File: ChangeLog

libevtx 20181227-2
  • area: main
  • in suites: bookworm, bullseye
  • size: 16,584 kB
  • sloc: ansic: 272,141; sh: 6,144; makefile: 1,666; python: 325; sed: 16
TODO
* add parameter expansion support
* evtxexport: add support for .mui files in the same directory
* add clean IO handle function
* msvscpp:
  - check and fix debug output generation
* mark file as corrupted on CRC mismatch ?
* check signal abort
* parse binary data from EventData
* event message file ?
  - correctly deal with \\ in C:\Program Files\Common Files\McAfee\SystemCore\\naievent.dll
* improve detecting corrupted recovered event records
* improve dealing with corrupted event records?
* formatted output
  - check with test data if output is now correct
* wevt
  - improve (template) codepage handling
  - improve template definition XML template value handling
* message handle:
  - create: message string object
  - get %WinDir% from registry
* resource file
  - cache message strings
  - cache template providers
  - cache template events
  - cache template definitions
* tests
  - evtexport: handle "Provider identifier" in debug output

* XML output change
  - Keywords add no leading 0's
    <Keywords>0x8080000000000000</Keywords>

strings:
  - support non-contiguous data elements ?

libfwevt optimization:
  - reference value while parsing?
  - count number of data elements (strings) while parsing
  - reference binary (data) while parsing

* API
  - get op code (0 => Info)
  - task category (none if not set)
  - keywords

* recovery:
  - pass what type of chunk is being read
  - pass flag to binary xml parsing to ignore parsing errors ?
    or make this the default behavior
  - move read xml out of init record function ?
* fix message filename retrieval, registry being read wrong ?
* implement libevtx_xml_tag_get_attribute_by_utf8_path (and utf16 equivalent) ?
* implement libevtx_xml_tag_get_element_by_utf8_path (and utf16 equivalent) ?
* store name hash in value identifier
* deal with corruption scenario
* deal with trailing empty data ?
* remove libevtx_libfguid.h once libfvalue wraps the format flags
* evtxexport:
  - non-xml export format use evtexport like approach (add functions to get
    specific event data)
* add recovery scan
* add debug function for binary XML token types
* codepage support
* flag internally if the file is corrupted (CRC mismatch)

Format:
* what about empty binary xml data in the event record? does it only contain a 0x00 byte?

Debug:
* libfwevt: character reference print trailing data
* handle empty XML document:
  libevtx_record_values_read_xml_document: XML document:
  libfwevt_xml_tag_debug_print: invalid XML tag.

Recovery:
* scan for records in chunk free space

20110919
* see `git log' for more recent change log
* initial version based on libesedb 20110919