Skip to content
AIR Knowledge Base

Event Log EVT Files

Overview

Section titled “Overview”

Evidence: Event Log EVT Files
Description: Dump evt event log files
Category: EventLogs
Platform: windows
Short Name: evt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Section titled “Background”

Windows event log files (EVTX/EVT) store channel data on disk. This data is essential for offline analysis and evidence preservation.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about event log evt files.

Collection Method

Section titled “Collection Method”

This collector enumerates standard event log directories (EVTX in winevt\Logs, legacy EVT in System32\config), copies files, and records metadata and hashes.

Forensic Value

Section titled “Forensic Value”

This evidence is crucial for forensic investigations to preserve original log files and verify integrity with hashes.