DFIR ORC Embedded Tool Suite

The utility tools embedded in the DFIR ORC binary are listed below. One further tool, ToolEmbed, is not related to collection per se.

  • FastFind: Locates and reports the presence of Indicators of Compromise (file system, registry keys, Windows named objects)

  • GetSectors: Collects MBR, VBR and partition slack space

  • GetThis: Collects sample data from the FileSystem (Files, ADS, Extended Attributes, …)

  • NTFSInfo: Collects NTFS metadata (file entries, timestamps, file hashes, Authenticode data, etc.)

  • ObjInfo: Collects the named object list (named pipes, mutexes, …)

  • RegInfo: Collects registry related information (without mounting hives)

  • USNInfo: Collects the USN Journal

  • DD: Copies specified blocks from devices

  • NTFSUtil: NTFS Master File Table inspector

The English version of the detailed documentation for these tools is being finalized and will appear shortly.