LiveAnalysysがオンの際にSecuirtyログのみを確認するように修正 (#60)

* Logon Timeline Bug: セキュリティ以外のタイムラインが作成されてしまう
Fixes #58

* adapt autoformatter

* change arraylist insert to add function

* fixed typo

* fixed argument check error

* added filepath argument to logontimeline function

* fixed  processing evtxfiles when logfile is null

* add warning in logfile or logdirectory is specified when liveanalysys

* fixed output ERROR when set LogDirectory #58

* fix LiveAnalysys with LogDir or LogFile output condition #58

Config/Language/en.ps1

@@ -326,7 +326,7 @@ $Create_LogonTimeline_TypeOther = "Other Type Logons:"
 $Create_LogonTimeline_localComputer = "LOCAL"
 
 $Warn_DC_LiveAnalysis = "Warning: You probably should not be doing live analysis on a Domain Controller. Please copy log files offline for analysis."
-$Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile at the same time."
+$Error_InCompatible_LiveAnalysisAndLogFile = "Error: You cannot specify -LiveAnalysis and -LogFile (or -LogDirectory) at the same time."
 $Error_InCompatible_LogDirAndFile = "Error：You cannot specify -LogDirectory and -LogFile at the same time." 
 $Error_NotSupport_LiveAnalysys = "Error: Live Analysis is only supported on Windows"
 $Error_NeedAdministratorPriv = "Error: You need to be running Powershell as Administrator."

Config/Language/ja.ps1

@@ -328,13 +328,13 @@ $Create_LogonTimeline_TypeOther = "その他のタイプのログオン:"
 $Create_LogonTimeline_localComputer = "ローカル"
 
 $Warn_DC_LiveAnalysis = "注意：ドメインコントローラーでライブ調査をしない方が良いです。ログをオフラインにコピーしてから解析して下さい。"
-$Error_InCompatible_LiveAnalysisAndLogFile = "エラー：「-LiveAnalysis」 と「-LogFile」を同時に指定できません。"
+$Error_InCompatible_LiveAnalysisAndLogFile = "エラー：「-LiveAnalysis」 と「-LogFile」「-LogDirectory」を同時に指定できません。"
 $Error_InCompatible_LogDirAndFile = "エラー：「-LogDirectory」 と「-LogFile」を同時に指定できません。"
 $Error_NotSupport_LiveAnalysys = "エラー： ライブ調査はWindowsにしか対応していません。"
 $Error_NeedAdministratorPriv = "エラー： Powershellを管理者として実行する必要があります。"
 $Error_NoSaveOutputWithCSV = "エラー： 「-SaveOutput」を指定してください"
 $Error_NoNeedSaveOutputWithGUI = "エラー： 「-OutputGUI」と「-SaveOutput」を同時に指定できません。"
-$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必用があります。"
+$Error_InCompatible_NoLiveAnalysisOrLogFileSpecified = "エラー: -LiveAnalysisまたは-LogFileを指定する必要があります。"
 
 #function Show-Contributors
 $Show_Contributors =

WELA.ps1

@@ -228,7 +228,7 @@ $TotalLogs = 0
 
 $HostLanguage = Get-WinSystemLocale | Select-Object Name # en-US, ja-JP, etc..
 
-if  ( $HostLanguage.Name -eq "ja-JP" -and $English -eq $true ){
+if ( $HostLanguage.Name -eq "ja-JP" -and $English -eq $true ) {
     Import-Module './Config/Language/en.ps1' -Force;
 }
 elseif ( $HostLanguage.Name -eq "ja-JP" -or $Japanese -eq $true ) {
@@ -429,7 +429,7 @@ function Get-KerberosStatusStr {
 }
 
 function Create-LogonTimeline {
-    param([string] $UTCOffset)
+    param([string] $UTCOffset, [string] $filePath)
     # Notes: 
     #   Logoff events without corresponding logon events first won't be printed
     #   The log service shutdown time is used for the shutdown time so might be wrong if the log service was turned off while the system was running. (anti-forensics, etc..)
@@ -470,9 +470,9 @@ function Create-LogonTimeline {
         $WineventFilter.Add( "EndTime" , $EndTimeline )
     }
 
-    $WineventFilter.Add( "Path", $LogFile )
-    $filesize = Format-FileSize( (get-item $LogFile).length )
-    $filesizeMB = (Get-Item $LogFile).length / 1MB 
+    $WineventFilter.Add( "Path", $filePath )
+    $filesize = Format-FileSize( (get-item $filePath).length )
+    $filesizeMB = (Get-Item $filePath).length / 1MB
 
     $filesizeMB = $filesizeMB * 0.1
     $ApproxTimeInSeconds = $filesizeMB * 60
@@ -481,7 +481,7 @@ function Create-LogonTimeline {
     $RuntimeMinutes = $TempTimeSpan.Minutes.ToString()
     $RuntimeSeconds = $TempTimeSpan.Seconds.ToString()
 
-    Write-Host ( $Create_LogonTimeline_Filename -f $LogFile )           # "File Name: {0}"
+    Write-Host ( $Create_LogonTimeline_Filename -f $filePath )           # "File Name: {0}"
     Write-Host ( $Create_LogonTimeline_Filesize -f $filesize )          # "File Size: {0}"
     Write-Host ( $Create_LogonTimeline_Estimated_Processing_Time -f $RuntimeHours, $RuntimeMinutes, $RuntimeSeconds )   # "Estimated processing time: {0} hours {1} minutes {2} seconds"
 
@@ -1770,7 +1770,7 @@ if ( $LiveAnalysis -eq $true -and $IsDC -eq $true ) {
     exit
 }
 
-if ( $LiveAnalysis -eq $true -and $LogFile -ne "" ) {
+if ( $LiveAnalysis -eq $true -and ($LogFile -ne "" -or $LogDirectory -ne "")) {
     Write-Host
     Write-Host $Error_InCompatible_LiveAnalysisAndLogFile -ForegroundColor White -BackgroundColor Red
     Write-Host 
@@ -1786,9 +1786,9 @@ if ( $LiveAnalysis -eq $false -and $LogFile -eq "" -and $EventID_Statistics -eq
 }
 
 #No analysis source was specified
-if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM_UsageBasic -eq $true -or $AnalyzeNTLM_UsageDetailed -eq $true){
+if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM_UsageBasic -eq $true -or $AnalyzeNTLM_UsageDetailed -eq $true) {
 
-    if ( $LiveAnalysis -ne $true -and $LogFile -ne $true -and $LogDirectory -ne $true){
+    if ( $LiveAnalysis -ne $true -and ($LogFile -ne "" -or $LogDirectory -ne "")) {
 
         Write-Host
         Write-Host $Error_InCompatible_NoLiveAnalysisOrLogFileSpecified -ForegroundColor White -BackgroundColor Red
@@ -1801,7 +1801,10 @@ if ( $EventID_Statistics -eq $true -or $LogonTimeline -eq $true -or $AnalyzeNTLM
 
 #Create-Timeline
 
-$evtxFiles = @($LogFile)
+$evtxFiles = [System.Collections.ArrayList] @()
+if ($LogFile -ne "") {
+    [void]$evtxFiles.Add($LogFile)
+}
 
 if ( $LiveAnalysis -eq $true ) {
 
@@ -1811,9 +1814,13 @@ if ( $LiveAnalysis -eq $true ) {
         $evtxFiles = @(
             "C:\Windows\System32\Winevt\Logs\Microsoft-Windows-NTLM%4Operational.evtx"
         )
-
-    } else {
-
+    }
+    elseif ($LogonTimeline -eq $true) {
+        $evtxFiles = @(
+            "C:\Windows\System32\winevt\Logs\Security.evtx"
+        )
+    } 
+    else {
         $evtxFiles = @(
             "C:\Windows\System32\winevt\Logs\Security.evtx",
             "C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"
@@ -1829,8 +1836,7 @@ elseif ( $LogDirectory -ne "" ) {
         exit
     }
 
-    $evtxFiles = Get-ChildItem -Filter *.evtx -Path $LogDirectory | ForEach-Object { $_.FullName }
-
+    Get-ChildItem -Filter *.evtx -Path $LogDirectory | ForEach-Object { [void]$evtxFiles.Add($_.FullName) }
 }
 
 $Timezone = Get-TimeZone
@@ -1852,18 +1858,18 @@ foreach ( $LogFile in $evtxFiles ) {
 
     if ( $LogonTimeline -eq $true ) {
 
-        Create-LogonTimeline $UTCOffset
+        Create-LogonTimeline $UTCOffset -filePath $LogFile
 
     }
 
-    if ( $AnalyzeNTLM_UsageBasic -eq $true){
+    if ( $AnalyzeNTLM_UsageBasic -eq $true) {
 
         .  ($AnalyzersPath + "NTLM-Operational.ps1")
         Analyze-NTLMOperationalBasic
 
     }
 
-    if ( $AnalyzeNTLM_UsageDetailed -eq $true){
+    if ( $AnalyzeNTLM_UsageDetailed -eq $true) {
 
         .  ($AnalyzersPath + "NTLM-Operational.ps1")
         Analyze-NTLMOperationalDetailed