Terminal Services / RDP Event Logs
Tags: Windows | Authentication & Access | Disk Image | SIEM / Log Aggregator
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Description
Remote Desktop Services event logs capturing RDP session lifecycle events. Event 1149 records successful network-level authentication with source IP and username. Events 21/22/23/24/25 track session logon, reconnect, and disconnect states.
Forensic Value
RDP is the most common lateral movement mechanism in enterprise breaches. Event 1149 provides the remote IP address of every successful RDP authentication, directly proving which machine an attacker pivoted from. Session disconnect and reconnect events reconstruct the duration of the attacker's interactive access on each host. Correlating these with Security log event 4624 with logon type 10 (RemoteInteractive) validates the complete lateral movement chain.
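The three steps above (source IP from 1149, session intervals from 21/25 and 23/24, and the 1149 to 4624 type 10 pairing) as an added Python example; it is not part of the original page and assumes the events have already been exported with EvtxECmd into a normalised record shape of this example's own choosing, over constructed sample records.

```python
from datetime import datetime

# Constructed sample records (not real evidence) in this example's own normalised
# shape, not EvtxECmd's schema. Note that 1149 is written to the RemoteConnectionManager
# channel (TS-RCM), while 21/23/24/25 come from LocalSessionManager (TS-LSM).
EVENTS = [
    {"ts": "2024-03-10T08:00:00", "channel": "TS-RCM", "id": 1149, "user": "CORP\\jsmith", "ip": "10.0.5.12"},
    {"ts": "2024-03-10T08:00:04", "channel": "Security", "id": 4624, "user": "CORP\\jsmith", "ip": "10.0.5.12", "logon_type": 10},
    {"ts": "2024-03-10T08:00:05", "channel": "TS-LSM", "id": 21, "user": "CORP\\jsmith", "ip": "10.0.5.12", "session": 3},
    {"ts": "2024-03-10T08:47:35", "channel": "TS-LSM", "id": 24, "user": "CORP\\jsmith", "ip": "10.0.5.12", "session": 3},
    {"ts": "2024-03-10T21:15:00", "channel": "TS-LSM", "id": 25, "user": "CORP\\jsmith", "ip": "10.0.9.77", "session": 3},
    {"ts": "2024-03-10T21:40:00", "channel": "TS-LSM", "id": 23, "user": "CORP\\jsmith", "ip": "10.0.9.77", "session": 3},
    {"ts": "2024-03-10T22:00:00", "channel": "TS-RCM", "id": 1149, "user": "CORP\\svc_backup", "ip": "203.0.113.9"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def auth_sources(events):
    """Event 1149: every RDP authentication with the remote IP it came from."""
    return [(e["user"], e["ip"], e["ts"]) for e in events if e["id"] == 1149]

def sessions(events):
    """Rebuild interactive-access intervals per LSM session ID: 21 (logon) or
    25 (reconnect) opens an interval, 24 (disconnect) or 23 (logoff) closes it."""
    open_at, intervals = {}, []
    for e in sorted(events, key=ts):
        sid = e.get("session")
        if e["id"] in (21, 25):
            open_at[sid] = e
        elif e["id"] in (23, 24) and sid in open_at:
            start = open_at.pop(sid)
            intervals.append({"session": sid, "user": start["user"], "ip": start["ip"],
                              "start": start["ts"], "end": e["ts"],
                              "minutes": (ts(e) - ts(start)).total_seconds() / 60})
    # An interval still open has no disconnect/logoff on record (host reboot, log rollover).
    for sid, start in open_at.items():
        intervals.append({"session": sid, "user": start["user"], "ip": start["ip"],
                          "start": start["ts"], "end": None, "minutes": None})
    return intervals

def correlate_1149_with_4624(events, window_s=30):
    """Pair each 1149 with a Security 4624 logon type 10 (same user, same source IP,
    within window_s seconds); an unpaired 1149 leaves the chain incomplete."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]
    paired, unpaired = [], []
    for a in (e for e in events if e["id"] == 1149):
        hit = [l for l in logons if l["user"] == a["user"] and l["ip"] == a["ip"]
               and 0 <= (ts(l) - ts(a)).total_seconds() <= window_s]
        (paired if hit else unpaired).append((a["user"], a["ip"], a["ts"]))
    return paired, unpaired
```

The reconnect from a different source IP (10.0.9.77) shows why each interval carries its own IP: the session ID alone does not tell you where the second leg of access came from.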
Tools Required
KAPE
EvtxECmd (Eric Zimmerman)
Event Log Explorer
Chainsaw