AF-007 Reproducibility Dataset: Security Event Log Clearance and Repopulation
Authors/Creators
Description
This dataset contains the primary forensic artifacts for AF-007, a reproducibility case for detecting Security Event Log clearance and subsequent repopulation on Windows 10.
AF-007 models an anti-forensic scenario in which the Windows Security event log is cleared with wevtutil, after which normal system activity generates new events that give the appearance of continuity. The inconsistency is detected by correlating Event ID 1102 ("The audit log was cleared") in the Security event log with truncation evidence in the NTFS USN change journal. The expected detection outcome is that AF-007 fires when Security.evtx contains the audit-log-cleared event and the USN records for the Security log file show DataTruncation activity at a corresponding time.
Included files in this version are: Security.evtx, the exported Windows Security event log containing post-clearance records; security_evtx.csv, the parsed event-log export used to identify Event ID 1102 and related log metadata; af007_usn_j, the raw NTFS USN change journal ($J) artifact; and af007_usn_j.csv, the parsed USN export used to identify DataTruncation evidence affecting the Security log file.
The Security event log was exported from Windows Event Viewer and parsed into CSV using an EvtxECmd-compatible workflow, while the NTFS journal artifact was extracted from the source image and parsed into CSV using an MFTECmd-compatible workflow, so that downstream mapping and validation in the IoI framework are reproducible.
Scenario summary: platform, Windows 10; subsystem, Windows Event Logging; manipulation, Security log clearance using wevtutil cl Security; expected inconsistency, the Security log records the clearing event (Event ID 1102) while the USN journal independently records truncation of the log file.
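As an added worked example, not code from the dataset or from the IoI framework, the correlation described above expressed as a small Python check over EvtxECmd-style and MFTECmd $J-style CSV exports. The sample rows are constructed for illustration, and the column names used (TimeCreated, EventId, Channel for the event log; Name, UpdateTimestamp, UpdateReasons for the journal), the 60-second correlation window, and the function names are assumptions to verify against the actual headers of security_evtx.csv and af007_usn_j.csv before running this against the real files.

```python
"""AF-007 style check: Event ID 1102 in Security.evtx correlated with USN DataTruncation
records for the Security log file. Added example; column names and the window are assumed."""
import csv
import io
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample exports (not rows from the dataset). Layout modelled on EvtxECmd and
# MFTECmd $J CSV output; confirm the header names against your own exports.
SECURITY_EVTX_CSV = """TimeCreated,EventId,Channel,Provider,MapDescription
2024-03-01 10:15:02.1234567,1102,Security,Microsoft-Windows-Eventlog,The audit log was cleared
2024-03-01 10:15:03.0000000,4688,Security,Microsoft-Windows-Security-Auditing,A new process has been created
2024-03-01 10:16:10.5000000,4624,Security,Microsoft-Windows-Security-Auditing,An account was successfully logged on
"""

USN_J_CSV = r"""Name,ParentPath,UpdateTimestamp,UpdateReasons
Security.evtx,.\Windows\System32\winevt\Logs,2024-03-01 10:15:01.9000000,DataTruncation
Security.evtx,.\Windows\System32\winevt\Logs,2024-03-01 10:15:02.0500000,DataExtend|Close
Application.evtx,.\Windows\System32\winevt\Logs,2024-03-01 10:20:00.0000000,DataExtend|Close
"""

# Negative control: journal activity on the Security log without any truncation.
USN_J_NO_TRUNCATION_CSV = r"""Name,ParentPath,UpdateTimestamp,UpdateReasons
Security.evtx,.\Windows\System32\winevt\Logs,2024-03-01 10:15:02.0500000,DataExtend|Close
"""


def parse_ts(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'. The tools emit 7 fractional digits; Python's
    %f accepts at most 6, so the fraction is trimmed (sub-microsecond precision is lost)."""
    main, _, frac = value.strip().partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{main}.{frac}", "%Y-%m-%d %H:%M:%S.%f")


def log_cleared_events(evtx_csv: str, channel: str = "Security") -> List[datetime]:
    """Timestamps of Event ID 1102 ('The audit log was cleared') in the given channel."""
    rows = csv.DictReader(io.StringIO(evtx_csv))
    return sorted(parse_ts(r["TimeCreated"]) for r in rows
                  if r["EventId"] == "1102" and r["Channel"] == channel)


def earliest_event_id(evtx_csv: str) -> Optional[str]:
    """Event ID of the oldest record; after a clear, the fresh log begins with the 1102."""
    rows = list(csv.DictReader(io.StringIO(evtx_csv)))
    if not rows:
        return None
    return min(rows, key=lambda r: parse_ts(r["TimeCreated"]))["EventId"]


def log_truncations(usn_csv: str, log_name: str = "Security.evtx") -> List[datetime]:
    """Timestamps of $J records carrying the DataTruncation reason for the named file.
    UpdateReasons is a '|'-separated reason list, so match on the split set, not substring."""
    found = []
    for r in csv.DictReader(io.StringIO(usn_csv)):
        reasons = {x.strip() for x in r["UpdateReasons"].split("|")}
        if r["Name"].lower() == log_name.lower() and "DataTruncation" in reasons:
            found.append(parse_ts(r["UpdateTimestamp"]))
    return sorted(found)


def correlate(cleared: List[datetime], truncations: List[datetime],
              window: timedelta = timedelta(seconds=60)) -> List[Tuple[datetime, datetime]]:
    """Pair each 1102 with every truncation of the log file within +/- window."""
    return [(c, t) for c in cleared for t in truncations if abs(c - t) <= window]


def af007_verdict(evtx_csv: str, usn_csv: str,
                  window: timedelta = timedelta(seconds=60)) -> dict:
    """Summarise the evidence; 'fires' is True only when the two sources corroborate."""
    cleared = log_cleared_events(evtx_csv)
    truncations = log_truncations(usn_csv)
    pairs = correlate(cleared, truncations, window)
    return {
        "cleared_events": len(cleared),
        "truncations": len(truncations),
        "correlated_pairs": len(pairs),
        "first_record_is_1102": earliest_event_id(evtx_csv) == "1102",
        "fires": bool(pairs),
    }


if __name__ == "__main__":
    print("AF-007 sample:", af007_verdict(SECURITY_EVTX_CSV, USN_J_CSV))
    print("negative control:", af007_verdict(SECURITY_EVTX_CSV, USN_J_NO_TRUNCATION_CSV))
```

Two practical caveats when applying this to real exports: both tools write UTC by default, so keep the time zone settings identical on both sides or the 60-second window will silently miss; and the check deliberately requires the 1102, so a variant in which the event log service is stopped or Security.evtx is replaced wholesale would leave only the USN side and needs separate handling. The first_record_is_1102 field is a supporting heuristic, not the verdict, since a freshly cleared log ordinarily begins with that record.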
Related framework resources: framework repository https://github.com/ioi-framework/ioi-framework ; case materials https://github.com/ioi-framework/ioi-framework/tree/main/CASES/AF-007 ; website case page https://ioi-framework.github.io/cases/af-007/
This record is intended as a versioned reproducibility dataset for the AF-007 case and may be updated in future Zenodo versions as additional documentation, checksums, manifests, or companion derived files are added.
Files
af007_security_evtx.csv
Additional details
Software
- Repository URL
- https://github.com/ioi-framework/ioi-framework