New configuration

.gitattributes

@@ -0,0 +1,4 @@
+* text eol=crlf
+*.exe binary
+*.dll binary
+*.7z binary

Configure.cmd

@@ -1,34 +1,34 @@
-@ECHO off
-
-set ORC_CONFIG_FOLDER=.\config
-set ORC_TOOLS_FOLDER=.\tools
-set ORC_OUTPUT_FOLDER=.\output
-
-if not "%1"=="" (
-	echo Configuration folder defined: %1
-	set ORC_CONFIG_FOLDER=%1
-)
-
-if not defined ORC_OUTPUT goto DEFINE_ORC_OUTPUT
-if "%ORC_OUTPUT%" == "" goto DEFINE_ORC_OUTPUT
-
-goto CONFIGURE_ORC
-
-
-:DEFINE_ORC_OUTPUT
-
-set ORC_OUTPUT=DFIR-Orc.exe
-
-goto CONFIGURE_ORC
-
-
-:CONFIGURE_ORC
-
-echo Configuring Orc (%ORC_OUTPUT_FOLDER%\%ORC_OUTPUT%) with config: %ORC_CONFIG_FOLDER%
-
-%ORC_TOOLS_FOLDER%\DFIR-Orc_x64.exe ToolEmbed /Config=%ORC_CONFIG_FOLDER%\DFIR-ORC_embed.xml
-
-set ORC_CONFIG_FOLDER=
-set ORC_TOOLS_FOLDER=
-set ORC_OUTPUT_FOLDER=
-set ORC_OUTPUT=
+@ECHO off
+
+set ORC_CONFIG_FOLDER=.\config
+set ORC_TOOLS_FOLDER=.\tools
+set ORC_OUTPUT_FOLDER=.\output
+
+if not "%1"=="" (
+	echo Configuration folder defined: %1
+	set ORC_CONFIG_FOLDER=%1
+)
+
+if not defined ORC_OUTPUT goto DEFINE_ORC_OUTPUT
+if "%ORC_OUTPUT%" == "" goto DEFINE_ORC_OUTPUT
+
+goto CONFIGURE_ORC
+
+
+:DEFINE_ORC_OUTPUT
+
+set ORC_OUTPUT=DFIR-Orc.exe
+
+goto CONFIGURE_ORC
+
+
+:CONFIGURE_ORC
+
+echo Configuring Orc (%ORC_OUTPUT_FOLDER%\%ORC_OUTPUT%) with config: %ORC_CONFIG_FOLDER%
+
+%ORC_TOOLS_FOLDER%\DFIR-Orc_x64.exe ToolEmbed /Config=%ORC_CONFIG_FOLDER%\DFIR-ORC_embed.xml
+
+set ORC_CONFIG_FOLDER=
+set ORC_TOOLS_FOLDER=
+set ORC_OUTPUT_FOLDER=
+set ORC_OUTPUT=

README.md

@@ -4,12 +4,18 @@ To configure DFIR ORC, you need:
 * configuration files in XML format, located in the "config" directory
 * items to embed (especially DFIR-Orc binaries in 32 and 64 bits), stored in the "tools" directory
 
-The configurations given as example here use Sysinternals "Autoruns" tools. You have to download and put it in the "tools" directory.
+The configurations given as example here use several Sysinternals tools, DumpIt and WinPmem. You have to download and copy them in the "tools" directory.
 
 The "tools" directory must therefore contain the following files:
 * DFIR-Orc_x64.exe
 * DFIR-Orc_x86.exe
 * autorunsc.exe
+* handle.exe
+* Tcpvcon.exe
+* PsService.exe
+* Listdlls.exe
+* DumpIt.exe
+* winpmem.exe
 
 Finally, to generate a configured DFIR-Orc executable, you have to run the ".\Configure.cmd" script (on a Windows system, **from an elevated command prompt**).
 The generated binary is created in the "output" directory.

config/DFIR-ORC_embed.xml

@@ -1,27 +1,86 @@
 <?xml version="1.0" encoding="utf-8"?>
 <toolembed>
-    <input>.\tools\DFIR-Orc_x86.exe</input>
-    <output>.\output\%ORC_OUTPUT%</output>
-
-    <run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>
-    <run32 args="WolfLauncher">self:#</run32>
-
-    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
-
-    <file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
-    <file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
-    <file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
-    <file name="GetEvents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEvents_config.xml"/>
-    <file name="NTFSInfo_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_config.xml"/>
-    <file name="NTFSInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoHashPE_config.xml"/>
-    <file name="FatInfo_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_config.xml"/>
-    <file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
-    <file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
-    <file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
-    <file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
-
-    <archive name="Tools" format="7z" compression="Ultra">
-        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
-        <file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
-    </archive>
+	<input>.\tools\DFIR-Orc_x86.exe</input>
+	<output>.\output\%ORC_OUTPUT%</output>
+
+	<run64 args="WolfLauncher" >7z:#Tools|DFIR-Orc_x64.exe</run64>
+	<run32 args="WolfLauncher" >self:#</run32>
+
+	<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
+
+	<file name="GetADS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_config.xml"/>
+	<file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
+	<file name="GetExtAttrs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_config.xml"/>
+	<file name="GetTextLogs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_config.xml"/>
+	<file name="GetSDS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_config.xml"/>
+	<file name="GetCatRoot_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_config.xml"/>
+	<file name="GetEVT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_config.xml"/>
+	<file name="GetExeTMP_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExeTMP_config.xml"/>
+	<file name="GetBrowsersHistory_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersHistory_config.xml"/>
+	<file name="GetBrowsersArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersArtefacts_config.xml"/>
+	<file name="GetScript_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_config.xml"/>
+	<file name="GetErrors_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_config.xml"/>
+	<file name="GetSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamples_config.xml" />
+	<file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
+	<file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
+	<file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
+	<file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
+	<file name="NTFSInfoQuick_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoQuick_config.xml"/>
+	<file name="NTFSInfoDetail_systemdrive_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_systemdrive_config.xml"/>
+	<file name="NTFSInfoDetail_alldrives_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_alldrives_config.xml"/>
+	<file name="GetFuzzyHash_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_config.xml"/>
+	<file name="FatInfoDetail_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoDetail_config.xml"/>
+	<file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
+	<file name="FatInfoFirstBytes_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoFirstBytes_config.xml"/>
+	<file name="GetMemDmp_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_config.xml"/>
+	<file name="GetResidents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_config.xml"/>
+
+	<file name="GetADS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_offline_config.xml"/>
+	<file name="GetArtefacts_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_offline_config.xml"/>
+	<file name="GetExtAttrs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_offline_config.xml"/>
+	<file name="GetTextLogs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_offline_config.xml"/>
+	<file name="GetHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetHives_offline_config.xml"/>
+	<file name="GetSDS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_offline_config.xml"/>
+	<file name="GetCatRoot_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_offline_config.xml"/>
+	<file name="GetScript_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_offline_config.xml"/>
+	<file name="GetErrors_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_offline_config.xml"/>
+	<file name="GetMemDmp_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_offline_config.xml"/>
+	<file name="GetEVT_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_offline_config.xml"/>
+	<file name="GetUserHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_offline_config.xml"/>
+	<file name="GetEXE_TMP_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEXE_TMP_offline_config.xml"/>
+	<file name="GetBrowsersComplet_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersComplet_offline_config.xml"/>
+	<!-- <file name="GetYaraSamples_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_offline_config.xml"/> -->
+	<file name="GetFuzzyHash_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_offline_config.xml"/>
+	<file name="NTFSInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_offline_config.xml"/>
+	<file name="GetSAM_hive_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSAM_hive_offline_config.xml"/>
+	<file name="FatInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_offline_config.xml"/>
+	<file name="GetResidents_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_offline_config.xml"/>
+
+	<file name="NTFSInfo_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_little_config.xml" />
+	<file name="GetEVT_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_little_config.xml" />
+	<file name="GetSystemHives_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_little_config.xml" />
+	<file name="GetArtefacts_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_little_config.xml" />
+	<file name="GetScript_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_little_config.xml" />
+
+	<file name="FastFind_config.xml" path=".\%ORC_CONFIG_FOLDER%\FastFind_config.xml" />
+
+	<file name="GetMFT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMFT_config.xml" />
+
+	<file name="yara_rules" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara" />
+
+	<pair name="AUTORUNS"  value="7z:#Tools|autorunsc.exe" />
+
+        <archive name="Tools" format="7z" compression="Ultra">
+		<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
+
+		<file name="handle.exe" path=".\tools\handle.exe"/>
+		<file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
+		<file name="Tcpvcon.exe" path=".\tools\Tcpvcon.exe"/>
+		<file name="PsService.exe" path=".\tools\PsService.exe"/>
+		<file name="Listdlls.exe" path=".\tools\Listdlls.exe"/>
+
+		<file name="dumpit" path=".\tools\DumpIt.exe" />
+		<file name="winpmem" path=".\tools\winpmem.exe" />
+
+	</archive>
 </toolembed>

config/FastFind_config.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<fastfind version="FastFind_in_Orc">
+    <filesystem>
+        <location shadows="yes">%SystemDrive%</location>
+    </filesystem>
+</fastfind>

config/FastFind_example.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<fastfind version="foobar_YYYYMMDD">
+    <filesystem>
+        <location shadows="yes">%SystemDrive%</location>
+        <yara block="20M" overlap="2M" timeout="120" source="res:#yara_rules" scan_method="blocks" />
+
+        <ntfs_find name="explorer.exe" />
+        <ntfs_find name_match="expl*.exe" />
+        <ntfs_find name_regex="expl.{4}\.[ex]+" />
+        <ntfs_find path="\windows\explorer.exe"/>
+        <ntfs_find path_match="*\explorer.exe" />
+        <ntfs_find path_regex="\\win.*\\explorer.exe" />
+        <!-- Always use another "metadata match" (path, name, size) when using md5, sha1, sha256, contains[_hex] and yara_rule, otherwise FastFind could end up having to read (and hash or yara-parse) every single files on the volume ! -->
+        <ntfs_find size="0" sha1="da39a3ee5e6b4b0d3255bfef95601890afd80709" />    <!-- matches the empty file -->
+        <!-- The use of "header[_hex|_regex]" is much more costly than a "metadata match" since it requires to read some data from the file, but less than a full content match so this can be used to narrow down the subset of files to parse for full-content matching (hashes, contains and yara) -->
+        <ntfs_find header="MZ" size_le="10M" contains="getthis_collection" />   <!-- matches ORC and FastFind -->
+        <ntfs_find header="MZ" size_le="10M" contains_hex="250073002000280043006100740061007300740072006f00700068006900630020006600610069006c00750072006500" /> <!-- matches ORC and FastFind -->
+        <ntfs_find size_le="15M" size_ge="10M" yara_rule="orc" />   <!-- matches ORC (FastFind should be smaller) -->
+
+        <ntfs_find ads="$J" />
+        <ntfs_find path="\$Extend\$UsnJrnl" ads="$J" />
+
+    </filesystem>
+
+    <registry>
+        <location>%SystemDrive%</location>
+        <hive name="NTUSER">
+            <ntfs_find name="NTUSER.DAT" />
+            <!-- For a listing of every values (and their corresponding data) below a certain key, use value_regex=".*" -->
+            <registry_find key_path_regex="\\Software(\\Wow6432Node)?\\Microsoft\\Windows\\CurrentVersion\\Run" value_regex=".*" />
+        </hive>
+        <hive name="SOFTWARE">
+            <ntfs_find path="\Windows\System32\config\SOFTWARE" />
+            <!-- data_contains is case sensitive -->
+            <registry_find key_path="\Microsoft\Windows NT\CurrentVersion" value="SystemRoot" value_type="REG_SZ" data_contains="\Win" />
+        </hive>
+        <hive name="SYSTEM">
+            <ntfs_find path="\Windows\System32\config\SYSTEM" />
+            <!-- matching only on key will not retrieve any value nor data, so the example below will only list services -->
+            <registry_find key_path_regex="\\ControlSet[0-9]{3}\\Services\\[^\\]+" />
+            <!-- data_hex must match the same length as the targeted value type (ie. for a REG_DWORD, data_hex must be 4-bytes long) -->
+            <registry_find key_path="\Select" value="Current" value_type="REG_DWORD" data_hex="00000001" />
+        </hive>
+    </registry>
+
+    <object>
+        <!-- object "type" can be one of the following : Type, Directory, Session, WindowStation, Event, KeyedEvent, Callback, Job, Mutant, Section, Semaphore, SymbolicLink, Device, Driver, ALPCPort, FilterConnectionPort, Key, File -->
+        <object_find type="Device" name="Ntfs" />
+        <object_find type="Device" path="\Ntfs" />
+        <object_find type="Mutant" name_regex="\{A3BD3259-3E4F-[a-f0-9]{4}-84C8-F0463A9D3EB5\}" />
+        <object_find type="Mutant" path_regex="\\Sessions\\[0-9]+\\.*" />
+    </object>
+</fastfind>

config/FatInfoDetail_config.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
+  </columns>
+</fatinfo>

config/FatInfoFirstBytes_config.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
+  </columns>
+</fatinfo>

config/FatInfoHashPE_config.xml

@@ -1,10 +1,14 @@
 <?xml version="1.0"?>
+
 <fatinfo resurrect="yes">
-    <location>*</location>
-    <columns>
-        <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
-        <default>Details</default>
-        <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
-        <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
-    </columns>
-</fatinfo>
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse</default>
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
+  </columns>
+</fatinfo>
+
+
+

config/FatInfo_offline_config.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>%OfflineLocation%</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default> 
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>
+  </columns>
+</fatinfo>

config/GetADS_config.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>*</location>
+  <samples MaxPerSampleBytes="20MB" MaxTotalBytes="256MB" MaxSampleCount="200000" >
+    <sample name="ads">
+      <ntfs_find ads_match="?*" />
+      <ntfs_exclude path="\$UpCase" ads="$Info" />
+      <ntfs_exclude path="\$Extend\$UsnJrnl" ads="$J" />
+      <ntfs_exclude path="\$BadClus" ads="$Bad" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Corrupt" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Verify" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$TxfLog\$Tops" ads="$T" />
+      <ntfs_exclude path="\$Secure" ads="$SDS" /> 
+      <ntfs_exclude ads="WofCompressedData" />
+	</sample>
+  </samples>
+</getthis>

config/GetADS_offline_config.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>
+    <sample name="ads">
+      <ntfs_find ads_match="?*" /> 
+      <ntfs_exclude path="\$UpCase" ads="$Info" />
+      <ntfs_exclude path="\$BadClus" ads="$Bad" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Corrupt" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Verify" />
+      <ntfs_exclude path="\$Secure" ads="$SDS" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$TxfLog\$Tops" ads="$T" />
+      <ntfs_exclude path="\$Extend\$UsnJrnl" ads="$J" />  
+    </sample>
+  </samples>
+</getthis>