Windows Firewall Connection Log

Tags: Windows, System Configuration, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx and C:\Windows\System32\LogFiles\Firewall\pfirewall.log

Description

Windows Firewall event log capturing Events 5156/5157 (allowed/blocked connections) with process ID, application path, source/destination IP and port. Also includes the pfirewall.log text file when firewall logging is enabled.

Forensic Value

Windows Firewall logs provide per-process network connection visibility without requiring Sysmon. Event 5156 records every allowed connection with the responsible application path, enabling detection of unusual processes making outbound connections. Event 5157 blocked connection logs reveal port scanning and lateral movement attempts that were stopped. When Sysmon Event 3 is unavailable, these logs are the best alternative for process-to-network attribution.
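The two detections described above (an unexpected process making allowed outbound connections in Event 5156, and a blocked-connection burst across many ports in Event 5157) written out as an added example; this is not code from the original page or from any of the tools listed. It assumes the events have already been exported (for example with EvtxECmd) into records keyed by the EventData field names these events use (Application, Direction, SourceAddress, DestAddress, DestPort, Protocol, ProcessId). The sample records, the allow-list of expected binaries and the port threshold are constructed for illustration.

```python
"""Triage of Windows Filtering Platform events 5156 (allowed) and 5157 (blocked).

Added example, not from the page. Input records are dicts carrying the EventData
field names of these events; the Direction field is matched both as the raw
resource-string id (%%14592 inbound, %%14593 outbound) and as its rendered text.
"""
from collections import defaultdict

OUTBOUND = {"%%14593", "outbound"}
INBOUND = {"%%14592", "inbound"}

# Hypothetical allow-list: binaries expected to make outbound connections here.
EXPECTED_OUTBOUND = {
    r"\device\harddiskvolume1\program files\mozilla firefox\firefox.exe",
    r"\device\harddiskvolume1\windows\system32\svchost.exe",
}

# Constructed sample events (addresses from documentation ranges).
SAMPLE_EVENTS = [
    {"EventID": 5156, "Application": r"\device\harddiskvolume1\program files\mozilla firefox\firefox.exe",
     "Direction": "%%14593", "SourceAddress": "10.0.0.5", "DestAddress": "93.184.216.34",
     "DestPort": "443", "Protocol": "6", "ProcessId": "4120"},
    {"EventID": 5156, "Application": r"\device\harddiskvolume1\windows\system32\svchost.exe",
     "Direction": "%%14593", "SourceAddress": "10.0.0.5", "DestAddress": "10.0.0.1",
     "DestPort": "53", "Protocol": "17", "ProcessId": "1204"},
    {"EventID": 5156, "Application": r"\device\harddiskvolume1\windows\system32\windowspowershell\v1.0\powershell.exe",
     "Direction": "%%14593", "SourceAddress": "10.0.0.5", "DestAddress": "203.0.113.9",
     "DestPort": "4444", "Protocol": "6", "ProcessId": "5588"},
    {"EventID": 5156, "Application": r"\device\harddiskvolume1\windows\system32\svchost.exe",
     "Direction": "%%14592", "SourceAddress": "10.0.0.9", "DestAddress": "10.0.0.5",
     "DestPort": "445", "Protocol": "6", "ProcessId": "4"},
] + [
    # One remote host repeatedly blocked on different inbound ports.
    {"EventID": 5157, "Application": "System", "Direction": "%%14592",
     "SourceAddress": "198.51.100.7", "DestAddress": "10.0.0.5",
     "DestPort": str(p), "Protocol": "6", "ProcessId": "4"}
    for p in (22, 23, 135, 445, 3389)
]


def _direction(ev):
    d = str(ev.get("Direction", "")).lower()
    if d in OUTBOUND:
        return "out"
    if d in INBOUND:
        return "in"
    return "unknown"


def connections_by_process(events):
    """Event 5156 only: map each application path to its (direction, peer, port) set."""
    table = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 5156:
            continue
        table[ev["Application"].lower()].add(
            (_direction(ev), ev["DestAddress"], int(ev["DestPort"])))
    return {app: sorted(conns) for app, conns in table.items()}


def unexpected_outbound(events, expected=EXPECTED_OUTBOUND):
    """Applications with allowed outbound connections that are not on the allow-list."""
    conns = connections_by_process(events)
    return sorted(app for app, c in conns.items()
                  if app not in expected and any(d == "out" for d, _, _ in c))


def blocked_port_scan_sources(events, min_ports=5):
    """Event 5157 only: sources whose blocked inbound attempts hit >= min_ports distinct ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 5157 or _direction(ev) != "in":
            continue
        ports[ev["SourceAddress"]].add(int(ev["DestPort"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for app, conns in connections_by_process(SAMPLE_EVENTS).items():
        print(app, conns)
    print("unexpected outbound:", unexpected_outbound(SAMPLE_EVENTS))
    print("blocked scan sources:", blocked_port_scan_sources(SAMPLE_EVENTS))
```

The allow-list approach keys on the full application path because Event 5156 records the device path of the image, which is what distinguishes a legitimate copy of a binary from one launched from an unusual directory; the port threshold for the 5157 grouping is a tuning knob and should be set from a baseline of the host's normal blocked traffic.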

Tools Required

KAPE
EvtxECmd (Eric Zimmerman)
Event Log Explorer
Log Parser