Added binary XML creation time to API and evtxexport #21

configure.ac

@@ -2,7 +2,7 @@ AC_PREREQ( 2.59 )
 
 AC_INIT(
  [libevtx],
- [20190414],
+ [20190617],
  [[email protected]])
 
 AC_CONFIG_SRCDIR(

evtxtools/export_handle.c

@@ -1920,6 +1920,69 @@ int export_handle_export_record_text(
 	 "Event number\t\t\t: %" PRIu64 "\n",
 	 value_64bit );
 
+	result = libevtx_record_get_creation_time(
+	          record,
+	          &value_64bit,
+	          error );
+
+	if( result == -1 )
+	{
+		libcerror_error_set(
+		 error,
+		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
+		 "%s: unable to retrieve creation time.",
+		 function );
+
+		goto on_error;
+	}
+	else if( result != 0 )
+	{
+		if( libfdatetime_filetime_copy_from_64bit(
+		     filetime,
+		     value_64bit,
+		     error ) != 1 )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
+			 "%s: unable to copy filetime from 64-bit.",
+			 function );
+
+			goto on_error;
+		}
+#if defined( HAVE_WIDE_SYSTEM_CHARACTER )
+		result = libfdatetime_filetime_copy_to_utf16_string(
+			  filetime,
+			  (uint16_t *) filetime_string,
+			  48,
+			  LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
+			  error );
+#else
+		result = libfdatetime_filetime_copy_to_utf8_string(
+			  filetime,
+			  (uint8_t *) filetime_string,
+			  48,
+			  LIBFDATETIME_STRING_FORMAT_TYPE_CTIME | LIBFDATETIME_STRING_FORMAT_FLAG_DATE_TIME_NANO_SECONDS,
+			  error );
+#endif
+		if( result != 1 )
+		{
+			libcerror_error_set(
+			 error,
+			 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+			 LIBCERROR_RUNTIME_ERROR_SET_FAILED,
+			 "%s: unable to copy filetime to string.",
+			 function );
+
+			goto on_error;
+		}
+		fprintf(
+		 export_handle->notify_stream,
+		 "Creation time\t\t\t: %" PRIs_SYSTEM " UTC\n",
+		 filetime_string );
+	}
 	if( libevtx_record_get_written_time(
 	     record,
 	     &value_64bit,

include/libevtx.h.in

@@ -419,7 +419,16 @@ int libevtx_record_get_identifier(
      uint64_t *identifier,
      libevtx_error_t **error );
 
-/* Retrieves the 64-bit FILETIME value containing the written time
+/* Retrieves the 64-bit FILETIME value containing the creation time from the binary XML
+ * Returns 1 if successful, 0 if not available or -1 on error
+ */
+LIBEVTX_EXTERN \
+int libevtx_record_get_creation_time(
+     libevtx_record_t *record,
+     uint64_t *filetime,
+     libevtx_error_t **error );
+
+/* Retrieves the 64-bit FILETIME value containing the written time from the event record header
  * Returns 1 if successful or -1 on error
  */
 LIBEVTX_EXTERN \

libevtx/libevtx_record.c

@@ -350,16 +350,16 @@ int libevtx_record_get_identifier(
 	return( 1 );
 }
 
-/* Retrieves the 64-bit FILETIME value containing the written time
+/* Retrieves the 64-bit FILETIME value containing the creation time from the binary XML
  * Returns 1 if successful or -1 on error
  */
-int libevtx_record_get_written_time(
+int libevtx_record_get_creation_time(
      libevtx_record_t *record,
      uint64_t *filetime,
      libcerror_error_t **error )
 {
 	libevtx_internal_record_t *internal_record = NULL;
-	static char *function                      = "libevtx_record_get_written_time";
+	static char *function                      = "libevtx_record_get_creation_time";
 
 	if( record == NULL )
 	{
@@ -374,30 +374,61 @@ int libevtx_record_get_written_time(
 	}
 	internal_record = (libevtx_internal_record_t *) record;
 
-	if( internal_record->record_values == NULL )
+	if( libevtx_record_values_get_creation_time(
+	     internal_record->record_values,
+	     filetime,
+	     error ) != 1 )
 	{
 		libcerror_error_set(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
-		 LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
-		 "%s: invalid record - missing record values.",
+		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
+		 "%s: unable to retrieve creation time from record values.",
 		 function );
 
 		return( -1 );
 	}
-	if( filetime == NULL )
+	return( 1 );
+}
+
+/* Retrieves the 64-bit FILETIME value containing the written time from the event record header
+ * Returns 1 if successful or -1 on error
+ */
+int libevtx_record_get_written_time(
+     libevtx_record_t *record,
+     uint64_t *filetime,
+     libcerror_error_t **error )
+{
+	libevtx_internal_record_t *internal_record = NULL;
+	static char *function                      = "libevtx_record_get_written_time";
+
+	if( record == NULL )
 	{
 		libcerror_error_set(
 		 error,
 		 LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
 		 LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
-		 "%s: invalid filetime.",
+		 "%s: invalid record.",
 		 function );
 
 		return( -1 );
 	}
-	*filetime = internal_record->record_values->written_time;
+	internal_record = (libevtx_internal_record_t *) record;
 
+	if( libevtx_record_values_get_written_time(
+	     internal_record->record_values,
+	     filetime,
+	     error ) != 1 )
+	{
+		libcerror_error_set(
+		 error,
+		 LIBCERROR_ERROR_DOMAIN_RUNTIME,
+		 LIBCERROR_RUNTIME_ERROR_GET_FAILED,
+		 "%s: unable to retrieve written time from record values.",
+		 function );
+
+		return( -1 );
+	}
 	return( 1 );
 }
 

libevtx/libevtx_record.h

@@ -82,6 +82,12 @@ int libevtx_record_get_identifier(
      uint64_t *identifier,
      libcerror_error_t **error );
 
+LIBEVTX_EXTERN \
+int libevtx_record_get_creation_time(
+     libevtx_record_t *record,
+     uint64_t *filetime,
+     libcerror_error_t **error );
+
 LIBEVTX_EXTERN \
 int libevtx_record_get_written_time(
      libevtx_record_t *record,