Summary
This case demonstrates an anti-forensic technique where the Windows Security Event Log is cleared using the built-in wevtutil command. After clearing, normal system usage (logon and reboot) generates new records, giving the appearance of continuity. The presence of Event ID 1102 combined with USN DataTruncation evidence exposes the log clearing activity.
Scenario Steps
1. Set Up — Launched Windows 10 Pro x64 VirtualBox VM (UEFI enabled).
2. Tampering — Cleared Security log using: wevtutil cl Security. Verified Security log was empty in Event Viewer.
3. Post-Tampering Activity — Performed normal actions to repopulate logs: logged off and back in (generating Event 4624), rebooted VM (generating Event 6005 in System log).
4. Evidence Collection — Exported Security.evtx (cleared + repopulated). Powered off VM, converted disk to raw image, loaded into Autopsy, extracted $UsnJrnl:$J. Parsed with MFTECmd.exe -f usn_journal.raw --csv af007_usn.csv.
Ground Truth Criteria
1. Security.evtx contains Event ID 1102 (Audit Log Cleared) from the Security channel.
2. $UsnJrnl shows DataTruncation for files containing "Security" in the filename.
Inconsistency Summary
The clearing of Security.evtx is recorded by Windows itself through Event ID 1102. The $UsnJrnl shows DataTruncation activity for the Security.evtx file. Subsequent real events reappear in the log, creating an illusion of continuity — but the Event 1102 + USN truncation combination exposes the manipulation.
Detection Logic
-- Step 1: Find Event 1102 (Log Clearing) in Security channel
FIND event_records WHERE event_records.eventID = '1102'
AND event_records.channel = 'Security'
RETURN startTime AS clear_time, eventRecordText AS details
-- Step 2: Find USN DataTruncation for Security files
FIND usn_entries WHERE usn_entries.fileName CONTAINS 'Security'
AND usn_entries.updateReasons CONTAINS 'DataTruncation'
RETURN fileName, updateReasons, updateTimestamp
-- Detection Rule
IF event_1102 EXISTS IN event_records (channel = 'Security')
OR usn_entries SHOWS DataTruncation for Security files
THEN FLAG 'AF-007: Security Event Log Clearing Detected'
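As an added, runnable version of the detection logic above (not part of the original case write-up), the Python below applies Step 1 to a list of parsed Security records, Step 2 to the MFTECmd USN CSV, and then evaluates the OR rule while reporting both indicators so an analyst can see whether they corroborate each other. The USN column names (Name, ParentPath, UpdateTimestamp, UpdateReasons) and the event record field names are assumptions, and all sample rows are constructed.

```python
import csv
import io

# Constructed sample of the MFTECmd USN CSV. Column names are assumed to match
# MFTECmd's --csv output (only the columns used here are included).
USN_CSV = """Name,ParentPath,UpdateTimestamp,UpdateReasons
Security.evtx,.\\Windows\\System32\\winevt\\Logs,2024-01-15 10:02:11.1234567,DataTruncation|Close
Security.evtx,.\\Windows\\System32\\winevt\\Logs,2024-01-15 10:02:11.2234567,DataExtend|Close
setupapi.dev.log,.\\Windows\\INF,2024-01-15 10:03:00.0000000,DataExtend|Close
"""

# Constructed Security channel records, in the shape an .evtx parser might emit.
EVENTS = [
    {"eventID": "1102", "channel": "Security", "startTime": "2024-01-15 10:02:11",
     "eventRecordText": "The audit log was cleared."},
    {"eventID": "4624", "channel": "Security", "startTime": "2024-01-15 10:05:40",
     "eventRecordText": "An account was successfully logged on."},
]


def find_log_clear_events(events):
    """Step 1: Event ID 1102 in the Security channel -> (clear_time, details)."""
    return [(e["startTime"], e["eventRecordText"]) for e in events
            if e["eventID"] == "1102" and e["channel"] == "Security"]


def find_usn_truncation(usn_csv_text):
    """Step 2: USN entries where a file named *Security* had DataTruncation set."""
    hits = []
    for row in csv.DictReader(io.StringIO(usn_csv_text)):
        reasons = row["UpdateReasons"].split("|")  # reasons are pipe-separated
        if "Security" in row["Name"] and "DataTruncation" in reasons:
            hits.append((row["Name"], row["UpdateReasons"], row["UpdateTimestamp"]))
    return hits


def detect_af007(events, usn_csv_text):
    """Detection rule: flag if either indicator exists; return both for review."""
    clears = find_log_clear_events(events)
    truncs = find_usn_truncation(usn_csv_text)
    verdict = "AF-007: Security Event Log Clearing Detected" if (clears or truncs) else None
    return {"verdict": verdict, "event_1102": clears, "usn_truncation": truncs}


if __name__ == "__main__":
    print(detect_af007(EVENTS, USN_CSV))
```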