WolfLauncher Configuration File

The index of this section consists in the following XML skeleton file, which features all the elements that can appear in a real configuration file.

It is not a usable configuration, in the sense that it does not contain any attribute key or value, and can exhibit incompatible elements. Its point is to be exhaustive from the point of view of existing usable elements.

<wolf attributes=”…” >
<log attributes=”…” > value </log>
<recipient attributes=”…”> value </recipient>
<archive attributes=”…”>
<restrictions attributes=”…” />
<command attributes=”…” >
<execute attributes=”…” />
<input attributes=”…” />
<output attributes=”…” />
<argument attributes=”…” />

wolf Element

optional=no, default=N/A

Root element.

Attributes

  • childdebug (optional=yes, default=off)

    Enables (or disables) the command engine to attach as a debugger to all created processes. Upon unhandled exceptions (i.e. application crashes), the command engine will capture the memory dump of the faulty process. This memory dump will then be collected to enable the analysis of the crash.

  • command_timeout (optional=yes, default=3 hours)

    Configures the time (in minutes) the engine will wait for the last command(s) to complete. Upon timeout, the command engine will stop, kill any pending process and move on with archive completion.

  • archive_timeout (optional=yes, default=5 minutes)

    Configures the time (in minutes) the engine will wait for the archive to complete. Upon timeout, this archive will be canceled.

  • werdontshowui (optional=yes, default=WER UI will appear)

    Configures Windows Error Reporting to prevent blocking UI in case of a crash during DFIR ORC execution. WER previous configuration is restored at the end of DFIR ORC execution.

Back to Root

log Element

optional=yes, default=no log file, parent element: wolf

The log element can be used to create an optional log file of DFIR ORC execution. This file will be uploaded if an <upload/> element is specified in a DFIR ORC local configuration file.

Attributes

  • name (optional=no, default=N/A)

    Base file name of the log file. The same patterns can be used as in the archive file names (cf archive element).

    The following patterns will be automatically substituted:

    Pattern

    Description

    {ComputerName}

    NetBIOS computer name

    {FullComputerName}

    Fully qualified DNS name of physical computer (per GetComputerNameEx())

    {TimeStamp}

    The current date and time in the following form: YYYYMMDD_HHMMSS

    {SystemType}

    The Windows edition type running on this computer: WorkStation, Server, DomainController

  • disposition (optional=yes, default=append)

    Specifies if the log file should:

    • be appended to an existing file -> use “append”

    • be created as a new file (and logging should fail if file exists) -> use “create_new”

    • truncate any existing file or create a new file -> use “truncate”

Example

<log disposition='truncate' >DFIR-ORC\_{SystemType}_{ComputerName}.log</log>

Back to Root

recipient Element

optional=yes, default=N/A, parent element: wolf

The recipient element is used to create the list of recipients able to open the CMS enveloped archives. It basically consists of a list of encoded certificates.

Attributes

  • name (optional=no, default=N/A)

    Name of the recipient

  • archive (optional=no, default=N/A)

    Comma separated list of archive keyword specs to match against archive names. Specifies one or more archives encrypted in a CMS PKCS#7 message (cf http://tools.ietf.org/html/rfc2315).

Example

<recipient name='certfr' archive='*' >
  -----BEGIN CERTIFICATE-----
    ... value ...
  -----END CERTIFICATE-----
</recipient>

Back to Root

archive Element

optional=no, default=N/A, parent element: wolf

The archive element specifies the archives to be created during the execution of DFIR-Orc.exe WolfLauncher.

Attributes

  • name (optional=no, default=N/A)

    Configures the name of the archive

    The following patterns will be automatically substituted:

    Pattern

    Description

    {ComputerName}

    NetBIOS computer name

    {FullComputerName}

    Fully qualified DNS name of physical computer (per GetComputerNameEx())

    {TimeStamp}

    The current date and time in the following form: YYYYMMDD_HHMMSS

    {SystemType}

    The Windows edition type running on this computer: WorkStation, Server, DomainController

  • keyword (optional=no, default=N/A)

    Uniquely identifies this archive

  • concurrency (optional=no, default=N/A)

    Configures the number of concurrent executions

  • optional (optional=yes, default=archive is generated)

    Marks an archive as optional (i.e. not generated by default)

  • repeat (optional=no, default=Once)

    Configures the behavior of the engine upon rerun. Permitted values are:

    • CreateNew: a new archive is created each time DFIR-Orc.exe is run, with names suffixed by _1.7z, _2.7z, etc. An alternative is to use the {TimeStamp} pattern in the archive name.

    • Overwrite: previous archives are overwritten by new executions of DFIR-Orc.exe.

    • Once: if the target file already exists (and is not empty), then this archive is skipped.

    Note

    This is also taken into account when associated with the upload functionality.

  • compression (optional=yes, default=normal)

    Configures the compression level used by the compression engine (7zip & zip only). Values can be: None, Fastest, Fast, Normal, Maximum, Ultra.

  • command_timeout (optional=yes, default=3 hours)

    Per archive, override the global configured time (in minutes) the engine will wait for the last command(s) to complete. Upon timeout, the command engine will stop, kill any pending process and move on with archive completion.

  • archive_timeout (optional=yes, default=5 minutes)

    Per archive, override the global configured time (in minutes) the engine will wait for the archive to complete. Upon timeout, this archive will be canceled.

  • childdebug (optional=yes, default=false)

    Per archive, sets if the child process should be under the control of a debugger when running. If so, a mini dump file will be created if a crash occurs. If set to “no”, explicitly disables the debugger, any other value activates the debugger. Please note that this setting is overridden by command line option or attribute attached to the wolf element.

Example

<archive name='Quick\_{ComputerName}.7z' keyword='Basic' concurrency='2' repeat='Overwrite' >
  <restrictions JobMemoryLimit='3G' JobCPULimit='30' ProcessMemoryLimit='1G'
      ElapsedTimeLimit='360' ProcessCPULimit='10' />
    ...
</archive>

Back to Root

restrictions Element

optional=yes, default=N/A, parent element: wolf

This element configures the Windows job controlling the execution of subprocesses. Limits are set to the resources processes can consume. When a limit is reached, all remaining processes in the job will be terminated and the available output files will be collected into the archive.

Attributes

  • JobMemoryLimit (optional=yes, default=unlimited)

    Memory limit (working set) which the processes created can collectively commit. Can be expressed with multipliers (K,M,G). Example 3G for 3GB.

  • ProcessMemoryLimit (optional=yes, default=unlimited)

    Memory limit (working set) which the processes created can individually commit. Can be expressed with multipliers (K,M,G). Example 3G for 3GB.

  • ElapsedTimeLimit (optional=yes, default=unlimited)

    Elapsed time (in minutes) the complete execution of the commands involved in this archive can take.

  • JobCPULimit (optional=yes, default=unlimited)

    Limits the amount of CPU time which processes in the job can collectively consume before being stopped (in minutes).

  • ProcessCPULimit (optional=yes, default=unlimited)

    Limits the amount of CPU time a process can use before being stopped (in minutes).

Example

<restrictions JobMemoryLimit="3G" ProcessMemoryLimit="2G" ElapsedTimeLimit="360" />

Back to Root

command Element

optional=no, default=N/A, parent element: archive

The command executed is created with the command element. This section of the configuration describes:

  • the resources needed to execute: binary, prerequisites,

  • the arguments passed to the command line, and

  • the output expected upon completion of the task.

Attributes

  • keyword (optional=no, default=N/A)

    Uniquely identifies this task in the archive

  • winver (optional=yes, default=always execute)

    Limits the execution of this command to one or several specific versions of Windows. The valid values of this attribute are:

    • winver=”X.x”: this command will only execute on Windows major version X and minor x,

    • winver=”X.x+”: this command will only execute on Windows version “X.x” and successors,

    • winver=”X.x-“: this command will only execute on Windows version “X.x” and predecessors.

  • queue (optional=yes, default=queue)

    Configures the behavior of the archive engine for the output of this command. The available values for this attribute are as follows.

    • flush: the command produces a lot of output the engine must archive immediately,

    • Any other value will configure the output of this command to be queued until the next flush or the end of all the commands.

  • systemtype (optional=yes, default=always execute)

    Configures if a specific command should be run depending on the system type. The available values for this attribute are:

    • WorkStation: for client workstations

    • Server: for general purpose servers

    • DomainController: for domain controllers

    Values can be combined with ‘|’. For example, Server|DomainController results in executing the command on all servers.

  • optional (optional=yes, default=false (command not optional))

    Marks a command execution as optional (i.e. not executed by default)

Example

<command keyword='NTFSInfo'  queue='flush'>
          <execute name='DFIR-Orc.exe' run='self:#NTFSInfo' />
          <argument>/config=res:#ntfsinfo_basic</argument>
          <output name='NTFSInfo'
                  source='Directory' filematch='\*.csv'
                  argument='/fileinfo={DirectoryName}' />
          <output name='NTFSInfo.log' source='StdOut' />
</command>

Back to Root

execute Element

optional=no, default=N/A, parent element: command

Configures the program to be executed. It can be a local command from the file system or an embedded resource. On 64-bit platforms, the run64 attribute is evaluated first and used if available. If not, DFIR-Orc.exe WolfLauncher evaluates the run attribute.

Similarly, on 32-bit platforms, the run32 attribute is evaluated first and used if available. If not, DFIR-Orc.exe WolfLauncher evaluates the run attribute. Attributes named run, run32 and run64 can use the resource syntax or directly reference a file on the live system (environment variables are expanded).

Attributes

  • name (optional=no, default=N/A)

    Provides the name of a temporary file to be extracted (if need be)

  • run (optional=yes, default=N/A)

    Provides the reference to the binary to execute (either on the file system or as a resource)

  • run32 (optional=yes, default=N/A)

    Provides the reference to the binary to execute on 32-bit platforms

  • run64 (optional=yes, default=N/A)

    Provides the reference to the binary to execute on 64-bit platforms

Example

<execute name='ipconfig.exe' run='%windir%\System32\ipconfig.exe' />

Back to Root

input Element

optional=yes, default=N/A, parent element: command

Configures the files on which the execution depends (typically a configuration file or input file). Command-line arguments can be passed to a tool using the argument attribute.

Attributes

  • name (optional=no, default=N/A)

    Name of the extracted file

  • source (optional=no, default=N/A)

    Describes the source for this input. Typically this is a resource of the DFIR-Orc.exe PE file.

  • argument (optional=yes, default=empty)

    A command line argument to specify this input file to the executed command. Order is preserved.

Example

<input  name='NTFSInfo_Config.xml' source='res:#NTFSINFO_Config'
  argument='/config={FileName}' />

Back to Root

output Element

optional=yes, default=N/A, parent element: command

Configures the outputs of the command execution. Command-line arguments to further specify the output can be passed to a tool using the argument attribute.

Attributes

  • name (optional=no, default=N/A)

    This is the file name (relative to the temp dir) of the expected output of the execution

  • source (optional=no, default=N/A)

    This is the type of output:

    • “StdOut” is the console output

    • “StdErr” is the error console output

    • “StdOutErr” represents the normal and error console outputs combined

    • “File” is a single output file

    • “Directory” is a list of files from a directory

  • argument (optional=yes, default=N/A)

    A command-line argument to specify this output to the executed command. Order is preserved.

  • filematch (optional=yes, default=N/A)

    Filters the content of the directory to a subset of expected files matching a DOS pattern (for instance *.csv).

Examples

<output name='NTFSInfo_AllRecords'
          source='Directory' filematch='\*.csv'
          argument='/fileinfo={DirectoryName}' />
<output  name='USNInfo.log' source='StdOut' />

Back to Root

argument Element

optional=yes, default=N/A, parent element: command

This element will add an argument to the command line of the executed command.

Attributes

None

Example

<argument>/config=MyConfig.xml /verbose</argument>

Back to Root