BITS-Client Event Log

Windows | Persistence Mechanisms | Disk Image | SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx

Description

Background Intelligent Transfer Service client log capturing Event 59 (transfer initiated with full URL) and Event 60 (transfer completed with byte count). Supplements the qmgr.db database with timestamped event records.

Forensic Value

BITS-Client events provide timestamped evidence of file downloads that BITS jobs initiated, including the full remote URL and local destination path. Event 59 records the URL at transfer start, proving the download source for malicious payloads. Event 60 confirms successful completion with total bytes transferred. These events persist even after BITS job cleanup and complement qmgr.db analysis for complete BITS activity reconstruction.
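
The pairing of Event 59 and Event 60 described above, as an added Python example that is not from the original page or from any of the listed tools: it reads BITS-Client events exported as XML and reconstructs each transfer, including starts that never show a completion. The EventData field names (transferId, name, url, bytesTransferred) and the sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not from a real host). The EventData field names
# transferId, name, url and bytesTransferred are assumptions; check them
# against your own export before relying on the output.
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>59</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
<EventData><Data Name="transferId">A1</Data><Data Name="name">job1</Data>
<Data Name="url">https://cdn.example.com/a.cab</Data></EventData></Event>
<Event><System><EventID>60</EventID><TimeCreated SystemTime="2024-01-01T10:00:07Z"/></System>
<EventData><Data Name="transferId">A1</Data><Data Name="name">job1</Data>
<Data Name="url">https://cdn.example.com/a.cab</Data>
<Data Name="bytesTransferred">1048576</Data></EventData></Event>
<Event><System><EventID>59</EventID><TimeCreated SystemTime="2024-01-01T11:30:00Z"/></System>
<EventData><Data Name="transferId">B2</Data><Data Name="name">job2</Data>
<Data Name="url">https://files.example.net/b.bin</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Yield (event_id, timestamp, fields) for each Event 59/60 in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (59, 60):
            continue
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, ts, data


def reconstruct_transfers(xml_text):
    """Pair each Event 59 (start) with its Event 60 (completion) by transferId."""
    transfers = {}
    for eid, ts, data in parse_events(xml_text):
        t = transfers.setdefault(data.get("transferId"), {
            "job": data.get("name"), "url": data.get("url"),
            "started": None, "completed": None, "bytes": None})
        if eid == 59:
            t["started"] = ts
        else:
            t["completed"] = ts
            t["bytes"] = int(data.get("bytesTransferred") or 0)
    return transfers


if __name__ == "__main__":
    for tid, t in reconstruct_transfers(SAMPLE).items():
        # A start with no completion is a transfer the log never saw finish.
        print(tid, t["url"], t["started"], t["completed"] or "NO EVENT 60", t["bytes"])
```
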

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw