Event Log EVTX Files
Overview
Evidence: Event Log EVTX Files
Description: Dump evtx event log files
Category: EventLogs
Platform: windows
Short Name: evtx
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows event log files store each log channel's records on disk: EVTX, the binary XML format used since Windows Vista, and the legacy EVT format of earlier Windows versions. Because these on-disk files persist across reboots and can be read without the live system, they are essential for offline analysis and evidence preservation.
Data Collected
This collector gathers structured data about each EVTX/EVT file it finds, such as the file path and size, together with cryptographic hashes of the file contents.
Collection Method
This collector enumerates the standard event log directories (EVTX files in %SystemRoot%\System32\winevt\Logs and legacy EVT files in %SystemRoot%\System32\config), copies the files, and records their metadata and hashes.
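The following PowerShell script is an added example of the collection method described above; it is not the collector's own code. It enumerates both directories, copies each file to an evidence folder, hashes the source and the copy with SHA-256, and writes a manifest. The destination path, the manifest file name and the column layout are assumptions chosen for illustration; run it from an elevated prompt, since Security.evtx is not readable by standard users.

```powershell
# Added example, not the collector's own code: collect EVTX/EVT files with metadata and hashes.
param(
    [string]$Destination = 'C:\Evidence\EventLogs'   # assumed output path
)

# Standard event log locations named in the collection method.
$sources = @(
    @{ Path = Join-Path $env:SystemRoot 'System32\winevt\Logs'; Filter = '*.evtx' },
    @{ Path = Join-Path $env:SystemRoot 'System32\config';      Filter = '*.evt'  }
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$manifest = New-Object System.Collections.Generic.List[object]

foreach ($src in $sources) {
    if (-not (Test-Path -LiteralPath $src.Path)) { continue }
    $files = Get-ChildItem -LiteralPath $src.Path -Filter $src.Filter -File -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $target = Join-Path $Destination $file.Name
        $entry = [pscustomobject]@{
            Name             = $file.Name
            SourcePath       = $file.FullName
            SizeBytes        = $file.Length
            CreationTimeUtc  = $file.CreationTimeUtc.ToString('o')
            LastWriteTimeUtc = $file.LastWriteTimeUtc.ToString('o')
            SHA256           = $null      # hash of the preserved copy
            CopyMatchesSource = $null     # false means the log changed while being copied
            Error            = $null
        }
        try {
            Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
            $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            $entry.SHA256 = $dstHash
            $entry.CopyMatchesSource = ($srcHash -eq $dstHash)
        } catch {
            # Typical causes: access denied (not elevated) or a file locked by another process.
            $entry.Error = $_.Exception.Message
        }
        $manifest.Add($entry)
    }
}

# Manifest beside the copies; hashes in it let the copies be verified later.
$manifestPath = Join-Path $Destination 'evtx-manifest.csv'
$manifest | Export-Csv -LiteralPath $manifestPath -NoTypeInformation -Encoding UTF8
$manifest | Format-Table Name, SizeBytes, SHA256, CopyMatchesSource, Error -AutoSize
```

Active channels keep being written while the script runs, so a source hash taken after the copy can legitimately differ from the hash of the copy; the CopyMatchesSource column makes that visible instead of silently recording a hash that no longer describes any file. The hash that matters for evidence integrity is the one computed over the preserved copy, which is what the manifest stores.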
Forensic Value
This evidence is crucial for forensic investigations: preserving the original log files keeps the full record of each channel available for offline parsing and timeline building, and the recorded hashes let an investigator prove that the copies analysed later match what was collected and detect any tampering or truncation in between.