<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />
<title>Introduction — DFIR ORC documentation</title>
<link rel="stylesheet" type="text/css" href="_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="_static/solar.css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script data-url_root="./" id="documentation_options" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/_sphinx_javascript_frameworks_compat.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/sphinx_highlight.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Tutorial" href="tuto.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="tuto.html" title="Tutorial"
accesskey="N">next</a>
<li class="nav-item nav-item-0"><a href="#">DFIR ORC documentation</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="#">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="#">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a></li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3 id="searchlabel">Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" aria-labelledby="searchlabel" />
<input type="submit" value="Go" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<section id="introduction">
<h1>Introduction<a class="headerlink" href="#introduction" title="Permalink to this heading">¶</a></h1>
<p>DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a <a class="reference internal" href="embedded_tool_suite.html"><span class="doc">collection of specialized tools</span></a> dedicated to reliably parsing and collecting critical artefacts such as the MFT, registry hives or event logs.
It can also embed external tools together with their configurations.</p>
<p>DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It cannot spy on an attacker either, as an EDR or HIDS/HIPS would.
It rather provides a forensically relevant snapshot of machines running Microsoft Windows.</p>
<p>Over the years, it has evolved into stable and reliable software that faithfully collects unaltered data.
Designed to scale to large installed bases, it supports fine-tuning to keep its impact on production environments low.</p>
<div class="note admonition">
<p class="admonition-title">How to build DFIR ORC?</p>
<p>DFIR ORC is not usable out of the box: it is a configurable framework that builds a binary by embedding other tools, including the file system parsing tools that are also released.</p>
<p><strong>Everything needed to build a functional tool using Microsoft Visual Studio (free edition) is provided.</strong>
To get started building, check out this <a class="reference external" href="https://github.com/dfir-orc/dfir-orc">GitHub repository</a>!</p>
</div>
<div class="warning admonition">
<p class="admonition-title">Tutorial</p>
<p>DFIR ORC can be quite difficult to understand the first time around. A <a class="reference internal" href="tuto.html"><span class="doc">tutorial</span></a>, organized in progressive steps, can help users understand how the tool works and how to tune its configuration.</p>
</div>
</section>
<section id="table-of-contents">
<h1>Table of Contents<a class="headerlink" href="#table-of-contents" title="Permalink to this heading">¶</a></h1>
<div class="toctree-wrapper compound">
<ul class="current">
<li class="toctree-l1 current"><a class="current reference internal" href="#">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a><ul>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#build">1. Build</a></li>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#configure">2. Configure</a></li>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#test-the-configuration">3. Test the Configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#use-local-configuration-files">4. Use Local Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#edit-embedded-configurations">5. Edit Embedded Configurations</a></li>
<li class="toctree-l2"><a class="reference internal" href="tuto.html#the-final-challenge">6. The Final Challenge</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a><ul>
<li class="toctree-l2"><a class="reference internal" href="design_principles.html">Design Principles</a></li>
<li class="toctree-l2"><a class="reference internal" href="architecture.html">Architecture</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a><ul>
<li class="toctree-l2"><a class="reference internal" href="resources.html">Referencing Resources in Configurations</a></li>
<li class="toctree-l2"><a class="reference internal" href="cli_options.html">DFIR ORC Command-line Options</a></li>
<li class="toctree-l2"><a class="reference internal" href="wolf_config.html">WolfLauncher Configuration File</a></li>
<li class="toctree-l2"><a class="reference internal" href="ToolEmbed.html">ToolEmbed</a></li>
<li class="toctree-l2"><a class="reference internal" href="orc_local_config.html">DFIR ORC Local Configuration File</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul>
<li class="toctree-l2"><a class="reference internal" href="info_tools.html">Common Options & Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a><ul>
<li class="toctree-l2"><a class="reference internal" href="open-license.html">English version</a></li>
<li class="toctree-l2"><a class="reference internal" href="LO.html">French version</a></li>
</ul>
</li>
</ul>
</div>
<section id="a-few-q-a-to-introduce-dfir-orc">
<h2>A Few Q&A to Introduce DFIR ORC<a class="headerlink" href="#a-few-q-a-to-introduce-dfir-orc" title="Permalink to this heading">¶</a></h2>
<section id="what-is-dfir-orc">
<h3>What is DFIR ORC?<a class="headerlink" href="#what-is-dfir-orc" title="Permalink to this heading">¶</a></h3>
<p>DFIR ORC is a modular and scalable tool to collect artefacts on Microsoft Windows systems, in a decentralized manner.</p>
</section>
<section id="what-is-an-artefact-what-is-digital-forensics">
<h3>What is an artefact? What is digital forensics?<a class="headerlink" href="#what-is-an-artefact-what-is-digital-forensics" title="Permalink to this heading">¶</a></h3>
<p>Digital forensics investigators study the traces left by various activities on computing systems.
These traces are called artefacts. Usually, analysts track traces of computer intrusions or criminal activities.
When incident responders analyze machines following a security breach, they use forensic investigation techniques to understand what happened and when. This helps restore a safe production environment as quickly as possible.</p>
</section>
<section id="who-can-use-dfir-orc">
<h3>Who can use DFIR ORC?<a class="headerlink" href="#who-can-use-dfir-orc" title="Permalink to this heading">¶</a></h3>
<p>DFIR ORC is intended for computer security professionals wishing to collect forensically relevant data. The
incident responders addressing security breaches on Microsoft Windows installed bases are the primary target audience.</p>
</section>
<section id="is-dfir-expertise-needed-to-run-dfir-orc">
<h3>Is DFIR expertise needed to run DFIR ORC?<a class="headerlink" href="#is-dfir-expertise-needed-to-run-dfir-orc" title="Permalink to this heading">¶</a></h3>
<p>Once configured, DFIR ORC is meant to be executed easily by any computer user. On large Microsoft Windows installed bases, administrators can deploy and gather the results as they would for any other binary.</p>
<p>The DFIR ORC framework is the result of several years of development. It has been used in various contexts, from the investigation of a single desktop disk to incident response for a multinational corporation.</p>
</section>
<section id="can-dfir-orc-identify-compromised-machines">
<h3>Can DFIR ORC identify compromised machines?<a class="headerlink" href="#can-dfir-orc-identify-compromised-machines" title="Permalink to this heading">¶</a></h3>
<p>DFIR ORC collects data, but does not perform any analysis. Strictly speaking, it cannot be used to determine whether
a machine has been compromised. Diagnoses arise from analysis of artefacts by forensic investigators.</p>
</section>
<section id="why-has-anssi-developed-dfir-orc">
<h3>Why has ANSSI developed DFIR ORC?<a class="headerlink" href="#why-has-anssi-developed-dfir-orc" title="Permalink to this heading">¶</a></h3>
<p>In the last decade, the DFIR community has had to deal with ever-growing installed bases and to address Advanced Persistent Threats (APTs). In an effort to face these challenges, ANSSI has revamped its investigation methodology and developed suitable tooling. DFIR ORC is a direct result of this change in the paradigm.</p>
</section>
<section id="what-is-released">
<h3>What is released?<a class="headerlink" href="#what-is-released" title="Permalink to this heading">¶</a></h3>
<p>The release consists of three GitHub repositories, gathered in an <a class="reference external" href="https://github.com/dfir-orc">organization</a>. The repositories contain:</p>
<blockquote>
<div><ul class="simple">
<li><p>the <a class="reference external" href="https://github.com/dfir-orc/dfir-orc">source code</a> to be compiled for:</p></li>
</ul>
<blockquote>
<div><ul class="simple">
<li><p>the main program orchestrating the collection on a machine</p></li>
<li><p>tools to parse file systems</p></li>
<li><p>data collection tools</p></li>
</ul>
</div></blockquote>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/dfir-orc/dfir-orc-config">configuration examples</a>: configurations define which elements should be collected using embedded or external tools, and allow capping resource usage. A usable instance of DFIR ORC therefore needs to embed an appropriate configuration.</p></li>
<li><p>a <a class="reference internal" href="tuto.html"><span class="doc">tutorial to customize configurations</span></a>, to appear shortly, under final review.</p></li>
<li><p>a <a class="reference external" href="https://github.com/dfir-orc/dfir-orc">compilation guide</a> to obtain a usable binary using Microsoft Visual Studio (free version) from the code and configurations cited above.</p></li>
</ul>
</div></blockquote>
</section>
<section id="why-is-dfir-orc-released">
<h3>Why is DFIR ORC released?<a class="headerlink" href="#why-is-dfir-orc-released" title="Permalink to this heading">¶</a></h3>
<p>Like numerous institutions and private firms, ANSSI makes use of open-source software and wishes to contribute back to the digital security community. The release of DFIR ORC, the result of 8 years of active development, forms a significant contribution.</p>
<p>ANSSI developers of the DFIR ORC framework hope that a community of users and developers will emerge following this release, to help in the evolution of the tools.</p>
</section>
<section id="are-the-tools-still-maintained-will-there-be-other-releases">
<h3>Are the tools still maintained? Will there be other releases?<a class="headerlink" href="#are-the-tools-still-maintained-will-there-be-other-releases" title="Permalink to this heading">¶</a></h3>
<p>Yes! Developers of DFIR ORC keep on improving the framework, fixing bugs and adding new features.
New versions will be pushed in the appropriate repositories.</p>
</section>
<section id="why-is-it-written-in-c">
<h3>Why is it written in C++?<a class="headerlink" href="#why-is-it-written-in-c" title="Permalink to this heading">¶</a></h3>
<p>C++ suited the project when it was started, and it still does. Its main advantages are as follows:</p>
<ul class="simple">
<li><p>it is a low-level language that allows system programming,</p></li>
<li><p>it performs well and scales to handle large volumes of data,</p></li>
<li><p>it does not need any external dependency to run,</p></li>
</ul>
</section>
<section id="can-dfir-orc-be-used-in-malicious-ways">
<h3>Can DFIR ORC be used in malicious ways?<a class="headerlink" href="#can-dfir-orc-be-used-in-malicious-ways" title="Permalink to this heading">¶</a></h3>
<p>ANSSI is mindful that the released code could be hijacked, whatever the situation.
The publication of this code is intended to be useful to the forensics community.
However, we must point out that, like any collection framework, DFIR ORC is meant to
embed other tools, intended to run across a whole installed base.</p>
<div class="warning admonition">
<p class="admonition-title">Warning</p>
<p><strong>Users must control the origin and integrity of the tool before using it</strong>.
DFIR ORC is meant to be modular, hence users should <strong>always run the specific version of the tool they were issued by a trusted party for a given situation</strong>.</p>
</div>
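<p>One way to carry out the origin and integrity check the warning above calls for, on the Windows host where the build is staged before deployment. This is an added example and not part of the DFIR ORC project: the binary path and the expected SHA-256 value are placeholders, and the expected hash must be obtained from the trusted party that issued the build, over a channel separate from the binary itself.</p>

```powershell
# Added example (not DFIR ORC project code): verify a DFIR ORC binary before
# deploying it to an installed base.
# Assumptions: $OrcBinary is a hypothetical staging path; $ExpectedSha256 is a
# placeholder for the hash communicated out of band by the issuing party.
param(
    [string]$OrcBinary      = "C:\Deploy\DFIR-Orc.exe",
    [string]$ExpectedSha256 = "<SHA256-FROM-TRUSTED-ISSUER>"
)

if (-not (Test-Path -LiteralPath $OrcBinary)) {
    Write-Error "Binary not found: $OrcBinary"
    exit 1
}

# 1. Integrity: the embedded tools and configuration are part of the single
#    binary, so one hash over the file covers the whole issued build.
#    Get-FileHash returns upper-case hex; -ne compares case-insensitively.
$actual = (Get-FileHash -LiteralPath $OrcBinary -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    Write-Error "SHA-256 mismatch for $OrcBinary (expected $ExpectedSha256, got $actual). Do not deploy."
    exit 1
}

# 2. Origin: if the issuing party signs its builds, the Authenticode signature
#    must be valid and the signer must be the one expected. A self-built,
#    unsigned binary reports 'NotSigned' and must be vouched for by other means.
$sig = Get-AuthenticodeSignature -FilePath $OrcBinary
if ($sig.Status -eq 'Valid') {
    Write-Output "Signature valid; signer: $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "Signature status is '$($sig.Status)'; confirm this build's origin with the issuer before deploying."
}

Write-Output "Integrity check passed: $OrcBinary matches the issued SHA-256."
```

<p>Run the script on the staged binary before it is pushed to any machine, and record the verified hash alongside the deployment so that the exact version used in a given situation can later be tied back to the party that issued it.</p>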
<p>As for the code itself, most of the resources that DFIR ORC needs to access are privileged, for good reason. DFIR ORC therefore has to run with administrative privileges, which carries the usual risks.</p>
<p>Finally, from the legal point of view, the published code is provided
“as is” without any kind of warranty, as is explicitly stated by its <a class="reference external" href="https://github.com/dfir-orc/dfir-orc/blob/master/LICENSE.txt">license</a>.</p>
</section>
<section id="what-makes-dfir-orc-a-forensically-sound-framework">
<h3>What makes DFIR ORC a forensically sound framework?<a class="headerlink" href="#what-makes-dfir-orc-a-forensically-sound-framework" title="Permalink to this heading">¶</a></h3>
<p>The framework has been developed to minimize its footprint on the system on which it runs.</p>
<p>Firstly, the configuration allows influencing the order in which the tools run: noisy tools can be scheduled last.</p>
<p>Secondly, the published file system tools obey the following principles: write the minimum amount of data necessary,
create as few files as possible to avoid overwriting entries in the MFT, and refrain from creating any kind of system object such as a registry key or a service, since none is required. Of course, external tools embedded in DFIR ORC do not necessarily abide by these rules.</p>
<p>In a usual deployment, DFIR ORC writes results in a single directory and does not install any program on machines. When it is finished, only the archives remain, waiting to be collected.</p>
</section>
<section id="why-and-how-should-i-contribute">
<h3>Why and how should I contribute?<a class="headerlink" href="#why-and-how-should-i-contribute" title="Permalink to this heading">¶</a></h3>
<p>As for any actively maintained open-source project, taking part in DFIR ORC helps it evolve into an even more stable and useful tool set.
Helping can be done at several levels:</p>
<ul class="simple">
<li><p>by submitting bug reports or feature ideas - using GitHub issues <a class="reference external" href="https://github.com/dfir-orc/dfir-orc">on the code repository</a></p></li>
<li><p>by submitting pull requests for bug fixes or new features <a class="reference external" href="https://github.com/dfir-orc/dfir-orc">on the code repository</a></p></li>
<li><p>by having new ideas of elements to collect - using GitHub issues or pull requests in the <a class="reference external" href="https://github.com/dfir-orc/dfir-orc-config">configuration repository</a></p></li>
<li><p>by providing feedback on the documentation - using GitHub issues in the <a class="reference external" href="https://github.com/dfir-orc/dfir-orc.github.io">documentation repository</a>. Pull requests will be possible soon.</p></li>
</ul>
<p>Any kind of general feedback or question can also be sent by e-mail: dfir-orc <em>at</em> ssi.gouv.fr.</p>
</section>
</section>
</section>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="tuto.html" title="Tutorial"
>next</a>
<li class="nav-item nav-item-0"><a href="#">DFIR ORC documentation</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2019, ANSSI. The contents of this documentation are available under the Open License version 2.0 as published by Etalab (French task force for Open Data). The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without its express approval. The content of this documentation is available under the Open License version 2.0 as published by Etalab (French Open Data organisation). The DFIR ORC name and the associated logo belong to ANSSI; any use must be expressly authorised by ANSSI.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 5.3.0. Theme is <a href="http://github.com/vimalkvn/solar-theme">Solar</a>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>