Common Options & Properties

Supported Versions

File system related tools are entirely implemented in native C++, compiled with Visual Studio 2017 Update 9 and do not require any installation prior to execution on the currently supported versions of Windows.

Help

Getting help can be done using /help or /?, for configured and unconfigured binaries.

DFIR-Orc.exe /help
DFIR-Orc_x64.exe NTFSUtil /?

For any tool embedded by default, the same options apply. For example, both of the following commands display the help menu for NTFSUtil:

DFIR-Orc_x64.exe NTFSUtil /help
DFIR-Orc.exe NTFSUtil /?

Table of Contents of Common Options & Properties

• Implementation Details About Parsers
  • MFT Parser
  • USN Parser
• Configuring Locations
  • Locations
    • Locations for Mounted Volumes
    • Locations for Physical Drives
    • Locations for Disk Images (.dd)
    • Locations for Volumes and Partitions of an Image (.dd)
    • Locations for Volume Shadow Copies
      • Explicit Volume Shadow Copy
      • Automatic Shadow Copies Addition
      • Shadow copy parser engine
    • Locations for Offline MFT
    • Location variables
  • Usage
    • altitude Attribute, /Altitude=<Strategy> Option
    • knownlocations Attribute, /knownlocations Option
    • shadows Attribute, /shadows Option
    • exclude Attribute, /Exclude="<DriveList>" Option
• Configuring the Yara Scanner
  • source Attribute
  • scan_method Attribute
  • block Attribute
  • overlap Attribute
  • timeout Attribute
• Configuring Attributes of ntfs_find and ntfs_exclude Elements
  • Search Algorithm and Result of a Search
  • Possible Attributes of a ntfs_find Element
  • Possible Attributes of a ntfs_exclude Element
  • Order of Evaluation of Attributes in Clauses
  • Typical Usage Examples
• Configuring Console Output, Logging
  • Usage
  • log Element
    • Console sink element, /log:console,... Option
      • level Attribute, /log:console,level=<Level>,... Option
      • backtrace Attribute, /log:console,backtrace=<Level>,... Option
    • File sink element, /log:file,... Option
      • level Attribute, /log:file,level=<Level>,... Option
      • backtrace Attribute, /log:file,backtrace=<Level>,... Option
      • output Element, /log:file,output=Path>,... Option
    • Syslog sink element, /log:syslog,... Option
      • level Attribute, /log:syslog,level=<Level>,... Option
      • backtrace Attribute, /log:syslog,backtrace=<Level>,... Option
      • host Attribute, /log:syslog,host=<ip4_or_ip6>,... Option
      • port Attribute, /log:syslog,port=<port>,... Option
    • Example
    • noconsole Attribute, /noconsole Option
    • verbose Attribute, /verbose Option
    • debug Attribute, /debug Option
  • Typical Usage Example
• Configuring Process Priority
• Configuring Tool Output
  • File Output
  • Directory Output
  • Archive Output
    • Compression (only for zip and 7z Format)
    • Password (only for zip and 7z Format)
  • File Character Encoding