s3mprgumb1 / whodunnit Goto Github PK

Change arrays to ArrayLists to drastically improve performance

Arrays in PowerShell are of fixed length at creation, as such, using the += operator to append an element to the array causes the entire array to be rebuilt in memory. This significantly increases the time complexity of the append operation, from O(1) to O(n).

Switching data structures from Arrays to ArrayLists would solve this issue, reducing the time complexity down to O(1), while leaving the memory space complexity roughly the same, where as using a HashTable would increase the space used to store the data structure.

The current menu is quite simplistic for a forensic tool, as a result this issue is aimed at implementing the menu style that is present in the current version of the project.

Export logs to a format that Microsoft's Windows Event Viewer can import

Currently, the only supported export format is XML. The goal of this issue is to support an export format that mimics the format used by the native Windows Event Viewer. This would allow a user to export logs using whodunnit, then import them into a familiar GUI setting for further filtration, or simply manual review.

Importing logs from the currently running system is great, but the ability to import logs from an offline disk is critical to a forensic investigation. This issue consists of two parts: Importing from a mounted drive, and importing from an offline NTFS disk, using the MFT to locate the log files.