Beforehand, DeepBlueCLI.ps1 would parse all System EID 104 events as "The System log was cleared" in any output format, as shown below using the Out-GridView cmdlet.
However, System EID 104 can also relate to other log types than just System and the current hardcoded "The System log was cleared" message can be misleading. I modified DeepBlueCLI.ps1 to pull the "message" field from the EVTX log to a variable and utilize that for System EID 104 output instead of a hardcoded message. This adjustment is reflected below against the same log data using the Out-GridView cmdlet, showing that both System and Application log files were cleared, not just System.
This change should help investigators more easily identify which log types were cleared on the target system they are investigating.
Please note that this proposed change only applies to the PS1 script - I have not made any attempts to utilize or adjust the Python version of this program.
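As an added illustration (not DeepBlueCLI's own code), the following standalone PowerShell script shows the before and after behaviour described above: reading System EID 104 events from an exported EVTX file with Get-WinEvent and reporting the event's own message text (and the cleared channel) rather than a hardcoded "The System log was cleared" string. The EVTX path and the UserData field layout are assumptions.

```powershell
# Added example, not DeepBlueCLI's own code. Reports which event log each
# EID 104 ("log file was cleared") event actually refers to.
param(
    # Assumption: path to an exported System log, e.g. .\System.evtx
    [Parameter(Mandatory = $true)][string]$EvtxPath
)

# Before: every EID 104 is labelled as a System-log clear, which hides
# clears of the Application, Security or other channels.
function Get-ClearedLogsHardcoded {
    param([string]$Path)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 104 } -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Message = 'The System log was cleared' }
        }
}

# After: use the event's own Message, and pull the cleared channel from the
# event XML. Assumption: EID 104 from Microsoft-Windows-Eventlog stores
# SubjectUserName, SubjectDomainName, Channel and BackupPath under
# UserData/LogFileCleared.
function Get-ClearedLogs {
    param([string]$Path)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 104 } -ErrorAction Stop |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Eventlog' } |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Channel = $data.Channel
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                # First line of the rendered message, e.g. "The Application log file was cleared."
                Message = ($_.Message -split "`r?`n")[0]
            }
        }
}

Get-ClearedLogs -Path $EvtxPath | Out-GridView -Title 'Cleared event logs (EID 104)'
```

Run it as `.\Get-ClearedLogs.ps1 -EvtxPath .\System.evtx`; an EID 104 whose Channel is Application will now surface as such instead of being reported as a System log clear.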