https://blog.it-learn.io/tags/event-log-forensics/Recent content in Event-Log-Forensics on it-learn.io | IT, Networking & Cybersecurity BlogHugoen-usMon, 01 Jun 2026 00:00:00 +0000https://blog.it-learn.io/posts/2026-06-01-windows-event-log-forensics-event-ids/Mon, 01 Jun 2026 00:00:00 +0000https://blog.it-learn.io/posts/2026-06-01-windows-event-log-forensics-event-ids/<p>If you can read Windows event logs, you can reconstruct what happened on a Windows host. If you cannot, you are guessing.</p> <p>This post is the field guide. We cover the event IDs that actually show up in investigations, what each one means in context, how to correlate them across logs, the gotchas that fool beginners, and the queries that turn raw <code>.evtx</code> files into a defensible timeline.</p> <h2 id="where-event-logs-live-and-how-they-are-structured">Where event logs live and how they are structured</h2> <p>Windows event logs are <code>.evtx</code> files (XML-based, since Vista) stored under <code>%SystemRoot%\System32\winevt\Logs\</code>. The three logs that matter most for forensics are:</p>