Introduction

DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations.

DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It cannot spy on an attacker either, as an EDR or HIDS/HIPS would. It rather provides a forensically relevant snapshot of machines running Microsoft Windows.

Along the years, it has evolved to become stable and reliable software to faithfully collect unaltered data. Meant to scale up for use on large installed bases, it supports fine-tuning to have low impact on production environments.

How to build DFIR ORC?

DFIR ORC is not usable out-of-the-box: it is a configurable framework allowing to build a binary by embedding other tools, including file system parsing tools which are also released.

Everything needed to build a functional tool using Microsoft Visual Studio (free edition) is provided. To get started building, check out this GitHub repository!

Tutorial

DFIR ORC can be quite difficult to understand the first time around. A tutorial, organized in progressive steps, can help users understand how the tool works and how to tune its configuration.

Table of Contents

A Few Q&A to Introduce DFIR ORC

What is DFIR ORC?

DFIR ORC is a modular and scalable tool to collect artefacts on Microsoft Windows systems, in a decentralized manner.

What is an artefact? What is digital forensics?

Digital forensics investigators study traces left by various activities on computing systems. These traces are named artefacts. Usually, analysts track traces of computer hacks or criminal activities. When incident responders analyze machines following a security breach, they use forensic investigation techniques to understand what happened and when. This helps restoring a safe production environment as quickly as possible.

Who can use DFIR ORC?

DFIR ORC is intended for computer security professionals wishing to collect forensically relevant data. The incident responders addressing security breaches on Microsoft Windows installed bases are the primary target audience.

Is DFIR expertise needed to run DFIR ORC?

Once configured, DFIR ORC is meant to be executed easily by any computer user. On large Microsoft Windows installed bases, administrators can deploy and gather the results as they would for any other binary.

The DFIR ORC framework is the result of several years of development. It has been used in various contexts, from the investigation of a single desktop disk to incident response for a multinational corporation.

Can DFIR ORC identify compromised machines?

DFIR ORC collects data, but does not perform any analysis. Strictly speaking, it cannot be used to determine whether a machine has been compromised. Diagnoses arise from analysis of artefacts by forensic investigators.

Why has ANSSI developed DFIR ORC?

In the last decade, the DFIR community has had to deal with ever-growing installed bases and to address Advanced Persistent Threats (APTs). In an effort to face these challenges, ANSSI has revamped its investigation methodology and developed suitable tooling. DFIR ORC is a direct result of this change in the paradigm.

What is released?

The release consists of three GitHub repositories, gathered in an organization. The repositories contain:

  • the main program orchestrating the collection on a machine

  • tools to parse file systems

  • data collection tools

  • configuration examples: configurations define which elements should be collected using embedded or external tools, and allow to cap resource usage. Thus, a usable instance of DFIR ORC needs to embed an appropriate configuration.

  • a tutorial to customize configurations, to appear shortly, under final review.

  • a compilation guide to obtain a usable binary using Microsoft Visual Studio (free version) with code and configurations cited above.

Why is DFIR ORC released?

As numerous institutions and private firms, ANSSI makes use of open-source software, and wishes to contribute back to the digital security community. The release of DFIR ORC, result of 8 years of active development, forms a significant contribution.

ANSSI developers of the DFIR ORC framework hope that a community of users and developers will emerge following this release, to help in the evolution of the tools.

Are the tools still maintained? Will there be other releases?

Yes! Developers of DFIR ORC keep on improving the framework, fixing bugs and adding new features. New versions will be pushed in the appropriate repositories.

Why is it written in C++?

C++ suited the project when it was started, and it still does. Its main advantages are as follows :

  • it is a low-level language allowing system programming,

  • it performs and scales up to handle lots of data,

  • it does not need any external dependency to run,

  • it is a modern language still under development.

Can DFIR ORC be used in malicious ways?

ANSSI is mindful of potential hijacks of the code released in any situation. The publication of this code is intended to be useful to the forensics community. However, we must point out that, as any collection framework, DFIR ORC is meant to embed other tools, intended to run on a whole installed base.

Warning

Users must control the origin and integrity of the tool before using it. DFIR ORC is meant to be modular, hence users should always run the specific version of the tool they were issued by a trusted party for a given situation.

As for the code itself, most of the resources to which DFIR ORC needs to access are privileged, for good reason. Therefore, DFIR ORC has to be run with administrative privileges, which comes with the usual risks.

Eventually, from the legal point of view, the code published is proposed “as is” without any kind of warranty, as is explicitly stated by its license.

What makes DFIR ORC a forensically sound framework?

The framework has been developed to minimize its footprint on the system on which it runs.

Firstly, the configuration allows influencing the order in which the tools are run : noisy tools can be scheduled last.

Secondly, the published file system tools obey the following principles : write the minimum amount of data necessary, create as few files as possible to avoid writing over entries in the MFT, restrain from creating any kind of system object such as a registry key or a service as it is not required. Of course, external tools embedded in DFIR ORC do not necessarily abide by these rules.

In a usual deployment, DFIR ORC writes results in a single directory and does not install any program on machines. When it is finished, only the archives remain, waiting to be collected.

Why and how should I contribute?

As for any actively maintained open-source project, taking part in DFIR ORC helps it evolve towards an even more stable and useful tool set. Helping can be done at several levels :

Any kind of general feedback or question can also be sent by e-mail : dfir-orc at ssi.gouv.fr.