ZENODO
Dataset, 2026
License: CC BY
Data sources: ZENODO
AF-007 Reproducibility Dataset: Security Event Log Clearance and Repopulation

Authors: Gabriel Pita, Raquel

Abstract

This dataset contains the primary forensic artifacts for AF-007, a reproducibility case for detecting Security Event Log clearance and subsequent repopulation on Windows 10. AF-007 models an anti-forensic scenario in which the Windows Security Event Log is cleared using wevtutil, after which normal system activity generates new events that give the appearance of continuity. The inconsistency is detected by correlating Event ID 1102 in the Security event log with truncation evidence in the NTFS USN change journal. The expected detection outcome is that AF-007 should fire when Security.evtx contains an audit-log-cleared event and the corresponding USN records show truncation activity for the Security log file.

Included files in this version are: Security.evtx, the exported Windows Security event log containing post-clearance records; security_evtx.csv, the parsed event-log export used to identify Event ID 1102 and related log metadata; af007_usn_j, the raw NTFS USN change journal artifact; and af007_usn_j.csv, the parsed USN export used to identify DataTruncation evidence affecting the Security log. The Security event log was exported from Windows Event Viewer and parsed into CSV using an EvtxECmd-compatible workflow, while the NTFS journal artifacts were extracted from the source image and parsed into CSV using an MFTECmd-compatible forensic workflow, for reproducible downstream mapping and validation in the IoI framework.

Scenario summary: platform, Windows 10; subsystem, Windows Event Logging; manipulation, Security log clearance using wevtutil cl Security; expected inconsistency, the Security log records the clearing event while the USN journal independently records truncation of the log file.
Related framework resources: framework repository https://github.com/ioi-framework/ioi-framework ; case materials https://github.com/ioi-framework/ioi-framework/tree/main/CASES/AF-007 ; website case page https://ioi-framework.github.io/cases/af-007/

This record is intended as a versioned reproducibility dataset for the AF-007 case and may be updated in future Zenodo versions as additional documentation, checksums, manifests, or companion derived files are added.
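As an added example (not part of the dataset or of the IoI framework's own code), the following Python sketches the AF-007 correlation over constructed rows shaped like the two CSV exports: it looks for Event ID 1102 in the Security channel, pairs it with USN records for Security.evtx whose reasons include DataTruncation, and counts the repopulated events that follow the clear. The column names EventRecordId, TimeCreated, EventId, Channel, Name, UpdateTimestamp and UpdateReasons are assumed from typical EvtxECmd and MFTECmd output, and the five-minute pairing window is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows shaped like an EvtxECmd CSV export (column names assumed).
SECURITY_CSV = """EventRecordId,TimeCreated,EventId,Channel,Provider
1,2026-01-15 10:02:11.0000000,1102,Security,Microsoft-Windows-Eventlog
2,2026-01-15 10:02:12.0000000,4624,Security,Microsoft-Windows-Security-Auditing
3,2026-01-15 10:03:40.0000000,4672,Security,Microsoft-Windows-Security-Auditing
"""

# Constructed sample rows shaped like an MFTECmd $J export (column names assumed).
USN_CSV = """Name,ParentPath,UpdateTimestamp,UpdateReasons
Security.evtx,.\\Windows\\System32\\winevt\\Logs,2026-01-15 10:02:10.9000000,DataTruncation|DataExtend|Close
Security.evtx,.\\Windows\\System32\\winevt\\Logs,2026-01-15 10:02:12.1000000,DataOverwrite
Application.evtx,.\\Windows\\System32\\winevt\\Logs,2026-01-15 09:00:00.0000000,DataTruncation|Close
"""


def parse_ts(value):
    # Both exports carry 7 fractional digits; trim to the 6 that strptime accepts.
    return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")


def af007_findings(security_csv, usn_csv, window=timedelta(minutes=5)):
    """One finding per 1102 event; it fires when Security.evtx truncation lies within `window`."""
    security = list(csv.DictReader(io.StringIO(security_csv)))
    cleared = [r for r in security if r["EventId"] == "1102" and r["Channel"] == "Security"]
    truncations = [r for r in csv.DictReader(io.StringIO(usn_csv))
                   if r["Name"].lower() == "security.evtx"
                   and "DataTruncation" in r["UpdateReasons"].split("|")]
    findings = []
    for ev in cleared:
        t_clear = parse_ts(ev["TimeCreated"])
        matches = [u["UpdateTimestamp"] for u in truncations
                   if t_clear - window <= parse_ts(u["UpdateTimestamp"]) <= t_clear + window]
        # Records written after the clear are the "repopulation" that fakes continuity.
        repopulated = sum(1 for r in security if parse_ts(r["TimeCreated"]) > t_clear)
        findings.append({"event_record_id": ev["EventRecordId"], "cleared_at": ev["TimeCreated"],
                         "usn_truncations": matches, "post_clear_events": repopulated,
                         "fires": bool(matches)})
    return findings


if __name__ == "__main__":
    for f in af007_findings(SECURITY_CSV, USN_CSV):
        print(f)
```

Pointing the same function at the real security_evtx.csv and af007_usn_j.csv requires only that the column names match the exports used.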
