publiccode.yml
# This repository adheres to the publiccode.yml standard by including this
# metadata file that makes public software easily discoverable.
# More info at https://github.com/italia/publiccode.yml
publiccodeYmlVersion: '0.2'
categories:
  - it-security
  - data-collection
description:
  en:
    documentation: 'https://dfir-orc.github.io/'
    features:
      - |-
        FatInfo: Collects FAT metadata from the file system (file names, hashes,
        authenticode data, etc.)
      - 'FastFind: Locate and report on Indicators of Compromise'
      - 'GetSamples: Automated sample collection (started processes, ...)'
      - |-
        GetThis: Collects sample data from the file system (files, ADS, Extended
        Attributes, etc.)
      - 'GetSectors: Collects MBR, VBR and partition slack space'
      - |-
        NTFSInfo: Collects NTFS metadata (file entries, timestamps, file hashes,
        authenticode data, etc.)
      - 'NTFSUtil: NTFS Master File Table inspector'
      - 'ObjInfo: Collects the named object list (named pipes, mutexes, etc.)'
      - 'RegInfo: Collects registry related information (without mounting hives)'
      - 'USNInfo: Collects USN journal'
      - 'ToolEmbed: Configure for an automated deployment'
    genericName: Forensics artefact collection tool
    longDescription: |
      DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in
      French, is a collection of specialized tools dedicated to reliably parse
      and collect critical artefacts such as the MFT, registry hives or event
      logs. It can also embed external tools and their configurations.

      DFIR ORC collects data, but does not analyze it: it is not meant to triage
      machines. It cannot spy on an attacker either, as an EDR or HIDS/HIPS
      would. It rather provides a forensically relevant snapshot of machines
      running Microsoft Windows.

      Along the years, it has evolved to become stable and reliable software to
      faithfully collect unaltered data. Meant to scale up for use on large
      installed bases, it supports fine-tuning to have low impact on production
      environments.

      DFIR-ORC incorporates the entire tool collection within a single
      executable. The tools can be executed manually or configured for automated
      deployment with ToolEmbed, allowing for background execution to conserve
      CPU and I/O resources, as well as encryption of the results and their
      transmission, along with many other features.
    shortDescription: Forensics artefact collection tool for systems running Microsoft Windows
developmentStatus: stable
it:
  conforme:
    gdpr: false
    lineeGuidaDesign: false
    misureMinimeSicurezza: false
    modelloInteroperabilita: false
  countryExtensionVersion: '0.2'
  piattaforme:
    anpr: false
    cie: false
    pagopa: false
    spid: false
legal:
  license: LGPL-2.1-only
  mainCopyrightOwner: République Française - ANSSI
  repoOwner: République Française - ANSSI
localisation:
  availableLanguages:
    - en
  localisationReady: false
maintenance:
  contacts:
    - name: Jean Gautier
  type: internal
name: DFIR-ORC
platforms:
  - windows
releaseDate: '2024-08-29'
softwareType: standalone/desktop
softwareVersion: v10.2.6
url: 'https://github.com/DFIR-ORC/dfir-orc'