, memory image, or Shadow Copies.
  • Domain vs local. Domain-joined machines split authentication: 4624 appears on the workstation, 4776/4768/4769 appear on the domain controller. We correlate across both.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you prove who was logged in at a specific time?

Yes, in most cases. Security 4624 with LogonType and the associated 4634/4647 logoff bounds the session. We correlate with Prefetch, UserAssist, and RDPCache where relevant to strengthen attribution.

What if the event logs were cleared?

Clearing is itself an event (1102/104). We also recover EVTX fragments from unallocated space, pagefile, Volume Shadow Copies, memory images, and backing artifacts like $UsnJrnl to reconstruct activity independent of the primary log.

Are PowerShell logs available if ScriptBlockLogging wasn’t enabled?

Partial. Classic Windows PowerShell 400/600/800 events still fire. Amcache, Prefetch, and Sysmon (if installed) can also reveal execution. We document scope limits candidly.

How far back do Windows event logs go?

It depends on channel size and activity volume. Security.evtx on a busy machine may roll every few days; System.evtx on a quiet endpoint can span many months. We report actual coverage per channel.

Ready to move on your windows event log matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: Audit Logon Events. learn.microsoft.com
  2. Microsoft: Windows Event Log. learn.microsoft.com
  3. Microsoft: Event 4624 documentation. learn.microsoft.com
  4. SANS Poster: Hunt Evil (Windows Event Logs). www.sans.org

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#EventLogForensics #EVTX #WindowsForensics #IncidentResponse #DFIR #EliteDigitalForensics #ExpertWitness

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder