DFIR ORC Local Configuration File

DFIR ORC can be locally configured to specify a limited set of configuration elements. Typically, those elements are the client’s specific configuration options (like the upload method, priority, temporary folder, etc.). The local configuration can be specified using:

  • The /local=<LocalConfigFile> command-line option

  • A file in the same directory as DFIR ORC, with the same base name and .xml extension, e.g.:

    • <SomeDirectory>\\DFIR-Orc.exe

    • <SomeDirectory>\\DFIR-Orc.xml

The index of this sections consists in the following XML skeleton file, which features all the elements that can appear in a real configuration file. It is not a usable configuration, in the sense that it does not contain any attribute key or value, and can exhibit incompatible elements. Its point is to be exhaustive from the point of view of existing usable elements.

<dfir-orc attributes=”…”>
<output> value </output>
<upload attributes=”…” />
<recipient attributes=”…”> value </recipient>
<key> value </key>

dfir-orc Element

optional=no, default=N/A

Root element


  • priority (optional=yes, default=normal)

    Configures Windows process (and thread) priority class. Available values for this attribute are: Low, Normal & High.

  • powerstate (optional=yes, default=unmodified power state)

    Configures DFIR ORC’s main thread power state to optionally prevent the system from going to sleep when DFIR ORC is running. Allowed value is a comma separated list of

    • SystemRequired

    • Displayrequired

    • UserPresent

    • AwayMode.

    When only looking to prevent sleep, recommended value for this option is SystemRequired,AwayMode. More information on power states: https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-setthreadexecutionstate

Back to Root

temporary Element

optional=yes, default=%temp%, parent element: dfir-orc

This element configures the location of temporary files created by the tool. The inner text of this element contains the name of the folder. Environment variables will be substituted.





Back to Root

output Element

optional=no, default=’.’, parent element: dfir-orc

This element configures the folder where the various archives will be created. A local drive or a remote SMB share can be specified (in the latter, the upload syntax should be privileged to reduce network congestion). Environment variables will be substituted.





Back to Root

upload Element

optional=yes, default=no upload, parent element: dfir-orc

The upload element is used to configure an optional upload operation when an archive is created.


  • job (optional=yes, default=none)

    Describes the upload operation.

  • method (optional=no, default=N/A)

    Describes the method to upload the files. Currently only “filecopy” (uses SMB) or “BITS” are allowed values.

  • server (optional=no, default=N/A)

    Specifies the server name (e.g. file://servername or http://servername, or https://servername) when using BITS or SMB.

  • path (optional=no, default= / or \ depending on the method)

    Specifies the file share or folder for the upload

  • user (optional=yes, default=the current user (executing DFIR ORC))

    Specifies the user name to be used to connect to the remote server.

  • password (optional=yes, default=N/A)

    Specifies the password to use (for the user defined above)

  • authscheme (optional=yes, default=Negotiate (if a user name is specified, anonymous otherwise))

    Specifies the authentication scheme for the connection. Possible scheme values are:

    • Anonymous

    • Basic

    • NTLM

    • Kerberos

    • Negotiate

  • operation (optional=yes, default=copy)

    “copy” or “move” the archives to the upload server.

  • mode (optional=yes, default=sync)

    “sync” or “async”: upload can be synchronous or asynchronous (asynchronous allows DFIR ORC to exit prior to BITS jobs completes). “async” is not supported for “filecopy” method.

  • include (optional=yes, default=none)

    Specifies a comma (or semicolon) separated list of patterns, matching the file name of archives, which determines that an output archive from DFIR-Orc.exe will be uploaded to the specified location. When include is not present, all archives are uploaded, if not explicitly excluded (see below). When include is specified, only archives whose name matches one of the patterns will be uploaded.

  • exclude (optional=yes, default=none)

    Specifies a comma (or semicolon) separated list of patterns, matching the file name of archives, which determines that an output archive should not be uploaded. When excluded, an output archive is left intact in the output directory (i.e. regardless of the operation attribute). The exclude attribute takes precedence over the include attribute, meaning an archive whose name matches both include and exclude patterns will be excluded.


<upload job="DFIR-ORC" method="BITS"
  user="MyORG\BITSUploadClient" password="P@ssw0rd!"
  include="DFIR-ORC_*_Hives.7z" />

Back to Root

recipient Element

optional=yes, default=N/A, parent element: dfir-orc

The recipient element is used to create the list of recipients able to open the enveloped CMS archives. It basically consists of a list of encoded certificates. This element is used to add a recipient’s certificate to the list of possible recipients for individual archives. This element implies encryption of the archives specified in its compulsory archive attribute.


  • name (optional=no, default=N/A)

    Name of the recipient

  • archive (optional=no, default=Does not encrypt any archive)

    Comma separated list of archive keyword specs to match against archive names. Specifies one or more archives encrypted in a CMS PKCS#7 message (cf http://tools.ietf.org/html/rfc2315 )


<recipient name='certfr' archive='*' >

Back to Root

key Element

optional=yes, default=N/A, parent element: dfir-orc

The key element allows to select only specific commands to be executed or archives to be generated. All non-matching keywords or archives are not executed or generated. This element is exclusive with enable_key and disable_key.




  <key>ORC_Quick</ key>

Back to Root

enable_key and disable_key Elements

optional=yes, default=N/A, parent element: dfir-orc

The enable_key element will enable an optional archive or command (cf. archive element , command element). The disable_key element will disable an archive generation or command execution. Elements enable_key and disable_key can be combined and repeated. All enable_key elements take effect before the disable_key elements. Keywords are case insensitive. The data in the element can be a comma separated list of keywords.





Back to Root