handle evtx Events not in chronological order

[jtmoon79]

Describe the bug

EVTX files may store Events out of chronological order. This will cause s4 to print those Events out of order at the point where the disorder occurs. This will cause the merging of differing log message to behave errantly.

To Reproduce

Run s4 with --summary on some EVTX files on a Windows host. Most are found at path C:\Windows\System32\winevt\Logs. Note the out of order value.

Additional context

Testing on a Windows 11 Pro host, about 2/3 of EVTX files, among ~100 files, had chronologically out of order files.

This Issue is labelled both a bug and enhancement. It is a bug in s4 as it breaks a core purpose of the program and assumption of the user. However it's due to the nature of EVTX files so "Fixing" this is an enhancement.

---

Meta Issue #182

[jtmoon79]

Relates to #87

[jtmoon79]

The implementation in e42d021 does:

1. reads entire .evtx file (in analyze(...)) stored in a BTreeMap
2. later, executor thread effectively calls BTreeMap.pop_first() until None is returned

This bad news is:

• the entire file is stored in memory before being processed
• the runtime has increased from O(n) (precisely n=events) to O(n*log(n)) (precisely log(n) * n + n where n=events)