Event Log EVT Files

Overview

Evidence: Event Log EVT Files
Description: Dump evt event log files
Category: EventLogs
Platform: windows
Short Name: evt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Windows event log files (EVTX/EVT) store channel data on disk. This data is essential for offline analysis and evidence preservation.

Data Collected

This collector gathers structured data about event log evt files.

Collection Method

This collector enumerates standard event log directories (EVTX in winevt\Logs, legacy EVT in System32\config), copies files, and records metadata and hashes.
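The following PowerShell script is an added illustration of the steps just described; it is not the collector's own code. It enumerates the two standard locations, copies each log file into an assumed output folder, hashes the copy (the live file is still being written, so the preserved copy is the integrity reference), and writes a CSV manifest of metadata, hashes and any copy errors. The output path and manifest layout are assumptions.

```powershell
# Added example (not the collector's own code): collect EVTX/EVT files with a manifest.
param(
    [string]$OutDir = 'C:\evidence\eventlogs'   # assumed output location
)

$sources = @(
    (Join-Path $env:SystemRoot 'System32\winevt\Logs'),  # modern .evtx channel files
    (Join-Path $env:SystemRoot 'System32\config')        # legacy .evt files (pre-Vista layout)
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$manifest = @()

foreach ($dir in $sources) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.evtx', '.evt' } |
        ForEach-Object {
            $file = $_
            $dest = Join-Path $OutDir $file.Name
            $record = [ordered]@{
                SourcePath   = $file.FullName
                SizeBytes    = $file.Length
                LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
                CopiedTo     = $null
                Sha256       = $null
                Error        = $null
            }
            try {
                # Channel files are held open by the Event Log service; the copy
                # usually succeeds, but any failure is recorded rather than ignored.
                Copy-Item -Path $file.FullName -Destination $dest -ErrorAction Stop
                $record.CopiedTo = $dest
                # Hash the preserved copy, since the source may change after the copy.
                $record.Sha256 = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
            } catch {
                $record.Error = $_.Exception.Message
            }
            $manifest += [pscustomobject]$record
        }
}

$manifestPath = Join-Path $OutDir 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation
# Record the manifest's own hash so the chain of custody covers the metadata too.
(Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash |
    Set-Content -Path (Join-Path $OutDir 'manifest.sha256')
```

Run from an elevated prompt, since the Security channel file is not readable by standard users.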

Forensic Value

This evidence lets investigators preserve the original log files and verify their integrity with hashes, which is essential for forensic investigations.
