Embedded Tool Suite

The DFIR ORC framework relies on a suite of tools to parse and collect artefacts in a reliable manner. This part of the documentation provides details about their behavior and configuration.

The utility tools embedded in the DFIR ORC binaries are listed below. One further embedded tool, ToolEmbed, is not a collection tool per se: it is used to embed the tools and configuration files into a DFIR ORC binary.

  • FatInfo: Collects FAT metadata from the file system (file names, hashes, authenticode data, etc.)

  • FastFind: Locate and report on Indicators of Compromise

  • GetSamples: Automated sample collection

  • GetSectors: Collects MBR, VBR and partition slack space

  • GetThis: Collects sample data from the file system (files, ADS, Extended Attributes, etc.)

  • NTFSInfo: Collects NTFS metadata (file entries, timestamps, file hashes, authenticode data, etc.)

  • NTFSUtil: NTFS Master File Table inspector

  • ObjInfo: Collects the named object list (named pipes, mutexes, etc.)

  • RegInfo: Collects registry related information (without mounting hives)

  • USNInfo: Collects USN journal
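Each embedded tool is invoked by name as the first argument of the DFIR ORC binary. The following PowerShell snippet is an added example, not part of the original documentation, that runs a few of the metadata collectors listed above against the system drive and checks the result. It assumes the binary is named DFIR-Orc.exe and lives in the current directory, that every tool accepts the common /out=<path> option, and that a non-zero exit code means the tool failed; the output directory and tool list are choices for illustration.

```powershell
# Added example (not from the DFIR ORC project): run selected embedded tools
# one by one and verify that each produced its output file.
# Assumptions: DFIR-Orc.exe in the current directory; tools accept /out=<path>.
$Orc    = Join-Path $PWD 'DFIR-Orc.exe'          # assumed binary location
$OutDir = Join-Path $env:TEMP 'orc-out'          # output directory (illustrative)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Tools that write a single CSV/TXT report; mapping chosen for this example.
$Tools = @(
    @{ Name = 'NTFSInfo'; Out = 'ntfsinfo.csv'; Args = @('C:\') },
    @{ Name = 'USNInfo';  Out = 'usninfo.csv';  Args = @('C:\') },
    @{ Name = 'ObjInfo';  Out = 'objinfo.txt';  Args = @() },
    @{ Name = 'RegInfo';  Out = 'reginfo.csv';  Args = @() }
)

$Failures = @()
foreach ($t in $Tools) {
    $outFile = Join-Path $OutDir $t.Out
    # Tool name first, then the common /out option, then tool-specific args.
    $argv = @($t.Name, "/out=$outFile") + $t.Args
    Write-Host "Running $($t.Name) -> $outFile"
    & $Orc @argv
    if ($LASTEXITCODE -ne 0) {
        $Failures += "$($t.Name): exit code $LASTEXITCODE"
        continue
    }
    if (-not (Test-Path $outFile) -or (Get-Item $outFile).Length -eq 0) {
        $Failures += "$($t.Name): no output written to $outFile"
    }
}

if ($Failures.Count -gt 0) {
    Write-Warning ("Some collectors failed:`n" + ($Failures -join "`n"))
    exit 1
}
Write-Host "All collectors completed; results in $OutDir"
```

Collection tools must run with administrative rights to read raw NTFS metadata and the USN journal, so launch the script from an elevated prompt; in production the same tools are normally driven by the embedded configuration rather than by hand, but invoking them directly is the quickest way to check that a given collector works on a target system.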