Event Log EVT Records

Overview

Evidence: Event Log EVT Records
Description: Collect legacy Event Log EVT Records
Category: System
Platform: Windows
Short Name: evtrecords
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

Legacy EVT logs are the binary event log format used by Windows NT through Windows XP and Windows Server 2003; Windows Vista replaced them with the XML-based EVTX format. The Event Log service wrote them as circular files, by default under %SystemRoot%\System32\config\ (AppEvent.Evt, SecEvent.Evt and SysEvent.Evt). Each file starts with a fixed 48-byte header carrying the "LfLe" signature, and every record (an EVENTLOGRECORD) repeats that signature together with its record number, generated and written timestamps (32-bit Unix time, UTC), Event ID, event type, source and computer name, an optional user SID, and the insertion strings that a viewer combines with the source's message file to produce the human-readable description.

Data Collected

This collector gathers structured data about EVT records and their sources.

EVT Records Data

| Field | Description | Example |
| --- | --- | --- |
| ID | Primary key (auto-increment) | 1 |
| Source | Event source | Security |
| EventID | Event ID | 528 |
| Description | Event description | Successful Logon |
| FilePath | EVT file path | C:\Windows\System32\config\AppEvent.evt |

Collection Method

This collector parses the necessary data from the event_logs table and collects the .evt files themselves from the common legacy locations. By default these are %SystemRoot%\System32\config\AppEvent.Evt, SecEvent.Evt and SysEvent.Evt; a log can be redirected elsewhere through the File value under HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>, so check that key when a file is missing from the default path.

Usage

Correlate with other forensic artifacts when investigating older Windows systems, for example Security log logon events (528 successful logon, 529 failed logon with bad user name or password, 540 successful network logon) against registry, prefetch and file-system timestamps. Because EVT logs are circular, the absence of an event only shows that it is not in the retained window, not that it never happened.

Notes

Legacy formats may be incomplete or corrupted; validate against multiple sources. In particular: EVT logs are circular, so the oldest records are overwritten once the file reaches its configured maximum size; a log that was still open when the system was imaged often has a header whose offsets and dirty flag do not match the records on disk, so recover records by their "LfLe" signature rather than trusting the header alone; and the Description column depends on the message DLLs of the originating system, so it may stay unresolved when the log is parsed on another machine.
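The record layout described in Background and the "recover by signature" advice in these notes, as an added example (this is not the collector's own code). It carves EVENTLOGRECORD entries from a .evt buffer by scanning for the "LfLe" signature and checking each candidate's length fields, so it still returns records from a wrapped or truncated log where the header offsets are unreliable. The sample file produced by build_sample_evt() is constructed test data; the user names, computer name and insertion strings in it are made up.

```python
"""Carve EVENTLOGRECORD entries from a legacy .evt file by signature.

Added example, not part of the evidence collector. build_sample_evt() builds a
constructed SecEvent.evt-style buffer (header, three records written in
wrapped physical order, EOF record) so the parser can run offline.
"""
import struct
from datetime import datetime, timezone

SIGNATURE = 0x654C664C                  # "LfLe" little-endian; in the file header and every record
RECORD_HDR = struct.Struct("<6I4H6I")   # fixed 56-byte part of EVENTLOGRECORD
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}


def _utf16z(buf, off):
    """Decode a NUL-terminated UTF-16LE string at off; return (text, offset after terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(buf, start):
    """Parse the record at start, or return None if it fails structural checks."""
    if start < 0 or start + RECORD_HDR.size > len(buf):
        return None
    (length, sig, rec_no, t_gen, t_wri, event_id, ev_type, n_str, category, _flags,
     _closing, str_off, sid_len, _sid_off, _data_len, _data_off) = RECORD_HDR.unpack_from(buf, start)
    # Checks a practitioner wants before trusting a carved hit: signature, plausible
    # size inside the buffer, and the trailing copy of Length every intact record ends with.
    if sig != SIGNATURE or length < RECORD_HDR.size or start + length > len(buf):
        return None
    if struct.unpack_from("<I", buf, start + length - 4)[0] != length:
        return None
    rec = buf[start:start + length]
    source, nxt = _utf16z(rec, RECORD_HDR.size)   # SourceName, then ComputerName
    computer, _ = _utf16z(rec, nxt)
    strings, pos = [], str_off
    for _ in range(n_str):
        if pos >= length:
            break
        s, pos = _utf16z(rec, pos)
        strings.append(s)
    return {
        "record_number": rec_no,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),
        "time_written": datetime.fromtimestamp(t_wri, tz=timezone.utc),
        "event_id": event_id & 0xFFFF,   # low 16 bits are the Event ID shown by Event Viewer
        "event_type": EVENT_TYPES.get(ev_type, f"Unknown({ev_type})"),
        "category": category,
        "source": source,
        "computer": computer,
        "strings": strings,              # insertion strings only; the description needs the message DLL
        "has_sid": sid_len > 0,
    }


def carve_records(buf):
    """Return every structurally valid record, ordered by record number (undoes log wrap)."""
    out, pos = [], 0
    while True:
        pos = buf.find(b"LfLe", pos)
        if pos < 0:
            break
        rec = parse_record(buf, pos - 4)  # the signature sits 4 bytes into the record
        if rec:
            out.append(rec)
        pos += 4
    return sorted(out, key=lambda r: r["record_number"])


def build_record(rec_no, ts, event_id, ev_type, source, computer, strings):
    """Serialize one EVENTLOGRECORD; used only to build the constructed sample."""
    names = source.encode("utf-16-le") + b"\0\0" + computer.encode("utf-16-le") + b"\0\0"
    names += b"\0" * (-len(names) % 4)       # SID area is 4-byte aligned
    blob = b"".join(s.encode("utf-16-le") + b"\0\0" for s in strings)
    blob += b"\0" * (-len(blob) % 4)
    str_off = RECORD_HDR.size + len(names)
    length = str_off + len(blob) + 4          # + trailing Length
    hdr = RECORD_HDR.pack(length, SIGNATURE, rec_no, ts, ts, event_id, ev_type, len(strings),
                          0, 0, 0, str_off, 0, str_off, 0, str_off + len(blob))
    return hdr + names + blob + struct.pack("<I", length)


def build_sample_evt():
    """Constructed sample: records stored in wrapped physical order 2, 3, 1."""
    ts = 1136073600  # 2006-01-01 00:00:00 UTC
    r1 = build_record(1, ts, 528, 8, "Security", "WKS-01", ["jdoe", "WORKGROUP", "(0x0,0x3E7)", "2"])
    r2 = build_record(2, ts + 60, 529, 16, "Security", "WKS-01", ["guest", "WORKGROUP", "2"])
    r3 = build_record(3, ts + 120, 6005, 4, "eventlog", "WKS-01", [])
    body = r2 + r3 + r1
    hdr_size = 48
    file_hdr = struct.pack("<12I", hdr_size, SIGNATURE, 1, 1, hdr_size, hdr_size + len(body),
                           4, 1, 0x80000, 0, 0, hdr_size)
    eof = struct.pack("<10I", 40, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      hdr_size, hdr_size + len(body), 4, 1, 40)
    return file_hdr + body + eof


if __name__ == "__main__":
    for r in carve_records(build_sample_evt()):
        print(r["record_number"], r["time_generated"], r["source"], r["event_id"], r["event_type"], r["strings"])
```

Running the carver over a buffer with the last 60 bytes cut off (losing the EOF record and the tail of the physically last record) still returns the two intact records, which is the behaviour you want from a tool used on images of logs that were open at acquisition time.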
