forked from libyal/libevtx
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
82 lines (72 loc) · 2.59 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
TODO
* add parameter expansion support
* evtxexport: add add support for .mui files in the same directory
* add clean IO handle function
* msvscpp:
- check and fix debug output generation
* mark file as corrupted on CRC mismatch ?
* check signal abort
* parse binary data from EventData
* event message file ?
- correctly deal with \\ in C:\Program Files\Common Files\McAfee\SystemCore\\naievent.dll
* improve detecting corrupted recovered event records
* improve dealing with corrupted event records?
* formatted output
- check with test data if output is now correct
* wevt
- improve (template) codepage handling
- improve template definition XML template value handling
* message handle:
- create: message string object
- get %WinDir% from registry
* resource file
- cache message strings
- cache template providers
- cache template events
- cache template definitions
* tests
- evtexport: handle "Provider identifier" in debug ouput
* XML output change
- Keywords add no leading 0's
<Keywords>0x8080000000000000</Keywords>
strings:
- support non-contiguous data elements ?
libfwevt optimization:
- reference value while parsing?
- count number of data elements (strings) while parsing
- reference binary (data) while parsing
* API
- get op code (0 => Info)
- task category (none if not set)
- keywords
* recovery:
- pass what type of chunk is being read
- pass flag to binary xml parsing to ignore parsing errors ?
or make this the default behavior
- move read xml out of init record function ?
* fix message filename retrieval, registry being read wrong ?
* implement libevtx_xml_tag_get_attribute_by_utf8_path (and utf16 equivalent) ?
* implement libevtx_xml_tag_get_element_by_utf8_path (and utf16 equivalent) ?
* store name hash in value identifier
* deal with corruption scenario
* deal with trailing empty data ?
* remove libevtx_libfguid.h once libfvalue wraps the format flags
* evtxeport:
- non-xml export format use evtexport like approach (add functions to get
specific event data)
* add recovery scan
* add debug function for binary XML token types
* codepage support
* flag internally if the file is corrupted (CRC mismatch)
Format:
* what about empty binary xml data in the event record? does it only contain a 0x00 byte?
Debug:
* libfwevt: character reference print trailing data
* handle empty XML document:
libevtx_record_values_read_xml_document: XML document:
libfwevt_xml_tag_debug_print: invalid XML tag.
Recovery:
* scan for records in chunk free space
20110919
* see `git log' for more recent change log
* initial version based on libesedb 20110919