ANSSI-FR/ADTimeline

Arrays and PSObjects

LxLeChat opened this issue · 4 comments

Consider the following syntax, available since powershell 3.0:

# The array must exist before += can append to it.
$Replinfo = @()
$Replinfo += [PSCustomObject]@{
    Propriete1='Value1'
    Propriete2='Value1'
    Propriete3='Value1'
}

It might make you save some time when creating new objects.

Maybe you can use ArrayList instead of arrays: way faster to add items to it.
Other consideration when using arrays: every time you use += the array is duplicated, and your new item added at the end of the newly created array. So I don't know how many objects your array must contain, but the more objects you add... the slower it gets.
ArrayList is not duplicated when you add new items.

$replinfo = [System.Collections.ArrayList]@()
# Add() returns the index of the new item; cast to [void] so the index is not written to the output.
[void]$replinfo.Add(
    [PSCustomObject]@{
        Propriete1='Value1'
        Propriete2='Value1'
        Propriete3='Value1'
    }
)
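To make the cost of += concrete, here is an added example (not code from the ADTimeline repository) that builds the same kind of objects both ways and times them. It uses only PowerShell 2.0-compatible syntax (New-Object PSObject instead of the [PSCustomObject] accelerator); the function names and property values are constructed for the example.

```powershell
# Added example: array += versus ArrayList.Add when building many PSObjects.
# Written for PowerShell 2.0 compatibility: no [PSCustomObject]@{} accelerator.

function New-ReplInfoObject {
    param([int]$Index)
    # New-Object PSObject -Property works on PowerShell 2.0 and later.
    # Property names follow the issue; values are constructed for the example.
    New-Object PSObject -Property @{
        Propriete1 = "Value$Index"
        Propriete2 = 'Value1'
        Propriete3 = 'Value1'
    }
}

function Build-WithArray {
    param([int]$Count)
    $replinfo = @()
    for ($i = 0; $i -lt $Count; $i++) {
        # Each += allocates a new array of size n+1 and copies the old one: O(n^2) overall.
        $replinfo += New-ReplInfoObject -Index $i
    }
    return $replinfo
}

function Build-WithArrayList {
    param([int]$Count)
    $replinfo = New-Object System.Collections.ArrayList
    for ($i = 0; $i -lt $Count; $i++) {
        # Add() grows an internal buffer in place and returns the new index; discard the index.
        [void]$replinfo.Add((New-ReplInfoObject -Index $i))
    }
    return $replinfo
}

$count = 5000

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$a = Build-WithArray -Count $count
$msArray = $sw.ElapsedMilliseconds

$sw = [System.Diagnostics.Stopwatch]::StartNew()
$b = Build-WithArrayList -Count $count
$msList = $sw.ElapsedMilliseconds

"{0} objects via array +=      : {1,7} ms" -f $count, $msArray
"{0} objects via ArrayList.Add : {1,7} ms" -f $count, $msList
"Both hold {0}/{1} items; first Propriete1 = {2}" -f $a.Count, $b.Count, $a[0].Propriete1
```

Raise $count to see the gap widen: the array version grows quadratically while the ArrayList version stays roughly linear.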

The script should be able to run on a machine with Powershell 2.0, I will make it clear in the Prerequisites section of the Readme file.
Regarding the use of System.Collections.ArrayList it looks to be a good idea as it is available with any version of the .NET Framework. I will implement and test it, then push it in next release if everything is ok.

Alright, cool! I think this should work!

Regarding PS v2, in the prerequisites you mention Windows NT 6.1 is needed (windows8/windows server 2008 r2), so... you see me coming ;) WMF3 is fully compatible with NT 6.1!
Moreover PS v2 is deprecated!
If it's an audit tool, it's launched from one computer/server. So pushing WMF3 on one computer/server is enough (pushing it on the whole infra is not necessary).

My point being: why PS v2? :) Anyway :) if this is not up for debate, so be it! :)

I totally understand your point but ADTimeline is more a DFIR tool than an audit tool. So it has often to be deployed quickly by an IT staff under pressure. At the same time they are asked for firewall, proxy logs and a ton of stuff...
That is why we want to spare them the time to deploy wmf3, even on one computer, and not add more prerequisites for running a tool.

Use of System.Collections.ArrayList pushed in last commit