F051 · MEDIUM · Inconclusive · validator: passed
Event log file clearance evidence (Anti-forensics / Defense Evasion)
Event log clear: EventID 1102, Security channel
Analyst narrative
Event log entry EventID 1102 (Log File Cleared) detected in Security event log channel, timestamp 2018-03-14 20:48:48.239330+00:00. Indicates deliberate event log clearing to erase forensic evidence. Candidate cand-0187. Fact_ids: event_log_fact-0043765.
Claims asserted
event_log · Event log EventID 1102 (Security channel) · parse_event_logs
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
parse_event_logs