Windows Defender Operational Log

Tags: Windows, Execution Evidence, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx

Description

Windows Defender antivirus operational log recording threat detections (Event 1116), remediation actions (Event 1117), real-time protection state changes (Event 5001/5004), and exclusion modifications.

Forensic Value

Defender logs reveal what the attacker deployed that triggered detection and what they did to evade it. Event 1116 contains the detected threat name, file path, and process that accessed it. Event 5001 timestamps when real-time protection was disabled, marking the window of unmonitored activity. Exclusion additions in the log show which paths or processes the attacker whitelisted to avoid future detection.
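The triage described above, as an added example (not part of the original page): it parses Defender events exported as standard Windows event XML (what `wevtutil qe ... /f:xml` or Get-WinEvent's `.ToXml()` emit), lists 1116/1117 detections with threat name, path and accessing process, and pairs each 5001 with the next re-enable to bound the unmonitored window. The sample events are constructed, the Data names follow Defender's EventData schema, and Event 5000 is assumed to be the re-enable counterpart of 5001 (the page names only 5001/5004).

```python
"""Timeline Defender operational events: detections (1116/1117) and the
window between real-time protection disabled (5001) and re-enabled."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RTP_DISABLED, RTP_ENABLED = 5001, 5000  # 5000 assumed as re-enable counterpart of 5001

def _ev(eid, when, data=None):
    """Build one constructed sample event in the standard Windows event XML shape."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in (data or {}).items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>{body}</EventData></Event>')

# Constructed sample log, deliberately out of order to exercise the sort.
SAMPLE_XML = "<Events>" + "".join([
    _ev(5000, "2024-03-01T10:40:00.0000000Z"),
    _ev(1116, "2024-03-01T10:00:00.1234567Z", {"Threat Name": "Trojan:Win32/ConstructedSample",
        "Path": r"file:_C:\Users\alice\Downloads\update.exe", "Process Name": r"C:\Windows\explorer.exe"}),
    _ev(1117, "2024-03-01T10:00:30Z", {"Threat Name": "Trojan:Win32/ConstructedSample", "Action Name": "Quarantine"}),
    _ev(5001, "2024-03-01T10:05:00Z"),
]) + "</Events>"

def _ts(s):
    """Parse SystemTime; Windows writes 7 fractional digits, fromisoformat accepts 6."""
    base, _, frac = s.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{base}.{(frac + '000000')[:6]}").replace(tzinfo=timezone.utc)

def parse_events(xml_text):
    """Return a time-sorted list of (time, event_id, {Data Name: value})."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        eid = int(system.find("e:EventID", NS).text)
        when = _ts(system.find("e:TimeCreated", NS).get("SystemTime"))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        out.append((when, eid, data))
    return sorted(out, key=lambda t: t[0])

def detections(events):
    """1116 = detected, 1117 = remediation action taken; pull the fields an analyst needs."""
    return [{"time": t, "event": e, "threat": d.get("Threat Name"), "path": d.get("Path"),
             "process": d.get("Process Name"), "action": d.get("Action Name")}
            for t, e, d in events if e in (1116, 1117)]

def unmonitored_windows(events):
    """Pair each 5001 with the next re-enable; an unpaired 5001 yields (start, None)."""
    windows, start = [], None
    for t, e, _ in events:
        if e == RTP_DISABLED and start is None:
            start = t
        elif e == RTP_ENABLED and start is not None:
            windows.append((start, t))
            start = None
    return windows + ([(start, None)] if start is not None else [])
```

An open-ended window (no re-enable before the image was taken) is reported with `None` as its end so it is not silently dropped.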

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Event Log Explorer, Chainsaw