We can clear a single log with wevtutil cl Security, but a system has many logs to manage, and an intruder who has compromised a system can just as easily clear all of them. So how would one clear every log in one simple step? PowerShell is the obvious choice, although a cmd.exe for loop would also do. Two caveats for the defender: wevtutil cl needs an elevated session (clearing the Security log in particular requires the "Manage auditing and security log" privilege), and the act of clearing is itself recorded, as Event ID 1102 in the Security log and Event ID 104 in the System log for the other logs, so an empty log whose first entry is one of these events is a strong indicator of tampering rather than of a quiet system.
I wanted to look at PowerShell and its capability to do this task. It can actually do this very easily with a single command line:
wevtutil el | Foreach-Object {wevtutil cl "$_"}
The el parameter enumerates all logs on the system, one name per line, so that output can be piped to ForEach-Object to send each log name to wevtutil cl in turn. That is nice, but I also wanted to know how many of these logs I have on my system, and PowerShell was the natural choice for that task too. A few minutes of searching the Internet revealed that there are many ways to count objects in PowerShell. This is where the investigator gene triggered in my head, and I wanted to find out how they differ.
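As an added example (not code from the original post), the script below builds on the one-liner: it enumerates the logs with wevtutil el, counts them, lists record counts per log through Get-WinEvent -ListLog, and wraps the clearing loop in a function that reports which logs could not be cleared instead of silently skipping them. It assumes an elevated PowerShell session; the function names are my own, and the log names and counts will differ on every host.

```powershell
# Added example, not from the original post. Assumes an elevated session.

function Get-EventLogNames {
    # wevtutil el prints one log name per line; drop any blank trailing line
    wevtutil el | Where-Object { $_ -ne '' }
}

function Get-EventLogSummary {
    # -ListLog reads only the log metadata, so this is cheap even on busy hosts.
    # Some logs raise access errors even when elevated; suppress those like the post does.
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        Sort-Object RecordCount -Descending |
        Select-Object LogName, RecordCount, IsEnabled
}

function Clear-AllEventLogs {
    # SupportsShouldProcess gives us -WhatIf for free, so the loop can be rehearsed
    # before anything is actually destroyed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $cleared = 0
    $failed  = @()
    foreach ($log in Get-EventLogNames) {
        if ($PSCmdlet.ShouldProcess($log, 'Clear event log')) {
            # wevtutil cl sets a non-zero exit code on access denied or on logs
            # that cannot be cleared (for example Analytic/Debug logs that are enabled)
            wevtutil cl "$log" 2>$null
            if ($LASTEXITCODE -eq 0) { $cleared++ } else { $failed += $log }
        }
    }
    [pscustomobject]@{ Cleared = $cleared; Failed = $failed }
}

$names = Get-EventLogNames
'{0} logs enumerated by wevtutil el' -f $names.Count

# The ten logs holding the most records
Get-EventLogSummary | Select-Object -First 10 | Format-Table -AutoSize

# Dry run: prints what would be cleared and clears nothing.
# Drop -WhatIf to actually clear; remember that the clearing itself is logged
# (Security 1102, System 104), so this is never silent.
Clear-AllEventLogs -WhatIf
```

Counting the output of Get-EventLogNames with .Count is the same question the rest of the post investigates: that property is only available because the parenthesised or assigned pipeline output has been collected into an array first.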
Digital forensics is partly a field of inductive reasoning, where each step of the reasoning needs to be reliable and scientifically tested in order to reach a reliable conclusion. It will never be as reliable as deductive logic, but well-tested methodologies can make it as reliable as current knowledge allows.
One benefit of education is the ability to test tools and make informed decisions when using them. In some cases we might even estimate a suspect's education level and the sophistication of the attacks we are facing, if we can capture and analyze the code he or she used during reconnaissance. After all, we need to connect a human to a technical action in order to call this field a science.
But enough of that.
I decided to test three methods of counting. I needed a large set of objects to iterate through in order to see a trend, so I decided to count the number of directory entries on my system drive; that should be large enough for any trend to emerge. I stopped all unnecessary services on my system to create a stable environment and establish a baseline. I would be monitoring a single process, but I wanted to make sure nothing interfered with the system while testing. I ran PowerShell as an administrator and ran each command three times with a short pause between runs.
I was not surprised by the similarity of the I/O operations, since in each case the same directory entries have to be read, but the memory utilization did surprise me in the third case. The third method appears to gather all the file objects before counting them at the end. The first two methods stream: the pipeline hands each object to Measure-Object or to the ForEach-Object script block, a counter is incremented, and the object is dropped. The third method wraps the pipeline in parentheses, which forces PowerShell to collect the entire output into an array in memory before the .count property can be read, so every object is held until the count is known.
The commands I tested (measure is the alias for Measure-Object, and -EA is short for -ErrorAction):
I. Get-ChildItem -recurse -EA SilentlyContinue | measure
II. Get-ChildItem -recurse -EA SilentlyContinue | foreach-object { $count++ }; $count
III. (Get-ChildItem -recurse -EA SilentlyContinue).count
Note: the -EA SilentlyContinue parameter was used to suppress error messages, since there are some directories that not even an administrator can access (the access-denied errors are still generated, just not displayed, so they cost the same in every method). I first ran a few tests without this parameter, but the errors were annoying, so I added the parameter later on. Evaluating and adjusting procedures along the way is part of the scientific method.
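To make the comparison repeatable, here is an added harness (my own code, not from the original post) that runs the three methods against the same directory tree, times each one, and snapshots the PowerShell process's working set before and after each run, which is enough to see method III's buffering without external monitoring. It assumes an elevated session and a readable -Path; $env:SystemDrive\ is the default to match the post, but a smaller tree such as $env:windir is a sensible first run.

```powershell
# Added example, not from the original post. Assumes an elevated session.
param([string]$Path = "$env:SystemDrive\")

function Measure-CountMethod {
    param(
        [Parameter(Mandatory)] [string]      $Name,
        [Parameter(Mandatory)] [scriptblock] $Method,
        [Parameter(Mandatory)] [string]      $Target
    )
    # Start from a collected heap so the delta reflects this run only
    [GC]::Collect()
    $proc     = Get-Process -Id $PID
    $wsBefore = $proc.WorkingSet64

    # Stopwatch rather than Measure-Command, so the result stays in this scope
    $sw     = [System.Diagnostics.Stopwatch]::StartNew()
    $result = & $Method $Target
    $sw.Stop()

    # Snapshot after the run and before the next collection: the array that
    # method III built is unreachable by now but has not yet been released,
    # so it still shows up in the working set. This is not a peak measurement.
    $proc.Refresh()
    [pscustomobject]@{
        Method            = $Name
        Entries           = $result
        Seconds           = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        WorkingSetDeltaMB = [math]::Round(($proc.WorkingSet64 - $wsBefore) / 1MB, 1)
    }
}

# The three methods from the post, each taking the root path as a parameter.
# Every one suppresses access-denied errors exactly as the post does.
$methods = [ordered]@{
    'I.   measure'         = { param($p)
        (Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count }
    'II.  foreach counter' = { param($p)
        # ForEach-Object runs its block in the caller's scope, so $n is updated in place
        $n = 0
        Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $n++ }
        $n }
    'III. (...).Count'     = { param($p)
        # The parentheses collect the whole pipeline into an array before .Count runs
        (Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue).Count }
}

$results = foreach ($entry in $methods.GetEnumerator()) {
    Measure-CountMethod -Name $entry.Key -Method $entry.Value -Target $Path
}
$results | Format-Table -AutoSize

# The three counts must agree; if they do not, the tree changed between runs
# and the timing comparison is not valid either.
if (@($results.Entries | Sort-Object -Unique).Count -ne 1) {
    Write-Warning 'Counts differ between methods; rerun on a quiescent system.'
}
```

Run it three times, as the post does, and compare the WorkingSetDeltaMB column: methods I and II should stay close to zero while method III grows with the size of the tree. If the counts disagree across runs, something on the drive was changing, and that is a reason to re-establish the baseline before trusting any of the numbers.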
This might never matter in an actual investigation, but exercises of this type develop pattern-recognition skills and produce investigators who are not just logical thinkers but problem solvers: people who do not pick up the first tool they find and treat it the way an IT person would, just to get the job done, but who make sure the most reliable methods are used in an investigation. By the way, all three methods found the same number of directory entries, and they completed the task in about the same amount of time; only their memory behaviour differed.
References:
http://technet.microsoft.com/en-us/library/cc732848.aspx
http://technet.microsoft.com/en-us/library/ee176841.aspx