Sysmon Event Log

windowsExecution EvidenceDisk ImageSIEM / Log Aggregator

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

Description

Microsoft Sysinternals System Monitor log capturing process creation with hashes (Event 1), network connections (Event 3), file creation (Event 11), registry modifications (Event 13), and DNS queries (Event 22).

Forensic Value

Sysmon provides process-level granularity that native Windows logs lack. Process GUIDs allow reconstructing full parent-child execution trees even across reboots. Network connection events tie processes to C2 IPs and beaconing intervals. File-create-time changes (Event 2) expose timestomping attempts.

Tools Required

KAPEEvtxECmd (Eric Zimmerman)ChainsawSysmon View

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical