forked from libyal/libevtx

ChangeLog
TODO
* add parameter expansion support
* evtxexport: add support for .mui files in the same directory
* add clean IO handle function
* msvscpp:
- check and fix debug output generation
* mark file as corrupted on CRC mismatch ?
* check signal abort
* parse binary data from EventData
* event message file ?
- correctly deal with \\ in C:\Program Files\Common Files\McAfee\SystemCore\\naievent.dll
* improve detecting corrupted recovered event records
* improve dealing with corrupted event records?
* formatted output
- check with test data if output is now correct
* wevt
- improve (template) codepage handling
- improve template definition XML template value handling
* message handle:
- create: message string object
- get %WinDir% from registry
* resource file
- cache message strings
- cache template providers
- cache template events
- cache template definitions
* tests
- evtexport: handle "Provider identifier" in debug output
* XML output change
- Keywords add no leading 0's
  <Keywords>0x8080000000000000</Keywords>
strings:
- support non-contiguous data elements ?
libfwevt optimization:
- reference value while parsing?
- count number of data elements (strings) while parsing
- reference binary (data) while parsing
* API
- get op code (0 => Info)
- task category (none if not set)
- keywords
* recovery:
- pass what type of chunk is being read
- pass flag to binary xml parsing to ignore parsing errors ? or make this the default behavior
- move read xml out of init record function ?
* fix message filename retrieval, registry being read wrong ?
* implement libevtx_xml_tag_get_attribute_by_utf8_path (and utf16 equivalent) ?
* implement libevtx_xml_tag_get_element_by_utf8_path (and utf16 equivalent) ?
* store name hash in value identifier
* deal with corruption scenario
* deal with trailing empty data ?
* remove libevtx_libfguid.h once libfvalue wraps the format flags
* evtxexport:
- non-xml export format use evtexport like approach (add functions to get specific event data)
* add recovery scan
* add debug function for binary XML token types
* codepage support
* flag internally if the file is corrupted (CRC mismatch)
Format:
* what about empty binary xml data in the event record? does it only contain a 0x00 byte?
Debug:
* libfwevt: character reference print trailing data
* handle empty XML document:
  libevtx_record_values_read_xml_document: XML document:
  libfwevt_xml_tag_debug_print: invalid XML tag.
Recovery:
* scan for records in chunk free space
20141019
* changes for deployment
20141009
* updated dependencies and corresponding changes
20141004
* update Python-bindings tests
20140929
* removed README.macosx
* changes for project site move
20140901
* bug fix in Python-bindings
20140731
* bug fix in Python-bindings
20140723
* worked on dpkg debug packages support
20140531
* updated msvscpp files
20140530
* updated dependencies
* worked on Python-bindings
* replaced PackageMaker for pkgbuild
20140402
* code clean up
20140323
* worked on Python-bindings
20140317
* updated dependencies
* worked on setup.py
* worked on Python-bindings
20140210
* added evtxexport man page
20140131
* removed examples
20140112
* updated dependencies
20140105
* 2014 update
20132111
* small fix in evtxexport -h output
* updated dependencies
* worked on python bindings
20131013
* updated dependencies
20131009
* improved dpkg files
20130929
* worked on setup.py, largely for MSI builds
20130923
* updated dependencies
20130909
* updated dependencies
* worked on libcthreads build support
20130727
* updated dependencies
* pyevtx
- changed event identifier to an unsigned long
- fixes for >2G file objects in BFIO glue code
20130718
* updated dependencies
* removed unnecessary restriction in library include headers
20130713
* worked on tests
* improved reading from dirty files with an incorrect number of chunks
20130712
* fix for encoding special characters in XML output
* code clean up
* pyevtx small changes to docstrings
* worked on tests
* updated dependencies
* added support for parsing ProcessingErrorData
20130609
* updated dependencies
20120521
* worked on improving corruption detection for recovered records
20120421
* worked on tests
* updated dependencies
* bug fixes in binary xml parsing
20120418
* fixed issue for utf16 base16 string too small
20120417
* comparing the results of various builds
20120414
* textual changes
* code clean up
20120413
* updated dependencies
* fixed codepage 1255 restriction
* worked on tests
* updates and bug fixes in pyevtx
* improvements to message string support
20120329
* bug fix for recent libfdata changes
* updated dependencies
20120319
* updated dependencies
* changes for libfdata update
20130307
* updated macosx files
20130303
* added PackageMaker files
20130301
* fixed bug in handling recovered records when no records are available
20130226
* worked on error tolerance
* added debug output for file flags
20130210
* updated libcfile to allow reading from open files
* fixed incorrect name of resulting evtxexport binary in msvscpp files
20130209
* small fix in the libcdirectory msvscpp files
* updated dependencies
* made record parsing more error resilient for Archived evtx files
20130208
* worked on formatted strings
* added decimal representation to level
20130207
* worked on record parsing
20130206
* worked on record parsing
* merged <Data Name="ExtraInfo">\n</Data> into <Data Name="ExtraInfo"/>
  (value consists of a single linefeed 0x0a)
20130205
* library now parses records without template by default
* worked on message string
* message string now prints unused conversion specifiers
20130113
* updated msvscpp files
* updated examples
20130110
* updated manuals
* worked on pyevtx
20130109
* worked on pyevtx
20130107
* 2013 update
* updated dependencies
20121220
* worked on formatted message strings
* fixes for multi platform builds
20121219
* worked on formatted message strings
20121218
* worked on formatted message strings
20121217
* worked on formatted message strings
20121214
* worked on formatted message strings
* evtxexport: added decimal event number
20121213
* worked on formatted message strings
20121212
* worked on formatted message strings
20121125
* worked on formatted message strings
* evtxexport: detect double newlines and remove
* updated dependencies
20121122
* pyevtx: code clean up
20121119
* worked on formatted message strings
* updated libfwevt
20121104
* pyevtx: bug fixes
* updated dependencies
* code clean up
20121031
* worked on formatted message strings
20121030
* code clean up
* worked on message string object
* worked on formatted message strings
20121029
* worked on formatted message strings
* code clean up
20121028
* worked on formatted message strings
20121027
* worked on formatted message strings
20121025
* added examples and tests directories
* worked on user security identifier function
20121022
* worked on provider identifier support
20121021
* worked on provider identifier support
* worked on libfwevt
20121020
* worked on provider identifier support
20121019
* worked on formatted message strings
- added support for case change in mui filename expansion
* worked on libevtx
- added support for Binary
- added support for UserData
20121018
* worked on formatted message strings
* bug fix in libcerror
* bug fix in libcpath
* bug fix handling %WinDir%
* worked on pyevtx
20121017
* code clean up
* worked on formatted message strings
* updated libwrc
20121016
* changed default language
* worked on pyevtx
* worked on formatted message strings
20121013
* worked on evtxexport
20121012
* worked on evtxexport
20120924
* updated dependencies
* libcdata update
20120919
* updated dependencies
20120912
* updated dependencies
20120819
* updated dependencies
20120817
* worked on python bindings
- added iterator
20120816
* worked on python bindings
20120815
* worked on library
20120814
* worked on python bindings
* worked on tools
20120805
* updated dependencies
20120718
* updated dependencies
* added libcstring, libfwevt
* worked on libfwevt integration into libevtx
* added support for empty element tag value
20120501
* updated dependencies
* worked on text format export
20120430
* worked on record recovery
* worked on text format export
20120429
* worked on split value support
* worked on character and entity reference support
20120428
* updated dependencies
* worked on PI support
20120423
* fixes for deployment
20120422
* libfvalue update
* improvement for reading and converting to XML
20120419
* code clean up
* improvements for distribution
* improvements for non-debug build
20120418
* worked on libfvalue - format passing
20120417
* added libexe, libregf, libwrc, libcdirectory
* updated libfdatetime
* worked on libfvalue
20120415
* worked on libfvalue to copy to string functions
* code now merges <File></File> to <File/>
20120414
* worked on API
* worked on parsing binary XML
- added support for array types
20120413
* worked on evtxexport
* worked on API
20120410
* worked on API
20120409
* updated dependencies
* worked on storing XML tags and attributes
20120312
* worked on parsing binary XML
20120311
* worked on parsing binary XML
20120310
* worked on reading events
20120307
* worked on reading chunks
* added CRC32 support
20120306
* 2012 update
20111101
* updated configure.ac and m4 files
* updated spec and pc file
* updated README files
* updated common, libcstring, libsystem, libuna, libbfio, libfdatetime, libfvalue
* worked on windows codepage 932 and 936 support
20110920
* worked on initial version
20110919
* initial version based on libesedb 20110919