sc-anssi
commented
2 years ago Hi, You didn't miss it in the doc, there is indeed no such option yet. We are wary of keeping the directory structure for several reasons including:
- it's something under direct attacker's control (without needing to be privileged)
- possible 7zip limitations in what it can replicate from NTFS features (path depth, names, etc...)
- a similar result can be achieved by scripting the extraction of collected artifacts using GetThis.csv files which hold the mapping between the original path on disk (FullName) and the collected sample in the archive (SampleName)
That being said we also agree the structure of collected files could be better and we will think about possible improvements based on this idea, however not in the near future.
Scripting with GetThis.csv as mentioned in the last item is definitively the recommended way of re-creating the original directory structure for collected artifacts.
Regards
reynas
Not sure if I missed this in the documentation of the project. It would be nice to have to option to recreate the directory/folder structure of the files and folders that are collected from a system.
As an example: Currently, with the config GetUserHives.xml : the user registry hives are collected from all users and outputted in one folder. It could be more clear to have these hives located in their original folder structure. It could also help identify collection problems, having a clear directory structure that you expect to have or not.
Is there an option I'm missing or is this not possible with dfir-orc? Thanks!