DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1
388 stars 42 forks source link
collection dfir incident-response

DFIR ORC

LGPL licensed

Documentation

https://dfir-orc.github.io

Build

Branch Status
main Build Status
release/10.1 Build Status
release/10.2 Build Status

Requirements

Build environment can be setup quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer.

Commands

Both 32-bit and 64-bit versions should be built for maximum compatiliby before deployment. See https://dfir-orc.github.io for more details about deployment and configuration.

In a prompt like Developer Command Prompt for VS 2019 (prefer to avoid using cmd.exe):

git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
mkdir build-x86 build-x64

cd build-x86
cmake -G "Visual Studio 17 2022" -A Win32 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount

cd ../build-x64
cmake -G "Visual Studio 17 2022" -A x64 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount

Important Always do a git submodule update after any git pull to update submodules aswell. Alternatively, always pull with git pull --recurse-submodules

Options

CMake option Default Description
ORC_DOWNLOADS_ONLY OFF Only download vcpkg dependencies
ORC_BUILD_VCPKG ON Build vcpkg dependencies
ORC_BUILD_APACHE_ORC OFF Build Apache Orc module
ORC_BUILD_COMMAND ON Build OrcCommand library
ORC_BUILD_FASTFIND OFF Build FastFind binary
ORC_BUILD_ORC ON Build Orc binary
ORC_BUILD_PARQUET OFF Build Parquet module (x64)
ORC_BUILD_SSDEEP OFF Build with ssdeep support
ORC_BUILD_JSON ON Build with JSON enabled
ORC_USE_STATIC_CRT ON Use static runtime
ORC_VCPKG_ROOT ${ORC}/external/vcpkg VCPKG root directory
ORC_XMLLITE_PATH XmlLite.dll path (xp sp2)
VCPKG_TARGET_TRIPLET Autodetect VCPKG triplet to use
CMAKE_TOOLCHAIN_FILE Autodetect VCPKG's toolchain file

[1] The xmllite.dll is native after patched Windows XP SP2

Note: Some combinations may be irrelevant.

License

The contents of this repository is available under LGPL2.1+ license. The name DFIR ORC and the associated logo belongs to ANSSI, no use is permitted without express approval.


Le contenu de ce dépôt est disponible sous licence LGPL2.1+, tel qu'indiqué ici. Le nom DFIR ORC et le logo associé appartiennent à l'ANSSI, aucun usage n'est permis sans autorisation expresse.

Acknowledgments

DFIR ORC is disclosing Microsoft source code with Microsoft's permission.