Resubmitting at the request of @joswr1ght to remove accidental whitespace edits in #21.
Currently, DeepBlue.ps1 will parse all System EID 104 events as "The System log was cleared" in any output format, as shown below using the Out-GridView cmdlet.
However, System EID 104 can also relate to other log types than just System and the current hardcoded "The System log was cleared" message can be misleading. I modified DeepBlue.ps1 to pull the message field from the EVTX log to a variable and utilize that for System EID 104 output instead of a hardcoded message. This adjustment is reflected below against the same log data using the Out-GridView cmdlet, showing that both System and Application log files were cleared, not just System.
This change should help investigators more easily identify which log types were cleared on the target system they are investigating.
Please note that this proposed change only applies to the PS1 script - I have not made any attempts to utilize or adjust the Python version of this program.
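To illustrate the approach described above, here is an added example (not DeepBlueCLI's own code) that reports which channel each System EID 104 event says was cleared, both from the rendered message field and from the event's structured XML. It assumes the standard Microsoft-Windows-Eventlog/104 schema, whose UserData carries a LogFileCleared element with SubjectUserName, SubjectDomainName, Channel and BackupPath; the function name and the .evtx path are hypothetical.

```powershell
# Added example, not DeepBlueCLI's own code. Assumes the standard
# Microsoft-Windows-Eventlog EID 104 schema: UserData/LogFileCleared with
# SubjectUserName, SubjectDomainName, Channel and BackupPath fields.

function Get-ClearedLogChannels {
    [CmdletBinding()]
    param(
        # Path to an exported .evtx file; omit to query the live System log.
        [string]$Path
    )

    # Filter on the provider and ID so only log-cleared events are returned.
    $filter = @{ ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'System' }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # $e.Message is the rendered text the PR switches to, e.g.
        # "The Application log file was cleared." It can be $null when the
        # provider's message resources are missing on the analysis machine,
        # so also read the channel from the structured XML payload.
        $xml = [xml]$e.ToXml()
        $ud  = $xml.Event.UserData.LogFileCleared

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Channel     = $ud.Channel
            BackupPath  = $ud.BackupPath
            ClearedBy   = if ($ud) { '{0}\{1}' -f $ud.SubjectDomainName, $ud.SubjectUserName } else { $null }
            Message     = $e.Message
        }
    }
}

# Live System log on the current host:
Get-ClearedLogChannels | Out-GridView -Title 'Cleared event log channels'

# Or an exported file from a case (hypothetical path):
# Get-ClearedLogChannels -Path 'C:\cases\host1\System.evtx' | Format-Table -AutoSize
```

Grouping the output by the Channel column shows at a glance whether only System, or also Application or other channels, were cleared.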