PowerShell Script Block & Operational Logs

Windows, Execution Evidence, Disk Image, SIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Channel name when queried live: Microsoft-Windows-PowerShell/Operational. Script block (4104) and module (4103) events both land in this channel. The legacy Windows PowerShell.evtx channel holds only engine-lifecycle and pipeline events (400, 403, 800), and PowerShell 7 (pwsh.exe) writes its equivalent events to PowerShellCore%4Operational.evtx rather than here, so collect that file too when pwsh is installed.

Description

The PowerShell Operational log, which carries Script Block Logging (Event 4104): the text of every script block the engine compiles, so code supplied as -EncodedCommand Base64 or unpacked at runtime through obfuscation layers is recorded in decoded form. Script Block Logging is turned on by the "Turn on PowerShell Script Block Logging" policy (registry value HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging = 1); even with it off, PowerShell 5.0 and later logs blocks containing suspicious content at Warning level. Blocks larger than a single event allows are split across several 4104 events that share a ScriptBlockId and carry a MessageNumber/MessageTotal pair, and have to be joined back together before analysis.

Forensic Value

Script Block Logging records each script block as the engine compiles it, after that block's own decoding has already run: an -EncodedCommand payload is logged decoded, and every deobfuscation layer that hands its output to Invoke-Expression (or spawns a new powershell.exe with it) compiles a further script block and so produces a further 4104 event, down to the final plaintext payload. The limit is that obfuscation PowerShell itself never resolves (a string assembled and passed as an argument to an external binary, for example) is logged exactly as written. Because the text is captured from memory rather than from disk, this is often the only artifact of encoded download cradles, credential harvesting, and in-memory-only tools such as Invoke-Mimikatz; the event's Path field is empty for such code, which is itself a useful signal. Module logging (Event 4103, enabled separately) adds pipeline execution details (command invocation, parameter binding and the bound values) for reconstructing what each block actually did at runtime.
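
An added example, not part of this catalog entry: a PowerShell triage script that reads 4104 events either from the live channel or from a collected copy of the .evtx, reassembles script blocks that were split across several events, and flags the download-cradle, Base64 and Mimikatz indicators described above. The -Path parameter, the indicator list, the column names and the Warning-level heuristic are my own choices, not anything defined by the page or by Microsoft's tooling; the EventData field order it relies on (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) is that of the 4104 event itself.

```powershell
# Added example (not from the original page): triage Script Block Logging (4104) events,
# reassemble fragmented blocks, and flag the patterns the catalog entry describes.
# Assumptions (mine): run elevated to read the live channel; -Path points at a collected
# copy of Microsoft-Windows-PowerShell%4Operational.evtx (e.g. from a KAPE triage).
param(
    [string]$Path
)

$filter = @{ Id = 4104 }
if ($Path) { $filter['Path'] = $Path }
else       { $filter['LogName'] = 'Microsoft-Windows-PowerShell/Operational' }

# Indicators of interest (regex fragments); extend to taste.
$indicators = @(
    'FromBase64String', 'DownloadString', 'DownloadFile', 'Net\.WebClient',
    'Invoke-WebRequest', '\bIEX\b', 'Invoke-Expression', 'Invoke-Mimikatz',
    '-enc(odedcommand)?\b', 'Reflection\.Assembly', 'VirtualAlloc'
)
$pattern = ($indicators -join '|')

# EventData order for 4104: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
$blocks = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            ProcessId     = $_.ProcessId
            Level         = $_.LevelDisplayName   # 'Warning' = block PowerShell itself judged suspicious
            MessageNumber = [int]$_.Properties[0].Value
            MessageTotal  = [int]$_.Properties[1].Value
            Text          = [string]$_.Properties[2].Value
            ScriptBlockId = [string]$_.Properties[3].Value
            ScriptPath    = [string]$_.Properties[4].Value   # empty for in-memory / interactive code
        }
    }

# Large scripts are split across several 4104 events sharing a ScriptBlockId; join them in
# MessageNumber order first so an indicator straddling a fragment boundary is not missed.
$reassembled = $blocks | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object MessageNumber)
    $first = $parts[0]
    [pscustomobject]@{
        Time          = $first.Time
        ProcessId     = $first.ProcessId
        Level         = $first.Level
        ScriptBlockId = $_.Name
        ScriptPath    = $first.ScriptPath
        Fragments     = "$($parts.Count)/$($first.MessageTotal)"   # mismatch = log rolled over
        Text          = ($parts.Text -join '')
    }
}

# Report Warning-level blocks and any block matching an indicator. Each decoding layer that ends in
# Invoke-Expression compiles a new script block, so the decoded payload shows up as its own event
# shortly afterwards under the same ProcessId; sorting by time lets you read the layers in order.
$reassembled |
    Where-Object { $_.Level -eq 'Warning' -or $_.Text -match $pattern } |
    Sort-Object Time |
    ForEach-Object {
        $hits    = [regex]::Matches($_.Text, $pattern, 'IgnoreCase') | ForEach-Object Value | Select-Object -Unique
        $preview = ($_.Text -replace '\s+', ' ')
        [pscustomobject]@{
            Time       = $_.Time
            PID        = $_.ProcessId
            Level      = $_.Level
            Path       = if ($_.ScriptPath) { $_.ScriptPath } else { '<in-memory>' }
            Fragments  = $_.Fragments
            Indicators = ($hits -join ', ')
            Preview    = $preview.Substring(0, [Math]::Min(120, $preview.Length))
        }
    } | Format-Table -AutoSize -Wrap
```

Run it as `.\Triage-ScriptBlocks.ps1` against the live log on a host, or as `.\Triage-ScriptBlocks.ps1 -Path .\Microsoft-Windows-PowerShell%4Operational.evtx` against a collected copy (the script name is arbitrary). A Fragments value such as 2/3 means part of the block was lost to log rollover, which is worth noting in the timeline rather than treating the joined text as complete.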

Tools Required

KAPE, EvtxECmd (Eric Zimmerman), Chainsaw, PowerShell