Windows Event Logs
Windows Event Logs are the primary diary of everything that happens on a Windows machine. From user authentication and service starts to application crashes and security policy changes, the event logging subsystem captures it all across hundreds of dedicated EVTX channel files. For an incident responder, mastering event logs is non-negotiable. They are the primary source for establishing who did what and when.
Think of a building with a security guard at the front desk who writes down every person who enters, when they badge in and where they go. Windows Event Logs are that security guard's ledger. Every time you log in, open a program or change a setting, Windows writes an entry into its ledger with the exact time and details. If an attacker breaks in, their footsteps should appear in this ledger.
General
The Windows Event Log service manages hundreds of binary EVTX channel files stored under C:\Windows\System32\winevt\Logs\. Each file follows the EVTX binary format, which uses a chunked structure for efficient storage and indexing. The three most critical channels are Security.evtx, System.evtx and Application.evtx. Modern Windows systems extend this significantly with operational logs for PowerShell, Task Scheduler, WMI and driver activity. Each event record contains a unique Event ID that maps to a documented system action, along with a UTC timestamp, the generating process and rich XML-formatted event-specific data.
Traces
When we parse event logs during an investigation, we work with structured XML fields and focus on specific key Event IDs. The most critical data points include:
- Event ID: The specific numeric code identifying the exact system action that occurred.
- TimeCreated: The UTC timestamp of when the event was generated on the system.
- Account Name / SID: The user account or service account associated with the event.
- Logon Type: Distinguishes interactive, network, batch and service logon events.
- Source Machine / IP: The originating host for remote authentication and network events.
- and more.
Forensic Use Cases
We rely on event logs to reconstruct attacker activity from initial access through lateral movement:
- Authentication Analysis: Tracking successful and failed logons using Event IDs 4624 and 4625 to map brute-force attempts or Pass-the-Hash attacks.
- Log Clearance Detection: Identifying Event ID 1102, which fires when an attacker clears the Security log to hide their tracks.
- Lateral Movement: Correlating remote logon events across multiple hosts that show an attacker pivoting through the network using stolen credentials.
- Privilege Escalation: Tracking Event ID 4672, which records when special privileges are assigned to a new logon session.
- and more.
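The following is an added example, not code from the original page: it parses Security events rendered in the standard Windows event XML schema (the shape exported by wevtutil or Get-WinEvent's ToXml()), pulls out the fields listed under Traces, and applies the Forensic Use Cases above as simple triage rules. The records are constructed sample data, and the failed-logon threshold of 3 is an assumption chosen for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the Windows event XML schema (wevtutil / Get-WinEvent ToXml() output).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Pull the key fields the page lists out of one <Event> XML record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    rec = {"EventID": int(sysnode.find("e:EventID", NS).text),
           "TimeCreated": sysnode.find("e:TimeCreated", NS).get("SystemTime")}
    # Most Security events carry named <Data> elements under <EventData>.
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text
    # 1102 (log cleared) uses <UserData><LogFileCleared> with child elements instead.
    for d in root.findall("e:UserData/*/*", NS):
        rec[d.tag.split("}")[-1]] = d.text
    return rec

def triage(records, fail_threshold=3):
    """Apply the page's use cases; returns a list of (rule, detail) findings."""
    findings = []
    failed = Counter(r.get("IpAddress") for r in records if r["EventID"] == 4625)
    for ip, n in failed.items():
        if n >= fail_threshold:
            findings.append(("brute_force", f"{n} failed logons from {ip}"))
    for r in records:
        if r["EventID"] == 1102:
            findings.append(("log_cleared", f"{r.get('SubjectUserName')} at {r['TimeCreated']}"))
        elif r["EventID"] == 4672:
            findings.append(("special_privileges", f"{r.get('SubjectUserName')} at {r['TimeCreated']}"))
    return findings

def _ev(eid, ts, user_data=False, **fields):
    """Build a constructed sample record in the schema's shape (not a real log)."""
    if user_data:
        body = "<UserData><LogFileCleared>" + "".join(f"<{k}>{v}</{k}>" for k, v in fields.items()) + "</LogFileCleared></UserData>"
    else:
        body = "<EventData>" + "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items()) + "</EventData>"
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>{body}</Event>')

SAMPLE = [  # constructed: three guesses from 10.0.0.5, a privileged logon, then a log clear
    _ev(4625, "2024-01-10T08:00:01Z", TargetUserName="admin", LogonType="3", IpAddress="10.0.0.5"),
    _ev(4625, "2024-01-10T08:00:02Z", TargetUserName="admin", LogonType="3", IpAddress="10.0.0.5"),
    _ev(4625, "2024-01-10T08:00:03Z", TargetUserName="admin", LogonType="3", IpAddress="10.0.0.5"),
    _ev(4672, "2024-01-10T08:00:09Z", SubjectUserName="admin"),
    _ev(1102, "2024-01-10T08:05:00Z", user_data=True, SubjectUserName="admin"),
]
```

Running triage([parse_event(x) for x in SAMPLE]) yields one brute-force finding, one special-privileges finding and one log-cleared finding, in that order.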