- Nationwide Digital Forensic & Cyber Services
- BOOK A FREE CONSULTATION TODAY!
Independent forensic analysis of Windows Security, System, Application, PowerShell, and RDP event logs (EVTX). We reconstruct logons, privilege use, account modifications, service failures, PowerShell execution, and detect evidence of log clearing or tampering.
Quick Answer. Windows Event Log Forensics is the structured examination of Windows EVTX log files stored under C:\Windows\System32\winevt\Logs\. The core channels analyzed are Security.evtx (authentication, privilege, object access, account management), System.evtx (services, drivers, shutdowns, time changes), Application.evtx, Microsoft-Windows-PowerShell/Operational.evtx, Microsoft-Windows-TerminalServices-LocalSessionManager/Operational.evtx, and Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.evtx. Each event is bound to a Record Number, a hashed EVTX chunk, a monotonic timestamp, and a Security Identifier (SID), producing a tamper-evident record chain admissible under FRE 702 and 901.
Windows Vista and later store logs in the binary XML EVTX format. Each channel is a separate file, each event carries a fixed schema with an EventID, Provider, Level, Channel, Computer, and per-event XML payload (EventData). We parse the raw EVTX using tools that respect the on-disk chunk structure so that timestamps, ordering, and record integrity are preserved.
| Event ID | Channel | Meaning |
|---|---|---|
| 4624 | Security | Successful logon (LogonType field indicates interactive, network, RDP, service) |
| 4625 | Security | Failed logon with Sub Status code (0xC000006A wrong password, 0xC0000064 unknown user) |
| 4634 / 4647 | Security | Logoff and user-initiated logoff |
| 4648 | Security | Logon using explicit credentials (RunAs, mapped drive with alternate creds) |
| 4672 | Security | Special privileges assigned to new logon (admin-equivalent) |
| 4720 / 4722 / 4724 / 4726 | Security | User account created, enabled, password reset by admin, deleted |
| 4732 / 4733 / 4756 | Security | Member added to local or universal security group |
| 4740 | Security | User account locked out |
| 4776 | Security | NTLM authentication attempt at the domain controller |
| 4778 / 4779 | Security | Session reconnected / disconnected (RDP / Fast User Switching) |
| 1102 | Security | The audit log was cleared (attacker anti-forensics indicator) |
| 104 | System | Event log file was cleared |
| 1149 | TerminalServices-RemoteConnectionManager | User authentication succeeded with source IP |
| 21 / 24 / 25 | TerminalServices-LocalSessionManager | RDP session logon / disconnect / reconnect |
| 7045 / 7040 | System | Service installed / service start type changed (common persistence) |
| 4104 | PowerShell/Operational | Full script block logged (attack tool detection) |
The LogonType value on a 4624/4625 event is often the single most decisive field in a Windows matter, because it determines whether the person was physically at the keyboard, connecting over the network, or arriving via Remote Desktop.
| LogonType | Name | Interpretation |
|---|---|---|
| 2 | Interactive | Physical console keyboard/mouse or KVM |
| 3 | Network | SMB, file share, RPC, remote WMI |
| 4 | Batch | Scheduled task running as the user |
| 5 | Service | Windows service starting under the identity |
| 7 | Unlock | Workstation unlocked from screen saver / lock screen |
| 8 | NetworkCleartext | Password sent in cleartext (IIS Basic, legacy) |
| 9 | NewCredentials | RunAs /netonly β alternate creds for network resources only |
| 10 | RemoteInteractive | Remote Desktop (RDP) session |
| 11 | CachedInteractive | Cached domain credentials (laptop offline / DC unreachable) |
Sophisticated actors clear logs to hide activity. Windows itself records the clearing action in a way that is difficult to suppress:
wevtutil.exe, PowerShell Clear-EventLog in 4104 blocks, and NTFS $UsnJrnl entries showing EVTX file replacement.Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.
Yes, in most cases. Security 4624 with LogonType and the associated 4634/4647 logoff bounds the session. We correlate with Prefetch, UserAssist, and RDPCache where relevant to strengthen attribution.
Clearing is itself an event (1102/104). We also recover EVTX fragments from unallocated space, pagefile, Volume Shadow Copies, memory images, and backing artifacts like $UsnJrnl to reconstruct activity independent of the primary log.
Partial. Classic Windows PowerShell 400/600/800 events still fire. Amcache, Prefetch, and Sysmon (if installed) can also reveal execution. We document scope limits candidly.
It depends on channel size and activity volume. Security.evtx on a busy machine may roll every few days; System.evtx on a quiet endpoint can span many months. We report actual coverage per channel.
Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.
Request Confidential Consultation Call (833) 292-3733This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.
Elite Digital Forensics Assistant