Evidence: Event Log EVTX Files
Description: Dump evtx event log files
Category: EventLogs
Platform: windows
Short Name: evtx
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows writes each event log channel to an EVTX file under %SystemRoot%\System32\winevt\Logs; pre-Vista systems used the binary EVT format under %SystemRoot%\System32\config. Copying the files themselves, rather than querying the live log, preserves the original records for offline parsing and evidence preservation. Two caveats apply: a file that is still open by the Event Log service carries a "dirty" flag in its header and may not contain the most recent, unflushed records, and an administrator can clear a channel entirely (the clearing itself is recorded as event 1102 in Security and 104 in System), so absence of history in a copied file is itself a finding.
Data Collected
For each EVTX/EVT file found, this collector records file metadata (such as path, size and timestamps) together with a content hash, and copies the file itself.
Collection Method
This collector enumerates the standard event log directories (EVTX files under System32\winevt\Logs, legacy EVT files under System32\config), copies each file, and records its metadata and hash.
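The procedure above, written out as an added example (this is not the collector's own code): it walks the two standard directories, copies every .evtx/.evt file into an evidence folder, hashes the original and the copy with SHA-256 so the copy can be verified, and reads the 128-byte EVTX file header to confirm the "ElfFile" signature and note the dirty flag. The default directory list and the record layout are assumptions for illustration; the sample files built by demo() are constructed here so the code runs offline on any platform.

```python
"""Added example: enumerate, copy and hash Windows event log files."""
import hashlib
import json
import shutil
import struct
import tempfile
import zlib
from pathlib import Path

EVTX_SIGNATURE = b"ElfFile\x00"
EVTX_HEADER_LEN = 128
EVTX_FLAG_DIRTY = 0x0001   # set while the Event Log service has the file open
EVTX_FLAG_FULL = 0x0002

# Assumed defaults; a collector would normally derive these from %SystemRoot%.
DEFAULT_LOG_DIRS = [
    r"C:\Windows\System32\winevt\Logs",   # EVTX channels
    r"C:\Windows\System32\config",        # legacy .evt files (hives have no suffix)
]


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_evtx_header(data):
    """Decode the EVTX file header; return None if the signature is missing."""
    if len(data) < EVTX_HEADER_LEN or data[:8] != EVTX_SIGNATURE:
        return None
    first_chunk, last_chunk, next_record, header_size = struct.unpack_from("<QQQI", data, 8)
    minor, major, block_size, chunk_count = struct.unpack_from("<HHHH", data, 36)
    flags, checksum = struct.unpack_from("<II", data, 120)
    return {
        "version": f"{major}.{minor}",
        "chunk_count": chunk_count,
        "next_record_id": next_record,
        "dirty": bool(flags & EVTX_FLAG_DIRTY),
        "full": bool(flags & EVTX_FLAG_FULL),
        # header checksum is CRC32 over the first 120 bytes
        "header_crc_ok": (zlib.crc32(data[:120]) & 0xFFFFFFFF) == checksum,
    }


def collect_event_logs(dest_dir, log_dirs=DEFAULT_LOG_DIRS):
    """Copy every .evtx/.evt under log_dirs into dest_dir; return one record per file."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    records = []
    for log_dir in log_dirs:
        base = Path(log_dir)
        if not base.is_dir():
            continue
        for src in sorted(base.iterdir()):
            if not src.is_file() or src.suffix.lower() not in (".evtx", ".evt"):
                continue
            st = src.stat()
            with open(src, "rb") as f:
                header = parse_evtx_header(f.read(EVTX_HEADER_LEN))
            src_hash = sha256_file(src)
            copy_path = dest / src.name
            shutil.copy2(src, copy_path)          # keeps the original timestamps
            records.append({
                "source": str(src), "copy": str(copy_path),
                "size": st.st_size, "mtime": st.st_mtime,
                "sha256": src_hash,
                "copy_verified": sha256_file(copy_path) == src_hash,
                "evtx_header": header,            # None for EVT or damaged files
            })
    return records


def make_sample_evtx(path, dirty=False):
    """Write a constructed EVTX header (plus padding) for offline demonstration."""
    hdr = bytearray(EVTX_HEADER_LEN)
    hdr[:8] = EVTX_SIGNATURE
    struct.pack_into("<QQQI", hdr, 8, 0, 0, 1, EVTX_HEADER_LEN)
    struct.pack_into("<HHHH", hdr, 36, 1, 3, 4096, 1)
    struct.pack_into("<I", hdr, 120, EVTX_FLAG_DIRTY if dirty else 0)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])) & 0xFFFFFFFF)
    Path(path).write_bytes(bytes(hdr) + b"\x00" * (4096 - EVTX_HEADER_LEN))


def demo():
    """Build a constructed log directory and collect from it; returns the records."""
    root = Path(tempfile.mkdtemp())
    logs = root / "Logs"
    logs.mkdir()
    make_sample_evtx(logs / "Security.evtx")
    make_sample_evtx(logs / "System.evtx", dirty=True)
    (logs / "Bogus.evt").write_bytes(b"not an event log")   # hashed, header None
    (logs / "readme.txt").write_text("ignored by suffix filter")
    return collect_event_logs(root / "evidence", [str(logs), str(root / "missing")])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live system the files under winevt\Logs are held open by the Event Log service; the dirty flag in the record tells the analyst that the copy may lag the in-memory state, which is why some collectors read the files through a volume shadow copy or raw disk access instead.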
Forensic Value
Preserving the original log files lets an analyst parse every channel with independent tooling, including records the live system no longer exposes, and the hashes recorded at collection time show that the copy is bit-identical to the original and reveal any later modification. A channel that is unexpectedly small or missing should be checked against the clearing events noted above.