My team automates parsing UAC artifacts to ingest into our internal evidence systems. The uac.log file contains crucial metadata that we would like to use to guide parsing and routing, but it is unfortunately at the end of the [sorted] archive. We can scan the archive twice: once for uac.log and once for understanding, but it would be nice to limit how far the first scan must go, especially for large collections.
As such, I've implemented a pair of changes that, when combined, would allow us to move that log file to the front of the archive without materially affecting normal operation. Those changes are represented in my fork here: https://github.com/rbcrwd/uac/tree/feature/uac_log_move.
As I'm a first-time UAC contributor, I presumed it'd be better to open a ticket for discussion before a PR, so we can discuss whether the approach is reasonable.
I think adding uac.log at the beginning of the .output_file.tmp is not an issue. We can work on a change that does not require adding a new command line option either.
Just for curiosity. Are you using .output_file.tmp during your automation process?
We are not using the temporary file in our automation.
I agree that there are many ways to inject uac.log at the top of the tarball, and am happy to submit a PR doing so.
Given the "any Bourne shell" requirement, the most stringently compatible way of doing so may involve a second temp file, which I was trying to avoid with the --unsorted approach. The option satisfies two goals for us, since we handle quite a few large collections for which sorting things like hash lists is wasted time and forensic spoliation.
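As an added illustration of the reordering discussed above (not code from UAC or from the fork linked in the issue), the snippet below assumes `.output_file.tmp` is a newline-separated list of paths and that the archive is created in that list's order; it front-loads `uac.log` with only POSIX `grep`/`printf`, builds a constructed sample collection, and shows that the log becomes the first tar member a sequential scanner encounters. `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Illustration only, not UAC's own implementation.
# Emit uac.log first (if present) and then every other entry of the list,
# preserving their existing order. No second temp file is needed for the
# reordering itself; the caller decides where the output goes.
front_load_list() {
    list="$1"
    if grep -qx 'uac.log' "$list"; then
        printf '%s\n' 'uac.log'
    fi
    grep -vx 'uac.log' "$list" || true   # grep exits 1 on no match; not an error here
}

# Build a constructed sample collection and tar it in the front-loaded order.
# Prints the path of the resulting archive.
build_demo_archive() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        mkdir -p hash_executables live_response
        echo 'constructed hash list'          > hash_executables/md5.txt
        echo 'constructed process listing'    > live_response/ps.txt
        echo 'constructed collection metadata' > uac.log
        # Simulated sorted .output_file.tmp: uac.log sorts last.
        printf '%s\n' hash_executables/md5.txt live_response/ps.txt uac.log > .output_file.tmp
        front_load_list .output_file.tmp > .reordered.tmp
        # tar stores members in argument order, so the list order is the archive order.
        tar cf collection.tar $(cat .reordered.tmp)
    )
    echo "$work/collection.tar"
}

# Name of the first member, i.e. what a header-by-header scan reads first.
first_member() {
    tar tf "$1" | head -n 1
}
```

With the reordered list, an ingestion pipeline can stop its first pass as soon as the leading `uac.log` header is read instead of walking to the end of the archive.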