From 95bfec9362aaf54935dc675ad0ead39a12032cd9 Mon Sep 17 00:00:00 2001
From: Sebastien Chapiron <sebastien.chapiron@ssi.gouv.fr>
Date: Wed, 12 May 2021 14:33:58 +0200
Subject: [PATCH] New configuration

---
 .gitattributes                               |   4 +
 Configure.cmd                                |  68 +-
 README.md                                    |   8 +-
 config/DFIR-ORC_config.xml                   | 646 +++++++++++++++++--
 config/DFIR-ORC_embed.xml                    | 107 ++-
 config/FastFind_config.xml                   |   6 +
 config/FastFind_example.xml                  |  53 ++
 config/FatInfoDetail_config.xml              |  11 +
 config/FatInfoFirstBytes_config.xml          |   8 +
 config/FatInfoHashPE_config.xml              |  20 +-
 config/FatInfo_offline_config.xml            |  11 +
 config/GetADS_config.xml                     |  17 +
 config/GetADS_offline_config.xml             |  16 +
 config/GetArtefacts_config.xml               | 130 +++-
 config/GetArtefacts_little_config.xml        |  16 +
 config/GetArtefacts_offline_config.xml       | 103 +++
 config/GetBrowsersArtefacts_config.xml       | 180 ++++++
 config/GetBrowsersComplet_offline_config.xml | 213 ++++++
 config/GetBrowsersHistory_config.xml         |  84 +++
 config/GetCatRoot_config.xml                 |  10 +
 config/GetCatRoot_offline_config.xml         |  10 +
 config/GetEVT_config.xml                     |  12 +
 config/GetEVT_little_config.xml              |  24 +
 config/GetEVT_offline_config.xml             |  12 +
 config/GetEXE_TMP_offline_config.xml         |  18 +
 config/GetErrors_config.xml                  |  20 +
 config/GetErrors_offline_config.xml          |  17 +
 config/GetExeTMP_config.xml                  |  18 +
 config/GetExtAttrs_config.xml                |  11 +
 config/GetExtAttrs_offline_config.xml        |  11 +
 config/GetFuzzyHash_config.xml               |  18 +
 config/GetFuzzyHash_offline_config.xml       |  18 +
 config/GetHives_offline_config.xml           |  39 ++
 config/GetMFT_config.xml                     |  10 +
 config/GetMemDmp_config.xml                  |  12 +
 config/GetMemDmp_offline_config.xml          |  11 +
 config/GetResidents_config.xml               |  13 +
 config/GetResidents_offline_config.xml       |  10 +
 config/GetSAM_hive_offline_config.xml        |   9 +
 config/GetSDS_config.xml                     |  10 +
 config/GetSDS_offline_config.xml             |  10 +
 config/GetSamHive_config.xml                 |  14 +-
 config/GetSamples_config.xml                 |   6 +
 config/GetScript_config.xml                  |  28 +
 config/GetScript_little_config.xml           |  25 +
 config/GetScript_offline_config.xml          |  42 ++
 config/GetSystemHives_config.xml             |  56 +-
 config/GetSystemHives_little_config.xml      |  12 +
 config/GetTextLogs_config.xml                |  88 +++
 config/GetTextLogs_offline_config.xml        |  86 +++
 config/GetUserHives_config.xml               |  16 +-
 config/GetUserHives_offline_config.xml       |  10 +
 config/GetYaraSamples_config.xml             |  39 +-
 config/GetYaraSamples_offline_config.xml     |  18 +
 config/NTFSInfoDetail_alldrives_config.xml   |  11 +
 config/NTFSInfoDetail_systemdrive_config.xml |  11 +
 config/NTFSInfoQuick_config.xml              |   8 +
 config/NTFSInfo_little_config.xml            |  93 +++
 config/NTFSInfo_offline_config.xml           |  11 +
 config/ruleset.yara                          |   4 +-
 configure.ps1                                | 237 +++++++
 61 files changed, 2633 insertions(+), 206 deletions(-)
 create mode 100755 .gitattributes
 mode change 100755 => 100644 config/DFIR-ORC_config.xml
 mode change 100755 => 100644 config/DFIR-ORC_embed.xml
 create mode 100644 config/FastFind_config.xml
 create mode 100644 config/FastFind_example.xml
 create mode 100755 config/FatInfoDetail_config.xml
 create mode 100755 config/FatInfoFirstBytes_config.xml
 create mode 100644 config/FatInfo_offline_config.xml
 create mode 100755 config/GetADS_config.xml
 create mode 100644 config/GetADS_offline_config.xml
 create mode 100644 config/GetArtefacts_little_config.xml
 create mode 100644 config/GetArtefacts_offline_config.xml
 create mode 100644 config/GetBrowsersArtefacts_config.xml
 create mode 100644 config/GetBrowsersComplet_offline_config.xml
 create mode 100644 config/GetBrowsersHistory_config.xml
 create mode 100755 config/GetCatRoot_config.xml
 create mode 100644 config/GetCatRoot_offline_config.xml
 create mode 100755 config/GetEVT_config.xml
 create mode 100644 config/GetEVT_little_config.xml
 create mode 100644 config/GetEVT_offline_config.xml
 create mode 100644 config/GetEXE_TMP_offline_config.xml
 create mode 100755 config/GetErrors_config.xml
 create mode 100644 config/GetErrors_offline_config.xml
 create mode 100755 config/GetExeTMP_config.xml
 create mode 100755 config/GetExtAttrs_config.xml
 create mode 100644 config/GetExtAttrs_offline_config.xml
 create mode 100755 config/GetFuzzyHash_config.xml
 create mode 100755 config/GetFuzzyHash_offline_config.xml
 create mode 100644 config/GetHives_offline_config.xml
 create mode 100644 config/GetMFT_config.xml
 create mode 100755 config/GetMemDmp_config.xml
 create mode 100644 config/GetMemDmp_offline_config.xml
 create mode 100755 config/GetResidents_config.xml
 create mode 100755 config/GetResidents_offline_config.xml
 create mode 100644 config/GetSAM_hive_offline_config.xml
 create mode 100755 config/GetSDS_config.xml
 create mode 100644 config/GetSDS_offline_config.xml
 create mode 100755 config/GetSamples_config.xml
 create mode 100755 config/GetScript_config.xml
 create mode 100644 config/GetScript_little_config.xml
 create mode 100644 config/GetScript_offline_config.xml
 create mode 100755 config/GetSystemHives_little_config.xml
 create mode 100755 config/GetTextLogs_config.xml
 create mode 100644 config/GetTextLogs_offline_config.xml
 create mode 100644 config/GetUserHives_offline_config.xml
 mode change 100755 => 100644 config/GetYaraSamples_config.xml
 create mode 100644 config/GetYaraSamples_offline_config.xml
 create mode 100755 config/NTFSInfoDetail_alldrives_config.xml
 create mode 100755 config/NTFSInfoDetail_systemdrive_config.xml
 create mode 100755 config/NTFSInfoQuick_config.xml
 create mode 100644 config/NTFSInfo_little_config.xml
 create mode 100644 config/NTFSInfo_offline_config.xml
 mode change 100755 => 100644 config/ruleset.yara
 create mode 100644 configure.ps1

diff --git a/.gitattributes b/.gitattributes
new file mode 100755
index 0000000..656d4b3
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,4 @@
+* text eol=crlf
+*.exe binary
+*.dll binary
+*.7z binary
\ No newline at end of file
diff --git a/Configure.cmd b/Configure.cmd
index f484559..9fbdcfa 100755
--- a/Configure.cmd
+++ b/Configure.cmd
@@ -1,34 +1,34 @@
-@ECHO off
-
-set ORC_CONFIG_FOLDER=.\config
-set ORC_TOOLS_FOLDER=.\tools
-set ORC_OUTPUT_FOLDER=.\output
-
-if not "%1"=="" (
-	echo Configuration folder defined: %1
-	set ORC_CONFIG_FOLDER=%1
-)
-
-if not defined ORC_OUTPUT goto DEFINE_ORC_OUTPUT
-if "%ORC_OUTPUT%" == "" goto DEFINE_ORC_OUTPUT
-
-goto CONFIGURE_ORC
-
-
-:DEFINE_ORC_OUTPUT
-
-set ORC_OUTPUT=DFIR-Orc.exe
-
-goto CONFIGURE_ORC
-
-
-:CONFIGURE_ORC
-
-echo Configuring Orc (%ORC_OUTPUT_FOLDER%\%ORC_OUTPUT%) with config: %ORC_CONFIG_FOLDER%
-
-%ORC_TOOLS_FOLDER%\DFIR-Orc_x64.exe ToolEmbed /Config=%ORC_CONFIG_FOLDER%\DFIR-ORC_embed.xml
-
-set ORC_CONFIG_FOLDER=
-set ORC_TOOLS_FOLDER=
-set ORC_OUTPUT_FOLDER=
-set ORC_OUTPUT=
+@ECHO off
+
+set ORC_CONFIG_FOLDER=.\config
+set ORC_TOOLS_FOLDER=.\tools
+set ORC_OUTPUT_FOLDER=.\output
+
+if not "%1"=="" (
+	echo Configuration folder defined: %1
+	set ORC_CONFIG_FOLDER=%1
+)
+
+if not defined ORC_OUTPUT goto DEFINE_ORC_OUTPUT
+if "%ORC_OUTPUT%" == "" goto DEFINE_ORC_OUTPUT
+
+goto CONFIGURE_ORC
+
+
+:DEFINE_ORC_OUTPUT
+
+set ORC_OUTPUT=DFIR-Orc.exe
+
+goto CONFIGURE_ORC
+
+
+:CONFIGURE_ORC
+
+echo Configuring Orc (%ORC_OUTPUT_FOLDER%\%ORC_OUTPUT%) with config: %ORC_CONFIG_FOLDER%
+
+%ORC_TOOLS_FOLDER%\DFIR-Orc_x64.exe ToolEmbed /Config=%ORC_CONFIG_FOLDER%\DFIR-ORC_embed.xml
+
+set ORC_CONFIG_FOLDER=
+set ORC_TOOLS_FOLDER=
+set ORC_OUTPUT_FOLDER=
+set ORC_OUTPUT=
diff --git a/README.md b/README.md
index 1e2ff41..fc70758 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,18 @@ To configure DFIR ORC, you need:
 * configuration files in XML format, located in the "config" directory
 * items to embed (especially DFIR-Orc binaries in 32 and 64 bits), stored in the "tools" directory
 
-The configurations given as example here use Sysinternals "Autoruns" tools. You have to download and put it in the "tools" directory.
+The configurations given as example here use several Sysinternals tools, DumpIt and WinPmem. You have to download and copy them in the "tools" directory.
 
 The "tools" directory must therefore contain the following files:
 * DFIR-Orc_x64.exe
 * DFIR-Orc_x86.exe
 * autorunsc.exe
+* handle.exe
+* Tcpvcon.exe
+* PsService.exe
+* Listdlls.exe
+* DumpIt.exe
+* winpmem.exe
 
 Finally, to generate a configured DFIR-Orc executable, you have to run the ".\Configure.cmd" script (on a Windows system, **from an elevated command prompt**).
 The generated binary is created in the "output" directory.
diff --git a/config/DFIR-ORC_config.xml b/config/DFIR-ORC_config.xml
old mode 100755
new mode 100644
index 962e61d..ad503dd
--- a/config/DFIR-ORC_config.xml
+++ b/config/DFIR-ORC_config.xml
@@ -1,119 +1,625 @@
 <?xml version="1.0" encoding="utf-8"?>
+
 <wolf childdebug="no" command_timeout="600">
     <log disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.log</log>
-    <outline disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}.json</outline>
+    <outline disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.json</outline>
 
-    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Main.7z" keyword="Main" concurrency="2" repeat="Once" compression="fast">
-        <restrictions JobMemoryLimit="3G" ProcessMemoryLimit="2G" ElapsedTimeLimit="360"/>
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Memory.7z" keyword="Memory" concurrency="2" repeat="Once" compression="fast" archive_timeout="120">
+        <restrictions ElapsedTimeLimit="360" />
 
-        <command keyword="SystemInfo">
-            <execute name="systeminfo.exe" run="%windir%\System32\systeminfo.exe"/>
-            <argument>/FO csv</argument>
-            <output name="Systeminfo.csv" source="StdOutErr"/>
+        <command keyword="GetRam_dmp" optional="yes" >
+            <execute name="dumpit" run="7z:#Tools|dumpit" />
+            <argument>/q /n /u</argument>
+            <output name="Dump_dumpit_{SystemType}_{FullComputerName}.dmp" source="File" argument="/o {FileName}" />
+            <output name="Dump_dumpit_{SystemType}_{FullComputerName}.log" source="StdOutErr" />
         </command>
 
-        <command keyword="Processes" winver="6.1+">
-            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
-            <argument>-NonInteractive -WindowStyle Hidden</argument>
-            <argument>Get-WMIObject win32_process | Export-Csv -NoTypeInformation -Encoding UTF8</argument>
-            <output name="processes.csv" source="File" argument="-Path {FileName}"/>
-            <output name="processes.log" source="StdOutErr"/>
+        <command keyword="GetRam_aff4" optional="yes" >
+            <execute name="winpmem" run="7z:#Tools|winpmem" />
+            <argument>--truncate --compression none -dd --verbose --acquire-memory --format map --volume_format aff4 --output -</argument>
+            <output name="Dump_winpmem_{SystemType}_{FullComputerName}.aff4" source="StdOut" />
+            <output name="Dump_winpmem_{SystemType}_{FullComputerName}.log" source="StdErr" />
+        </command>
+
+        <command keyword="GetRam_raw" optional="yes" >
+            <execute name="winpmem" run="7z:#Tools|winpmem" />
+            <argument>--truncate --compression none -dd --verbose --acquire-memory --volume_format raw --output -</argument>
+            <output name="Dump_winpmem_{SystemType}_{FullComputerName}.ram" source="StdOut" />
+            <output name="Dump_winpmem_{SystemType}_{FullComputerName}.log" source="StdErr" />
+        </command>
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Little.7z" keyword="Little" concurrency="2" repeat="Once" compression="ultra" archive_timeout="120">
+        <restrictions ElapsedTimeLimit="480" />
+
+        <command keyword="NTFSInfo_little" queue="flush">
+            <execute name="Orc.exe" run="self:#NTFSInfo" />
+            <argument>/config=res:#NTFSInfo_little_config.xml</argument>
+            <output name="NTFSInfo_detail.7z" source="File" argument="/out={FileName}" />
+            <output name="NTFSInfo_detail.log" source="StdOutErr" />
         </command>
 
-        <command keyword="GetEvents">
-            <execute name="DFIR-ORC.exe" run="self:#GetThis"/>
-            <argument>/config=res:#GetEvents_config.xml</argument>
-            <output name="Event.7z" source="File" argument="/out={FileName}"/>
-            <output name="Event.log" source="StdOutErr"/>
+        <command keyword="GetEVT_little">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetEVT_little_config.xml</argument>
+            <output name="Event.7z" source="File" argument="/out={FileName}" />
+            <output name="Event.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="SystemInfo">
+            <execute name="systeminfo.exe" run="%windir%\System32\systeminfo.exe" />
+            <argument>/FO csv</argument>
+            <output  name="Systeminfo.csv" source="StdOutErr" />
         </command>
 
         <command keyword="Autoruns">
             <execute name="autorunsc.exe" run="7z:#Tools|autorunsc.exe"/>
-            <argument>-a * -c -h -m -s -t -accepteula</argument>
+            <argument>-accepteula -c -h -s -t -a * *</argument>
             <output name="autoruns.csv" source="StdOut"/>
             <output name="autoruns.log" source="StdErr"/>
         </command>
 
-        <command keyword="NTFSInfo" queue="flush">
-            <execute name="DFIR-ORC.exe" run="self:#NTFSInfo"/>
-            <argument>/config=res:#NTFSInfo_config.xml</argument>
-            <output name="NTFSInfo_SecDesc.7z" source="File" argument="/SecDescr={FileName}"/>
-            <output name="NTFSInfo_i30Info.7z" source="File" argument="/i30info={FileName}"/>
-            <output name="NTFSInfo.7z" source="File" argument="/out={FileName}"/>
-            <output name="NTFSInfo.log" source="StdOutErr"/>
+        <command keyword="USNInfo_systemdrive" queue="flush">
+            <execute name="Orc.exe" run="self:#USNInfo" />
+            <argument>%SystemDrive%\</argument>
+            <output name="USNInfo.7z" source="File" argument="/out={FileName}" />
+            <output name="USNInfo.log" source="StdOutErr" />
         </command>
 
-        <command keyword="NTFSInfoHashPE" queue="flush" optional="yes">
-            <execute name="DFIR-ORC.exe" run="self:#NTFSInfo"/>
-            <argument>/config=res:#NTFSInfoHashPE_config.xml</argument>
-            <output name="NTFSInfoHashPE_SecDesc.7z" source="File" argument="/SecDescr={FileName}"/>
-            <output name="NTFSInfoHashPE_i30Info.7z" source="File" argument="/i30info={FileName}"/>
-            <output name="NTFSInfoHashPE.7z" source="File" argument="/out={FileName}"/>
-            <output name="NTFSInfoHashPE.log" source="StdOutErr"/>
+        <command keyword="GetSystemHives_little">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetSystemHives_little_config.xml</argument>
+            <output name="SystemHives_little.7z" source="File" argument="/out={FileName}" />
+            <output name="SystemHives_little.log" source="StdOutErr" />
         </command>
 
-        <command keyword="FatInfo">
-            <execute name="DFIR-Orc.exe" run="self:#FatInfo"/>
-            <argument>/config=res:#FatInfo_config.xml</argument>
-            <output name="FatInfo.7z" source="File" argument="/out={FileName}"/>
-            <output name="FatInfo.log" source="StdOutErr"/>
+        <command keyword="GetLegacyBootCode">
+            <execute name="Orc.exe" run="self:#GetSectors" />
+            <argument>/LegacyBootCode /SlackSpace</argument>
+            <output name="BootCode.7z" source="File" argument="/Out={FileName}" />
+            <output name="BootCode.log" source="StdOutErr" />
         </command>
 
-        <command keyword="FatInfoHashPE"  optional="yes">
-            <execute name="DFIR-Orc.exe" run="self:#FatInfo"/>
-            <argument>/config=res:#FatInfoHashPE_config.xml</argument>
-            <output name="FatInfoHashPE.7z" source="File" argument="/out={FileName}"/>
-            <output name="FatInfoHashPE.log" source="StdOutErr"/>
+        <command keyword="GetArtefacts_little">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetArtefacts_little_config.xml</argument>
+            <output name="Artefacts.7z" source="File" argument="/out={FileName}" />
+            <output name="Artefacts.log" source="StdOutErr" />
         </command>
 
-        <command keyword="USNInfo" queue="flush">
-            <execute name="DFIR-Orc.exe" run="self:#USNInfo"/>
-            <argument>*</argument>
-            <output name="USNInfo.7z" source="File" argument="/out={FileName}"/>
-            <output name="USNInfo.log" source="StdOutErr"/>
+        <command keyword="Handle">
+            <execute name="handle.exe" run="7z:#Tools|handle.exe" />
+            <argument>/accepteula</argument>
+            <argument>/a</argument>
+            <output name="handle.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetObjInfo">
+            <execute name="Orc.exe" run="self:#ObjInfo" />
+            <output name="GetObjInfo.csv" source="File" argument="/out={FileName}" />
+            <output name="GetObjInfo.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetScripts_little">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetScript_little_config.xml</argument>
+            <output name="Scripts_little.7z" source="File" argument="/out={FileName}" />
+            <output name="Scripts_little.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="Route">
+            <execute name="route.exe" run="%windir%\System32\route.exe" />
+            <argument>PRINT</argument>
+            <output  name="routes.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="Dns_cache">
+            <execute name="ipconfig.exe" run="%windir%\System32\ipconfig.exe"/>
+            <argument>/displaydns</argument>
+            <output  name="dns_cache.txt"  source="StdOutErr" />
+        </command>
+
+        <command keyword="Tcpvcon">
+            <execute name="Tcpvcon.exe" run="7z:#Tools|Tcpvcon.exe" />
+            <argument>/accepteula -a -n -c</argument>
+            <output  name="Tcpvcon.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="Netstat">
+            <execute name="netstat.exe" run="%windir%\System32\netstat.exe"/>
+            <argument>-a -n -o</argument>
+            <output  name="netstat.txt" source="StdOutErr" />
+        </command>
+
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_FastFind.7z" keyword="FastFind" concurrency="1" repeat="Once" compression="fast" archive_timeout="120" optional="yes">
+        <restrictions ElapsedTimeLimit="480" />
+
+        <command keyword="FastFind">
+            <execute name="Orc.exe" run="self:#FastFind" />
+            <argument>/config=res:#FastFind_config.xml</argument>
+            <output name="FastFind_result.xml" source="File" argument="/out={FileName}" />
+            <output name="FastFind.log" source="StdOutErr" />
+        </command>
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_General.7z" keyword="General" concurrency="2" repeat="Once" compression="fast" archive_timeout="120" >
+        <restrictions ElapsedTimeLimit="480" />
+
+        <command keyword="NTFSInfoQuick_alldrives" queue="flush" >
+            <execute name="Orc.exe" run="self:#NTFSInfo" />
+            <argument>/config=res:#NTFSInfoQuick_config.xml</argument>
+            <output name="NTFSInfo_quick.7z"  source="File" argument="/out={FileName}" />
+            <output name="NTFSInfo_quick.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetResidents">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetResidents_config.xml</argument>
+            <output  name="Residents.7z" source="File" argument="/out={FileName}" />
+            <!-- GetResidents stdout is often larger than the actual archive => log only stderr -->
+            <output  name="Residents.log" source="StdErr" />
+        </command>
+
+        <command keyword="GetSamples">
+            <execute name="Orc.exe" run="self:#GetSamples" />
+            <argument>/config=res:#GetSamples_config.xml</argument>
+            <output  name="GetSamples_getthis.xml"  source="File"  argument="/getthisconfig={FileName}" />
+            <output  name="GetSamples_autoruns.xml"  source="File"  argument="/autoruns={FileName}" />
+            <output  name="GetSamples_sampleinfo.csv"  source="File"  argument="/sampleinfo={FileName}" />
+            <output  name="GetSamples_timeline.csv"  source="File"  argument="/timeline={FileName}" />
+            <output  name="GetSamples.7z"  source="File"  argument="/out={FileName}" />
+            <output  name="GetSamples.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetEVT">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetEVT_config.xml</argument>
+            <output  name="Event.7z" source="File" argument="/out={FileName}" />
+            <output  name="Event.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetADS">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetADS_config.xml</argument>
+            <output name="ADS.7z" source="File" argument="/out={FileName}" />
+            <output name="ADS.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="Listdlls">
+            <execute name="Listdlls.exe" run="7z:#Tools|Listdlls.exe" />
+            <argument>/accepteula</argument>
+            <output name="Listdlls.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="BITS_jobs" winver="6.0+">
+            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
+            <argument>/list /allusers /verbose</argument>
+            <output  name="BITS_jobs.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="VSS_list">
+            <execute name="Orc.exe" run="self:#NTFSUtil" />
+            <argument>/VSS</argument>
+            <output  name="VSS_list.csv" source="File" argument="/out={FileName}" />
+            <output  name="VSS_list.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="EnumLocs">
+            <execute name="Orc.exe" run="self:#NTFSUtil" />
+            <argument>/enumlocs</argument>
+            <output name="Enumlocs.txt" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetEXE_TMP">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetExeTMP_config.xml</argument>
+            <output  name="EXE_TMP.7z" source="File" argument="/out={FileName}" />
+            <output  name="EXE_TMP.log" source="StdOutErr" />
         </command>
 
         <command keyword="GetArtefacts">
-            <execute name="DFIR-Orc.exe" run="self:#GetThis"/>
+            <execute name="Orc.exe" run="self:#GetThis" />
             <argument>/config=res:#GetArtefacts_config.xml</argument>
-            <output name="Artefacts.7z" source="File" argument="/out={FileName}"/>
-            <output name="Artefacts.log" source="StdOutErr"/>
-		</command>
+            <output  name="Artefacts.7z" source="File" argument="/out={FileName}" />
+            <output  name="Artefacts.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetExtAttrs">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetExtAttrs_config.xml</argument>
+            <output  name="ExtAttrs.7z" source="File" argument="/out={FileName}" />
+            <output  name="ExtAttrs.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetTextLogs">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetTextLogs_config.xml</argument>
+            <output  name="TextLogs.7z" source="File" argument="/out={FileName}" />
+            <output  name="TextLogs.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetScripts">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetScript_config.xml</argument>
+            <output  name="Scripts.7z" source="File" argument="/out={FileName}" />
+            <output  name="Scripts.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetErrors">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetErrors_config.xml</argument>
+            <output  name="Errors.7z" source="File" argument="/out={FileName}" />
+            <output  name="Errors.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetMemoryDmp" optional="yes">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetMemDmp_config.xml</argument>
+            <output  name="Memory_dmp.7z" source="File" argument="/out={FileName}" />
+            <output  name="Memory_dmp.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="Arp_cache">
+            <execute name="arp.exe" run="%windir%\System32\arp.exe" />
+            <argument>-a</argument>
+            <output  name="arp_cache.txt"  source="StdOutErr" />
+        </command>
+
+        <command keyword="GetCatroot" optional="yes" queue="flush">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetCatRoot_config.xml</argument>
+            <output  name="CatRoot.7z" source="File" argument="/out={FileName}" />
+            <output  name="CatRoot.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetSDS" optional="yes" >
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetSDS_config.xml</argument>
+            <output  name="Secure.7z" source="File" argument="/out={FileName}" />
+            <output  name="Secure.log" source="StdOutErr" />
+        </command>
+
     </archive>
 
-    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Hives.7z" keyword="Hives" concurrency="2" repeat="Once" compression="fast">
-        <restrictions JobMemoryLimit="3G" ProcessMemoryLimit="1G" ElapsedTimeLimit="360"/>
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Detail.7z" keyword="Detail" concurrency="2" repeat="Once" compression="fast" archive_timeout="120" >
+        <restrictions ElapsedTimeLimit="480" />
+
+        <command keyword="NTFSInfoDetail_alldrives" systemtype="DomainController|Workstation" queue="flush" >
+            <execute name="Orc.exe" run="self:#NTFSInfo" />
+            <argument>/config=res:#NTFSInfoDetail_alldrives_config.xml</argument>
+            <output name="NTFSInfo_i30Info.7z" source="File" argument="/i30info={FileName}"/>
+            <output name="NTFSInfo_SecDesc.7z" source="File" argument="/SecDescr={FileName}"/>
+            <output name="NTFSInfo_detail.7z"  source="File" argument="/out={FileName}" />
+            <output name="NTFSInfo_detail.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="NTFSInfoDetail_systemdrive" systemtype="Server" queue="flush" >
+            <execute name="Orc.exe" run="self:#NTFSInfo" />
+            <argument>/config=res:#NTFSInfoDetail_systemdrive_config.xml</argument>
+            <output name="NTFSInfo_i30Info.7z" source="File" argument="/i30info={FileName}"/>
+            <output name="NTFSInfo_SecDesc.7z" source="File" argument="/SecDescr={FileName}"/>
+            <output name="NTFSInfo_detail.7z"  source="File" argument="/out={FileName}" />
+            <output name="NTFSInfo_detail.log" source="StdOutErr" />
+        </command>
 
         <command keyword="GetSystemHives">
-            <execute name="DFIR-Orc.exe" run="self:#GetThis"/>
-            <argument>/config=res:#GetSystemHives_config.xml</argument>
-            <output name="SystemHives.7z" source="File" argument="/out={FileName}"/>
-            <output name="SystemHives.log" source="StdOutErr"/>
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetSystemHives_config.xml /shadows</argument>
+            <output  name="SystemHives.7z" source="File" argument="/out={FileName}" />
+            <output  name="SystemHives.log" source="StdOutErr" />
         </command>
 
         <command keyword="GetUserHives">
-            <execute name="DFIR-Orc.exe" run="self:#GetThis"/>
-            <argument>/config=res:#GetUserHives_config.xml</argument>
-            <output name="UserHives.7z" source="File" argument="/out={FileName}"/>
-            <output name="UserHives.log" source="StdOutErr"/>
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetUserHives_config.xml /shadows</argument>
+            <output  name="UserHives.7z" source="File" argument="/out={FileName}" />
+            <output  name="UserHives.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="FatInfo" >
+            <execute name="Orc.exe" run="self:#FatInfo" />
+            <argument>/config=res:#FatInfoDetail_config.xml</argument>
+            <output name="FatInfo_detail.7z"  source="File" argument="/out={FileName}" />
+            <output name="FatInfo_detail.log" source="StdOutErr" />
         </command>
 
+        <command keyword="USNInfo" queue="flush">
+            <execute name="Orc.exe" run="self:#USNInfo" />
+            <argument>*</argument>
+            <output  name="USNInfo.7z" source="File" argument="/out={FileName}" />
+            <output  name="USNInfo.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetUefiFull">
+            <execute name="Orc.exe" run="self:#GetSectors" />
+            <argument>/UefiFull</argument>
+            <output  name="UefiFull.7z" source="File" argument="/Out={FileName}" />
+            <output  name="UefiFull.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetFuzzyHash" optional="yes">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetFuzzyHash_config.xml /fuzzyhash=tlsh,ssdeep</argument>
+            <output  name="FuzzyHash.7z" source="File" argument="/out={FileName}" />
+            <output  name="FuzzyHash.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="FatInfoPE" queue="flush" optional="yes">
+            <execute name="Orc.exe" run="self:#FatInfo" />
+            <argument>/config=res:#FatInfoHashPE_config.xml</argument>
+            <output name="FatInfo_pehash.7z"  source="File" argument="/out={FileName}" />
+            <output name="FatInfo_pehash.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="FatInfoFirstBytes"  queue="flush" optional="yes">
+            <execute name="Orc.exe" run="self:#FatInfo" />
+            <argument>/config=res:#FatInfoFirstBytes_config.xml</argument>
+            <output name="FatInfo_firstbytes.7z"  source="File" argument="/out={FileName}" />
+            <output name="FatInfo_firstbytes.log" source="StdOutErr" />
+        </command>
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Browsers.7z" keyword="Browsers" concurrency="2" repeat="Once" compression="Normal" archive_timeout="120" >
+        <restrictions ElapsedTimeLimit="360" />
+
+        <command keyword="GetBrowsersHistory">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetBrowsersHistory_config.xml</argument>
+            <output  name="Browsers_history.7z" source="File" argument="/out={FileName}" />
+            <output  name="Browsers_history.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetBrowsersArtefacts">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetBrowsersArtefacts_config.xml</argument>
+            <output  name="Browsers_artefacts.7z" source="File" argument="/out={FileName}" />
+            <output  name="Browsers_artefacts.log" source="StdOutErr" />
+        </command>
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_SAM.7z" keyword="SAM" concurrency="2" repeat="Once" compression="fast" archive_timeout="120">
+        <restrictions ElapsedTimeLimit="60" />
+
         <command keyword="GetSamHive">
-            <execute name="DFIR-Orc.exe" run="self:#GetThis"/>
+            <execute name="Orc.exe" run="self:#GetThis" />
             <argument>/config=res:#GetSamHive_config.xml</argument>
-            <output name="SAM.7z" source="File" argument="/out={FileName}"/>
-            <output name="SAM.log" source="StdOutErr"/>
+            <output  name="SAM.7z" source="File" argument="/out={FileName}" />
+            <output  name="SAM.log" source="StdOutErr" />
         </command>
     </archive>
 
-    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Yara.7z" keyword="Yara" concurrency="2" repeat="Once" compression="fast" archive_timeout="240" optional="yes">
-        <restrictions JobMemoryLimit="3G" ProcessMemoryLimit="3G" ElapsedTimeLimit="240"/>
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Yara.7z" keyword="Yara" concurrency="2" repeat="Once" compression="fast" archive_timeout="120" optional="yes">
+        <restrictions ElapsedTimeLimit="480" />
 
         <command keyword="GetYara">
-            <execute name="DFIR-Orc.exe" run="self:#GetThis"/>
+            <execute name="Orc.exe" run="self:#GetThis" />
             <argument>/config=res:#GetYaraSamples_config.xml</argument>
-            <output name="Yara.7z" source="File" argument="/out={FileName}"/>
-            <output name="Yara.log" source="StdOutErr"/>
+            <output  name="Yara.7z" source="File" argument="/out={FileName}" />
+            <output  name="Yara.log" source="StdOutErr" />
+        </command>
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Powershell.7z" keyword="Powershell" concurrency="2" repeat="Once" compression="fast" archive_timeout="120">
+        <restrictions ElapsedTimeLimit="60" />
+
+        <command keyword="DNS_records" systemtype="DomainController|Server" winver="6.0+" >
+            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
+            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
+            <argument>if (Get-Command Get-DnsServerZone -CommandType Function -ErrorAction SilentlyContinue) { Get-DnsServerZone | ForEach-Object {write-host '' ; write-host '***' $_.ZoneName '***' ; write-host '' ; Get-DnsServerResourceRecord -ZoneName ($_.ZoneName)} } else { Get-WmiObject -Namespace root\MicrosoftDNS MicrosoftDNS_Domain | ? { $_.ContainerName -NotLike '..RootHints' -And $_.ContainerName -NotLike '..Cache' } | select ContainerName | Sort-Object ContainerName | Get-Unique -AsString | % { dnscmd /zoneprint $_.ContainerName } }</argument>
+            <output  name="DNS_records.txt" source="StdOut" />
+            <output  name="DNS_records.log" source="StdErr" />
+        </command>
+
+        <command keyword="EventConsumer"  winver="6.0+">
+            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
+            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
+            <argument>Get-WMIObject -Namespace root\Subscription -Class __EventConsumer</argument>
+            <output  name="EventConsumer.txt" source="StdOut" />
+            <output  name="EventConsumer.log" source="StdErr" />
+        </command>
+
+        <command keyword="ADComputers" systemtype="DomainController" winver="6.0+" >
+            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
+            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
+            <argument>Import-Module ActiveDirectory ; $TimeAgo = (Get-Date).AddMonths(-3) ; Get-ADComputer -Filter {enabled -eq $true -and lastLogonTimeStamp -gt $TimeAgo} -Properties DNSHostName | Select DNSHostName | ConvertTo-Csv</argument>
+            <output  name="AD_computers.csv" source="StdOut" />
+            <output  name="AD_computers.log" source="StdErr" />
+        </command>
+
+        <command keyword="Processes1" winver="6.0+" >
+            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
+            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
+            <argument>Get-WMIObject win32_process | Export-Csv -NoTypeInformation -Encoding UTF8</argument>
+            <output  name="processes1.csv" source="File" argument="-Path {FileName}" />
+            <output  name="processes1.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="Processes2" winver="6.0+" >
+            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
+            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
+            <argument>Get-Process | Export-Csv -NoTypeInformation -Encoding UTF8</argument>
+            <output  name="processes2.csv" source="File" argument="-Path {FileName}" />
+            <output  name="processes2.log" source="StdOutErr" />
         </command>
+
     </archive>
+
+
+    <!--             -->
+    <!-- ORC OFFLINE -->
+    <!--             -->
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Offline.7z" keyword="ORC_Offline" concurrency="2" repeat="Once" compression="fast" optional="yes">
+
+        <command keyword="NTFSInfo_offline" queue="flush">
+            <execute name="Orc.exe" run="self:#NTFSInfo" />
+            <argument>/config=res:#NTFSInfo_offline_config.xml</argument>
+            <output  name="NTFSInfo_i30Info.7z" source="File" argument="/i30info={FileName}"/>
+            <output  name="NTFSInfo_SecDesc.7z" source="File" argument="/SecDescr={FileName}"/>
+            <output  name="NTFSInfo_detail.7z"  source="File" argument="/fileinfo={FileName}" />
+            <output  name="NTFSInfo_detail.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="FatInfo_offline" queue="flush">
+            <execute name="Orc.exe" run="self:#FatInfo" />
+            <argument>/config=res:#FatInfo_offline_config.xml</argument>
+            <output name="FatInfo_detail.7z"  source="File" argument="/out={FileName}" />
+            <output name="FatInfo_detail.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="USNInfo_offline" queue="flush">
+            <execute name="Orc.exe" run="self:#USNInfo" />
+            <output  name="USNInfo.7z" source="File" argument="/out={FileName}" />
+            <output  name="USNInfo.log" source="StdOutErr" />
+            <argument>%OfflineLocation%</argument>
+        </command>
+
+        <command keyword="GetFuzzyHash_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetFuzzyHash_offline_config.xml /fuzzyhash=tlsh,ssdeep</argument>
+            <output  name="FuzzyHash.7z" source="File" argument="/out={FileName}" />
+            <output  name="FuzzyHash.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetSystemHives_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetHives_offline_config.xml</argument>
+            <output  name="SystemHives.7z" source="File" argument="/out={FileName}" />
+            <output  name="SystemHives.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetUserHives_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetUserHives_offline_config.xml</argument>
+            <output  name="UserHives.7z" source="File" argument="/out={FileName}" />
+            <output  name="UserHives.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetLegacyBootCode_offline">
+            <execute name="Orc.exe" run="self:#GetSectors" />
+            <output  name="BootCode.7z" source="File" argument="/LegacyBootCode /SlackSpace /Out={FileName}" />
+            <output  name="BootCode.log" source="StdOutErr" />
+        </command>
+
+        <!-- Ajout GetUefiFull -->
+
+        <command keyword="GetUefiFull_offline">
+            <execute name="Orc.exe" run="self:#GetSectors" />
+            <output  name="UefiFull.7z" source="File" argument="/UefiFull /Out={FileName}" />
+            <output  name="UefiFull.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetSDS_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetSDS_offline_config.xml</argument>
+            <output  name="Secure.7z" source="File" argument="/out={FileName}" />
+            <output  name="Secure.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetADS_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetADS_offline_config.xml</argument>
+            <output name="ADS.7z" source="File" argument="/out={FileName}" />
+            <output name="ADS.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetCatroot_offline"  queue="flush">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetCatRoot_offline_config.xml</argument>
+            <output  name="CatRoot.7z" source="File" argument="/out={FileName}" />
+            <output  name="CatRoot.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetEVT_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetEVT_offline_config.xml</argument>
+            <output  name="Event.7z" source="File" argument="/out={FileName}" />
+            <output  name="Event.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetEXE_TMP_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetEXE_TMP_offline_config.xml</argument>
+            <output  name="EXE_TMP.7z" source="File" argument="/out={FileName}" />
+            <output  name="EXE_TMP.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetArtefacts_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetArtefacts_offline_config.xml</argument>
+            <output  name="Artefacts.7z" source="File" argument="/out={FileName}" />
+            <output  name="Artefacts.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetTextLogs_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetTextLogs_offline_config.xml</argument>
+            <output  name="TextLogs.7z" source="File" argument="/out={FileName}" />
+            <output  name="TextLogs.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetScripts_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetScript_offline_config.xml</argument>
+            <output  name="Scripts.7z" source="File" argument="/out={FileName}" />
+            <output  name="Scripts.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetErrors_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetErrors_offline_config.xml</argument>
+            <output  name="Errors.7z" source="File" argument="/out={FileName}" />
+            <output  name="Errors.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetMemoryDmp_offline" >
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetMemDmp_offline_config.xml</argument>
+            <output  name="Memory_dmp.7z" source="File" argument="/out={FileName}" />
+            <output  name="Memory_dmp.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetBrowsersComplet_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetBrowsersComplet_offline_config.xml</argument>
+            <output  name="Browsers_complet.7z" source="File" argument="/out={FileName}" />
+            <output  name="Browsers_complet.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetSamHive_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetSAM_hive_offline_config.xml</argument>
+            <output  name="SAM.7z" source="File" argument="/out={FileName}" />
+            <output  name="SAM.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetExtAttrs_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetExtAttrs_offline_config.xml</argument>
+            <output  name="ExtAttrs.7z" source="File" argument="/out={FileName}" />
+            <output  name="ExtAttrs.log" source="StdOutErr" />
+        </command>
+
+        <command keyword="GetResidents_offline">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetResidents_offline_config.xml</argument>
+            <output  name="Residents.7z" source="File" argument="/out={FileName}" />
+            <output  name="Residents.log" source="StdOutErr" />
+        </command>
+
+    </archive>
+
+    <archive name="DFIR-ORC_{SystemType}_{FullComputerName}_Debug.7z" keyword="Debug" concurrency="1" repeat="Once" compression="fast" archive_timeout="120" optional="yes">
+
+        <command keyword="GetMFT">
+            <execute name="Orc.exe" run="self:#GetThis" />
+            <argument>/config=res:#GetMFT_config.xml</argument>
+            <output  name="MFT.7z" source="File" argument="/out={FileName}" />
+            <output  name="MFT.log" source="StdOutErr" />
+        </command>
+
+    </archive>
+
 </wolf>
diff --git a/config/DFIR-ORC_embed.xml b/config/DFIR-ORC_embed.xml
old mode 100755
new mode 100644
index 3a62df9..881ac07
--- a/config/DFIR-ORC_embed.xml
+++ b/config/DFIR-ORC_embed.xml
@@ -1,27 +1,86 @@
 <?xml version="1.0" encoding="utf-8"?>
 <toolembed>
-    <input>.\tools\DFIR-Orc_x86.exe</input>
-    <output>.\output\%ORC_OUTPUT%</output>
-
-    <run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>
-    <run32 args="WolfLauncher">self:#</run32>
-
-    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
-
-    <file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
-    <file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
-    <file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
-    <file name="GetEvents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEvents_config.xml"/>
-    <file name="NTFSInfo_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_config.xml"/>
-    <file name="NTFSInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoHashPE_config.xml"/>
-    <file name="FatInfo_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_config.xml"/>
-    <file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
-    <file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
-    <file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
-    <file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
-
-    <archive name="Tools" format="7z" compression="Ultra">
-        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
-        <file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
-    </archive>
+	<input>.\tools\DFIR-Orc_x86.exe</input>
+	<output>.\output\%ORC_OUTPUT%</output>
+
+	<run64 args="WolfLauncher" >7z:#Tools|DFIR-Orc_x64.exe</run64>
+	<run32 args="WolfLauncher" >self:#</run32>
+
+	<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
+
+	<file name="GetADS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_config.xml"/>
+	<file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
+	<file name="GetExtAttrs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_config.xml"/>
+	<file name="GetTextLogs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_config.xml"/>
+	<file name="GetSDS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_config.xml"/>
+	<file name="GetCatRoot_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_config.xml"/>
+	<file name="GetEVT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_config.xml"/>
+	<file name="GetExeTMP_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExeTMP_config.xml"/>
+	<file name="GetBrowsersHistory_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersHistory_config.xml"/>
+	<file name="GetBrowsersArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersArtefacts_config.xml"/>
+	<file name="GetScript_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_config.xml"/>
+	<file name="GetErrors_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_config.xml"/>
+	<file name="GetSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamples_config.xml" />
+	<file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
+	<file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
+	<file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
+	<file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
+	<file name="NTFSInfoQuick_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoQuick_config.xml"/>
+	<file name="NTFSInfoDetail_systemdrive_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_systemdrive_config.xml"/>
+	<file name="NTFSInfoDetail_alldrives_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_alldrives_config.xml"/>
+	<file name="GetFuzzyHash_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_config.xml"/>
+	<file name="FatInfoDetail_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoDetail_config.xml"/>
+	<file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
+	<file name="FatInfoFirstBytes_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoFirstBytes_config.xml"/>
+	<file name="GetMemDmp_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_config.xml"/>
+	<file name="GetResidents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_config.xml"/>
+
+	<file name="GetADS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_offline_config.xml"/>
+	<file name="GetArtefacts_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_offline_config.xml"/>
+	<file name="GetExtAttrs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_offline_config.xml"/>
+	<file name="GetTextLogs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_offline_config.xml"/>
+	<file name="GetHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetHives_offline_config.xml"/>
+	<file name="GetSDS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_offline_config.xml"/>
+	<file name="GetCatRoot_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_offline_config.xml"/>
+	<file name="GetScript_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_offline_config.xml"/>
+	<file name="GetErrors_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_offline_config.xml"/>
+	<file name="GetMemDmp_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_offline_config.xml"/>
+	<file name="GetEVT_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_offline_config.xml"/>
+	<file name="GetUserHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_offline_config.xml"/>
+	<file name="GetEXE_TMP_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEXE_TMP_offline_config.xml"/>
+	<file name="GetBrowsersComplet_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersComplet_offline_config.xml"/>
+	<!-- <file name="GetYaraSamples_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_offline_config.xml"/> -->
+	<file name="GetFuzzyHash_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_offline_config.xml"/>
+	<file name="NTFSInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_offline_config.xml"/>
+	<file name="GetSAM_hive_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSAM_hive_offline_config.xml"/>
+	<file name="FatInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_offline_config.xml"/>
+	<file name="GetResidents_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_offline_config.xml"/>
+
+	<file name="NTFSInfo_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_little_config.xml" />
+	<file name="GetEVT_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_little_config.xml" />
+	<file name="GetSystemHives_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_little_config.xml" />
+	<file name="GetArtefacts_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_little_config.xml" />
+	<file name="GetScript_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_little_config.xml" />
+
+	<file name="FastFind_config.xml" path=".\%ORC_CONFIG_FOLDER%\FastFind_config.xml" />
+
+	<file name="GetMFT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMFT_config.xml" />
+
+	<file name="yara_rules" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara" />
+
+	<pair name="AUTORUNS"  value="7z:#Tools|autorunsc.exe" />
+
+        <archive name="Tools" format="7z" compression="Ultra">
+		<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
+
+		<file name="handle.exe" path=".\tools\handle.exe"/>
+		<file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
+		<file name="Tcpvcon.exe" path=".\tools\Tcpvcon.exe"/>
+		<file name="PsService.exe" path=".\tools\PsService.exe"/>
+		<file name="Listdlls.exe" path=".\tools\Listdlls.exe"/>
+
+		<file name="dumpit" path=".\tools\DumpIt.exe" />
+		<file name="winpmem" path=".\tools\winpmem.exe" />
+
+	</archive>
 </toolembed>
diff --git a/config/FastFind_config.xml b/config/FastFind_config.xml
new file mode 100644
index 0000000..e910954
--- /dev/null
+++ b/config/FastFind_config.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<fastfind version="FastFind_in_Orc">
+    <filesystem>
+        <location shadows="yes">%SystemDrive%</location>
+    </filesystem>
+</fastfind>
\ No newline at end of file
diff --git a/config/FastFind_example.xml b/config/FastFind_example.xml
new file mode 100644
index 0000000..4aee2ab
--- /dev/null
+++ b/config/FastFind_example.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<fastfind version="foobar_YYYYMMDD">
+    <filesystem>
+        <location shadows="yes">%SystemDrive%</location>
+        <yara block="20M" overlap="2M" timeout="120" source="res:#yara_rules" scan_method="blocks" />
+
+        <ntfs_find name="explorer.exe" />
+        <ntfs_find name_match="expl*.exe" />
+        <ntfs_find name_regex="expl.{4}\.[ex]+" />
+        <ntfs_find path="\windows\explorer.exe"/>
+        <ntfs_find path_match="*\explorer.exe" />
+        <ntfs_find path_regex="\\win.*\\explorer.exe" />
+        <!-- Always use another "metadata match" (path, name, size) when using md5, sha1, sha256, contains[_hex] and yara_rule, otherwise FastFind could end up having to read (and hash or yara-parse) every single files on the volume ! -->
+        <ntfs_find size="0" sha1="da39a3ee5e6b4b0d3255bfef95601890afd80709" />    <!-- matches the empty file -->
+        <!-- The use of "header[_hex|_regex]" is much more costly than a "metadata match" since it requires to read some data from the file, but less than a full content match so this can be used to narrow down the subset of files to parse for full-content matching (hashes, contains and yara) -->
+        <ntfs_find header="MZ" size_le="10M" contains="getthis_collection" />   <!-- matches ORC and FastFind -->
+        <ntfs_find header="MZ" size_le="10M" contains_hex="250073002000280043006100740061007300740072006f00700068006900630020006600610069006c00750072006500" /> <!-- matches ORC and FastFind -->
+        <ntfs_find size_le="15M" size_ge="10M" yara_rule="orc" />   <!-- matches ORC (FastFind should be smaller) -->
+
+        <ntfs_find ads="$J" />
+        <ntfs_find path="\$Extend\$UsnJrnl" ads="$J" />
+
+    </filesystem>
+
+    <registry>
+        <location>%SystemDrive%</location>
+        <hive name="NTUSER">
+            <ntfs_find name="NTUSER.DAT" />
+            <!-- For a listing of every values (and their corresponding data) below a certain key, use value_regex=".*" -->
+            <registry_find key_path_regex="\\Software(\\Wow6432Node)?\\Microsoft\\Windows\\CurrentVersion\\Run" value_regex=".*" />
+        </hive>
+        <hive name="SOFTWARE">
+            <ntfs_find path="\Windows\System32\config\SOFTWARE" />
+            <!-- data_contains is case sensitive -->
+            <registry_find key_path="\Microsoft\Windows NT\CurrentVersion" value="SystemRoot" value_type="REG_SZ" data_contains="\Win" />
+        </hive>
+        <hive name="SYSTEM">
+            <ntfs_find path="\Windows\System32\config\SYSTEM" />
+            <!-- matching only on key will not retrieve any value nor data, so the example below will only list services -->
+            <registry_find key_path_regex="\\ControlSet[0-9]{3}\\Services\\[^\\]+" />
+            <!-- data_hex must match the same length as the targeted value type (ie. for a REG_DWORD, data_hex must be 4-bytes long) -->
+            <registry_find key_path="\Select" value="Current" value_type="REG_DWORD" data_hex="00000001" />
+        </hive>
+    </registry>
+
+    <object>
+        <!-- object "type" can be one of the following : Type, Directory, Session, WindowStation, Event, KeyedEvent, Callback, Job, Mutant, Section, Semaphore, SymbolicLink, Device, Driver, ALPCPort, FilterConnectionPort, Key, File -->
+        <object_find type="Device" name="Ntfs" />
+        <object_find type="Device" path="\Ntfs" />
+        <object_find type="Mutant" name_regex="\{A3BD3259-3E4F-[a-f0-9]{4}-84C8-F0463A9D3EB5\}" />
+        <object_find type="Mutant" path_regex="\\Sessions\\[0-9]+\\.*" />
+    </object>
+</fastfind>
diff --git a/config/FatInfoDetail_config.xml b/config/FatInfoDetail_config.xml
new file mode 100755
index 0000000..8a01ad7
--- /dev/null
+++ b/config/FatInfoDetail_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
+  </columns>
+</fatinfo>
diff --git a/config/FatInfoFirstBytes_config.xml b/config/FatInfoFirstBytes_config.xml
new file mode 100755
index 0000000..0a2d30f
--- /dev/null
+++ b/config/FatInfoFirstBytes_config.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
+  </columns>
+</fatinfo>
diff --git a/config/FatInfoHashPE_config.xml b/config/FatInfoHashPE_config.xml
index 85774cd..94d7855 100755
--- a/config/FatInfoHashPE_config.xml
+++ b/config/FatInfoHashPE_config.xml
@@ -1,10 +1,14 @@
 <?xml version="1.0"?>
+
 <fatinfo resurrect="yes">
-    <location>*</location>
-    <columns>
-        <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default>
-        <default>Details</default>
-        <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
-        <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
-    </columns>
-</fatinfo>
\ No newline at end of file
+  <location>*</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse</default>
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>  
+  </columns>
+</fatinfo>
+
+
+
diff --git a/config/FatInfo_offline_config.xml b/config/FatInfo_offline_config.xml
new file mode 100644
index 0000000..ecc593b
--- /dev/null
+++ b/config/FatInfo_offline_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<fatinfo resurrect="yes">
+  <location>%OfflineLocation%</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,RecordInUse,FirstBytes</default> 
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,PeSHA1,PeSHA256,Authenticode</add>
+  </columns>
+</fatinfo>
diff --git a/config/GetADS_config.xml b/config/GetADS_config.xml
new file mode 100755
index 0000000..2ea26c6
--- /dev/null
+++ b/config/GetADS_config.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>*</location>
+  <samples MaxPerSampleBytes="20MB" MaxTotalBytes="256MB" MaxSampleCount="200000" >
+    <sample name="ads">
+      <ntfs_find ads_match="?*" />
+      <ntfs_exclude path="\$UpCase" ads="$Info" />
+      <ntfs_exclude path="\$Extend\$UsnJrnl" ads="$J" />
+      <ntfs_exclude path="\$BadClus" ads="$Bad" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Corrupt" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Verify" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$TxfLog\$Tops" ads="$T" />
+      <ntfs_exclude path="\$Secure" ads="$SDS" /> 
+      <ntfs_exclude ads="WofCompressedData" />
+	</sample>
+  </samples>
+</getthis>
diff --git a/config/GetADS_offline_config.xml b/config/GetADS_offline_config.xml
new file mode 100644
index 0000000..08f7b73
--- /dev/null
+++ b/config/GetADS_offline_config.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>
+    <sample name="ads">
+      <ntfs_find ads_match="?*" /> 
+      <ntfs_exclude path="\$UpCase" ads="$Info" />
+      <ntfs_exclude path="\$BadClus" ads="$Bad" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Corrupt" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$Repair" ads="$Verify" />
+      <ntfs_exclude path="\$Secure" ads="$SDS" />
+      <ntfs_exclude path="\$Extend\$RmMetadata\$TxfLog\$Tops" ads="$T" />
+      <ntfs_exclude path="\$Extend\$UsnJrnl" ads="$J" />  
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetArtefacts_config.xml b/config/GetArtefacts_config.xml
index 3081fb8..419d278 100755
--- a/config/GetArtefacts_config.xml
+++ b/config/GetArtefacts_config.xml
@@ -1,29 +1,105 @@
 <?xml version="1.0"?>
+
 <getthis reportall="">
-    <output compression="fast"/>
-    <location shadows="yes">*</location>
-    <samples MaxTotalBytes="1GB" MaxSampleCount="200000" MaxPerSampleBytes="650MB">
-
-        <sample name="Prefetch" MaxPerSampleBytes="20MB">
-            <ntfs_find path_match="\Windows\Prefetch\*.pf"/>
-            <ntfs_find path_match="\Windows\Prefetch\layout.ini"/>
-        </sample>
-
-        <sample name="AmCache" MaxPerSampleBytes="120MB">
-            <ntfs_find path_match="\Windows\AppCompat\Programs\*"/>
-        </sample>
-
-        <sample name="RDP_BMC" MaxPerSampleBytes="200MB" MaxTotalBytes="600MB">
-            <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bmc"/>
-            <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bin"/>
-            <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bmc"/>
-            <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin"/>
-        </sample>
-
-        <sample name="BITS_QMGR" MaxTotalBytes="100MB">
-            <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr*.dat"/>
-            <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\qmgr*.dat"/>
-        </sample>
-
-    </samples>
-</getthis>
\ No newline at end of file
+  <output compression="fast" />
+  <location shadows="yes">*</location>
+  <samples MaxTotalBytes="1GB" MaxSampleCount="200000" MaxPerSampleBytes="650MB" >
+
+    <sample name="ActivityTimeline" MaxPerSampleBytes="120MB">
+        <ntfs_find name="ActivitiesCache.db" />
+    </sample>
+
+    <sample name="SuperFetch" MaxPerSampleBytes="50MB">
+        <ntfs_find path_match="\Windows\Prefetch\Ag*.db" />
+    </sample>
+
+    <sample name="Idx" MaxPerSampleBytes="5MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*.idx" />
+        <ntfs_find path_match="\Users\*\AppData\*\Sun\Java\Deployment\cache\*.idx" />
+    </sample>
+
+    <sample name="Sol" MaxPerSampleBytes="10MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\*SharedObjects\*.sol" />
+        <ntfs_find path_match="\Users\*\AppData\*SharedObjects\*.sol" />
+    </sample>
+
+    <sample name="Swf" MaxPerSampleBytes="10MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\*.swf" />
+        <ntfs_find path_match="\Users\*\AppData\*.swf" />
+    </sample>
+
+    <sample name="lnk" MaxPerSampleBytes="5MB">
+        <ntfs_find name_match="*.lnk" />
+    </sample>
+
+    <sample name="INFO2" MaxPerSampleBytes="20MB">
+        <ntfs_find path_match="\Recycler\*\INFO2" />
+    </sample>
+
+    <sample name="IconCache" MaxPerSampleBytes="50MB">
+        <ntfs_find path_match="\Users\*\Appdata\Local\IconCache.db" />
+	<ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\IconCache.db" />
+    </sample>
+
+    <sample name="WMI_Filters" MaxTotalBytes="180MB" MaxPerSampleBytes="100MB">
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.DATA" />
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.MAP" />
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.BTR" />
+    </sample>
+
+    <sample name="RDP_bmc" MaxPerSampleBytes="200MB" MaxTotalBytes="600MB">
+        <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bmc" />
+        <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bin" />
+	<ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bmc" />
+	<ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin" />
+    </sample>
+
+    <sample name="BITS_QMGR" MaxTotalBytes="100MB">
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr*.dat" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\qmgr*.dat" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\qmgr.db" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\qmgr.jfm" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\edb.chk" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\edb*.jrs" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\edb*.log" />
+    </sample>
+
+    <sample name="SRUM" MaxTotalBytes="100MB">
+        <ntfs_find path_match="\Windows\System32\sru\*" />
+    </sample>
+
+    <sample name="plist" MaxTotalBytes="50MB">
+        <ntfs_find name_match="*.plist" />
+    </sample>
+
+    <sample name="sdb" MaxTotalBytes="500MB">
+        <ntfs_find path="\windows\security\database\secedit.sdb" />
+        <ntfs_find path_match="\windows\Apppatch\*.sdb" />
+    </sample>
+
+    <sample name="special_accounts" MaxTotalBytes="200MB">
+        <ntfs_find path_match="\windows\system32\config\systemprofile\*" />
+        <ntfs_find path_match="\windows\syswow64\config\systemprofile\*" />
+        <ntfs_find path_match="\windows\ServiceProfiles\LocalService\*" />
+        <ntfs_find path_match="\windows\ServiceProfiles\NetworkService\*" />
+        <ntfs_exclude name="ntuser.dat" />
+        <ntfs_exclude name="usrclass.dat" />
+    </sample>
+
+    <sample name="exchange_transport_agent" MaxTotalBytes="50MB">
+        <ntfs_find name="agents.config" />
+    </sample>
+
+    <sample name="Prefetch" MaxPerSampleBytes="20MB">
+        <ntfs_find path_match="\Windows\Prefetch\*.pf" />
+        <ntfs_find path_match="\Windows\Prefetch\layout.ini" />
+    </sample>
+
+    <sample name="recentFile" MaxPerSampleBytes="120MB">
+        <ntfs_find name="RecentFileCache.bcf" />
+        <ntfs_find path_match="\Windows\AppCompat\Programs\AEINV_*.xml" />
+        <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations-ms" />
+    </sample>
+
+  </samples>
+</getthis>
diff --git a/config/GetArtefacts_little_config.xml b/config/GetArtefacts_little_config.xml
new file mode 100644
index 0000000..08ef9cd
--- /dev/null
+++ b/config/GetArtefacts_little_config.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+<getthis reportall="" hash="none">
+    <output compression="ultra" />
+    <location>%SystemDrive%</location>
+    <samples MaxPerSampleBytes="650MB" MaxTotalBytes="1GB" MaxSampleCount="200000">
+        <sample name="Prefetch" MaxPerSampleBytes="20MB">
+            <ntfs_find path_match="\Windows\Prefetch\*.pf" />
+            <ntfs_find path_match="\Windows\Prefetch\layout.ini" />
+        </sample>
+        <sample name="recentFile" MaxPerSampleBytes="120MB">
+            <ntfs_find name="RecentFileCache.bcf" />
+            <ntfs_find path_match="\Windows\AppCompat\Programs\AEINV_*.xml" />
+            <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations-ms" />
+        </sample>
+    </samples>
+</getthis>
diff --git a/config/GetArtefacts_offline_config.xml b/config/GetArtefacts_offline_config.xml
new file mode 100644
index 0000000..ebecb5a
--- /dev/null
+++ b/config/GetArtefacts_offline_config.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <output compression="fast" />
+  <location>%OfflineLocation%</location>
+  <samples>
+
+    <sample name="ActivityTimeline" MaxPerSampleBytes="120MB">
+        <ntfs_find name="ActivitiesCache.db" />
+    </sample>
+
+    <sample name="recentFile" MaxPerSampleBytes="120MB">
+        <ntfs_find name="RecentFileCache.bcf" />
+        <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations-ms" />
+    </sample>
+
+    <sample name="Prefetch" MaxPerSampleBytes="20MB">
+        <ntfs_find path_match="\Windows\Prefetch\*.pf" />
+        <ntfs_find path_match="\Windows\Prefetch\layout.ini" />
+    </sample>
+
+    <sample name="SuperFetch" MaxPerSampleBytes="50MB">
+        <ntfs_find path_match="\Windows\Prefetch\Ag*.db" />
+    </sample>
+
+    <sample name="Idx" MaxPerSampleBytes="5MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\Sun\Java\Deployment\cache\*.idx" />
+        <ntfs_find path_match="\Users\*\AppData\*\Sun\Java\Deployment\cache\*.idx" />
+    </sample>
+
+    <sample name="Sol" MaxPerSampleBytes="10MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\*SharedObjects\*.sol" />
+        <ntfs_find path_match="\Users\*\AppData\*SharedObjects\*.sol" />
+    </sample>
+
+    <sample name="Swf" MaxPerSampleBytes="10MB">
+        <ntfs_find path_match="\Documents and Settings\*\Application Data\*.swf" />
+        <ntfs_find path_match="\Users\*\AppData\*.swf" />
+    </sample>
+
+    <sample name="lnk" MaxPerSampleBytes="5MB">
+        <ntfs_find name_match="*.lnk" />
+    </sample>
+
+    <sample name="INFO2" MaxPerSampleBytes="20MB">
+        <ntfs_find path_match="\Recycler\*\INFO2" />
+    </sample>
+
+    <sample name="IconCache" MaxPerSampleBytes="50MB">
+        <ntfs_find path_match="\Users\*\Appdata\Local\IconCache.db" />
+	<ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\IconCache.db" />
+    </sample>
+
+    <sample name="WMI_Filters" MaxTotalBytes="180MB" MaxPerSampleBytes="100MB">
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.DATA" />
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.MAP" />
+        <ntfs_find path_match="\Windows\system32\wbem\Repository\*.BTR" />
+    </sample>
+
+    <sample name="RDP_bmc" MaxPerSampleBytes="200MB" MaxTotalBytes="1GB">
+        <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bmc" />
+        <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\*.bin" />
+	<ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bmc" />
+	<ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Terminal Server Client\Cache\*.bin" />
+    </sample>
+
+    <sample name="BITS_QMGR" MaxTotalBytes="100MB">
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr*.dat" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\qmgr*.dat" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\qmgr.db" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\qmgr.jfm" />
+        <ntfs_find path="\ProgramData\Microsoft\Network\Downloader\edb.chk" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\edb*.jrs" />
+        <ntfs_find path_match="\ProgramData\Microsoft\Network\Downloader\edb*.log" />
+    </sample>
+
+    <sample name="SRUM" MaxTotalBytes="100MB">
+        <ntfs_find path_match="\Windows\System32\sru\*" />
+    </sample>
+
+    <sample name="plist" MaxPerSampleBytes="2MB" MaxTotalBytes="50MB">
+        <ntfs_find name_match="*.plist" />
+    </sample>
+
+    <sample name="sdb" MaxTotalBytes="500MB">
+        <ntfs_find path="\windows\security\database\secedit.sdb" />
+        <ntfs_find path_match="\windows\Apppatch\*.sdb" />
+    </sample>
+
+    <sample name="special_accounts" >
+        <ntfs_find path_match="\windows\system32\config\systemprofile\*" />
+        <ntfs_find path_match="\windows\syswow64\config\systemprofile\*" />
+        <ntfs_find path_match="\windows\ServiceProfiles\LocalService\*" />
+        <ntfs_find path_match="\windows\ServiceProfiles\NetworkService\*" />
+        <ntfs_exclude name="ntuser.dat" />
+        <ntfs_exclude name="usrclass.dat" />
+    </sample>
+
+    <sample name="exchange_transport_agent">
+        <ntfs_find name="agents.config" />
+    </sample>
+
+  </samples>
+</getthis>
diff --git a/config/GetBrowsersArtefacts_config.xml b/config/GetBrowsersArtefacts_config.xml
new file mode 100644
index 0000000..5e3eec7
--- /dev/null
+++ b/config/GetBrowsersArtefacts_config.xml
@@ -0,0 +1,180 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <output compression="fast" />
+  <location>*</location>
+  <samples MaxPerSampleBytes="128MB" MaxTotalBytes="512MB" MaxSampleCount="200000">
+  <!-- Configuration pour récupérer tous les artefacts intéressants hors GetBrowsersHistory -->
+    <sample name="Firefox_XP_Artefacts">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\profiles.ini"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\bookmarkbackups\bookmarks*.jsonlz4"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\content-prefs.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.json"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions.ini"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions.json"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions\*.xpi"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage\default\*\cache\caches.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage\default\*\idb\*.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\permissions.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\prefs.js"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappsstore.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore.js"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.js*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cert*.db"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\datareporting\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\saved-telemetry-pings\*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\cache2\entries\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\cache2\index*"/>
+    </sample>
+
+    <sample name="Firefox_Vista_Artefacts">
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\profiles.ini"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Mozilla\Firefox\Crash Reports\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\bookmarks*.jsonlz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\content-prefs.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions\*.xpi"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage\default\*\cache\caches.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage\default\*\idb\*.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappsstore.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore.jsonlz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.jsonlz4*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.baklz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicon.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cert*.db"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\datareporting\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\saved-telemetry-pings\*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\cache2\entries\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\cache2\index*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\jumpListCache\*.ico"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\thumbnails\*.png"/>
+    </sample>
+
+    <sample name="Chrome_XP_Artefacts">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Bookmarks*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Web Data*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Preferences*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Cache\*"/>
+    </sample>
+
+    <sample name="Chrome_50_Artefacts"> <!-- L'étoile après Chrome c'est pour inclure Canary -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Bookmarks"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Visited Links"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension Cookies"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension Activity\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension State\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Current Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Current Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Last Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Last Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\QuotaManager"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Web data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Thumbnails"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Preferences"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\*Cache\*"/>
+    </sample>
+
+
+    <sample name="Safari_XP_Artefacts">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\*"/>
+      <ntfs_exclude path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\History.plist*"/>
+      <ntfs_exclude path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\Downloads.plist*"/>
+      <ntfs_exclude path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\Cookies.*"/>
+    </sample>
+
+    <sample name="Safari_Vista_Artefacts">
+      <ntfs_find path_match="\Users\*\AppData\*\Apple Computer\Safari\*"/>
+      <ntfs_exclude path_match="\Users\*\AppData\*\Apple Computer\Safari\History.plist*"/>
+      <ntfs_exclude path_match="\Users\*\AppData\*\Apple Computer\Safari\Downloads.plist*"/>
+      <ntfs_exclude path_match="\Users\*\AppData\*\Apple Computer\Safari\Cookies.*"/>
+    </sample>
+
+    <sample name="IE_XP_Artefacts">
+      <!-- IE sous XP -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Temporary Internet Files\*\Content.IE5\*.dat"/>
+      <!-- IE 7-8 sous XP uniquement -->
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Microsoft\*\Credentials\*"/>
+      <!-- IE 8 sous XP uniquement -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\*Active\*.dat"/>
+    </sample>
+
+    <sample name="IE_Vista_Artefacts">
+      <!-- IE 7-9 sous Vista+ -->
+      <ntfs_find path_match="\Users\*\AppData\Local\*\Temporary Internet Files\*\Content.IE5\*.dat"/>
+      <!-- IE 8-9 sous Vista et 7 -->
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\PrivacIE\*index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\IETldCache\*index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\Feeds Cache\index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\*\Microsoft\Internet Explorer\DOMStore\index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Internet Explorer\Recovery\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Internet Explorer\UserData\*.dat"/>
+      <!-- IE 11 sous 7,8.1 et 10 -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\INetCache\*"/>
+    </sample>
+
+    <sample name="Edge_Spartan_Artefacts">
+      <!-- Edge ancienne version -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\*\DBStore\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\Favorites\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\ExtensionsByteCodeCache\Extensions\EdgeExtension_*_f8jsg5mm64m62\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\User\Default\DOMStore\*.xml"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\*.dat"/>
+      <ntfs_find path_match="\Users\*\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\*\Favorites\*_Icon.ico"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\Cache\*"/>
+    </sample>
+
+    <sample name="Edge_Anhaeim_Artefacts">
+      <!-- Edge nouvelle version basée sur Chromium -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension Cookies"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension Activity\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Current Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Current Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Last Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Last Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\QuotaManager"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Web data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\*Cache\*"/>
+    </sample>
+
+  </samples>
+</getthis>
+
diff --git a/config/GetBrowsersComplet_offline_config.xml b/config/GetBrowsersComplet_offline_config.xml
new file mode 100644
index 0000000..9e433b0
--- /dev/null
+++ b/config/GetBrowsersComplet_offline_config.xml
@@ -0,0 +1,213 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>
+  <!-- Configuration pour récupérer tous les artefacts intéressants correspond à GetBrowsersHistory + GetBrowsersCache + d'autres artefacts d'usage plus situationel -->
+    <sample name="Firefox_XP_Complet">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\profiles.ini"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\bookmarkbackups\bookmarks*.jsonlz4"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\content-prefs.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\addons.json"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions.ini"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions.json"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\extensions\*.xpi"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage\default\*\cache\caches.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\storage\default\*\idb\*.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\permissions.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\prefs.js"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\webappsstore.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\key*.db"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore.js"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.js*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\formhistory.sqlite"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cert*.db"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\datareporting\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\saved-telemetry-pings\*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\cache2\entries\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\cache2\index*"/>
+    </sample>
+
+    <sample name="Firefox_Vista_Complet">
+      <!-- Old versions -->
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite"/>
+      <!-- Current version -->
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\profiles.ini"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Mozilla\Firefox\Crash Reports\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups\bookmarks*.jsonlz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\content-prefs.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions\*.xpi"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage\default\*\cache\caches.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage\default\*\idb\*.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\prefs.js"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappsstore.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\key*.db"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\logins.json"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore.jsonlz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.jsonlz4*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups\*.baklz4"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicon.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cert*.db"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\datareporting\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\saved-telemetry-pings\*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\cache2\entries\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\cache2\index*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\jumpListCache\*.ico"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Mozilla\Firefox\Profiles\*\thumbnails\*.png"/>
+    </sample>
+
+    <sample name="Chrome_XP_Complet">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Bookmarks*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\History*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Archived History*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Cookies*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Web Data*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Preferences*"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Cache\*"/>
+    </sample>
+
+    <sample name="Chrome_50_Complet"> <!-- L'étoile après Chrome c'est pour inclure Canary -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Bookmarks"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Archived History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Visited Links"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Cookies*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension Cookies"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension Activity\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Extension State\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Current Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Current Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Last Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Last Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\QuotaManager"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Web data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Thumbnails"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Preferences"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\*Cache\*"/>
+    </sample>
+
+
+    <sample name="Safari_XP_Complet">
+      <!-- A affiner -->
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\*"/>
+    </sample>
+
+    <sample name="Safari_Vista_Complet">
+      <!-- A affiner -->
+      <ntfs_find path_match="\Users\*\AppData\*\Apple Computer\Safari\*"/>
+    </sample>
+
+    <sample name="IE_XP_Complet">
+      <!-- IE sous XP -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\History\History.ie5\*.dat"/>
+      <ntfs_find path_match="\Documents and Settings\*\Cookies\*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Temporary Internet Files\*\Content.IE5\*.dat"/>
+      <!-- IE 7-8 sous XP uniquement -->
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Microsoft\*\Credentials\*"/>
+      <!-- IE 8 sous XP uniquement -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\*Active\*.dat"/>
+    </sample>
+
+    <sample name="IE_Vista_Complet">
+      <!-- IE 7-9 sous Vista+ -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\*\History.ie5\*\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\*\Temporary Internet Files\*\Content.IE5\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Cookies\*"/>
+      <!-- IE 8-9 sous Vista et 7 -->
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\PrivacIE\*index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\IETldCache\*index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\Feeds Cache\index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\*\Microsoft\Internet Explorer\DOMStore\index.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Internet Explorer\Recovery\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Internet Explorer\UserData\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat"/>
+      <!-- IE 10 sous 7 SP1 et 8 -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.log"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.jrs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.chk"/>
+      <!-- IE 11 sous 7,8.1 et 10 -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\INetCache\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\INetCookies\*"/>
+    </sample>
+
+    <sample name="Edge_Spartan_Complet">
+      <!-- Edge ancienne version -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\*\DBStore\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_*\AC\MicrosoftEdge\User\Default\Favorites\*"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.log"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.jrs"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.jfm"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.chk"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\ExtensionsByteCodeCache\Extensions\EdgeExtension_*_f8jsg5mm64m62\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\User\Default\DOMStore\*.xml"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\*.dat"/>
+      <ntfs_find path_match="\Users\*\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\*\Favorites\*_Icon.ico"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!*\MicrosoftEdge\Cache\*"/>
+    </sample>
+
+    <sample name="Edge_Anhaeim_Complet">
+      <!-- Edge nouvelle version basée sur Chromium -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Bookmarks"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Archived History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Cookies*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension Cookies"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension Activity\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Login Data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Current Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Current Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Last Session"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Last Tabs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Favicons*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\QuotaManager"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Web data*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Preferences"/>
+      <!-- Cache -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\*Cache\*"/>
+    </sample>
+    
+    <sample name="Flash_Player_Complet">
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Macromedia\FlashPlayer\#SharedObjects\*.sol"/>
+    </sample>
+
+  </samples>
+</getthis>
+
diff --git a/config/GetBrowsersHistory_config.xml b/config/GetBrowsersHistory_config.xml
new file mode 100644
index 0000000..e3cd56b
--- /dev/null
+++ b/config/GetBrowsersHistory_config.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <output compression="fast" />
+  <location>*</location>
+  <samples MaxPerSampleBytes="128MB" MaxTotalBytes="512MB" MaxSampleCount="200000">
+    <!-- Fichier de configuration pour la récupération de l'historique de navigation, de téléchargement et les cookies -->
+    <sample name="Firefox_XP_History">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\places.sqlite*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\downloads.sqlite*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Mozilla\Firefox\Profiles\*\cookies.sqlite*"/>
+    </sample>
+
+    <sample name="Firefox_Vista_History">
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*"/>
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*"/>
+    </sample>
+
+    <sample name="Chrome_XP_History">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\History*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Cookies*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Google\Chrome\User Data\Default\Archived History*"/>
+    </sample>
+
+    <sample name="Chrome_Vista_History"> <!-- L'étoile après Chrome c'est pour inclure Canary -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Archived History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Google\Chrome*\User Data\Default\Cookies*"/>
+    </sample>
+
+    <sample name="Safari_XP_History">
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\History.plist*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\Downloads.plist*"/>
+      <ntfs_find path_match="\Documents and Settings\*\Application Data\Apple Computer\Safari\Cookies.*"/>
+    </sample>
+
+    <sample name="Safari_Vista_History">
+      <ntfs_find path_match="\Users\*\AppData\*\Apple Computer\Safari\History.plist*"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Apple Computer\Safari\Downloads.plist*"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Apple Computer\Safari\Cookies.*"/>
+    </sample>
+
+    <sample name="IE_XP_History">
+      <!-- IE sous XP -->
+      <ntfs_find path_match="\Documents and Settings\*\Local Settings\History\History.ie5\*.dat"/>
+      <ntfs_find path_match="\Documents and Settings\*\Cookies\*"/>
+    </sample>
+
+    <sample name="IE_Vista_History">
+      <!-- IE 7-9 sous Vista+ -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\*\History.ie5\*\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Cookies\*"/>
+      <!-- IE 8-9 sous Vista et 7 -->
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat"/>
+      <!-- IE 10 sous 7 SP1 et 8 -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.log"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.jrs"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\WebCache\*.chk"/>
+      <!-- IE 11 sous 7,8.1 et 10 -->
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\INetCookies\*"/>
+    </sample>
+
+    <sample name="Edge_Spartan_History">
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.dat"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.log"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.jrs"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.jfm"/>
+      <ntfs_find path_match="\Users\*\AppData\*\Microsoft\Windows\WebCache\*.chk"/>
+    </sample>
+
+    <sample name="Edge_Anhaeim_History">
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Archived History*"/>
+      <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Edge\User Data\Default\Cookies*"/>
+    </sample>
+    
+    <sample name="Flash_Player_History">
+      <ntfs_find path_match="\Users\*\AppData\Roaming\Macromedia\FlashPlayer\#SharedObjects\*.sol"/>
+    </sample>
+
+  </samples>
+</getthis>
+
diff --git a/config/GetCatRoot_config.xml b/config/GetCatRoot_config.xml
new file mode 100755
index 0000000..e0398ed
--- /dev/null
+++ b/config/GetCatRoot_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+ <output compression="fast" /> 
+  <location>%SystemDrive%\</location>
+  <samples MaxPerSampleBytes="50MB" MaxTotalBytes="550MB" MaxSampleCount="200000">
+    <sample name="CatRoot">
+      <ntfs_find name_match="*.cat" header_hex="30" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetCatRoot_offline_config.xml b/config/GetCatRoot_offline_config.xml
new file mode 100644
index 0000000..d8848e4
--- /dev/null
+++ b/config/GetCatRoot_offline_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="" >
+  <output compression="fast" /> 
+  <location>%OfflineLocation%</location>
+  <samples> <!-- MaxPerSampleBytes="50MB" MaxSampleCount="15000" MaxTotalBytes="250MB"> -->
+    <sample name="CatRoot">
+      <ntfs_find name_match="*.cat" header_hex="30"/>
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetEVT_config.xml b/config/GetEVT_config.xml
new file mode 100755
index 0000000..5ec3d17
--- /dev/null
+++ b/config/GetEVT_config.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>%SystemDrive%\</location>
+  <samples MaxPerSampleBytes="3GB" MaxTotalBytes="25GB" MaxSampleCount="200000">
+    <sample name="evtx">
+      <ntfs_find name_match="*.evtx" header="ElfFile" />
+    </sample>
+    <sample name="evt">
+      <ntfs_find name_match="*.evt" header_hex="300000004c664c65" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetEVT_little_config.xml b/config/GetEVT_little_config.xml
new file mode 100644
index 0000000..f53532c
--- /dev/null
+++ b/config/GetEVT_little_config.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<getthis reportall="" hash="none">
+    <!-- <output compression="ultra" /> -->
+    <location>%SystemDrive%\</location>
+    <samples MaxPerSampleBytes="3GB" MaxTotalBytes="25GB" MaxSampleCount="200000">
+        <sample name="evtx">
+            <!-- Exclude some notoriously big event logs -->
+            <ntfs_exclude name="Microsoft-Windows-Storage-Storport%4Operational.evtx" />
+            <ntfs_exclude name="Microsoft-Windows-Store%4Operational.evtx" />
+            <ntfs_exclude name_match="Archive-*.evtx" />
+            <ntfs_exclude name_match="microsoft-exchange-activemonitoring*.evtx" />
+            <ntfs_exclude name_match="*%4diagnostic.evtx" />
+            <ntfs_exclude name_match="microsoft-windows-hcs-*.evtx" />
+            <ntfs_exclude name="microsoft office web apps.evtx" />
+            <ntfs_exclude name_match="microsoft-team foundation server-*.evtx" />
+            <!-- Target the collection of event logs in the "default" path only. -->
+            <ntfs_find path_match="\Windows\System32\WinEVT\logs\*.evtx" />
+        </sample>
+        <sample name="evt">
+            <!-- Target the collection of event logs in the "default" path only. -->
+            <ntfs_find path_match="\Windows\System32\Config\*.evt" header_hex="300000004c664c65" />
+        </sample>
+    </samples>
+</getthis>
diff --git a/config/GetEVT_offline_config.xml b/config/GetEVT_offline_config.xml
new file mode 100644
index 0000000..775fae9
--- /dev/null
+++ b/config/GetEVT_offline_config.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>  <!-- MaxPerSampleBytes="3000MB" MaxSampleCount="300" MaxTotalBytes="1024MB"> --> 
+    <sample name="evtx">
+      <ntfs_find name_match="*.evtx" header="ElfFile" />
+    </sample>
+    <sample name="evt">
+      <ntfs_find name_match="*.evt" header_hex="300000004c664c65" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetEXE_TMP_offline_config.xml b/config/GetEXE_TMP_offline_config.xml
new file mode 100644
index 0000000..b89e2f7
--- /dev/null
+++ b/config/GetEXE_TMP_offline_config.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <output password="avproof" />
+  <samples> <!-- MaxPerSampleBytes="10MB" MaxSampleCount="512" MaxTotalBytes="200MB"> -->
+    <sample name="EXE_TMP">
+      <ntfs_exclude path_match="*\WorkingTemp\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Local Settings\Temp\*" header="MZ" />
+      <ntfs_find path_match="\Users\*\AppData\*" header="MZ" />
+      <ntfs_find path_match="\Documents And Settings\*\Application Data\*" header="MZ" />
+      <ntfs_find path_match="\RECYCLER\*" header="MZ" />
+	  <ntfs_find path_match="\$Recycle.bin\*" header="MZ" />	  
+	  <ntfs_find path_match="\Windows\Temp\*" header="MZ" />	
+	  <ntfs_find path_match="\Temp\*" header="MZ" />	  	  
+	  <ntfs_find path_match="\System Volume Information\*" header="MZ" />	  	  
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetErrors_config.xml b/config/GetErrors_config.xml
new file mode 100755
index 0000000..39374fb
--- /dev/null
+++ b/config/GetErrors_config.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>%SystemDrive%\</location>
+  <samples MaxPerSampleBytes="512MB" MaxTotalBytes="2GB" MaxSampleCount="200000">
+    <sample name="minidump">
+      <ntfs_find path_match="\Windows\Minidump\*" />
+      <ntfs_find name_match="*.mdmp" />
+    </sample>
+    <sample name="WER">
+      <ntfs_find name_match="*.wer" />
+	  <ntfs_find name_match="WER*.sysdata.xml" />
+    </sample>
+    <sample name="Drwtsn">
+      <ntfs_find name="Drwtsn32.log" />
+    </sample>
+    <sample name="memory_dmp" MaxTotalBytes="800MB">
+      <ntfs_find name_match="*memory.dmp" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetErrors_offline_config.xml b/config/GetErrors_offline_config.xml
new file mode 100644
index 0000000..53aca3e
--- /dev/null
+++ b/config/GetErrors_offline_config.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples> <!-- MaxPerSampleBytes="5MB" MaxSampleCount="1024" MaxTotalBytes="150GB"> -->
+    <sample name="minidump">
+      <ntfs_find path_match="\Windows\Minidump\*"/>
+      <ntfs_find name_match="*.mdmp"/>
+    </sample>
+    <sample name="WER">
+      <ntfs_find name_match="*.wer"/>
+	  <ntfs_find name_match="WER*.sysdata.xml"/>
+    </sample>
+    <sample name="Drwtsn">
+      <ntfs_find name="Drwtsn32.log"/>
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetExeTMP_config.xml b/config/GetExeTMP_config.xml
new file mode 100755
index 0000000..8aaf884
--- /dev/null
+++ b/config/GetExeTMP_config.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>*</location>
+  <output password="avproof" />
+  <samples MaxPerSampleBytes="10MB" MaxTotalBytes="512MB" MaxSampleCount="200000">
+	<sample name="EXE_TMP">
+      <ntfs_exclude path_match="*\WorkingTemp\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Local Settings\Temp\*" header="MZ" />
+      <ntfs_find path_match="\Users\*\AppData\*" header="MZ" />
+      <ntfs_find path_match="\Documents And Settings\*\Application Data\*" header="MZ" />
+      <ntfs_find path_match="\RECYCLER\*" header="MZ" />
+	  <ntfs_find path_match="\$Recycle.bin\*" header="MZ" />	  
+	  <ntfs_find path_match="\Windows\Temp\*" header="MZ" />	  	  
+	  <ntfs_find path_match="\Temp\*" header="MZ" />
+	  <ntfs_find path_match="\System Volume Information\*" header="MZ" />	  	  
+	</sample>
+  </samples>
+</getthis>
diff --git a/config/GetExtAttrs_config.xml b/config/GetExtAttrs_config.xml
new file mode 100755
index 0000000..dbb3c30
--- /dev/null
+++ b/config/GetExtAttrs_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<getthis reportall="">
+  <location>*</location>
+  <samples MaxPerSampleBytes="5MB" MaxTotalBytes="256MB" MaxSampleCount="200000">
+    <sample name="extAttrs">
+      <ntfs_find ea_match="?*" />
+      <ntfs_exclude path="\$Extent\$UsnJrnl" ads="$J" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetExtAttrs_offline_config.xml b/config/GetExtAttrs_offline_config.xml
new file mode 100644
index 0000000..b953ab7
--- /dev/null
+++ b/config/GetExtAttrs_offline_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>
+    <sample name="extAttrs">
+      <ntfs_find ea_match="?*" />
+      <ntfs_exclude path="\$Extent\$UsnJrnl" ads="$J" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetFuzzyHash_config.xml b/config/GetFuzzyHash_config.xml
new file mode 100755
index 0000000..c23f643
--- /dev/null
+++ b/config/GetFuzzyHash_config.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+
+<getthis reportall="">
+  <location>*</location>
+  <samples MaxSampleCount="0">
+    <sample name="FuzzyHash">
+      <ntfs_exclude path_match="*\WorkingTemp\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Local Settings\Temp\*" />
+      <ntfs_find path_match="\Users\*\AppData\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Application Data\*" />
+      <ntfs_find path_match="\RECYCLER\*" />
+      <ntfs_find path_match="\$Recycle.bin\*" />
+      <ntfs_find path_match="\Windows\Temp\*" />
+      <ntfs_find path_match="\Temp\*" />
+      <ntfs_find path_match="\System Volume Information\*" />
+    </sample>
+  </samples>
+</getthis> 
\ No newline at end of file
diff --git a/config/GetFuzzyHash_offline_config.xml b/config/GetFuzzyHash_offline_config.xml
new file mode 100755
index 0000000..2ead87c
--- /dev/null
+++ b/config/GetFuzzyHash_offline_config.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+
+<getthis reportall="">
+  <location>%OfflineLocation%</location>
+  <samples MaxSampleCount="0">
+    <sample name="FuzzyHash">
+      <ntfs_exclude path_match="*\WorkingTemp\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Local Settings\Temp\*" />
+      <ntfs_find path_match="\Users\*\AppData\*" />
+      <ntfs_find path_match="\Documents And Settings\*\Application Data\*" />
+      <ntfs_find path_match="\RECYCLER\*" />
+      <ntfs_find path_match="\$Recycle.bin\*" />
+      <ntfs_find path_match="\Windows\Temp\*" />
+      <ntfs_find path_match="\Temp\*" />
+      <ntfs_find path_match="\System Volume Information\*" />
+    </sample>
+  </samples>
+</getthis> 
\ No newline at end of file
diff --git a/config/GetHives_offline_config.xml b/config/GetHives_offline_config.xml
new file mode 100644
index 0000000..0dcb758
--- /dev/null
+++ b/config/GetHives_offline_config.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="" >
+  <location>%OfflineLocation%</location>
+  <samples> <!-- MaxPerSampleBytes="300MB" MaxSampleCount="100" MaxTotalBytes="1024MB"> -->
+    <sample>
+      <ntfs_find name="SECURITY" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="SOFTWARE" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="SYSTEM" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="COMPONENTS" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="DEFAULT" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="BCD-Template" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="syscache.hve" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="UserDiff" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="ELAM" header="regf" />
+    </sample>
+    <sample>
+        <ntfs_find name="Amcache.hve" header="regf" />
+        <ntfs_find name="Amcache.hve.tmp" />
+        <ntfs_find name="Amcache.hve.log1" />
+        <ntfs_find name="Amcache.hve.log2" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetMFT_config.xml b/config/GetMFT_config.xml
new file mode 100644
index 0000000..daff17a
--- /dev/null
+++ b/config/GetMFT_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis nolimits="">
+ <output compression="fast" /> 
+  <location>%SystemDrive%</location>
+  <samples>
+    <sample name="MFT">
+      <ntfs_find path="\$MFT" />
+    </sample>
+  </samples>
+</getthis>
\ No newline at end of file
diff --git a/config/GetMemDmp_config.xml b/config/GetMemDmp_config.xml
new file mode 100755
index 0000000..0202046
--- /dev/null
+++ b/config/GetMemDmp_config.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <output compression="fast" />
+  <location shadows="yes">%SystemDrive%\</location>
+  <!-- Destiné à la collecte de full dumps au coup par coup. Une entrée similaire est présente dans GetErrors pour la collecte des dumps partiels -->
+  <!-- En mode offline pas de limite -->
+  <samples MaxPerSampleBytes="100GB" MaxTotalBytes="150GB">
+    <sample name="memory_dump">
+      <ntfs_find name_match="*memory.dmp" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetMemDmp_offline_config.xml b/config/GetMemDmp_offline_config.xml
new file mode 100644
index 0000000..e1954d7
--- /dev/null
+++ b/config/GetMemDmp_offline_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="" >
+  <output compression="fast" />
+  <location >%OfflineLocation%</location>
+  <samples> <!-- MaxSampleCount="5" MaxPerSampleBytes="100GB" MaxTotalBytes="100GB" > --> 
+    <sample name="memory_dump">
+      <ntfs_find name_match="*memory.dmp"/>
+    </sample>
+  </samples>
+</getthis>
+
diff --git a/config/GetResidents_config.xml b/config/GetResidents_config.xml
new file mode 100755
index 0000000..0b14ac7
--- /dev/null
+++ b/config/GetResidents_config.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0"?>
+
+<getthis reportall="">
+  <output compression="fast" />
+  <location>*</location>
+  <samples MaxTotalBytes="200MB" MaxSampleCount="100000" MaxPerSampleBytes="1KB"  >
+
+  <sample name="fichiers_residents" >
+        <ntfs_find size_le="750" size_gt="0" />
+    </sample>
+
+   </samples>
+</getthis>
diff --git a/config/GetResidents_offline_config.xml b/config/GetResidents_offline_config.xml
new file mode 100755
index 0000000..fd2c189
--- /dev/null
+++ b/config/GetResidents_offline_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <output compression="fast" />
+  <location>%OfflineLocation%</location>
+  <samples>  
+	<sample name="fichiers_residents">
+        <ntfs_find size_le="750" size_gt="0" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSAM_hive_offline_config.xml b/config/GetSAM_hive_offline_config.xml
new file mode 100644
index 0000000..3725ec8
--- /dev/null
+++ b/config/GetSAM_hive_offline_config.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples>
+    <sample>
+        <ntfs_find name="SAM" header="regf" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSDS_config.xml b/config/GetSDS_config.xml
new file mode 100755
index 0000000..863e7e6
--- /dev/null
+++ b/config/GetSDS_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>%SystemDrive%\</location>
+  <samples MaxSampleCount="2" MaxTotalBytes="512MB">
+    <sample>
+      <ntfs_find name="$Secure" ads="$SDS" />
+      <ntfs_find attr_name="$SII" attr_type="$INDEX_ALLOCATION" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSDS_offline_config.xml b/config/GetSDS_offline_config.xml
new file mode 100644
index 0000000..54af970
--- /dev/null
+++ b/config/GetSDS_offline_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <samples> 
+    <sample>
+      <ntfs_find name="$Secure" ads="$SDS" />
+      <ntfs_find attr_name="$SII" attr_type="$INDEX_ALLOCATION"/>
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSamHive_config.xml b/config/GetSamHive_config.xml
index ce19255..f6ef2c5 100755
--- a/config/GetSamHive_config.xml
+++ b/config/GetSamHive_config.xml
@@ -1,9 +1,9 @@
 <?xml version="1.0"?>
 <getthis reportall="" flushregistry="yes">
-    <location shadows="yes">%SystemDrive%</location>
-    <samples MaxPerSampleBytes="300MB" MaxTotalBytes="512MB">
-        <sample>
-            <ntfs_find name="SAM" header="regf"/>
-        </sample>
-    </samples>
-</getthis>
\ No newline at end of file
+  <location shadows="yes" >%SystemDrive%\</location>
+  <samples MaxPerSampleBytes="300MB" MaxTotalBytes="512MB">
+    <sample>
+        <ntfs_find name="SAM" header="regf" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSamples_config.xml b/config/GetSamples_config.xml
new file mode 100755
index 0000000..99977fa
--- /dev/null
+++ b/config/GetSamples_config.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<getsamples>
+    <getthis name="getthis.exe" run="self:#" args="getthis" />
+    <output password="avproof" />
+    <samples MaxPerSampleBytes="16MB" MaxTotalBytes="512MB" MaxSampleCount="200000"/>
+</getsamples>
diff --git a/config/GetScript_config.xml b/config/GetScript_config.xml
new file mode 100755
index 0000000..f2ac170
--- /dev/null
+++ b/config/GetScript_config.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <location>*</location>
+  <output password="avproof"/>
+  
+  <samples MaxPerSampleBytes="512KB" MaxTotalBytes="150MB" MaxSampleCount="200000">
+    <sample name="job">
+        <ntfs_find name_match="*.job" />
+    </sample>   
+    <sample name="job_xml">
+        <ntfs_find path_match="\Windows\Tasks\*"  />
+        <ntfs_find path_match="\Windows\System32\Tasks\*" />
+    </sample>
+    <sample name="ps_jobs">
+        <ntfs_find path_match="\Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*"/>
+    </sample>
+    <sample name="py">
+        <ntfs_find name_match="*.py" />
+        <ntfs_find name_match="*.pyc" />
+    </sample>
+	<sample name="lua">
+        <ntfs_find name_match="*.lua" />
+    </sample>
+    <sample name="kixtart">
+        <ntfs_find name_match="*.kix" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetScript_little_config.xml b/config/GetScript_little_config.xml
new file mode 100644
index 0000000..f1fff88
--- /dev/null
+++ b/config/GetScript_little_config.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0"?>
+<getthis reportall="" hash="SHA1">
+    <output compression="ultra" password="avproof"/>
+    <location>%SystemDrive%</location>
+    <samples MaxPerSampleBytes="512KB" MaxTotalBytes="150MB" MaxSampleCount="200000">
+        <sample name="vbs_vbe">
+            <ntfs_find name_match="*.vbs" />
+            <ntfs_find name_match="*.vbe" />
+        </sample>
+        <sample name="bat">
+            <ntfs_find name_match="*.bat" />
+        </sample>
+        <sample name="cmd">
+            <ntfs_find name_match="*.cmd" />
+        </sample>
+        <sample name="ps1">
+            <ntfs_find name_match="*.ps1" />
+        </sample>
+        <sample name="excel_macro">
+            <ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Excel\XLStart" />
+            <ntfs_find path_match="\Documents and Settings\*\Application Data\Microsoft\Excel\XLStart" />
+            <ntfs_find path_match="\Program Files\Microsoft Office\*\XLSTART" />
+        </sample>
+    </samples>
+</getthis>
diff --git a/config/GetScript_offline_config.xml b/config/GetScript_offline_config.xml
new file mode 100644
index 0000000..c594bec
--- /dev/null
+++ b/config/GetScript_offline_config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="">
+  <location>%OfflineLocation%</location>
+  <output password="avproof"/>
+  <samples> 
+    <sample name="job">
+        <ntfs_find name_match="*.job" />
+    </sample>
+    <sample name="job_xml">
+        <ntfs_find path_match="\Windows\Tasks\*" />
+		<ntfs_find path_match="\Windows\System32\Tasks\*" />
+    </sample>
+    <sample name="vbs_vbe">
+        <ntfs_find name_match="*.vbs" />
+        <ntfs_find name_match="*.vbe" />
+    </sample>
+    <sample name="bat">
+        <ntfs_find name_match="*.bat" />
+    </sample>
+    <sample name="cmd">
+        <ntfs_find name_match="*.cmd" />
+    </sample>
+    <sample name="ps1">
+        <ntfs_find name_match="*.ps1" />
+    </sample>
+	<sample name="py">
+        <ntfs_find name_match="*.py" />
+        <ntfs_find name_match="*.pyc" />
+    </sample>
+	<sample name="lua">
+        <ntfs_find name_match="*.lua" />
+    </sample>
+	<sample name="kixtart">
+        <ntfs_find name_match="*.kix" />
+    </sample>
+	<sample name="excel_macro">
+	<ntfs_find path_match="\Users\*\AppData\Roaming\Microsoft\Excel\XLStart"/>
+	<ntfs_find path_match="\Documents and Settings\*\Application Data\Microsoft\Excel\XLStart"/>
+	<ntfs_find path_match="\Program Files\Microsoft Office\*\XLSTART"/>	
+    </sample>		
+  </samples>
+</getthis>
diff --git a/config/GetSystemHives_config.xml b/config/GetSystemHives_config.xml
index 33ffe4d..a0bca66 100755
--- a/config/GetSystemHives_config.xml
+++ b/config/GetSystemHives_config.xml
@@ -1,21 +1,39 @@
 <?xml version="1.0"?>
 <getthis reportall="" flushregistry="yes">
-    <location>%SystemRoot%</location>
-    <samples MaxPerSampleBytes="500MB" MaxTotalBytes="2048MB">
-        <sample>
-            <ntfs_find name="SECURITY" header="regf"/>
-        </sample>
-        <sample>
-            <ntfs_find name="SOFTWARE" header="regf"/>
-        </sample>
-        <sample>
-            <ntfs_find name="SYSTEM" header="regf"/>
-        </sample>
-        <sample>
-            <ntfs_find name="COMPONENTS" header="regf"/>
-        </sample>
-        <sample>
-            <ntfs_find name="DEFAULT" header="regf"/>
-        </sample>
-    </samples>
-</getthis>
\ No newline at end of file
+  <location>%SystemDrive%</location>
+  <samples MaxPerSampleBytes="500MB" MaxTotalBytes="2048MB">
+    <sample>
+      <ntfs_find name="SECURITY" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="SOFTWARE" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="SYSTEM" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="COMPONENTS" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="DEFAULT" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="BCD-Template" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="syscache.hve" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="UserDiff" header="regf" />
+    </sample>
+    <sample>
+      <ntfs_find name="ELAM" header="regf" />
+    </sample>
+    <sample>
+        <ntfs_find name="Amcache.hve" header="regf" />
+        <ntfs_find name="Amcache.hve.tmp" />
+        <ntfs_find name="Amcache.hve.log1" />
+        <ntfs_find name="Amcache.hve.log2" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetSystemHives_little_config.xml b/config/GetSystemHives_little_config.xml
new file mode 100755
index 0000000..47f9f07
--- /dev/null
+++ b/config/GetSystemHives_little_config.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0"?>
+<getthis reportall="" flushregistry="yes">
+  <location>%SystemDrive%</location>
+  <samples MaxPerSampleBytes="500MB" MaxTotalBytes="2048MB">
+    <sample>
+        <ntfs_find name="Amcache.hve" header="regf" />
+        <ntfs_find name="Amcache.hve.tmp" />
+        <ntfs_find name="Amcache.hve.log1" />
+        <ntfs_find name="Amcache.hve.log2" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetTextLogs_config.xml b/config/GetTextLogs_config.xml
new file mode 100755
index 0000000..694b95c
--- /dev/null
+++ b/config/GetTextLogs_config.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0"?>
+<getthis reportall="">
+  <output compression="fast"/>
+  <location>%SystemDrive%\</location>
+  <samples MaxPerSampleBytes="150MB" MaxTotalBytes="2GB" MaxSampleCount="200000">
+    <sample name="network" MaxTotalBytes="200MB">
+      <ntfs_find path_match="*\system32\dns\*.log" />
+      <ntfs_find path_match="*\system32\dhcp\*.log" />
+      <ntfs_find name="pfirewall.log" />
+      <ntfs_find path_match="*\system32\drivers\etc\*" />
+    </sample>
+
+    <sample name="divers" MaxTotalBytes="200MB">
+      <ntfs_find name="SchedLgU.txt" />
+      <ntfs_find name_match="setupapi*.log" />
+      <ntfs_find name="mrt.log" />
+      <ntfs_find name="userenv.log" />
+      <ntfs_find name="userenv.bak" />
+    </sample>
+
+    <sample name="AV_log" MaxTotalBytes="200MB">
+        <!-- Avast https://forum.avast.com/index.php?topic=212738.0 -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Avast Software\Avast\Log\*" />
+        <ntfs_find path_match="\ProgramData\Avast Software\Avast\Log\*" />
+        <ntfs_find path_match="\Users\*\Avast Software\Avast\Log\*" />
+        <!-- Avira https://support.avira.com/hc/en/community/posts/360006303377-How-To-Check-My-Scan-Logs -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Avira\Antivirus\LOGFILES\*" />
+        <ntfs_find path_match="\ProgramData\Avira\Antivirus\LOGFILES\*" />
+        <!-- BitDefender https://www.bitdefender.com/consumer/support/answer/1477/ -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\*.xml" />
+        <ntfs_find path_match="\ProgramData\BitDefender\Desktop\Profiles\Logs\*.xml" />
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Bitdefender\Endpoint Security\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Bitdefender\Endpoint Security\Logs\*" />
+        <!-- Ivanti/Bitdefender https://forums.ivanti.com/s/question/0D51B00005TOuJcSAL/bitdefender-logs -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Ivanti\Endpoint\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Ivanti\Endpoint\Logs\*" />
+        <!-- ESET https://github.com/laciKE/EsetLogParser -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\ESET\*\Logs\virlog.dat" />
+        <ntfs_find path_match="\ProgramData\ESET\*\Logs\virlog.dat" />
+        <!-- F-Secure (old ?) https://community.f-secure.com/en/discussion/107401/no-log-file -->
+        <ntfs_find path_match="\Program Files*\F-Secure\Common\Logfile.log" />
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\F-Secure\Log\*" />
+        <ntfs_find path_match="\ProgramData\F-Secure\Log\*" />
+        <ntfs_find path_match="\Users\*\AppData\Local\F-Secure\Log\*" />
+        <!-- McAfee EndpointSecurity https://docs.mcafee.com/bundle/endpoint-security-10.6.0-common-client-product-guide-windows/page/GUID-2E289950-D6E3-4F7F-93EE-998790E5E028.html -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs\*.log" />
+        <ntfs_find path_match="\ProgramData\McAfee\Endpoint Security\Logs\*.log" />
+        <!-- McAfee DesktopProtection http://virusscan.helpmax.net/fr/partie%C2%A0iv-surveillance-analyse-et-parametrage-de-votre-protection/surveillance-de-lactivite-de-votre-environnement/outils-de-surveillance-de-lactivite/utilisation-des-journaux-dactivite/ -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\*.txt" />
+        <ntfs_find path_match="\ProgramData\McAfee\DesktopProtection\*.txt" />
+        <!-- Sophos https://community.sophos.com/kb/en-us/43391 -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Sophos\Sophos *\Logs\*" />
+        <!-- Symantec Endpoint Protection https://knowledge.broadcom.com/external/article/152795/where-can-i-find-endpoint-protection-cli.html -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\*.log" /> <!-- wildcard * is greedy and recursive, this will match all .log files anywhere inside the subtree -->
+        <ntfs_find path_match="\ProgramData\Symantec\Symantec Endpoint Protection\*.log" />
+        <!-- Windows Defender and Kaspersky handle their logs in the Windows Event Log. TrendMicro remains unclear... -->
+    </sample>
+
+    <sample name="hives_log" MaxSampleCount="100" MaxTotalBytes="150MB">
+      <ntfs_find name_match="ntuser*.log*" />
+      <ntfs_find name_match="amcach*.log*" />
+      <ntfs_find name_match="usrcla*.log*" />
+      <ntfs_find name_match="settin*.log*" />
+      <ntfs_find name_match="sam*.log*" />
+      <ntfs_find name_match="securi*.log*" />
+      <ntfs_find name_match="softwa*.log*" />
+      <ntfs_find name_match="system*.log*" />
+      <ntfs_find name_match="defaul*.log*" />
+    </sample>	
+	
+    <sample name="IIS_log" MaxPerSampleBytes="100MB" MaxTotalBytes="1500MB"> <!-- Réagencement des règles : les règles type match sont traitées dans l'ordre où elles apparaissent, il faut donc commencer par les plus restrictives. -->
+      <ntfs_find name_match="u_ex*.log" />
+    </sample>
+
+    <sample name="powershell_traces" MaxTotalBytes="100MB" >
+      <ntfs_find name="ConsoleHost_history.txt" />
+      <ntfs_find path_match="*\Appdata\Local\Microsoft\Windows\Powershell\CommandAnalysis\*" />
+      <ntfs_find path_match="*\Appdata\Local\Microsoft\Windows\Powershell\ModuleAnalysisCache" />
+    </sample>
+
+    <sample name=".log" MaxPerSampleBytes="100MB" MaxTotalBytes="450MB">
+      <ntfs_find name_match="*.log" />
+    </sample>
+
+</samples>
+  
+</getthis>
diff --git a/config/GetTextLogs_offline_config.xml b/config/GetTextLogs_offline_config.xml
new file mode 100644
index 0000000..18ebeb1
--- /dev/null
+++ b/config/GetTextLogs_offline_config.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="" >
+  <output compression="fast"/>
+  <location>%OfflineLocation%</location>
+  <samples> 
+    <sample name="network">
+      <ntfs_find path_match="*\system32\dns\*.log" />
+      <ntfs_find path_match="*\system32\dhcp\*.log" />
+      <ntfs_find name="pfirewall.log" />
+      <ntfs_find path_match="*\system32\drivers\etc\*" />
+    </sample>
+
+    <sample name="divers">
+      <ntfs_find name="SchedLgU.txt" />
+      <ntfs_find name_match="setupapi*.log" />
+      <ntfs_find name="mrt.log" />
+      <ntfs_find name="userenv.log" />
+      <ntfs_find name="userenv.bak" />
+    </sample>
+
+    <sample name="AV_log">
+        <!-- Avast https://forum.avast.com/index.php?topic=212738.0 -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Avast Software\Avast\Log\*" />
+        <ntfs_find path_match="\ProgramData\Avast Software\Avast\Log\*" />
+        <ntfs_find path_match="\Users\*\Avast Software\Avast\Log\*" />
+        <!-- Avira https://support.avira.com/hc/en/community/posts/360006303377-How-To-Check-My-Scan-Logs -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Avira\Antivirus\LOGFILES\*" />
+        <ntfs_find path_match="\ProgramData\Avira\Antivirus\LOGFILES\*" />
+        <!-- BitDefender https://www.bitdefender.com/consumer/support/answer/1477/ -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\*.xml" />
+        <ntfs_find path_match="\ProgramData\BitDefender\Desktop\Profiles\Logs\*.xml" />
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Bitdefender\Endpoint Security\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Bitdefender\Endpoint Security\Logs\*" />
+        <!-- Ivanti/Bitdefender https://forums.ivanti.com/s/question/0D51B00005TOuJcSAL/bitdefender-logs -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Ivanti\Endpoint\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Ivanti\Endpoint\Logs\*" />
+        <!-- ESET https://github.com/laciKE/EsetLogParser -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\ESET\*\Logs\virlog.dat" />
+        <ntfs_find path_match="\ProgramData\ESET\*\Logs\virlog.dat" />
+        <!-- F-Secure (old ?) https://community.f-secure.com/en/discussion/107401/no-log-file -->
+        <ntfs_find path_match="\Program Files*\F-Secure\Common\Logfile.log" />
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\F-Secure\Log\*" />
+        <ntfs_find path_match="\ProgramData\F-Secure\Log\*" />
+        <ntfs_find path_match="\Users\*\AppData\Local\F-Secure\Log\*" />
+        <!-- McAfee EndpointSecurity https://docs.mcafee.com/bundle/endpoint-security-10.6.0-common-client-product-guide-windows/page/GUID-2E289950-D6E3-4F7F-93EE-998790E5E028.html -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs\*.log" />
+        <ntfs_find path_match="\ProgramData\McAfee\Endpoint Security\Logs\*.log" />
+        <!-- McAfee DesktopProtection http://virusscan.helpmax.net/fr/partie%C2%A0iv-surveillance-analyse-et-parametrage-de-votre-protection/surveillance-de-lactivite-de-votre-environnement/outils-de-surveillance-de-lactivite/utilisation-des-journaux-dactivite/ -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\*.txt" />
+        <ntfs_find path_match="\ProgramData\McAfee\DesktopProtection\*.txt" />
+        <!-- Sophos https://community.sophos.com/kb/en-us/43391 -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Sophos\Sophos *\Logs\*" />
+        <ntfs_find path_match="\ProgramData\Sophos\Sophos *\Logs\*" />
+        <!-- Symantec Endpoint Protection https://knowledge.broadcom.com/external/article/152795/where-can-i-find-endpoint-protection-cli.html -->
+        <ntfs_find path_match="\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\*.log" /> <!-- wildcard * is greedy and recursive, this will match all .log files anywhere inside the subtree -->
+        <ntfs_find path_match="\ProgramData\Symantec\Symantec Endpoint Protection\*.log" />
+        <!-- Windows Defender and Kaspersky handle their logs in the Windows Event Log. TrendMicro remains unclear... -->
+    </sample>
+
+    <sample name="hives_log" >
+      <ntfs_find name_match="ntuser*.log*" />
+      <ntfs_find name_match="amcach*.log*" />
+      <ntfs_find name_match="usrcla*.log*" />
+      <ntfs_find name_match="settin*.log*" />
+      <ntfs_find name_match="sam*.log*" />
+      <ntfs_find name_match="securi*.log*" />
+      <ntfs_find name_match="softwa*.log*" />
+      <ntfs_find name_match="system*.log*" />
+      <ntfs_find name_match="defaul*.log*" />
+    </sample>	
+
+    <sample name="IIS_log">
+      <ntfs_find name_match="u_ex*.log" />
+    </sample>
+
+    <sample name="powershell_traces" >
+      <ntfs_find name="ConsoleHost_history.txt" />
+      <ntfs_find path_match="*\Appdata\Local\Microsoft\Windows\Powershell\CommandAnalysis\*" />
+      <ntfs_find path_match="*\Appdata\Local\Microsoft\Windows\Powershell\ModuleAnalysisCache" />
+    </sample>
+
+    <sample name=".log" >
+      <ntfs_find name_match="*.log" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetUserHives_config.xml b/config/GetUserHives_config.xml
index 3eae401..f284ec1 100755
--- a/config/GetUserHives_config.xml
+++ b/config/GetUserHives_config.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0"?>
 <getthis reportall="" flushregistry="yes">
-    <location>*</location>
-    <samples MaxPerSampleBytes="500MB" MaxTotalBytes="2048MB">
-        <sample>
-            <ntfs_find name="ntuser.dat" header="regf"/>
-            <ntfs_find name="UsrClass.dat" header="regf"/>
-        </sample>
-    </samples>
-</getthis>
\ No newline at end of file
+  <location>*</location>
+  <samples MaxPerSampleBytes="500MB" MaxTotalBytes="2048MB">
+    <sample>
+      <ntfs_find name="ntuser.dat" header="regf" />
+      <ntfs_find name="UsrClass.dat" header="regf" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetUserHives_offline_config.xml b/config/GetUserHives_offline_config.xml
new file mode 100644
index 0000000..c933b0b
--- /dev/null
+++ b/config/GetUserHives_offline_config.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<getthis reportall="" nolimits="" >
+  <location>%OfflineLocation%</location>
+  <samples> 
+    <sample>
+      <ntfs_find name="ntuser.dat" header="regf" />
+      <ntfs_find name="UsrClass.dat" header="regf" />
+    </sample>
+  </samples>
+</getthis>
diff --git a/config/GetYaraSamples_config.xml b/config/GetYaraSamples_config.xml
old mode 100755
new mode 100644
index c1134f2..b434f14
--- a/config/GetYaraSamples_config.xml
+++ b/config/GetYaraSamples_config.xml
@@ -1,12 +1,39 @@
 <?xml version="1.0"?>
+
 <getthis reportall="">
-    <output compression="fast"/>
-    <location>%SystemDrive%</location>
-    <yara block="20M" overlap="2M" timeout="20" source="res:#ruleset.yara"/>
+
+    <output compression="fast" />
+
+    <location>C:\</location>
+
+    <yara block="20M" overlap="2M" timeout="20" source="res:#yara_rules" />
 
     <samples MaxSampleCount="2000" MaxTotalBytes="500MB">
-        <sample name="size_lower_8M" MaxPerSampleBytes="8MB">
-            <ntfs_find size_le="8M" yara_rule="*"/>
+        <!--
+            Generic catch-all ntfs_find rule to collect any sample that had a "reliable" match (ie. samples that fit into the default 20M buffer)
+            This rule should be disabled in favor of the specifc rules below when proper tagging and triaging of Yara rules is done
+        -->
+        <sample name="size_lower_5M" MaxPerSampleBytes="5MB">
+            <ntfs_find size_le="5M" yara_rule="*" />
+        </sample>
+
+        <!--
+            Specific rules, disabled while specific yara rulesets are not available
+        -->
+        <!-- Specific ntfs_find rule to apply some yara rules only on PE files (these rules should be prefixed with "rule_pe_" -->
+        <!--
+        <sample name="pefile" MaxPerSampleBytes="20MB">
+            <ntfs_find header="MZ" size_le="20M" yara_rule="rule_pe_*" />
+        </sample>
+        -->
+        <!-- Specific ntfs_find rule to search patterns in memory (ie. in pagefile.sys), but do not collect the pagefile -->
+        <!--
+        <sample name="pagefile" MaxPerSampleBytes="0MB">
+            <ntfs_find name="pagefile.sys" yara_rule="rule_memory_*" />
         </sample>
+        -->
+
     </samples>
-</getthis>
\ No newline at end of file
+
+</getthis>
+
diff --git a/config/GetYaraSamples_offline_config.xml b/config/GetYaraSamples_offline_config.xml
new file mode 100644
index 0000000..317066a
--- /dev/null
+++ b/config/GetYaraSamples_offline_config.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+
+<getthis reportall="" nolimits="">
+
+    <output compression="fast" />
+
+    <location>%OfflineLocation%</location>
+
+    <yara block="20M" overlap="2M" timeout="20" source="res:#yara_rules" />
+
+    <samples>
+        <sample name="orc">
+            <ntfs_find name_match="*.exe"  yara_rule="orc" />
+        </sample>
+    </samples>
+
+</getthis>
+
diff --git a/config/NTFSInfoDetail_alldrives_config.xml b/config/NTFSInfoDetail_alldrives_config.xml
new file mode 100755
index 0000000..5ac5bbc
--- /dev/null
+++ b/config/NTFSInfoDetail_alldrives_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<ntfsinfo walker="MFT" resurrect="yes">
+  <location>*</location>
+  <columns>
+    <default>Default</default>
+    <omit SizeGT="10M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256</omit>
+    <add HasPE="">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Details,Authenticode</add>
+  </columns>
+</ntfsinfo>
+
diff --git a/config/NTFSInfoDetail_systemdrive_config.xml b/config/NTFSInfoDetail_systemdrive_config.xml
new file mode 100755
index 0000000..cad3473
--- /dev/null
+++ b/config/NTFSInfoDetail_systemdrive_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+
+<ntfsinfo walker="MFT" resurrect="yes">
+  <location>%SystemDrive%\</location>
+  <columns>
+    <default>Default,FirstBytes</default>
+    <omit SizeGT="10M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256</omit>
+    <add HasPE="">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Details,Authenticode</add>
+  </columns>
+</ntfsinfo>
+
diff --git a/config/NTFSInfoQuick_config.xml b/config/NTFSInfoQuick_config.xml
new file mode 100755
index 0000000..02dd7f0
--- /dev/null
+++ b/config/NTFSInfoQuick_config.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+
+<ntfsinfo walker="MFT" resurrect="yes">
+  <location shadows="yes">*</location>
+  <columns>
+    <default>Default,EASize</default>
+  </columns>
+</ntfsinfo>
diff --git a/config/NTFSInfo_little_config.xml b/config/NTFSInfo_little_config.xml
new file mode 100644
index 0000000..5b91a81
--- /dev/null
+++ b/config/NTFSInfo_little_config.xml
@@ -0,0 +1,93 @@
+<?xml version="1.0"?>
+<ntfsinfo walker="MFT">
+    <fileinfo compression="ultra" />
+    <location>%SystemDrive%</location>
+    <columns>
+        <!--
+Contains:
+* **Standard Information:**
+    * **File:** Name of the file
+    * **ParentName:** Name of the parent folder
+    * **SizeInBytes:** File size in bytes
+* **Date Information:**
+    * **CreationDate:** File creation date *"mm/dd/yyyy hh\:mm\:ss.000"*
+    * **LastModificationDate:** File last write date *"mm/dd/yyyy hh\:mm\:ss.000"*
+    * **LastAccessDate:** File last read access date
+    * **LastAttrChangeDate:** Last Attribute change date (MFT information changed) *"mm/dd/yyyy hh\:mm\:ss.000"*
+    * **FileNameCreationDate:** File name (hard link) creation date
+    * **FileNameLastAccessDate:** File name (hard link) access date
+    * **FileNameLastDataModificationDate:** File name (hard link) last date *data* was modified
+    * **FileNameLastAttrModificationDate:** File name (hard link) last date MFT *attribute* was modified
+* **PE Header related information:**
+    * **Platform:** PE Header platform
+    * **TimeStamp:** PE Header timestamp
+    * **SubSystem:** PE Header SubSystem
+* **Version Information:**
+    * **FileOS:** VersionInfo OS tag
+    * **FileType:** VersionInfo type
+    * **Version:** VersionInfo file version
+    * **CompanyName:** VersionInfo company name
+    * **ProductName:** VersionInfo product name
+    * **OriginalFileName:** VersionInfo original file name
+* **Cryptographic/Authenticode Information:**
+    * **SHA1:** Cryptographic SHA1 hash (in hex)
+    * **AuthenticodeStatus:** Status of the authenticode signature for the file. Possible values are:
+        * **Unknown:** Status failed to be determined
+        * **Empty string:** File is not a PE
+        * **SignedVerified:** File is signed and the signature verified
+        * **CatalogSignedVerified:** File hash is listed in a catalog
+        * **SignedNotVerified:** File signature does _not_ verify
+        * **NotSigned:** No signature or catalog could be found for this file
+    * **AuthenticodeSignerThumbprint:** Signer's certificate hash
+    * **AuthenticodeCAThumbprint:** Signer's root CA certificate hash
+* **Alternate Storage areas:**
+    * **ADS:** Alternate Data Stream Information
+* **RecordInUse:** Boolean which indicates if this record was in use or free (i.e. deleted)
+
+Missing:
+* **Volume Identification:**
+    * **ComputerName:** Name of the computer
+    * **VolumeID:** Id of the volume
+* **Standard Information:**
+    * **FullName:** Full-path name
+    * **Extension:** Optional file name extension (split path)
+    * **Attributes:** FAT file system attributes
+* **FirstBytes:** First 16 bytes (in hex) of the ``$DATA`` attribute content.
+* **Security:**
+    * **OwnerSID:** SID of the owner for this entry
+    * **Owner:** Name of the owner for this entry
+    * **SecDescrID** ID of security descriptor for the file
+* **ShortName:**
+    * **Short Name** (8.3) if any
+* **Cryptographic/Authenticode Information:**
+    * **MD5:** Cryptographic MD5 hash (in hex)
+    * **SHA256:** Cryptographic SHA256 hash (in hex)
+    * **PeMD5:** Authenticode (PE) file MD5 hash
+    * **PeSHA1:** Authenticode (PE) file SHA1 hash
+    * **PeSHA256:** Authenticode (PE) file SHA256 hash
+    * **AuthenticodeSigner:** Signer's certificate (value of the first occurrence of the attributes szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, or szOID_RSA_emailAddr)
+    * **AuthenticodeCA:** Signer's root CA certificate (value of the first occurrence of the attributes szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, or szOID_RSA_emailAddr)
+    * **SecurityDirectory** Base64 encoded security directory of the PE file (if present)
+* **Alternate Storage areas:**
+    * **ExtendedAttribute:** Colon separated names of the extended attributes (``$EA`` attribute content)
+* **Reference Numbers**
+    * **USN:** Update Sequence Number (last USN added in the journal for this entry)
+    * **FRN:** File Reference Number (version index of the entry in the MFT)
+    * **ParentFRN:** Parent Folder Reference Number
+* **FilenameFlags:** Type of file name (POSIX=0,WIN32=1,DOS83=2)
+* **FilenameID:** Attribute ID for this ``$FILE_NAME``
+* **DataID:** Attribute ID for this ``$DATA``
+* **Status:** File lock status (per CreateFile return value, if available)
+* **OwnerID:** Owner ID for this entry (ID for quotas, not security)
+* **FilenameIndex:** Index of this ``$FILE_NAME`` in this record
+* **DataIndex:** Index of this ``$DATA`` in this record
+* **SnapshotID:** Snapshot associated with this entry
+* **SSDeep:** Fuzzyhash SSDeep
+* **TLSH:** Trend Micro's TLSH
+* **SignedHash:** Signed hash inside the security directory of the PE
+ -->
+        <default>File,ParentName,SizeInBytes,CreationDate,LastModificationDate,LastAccessDate,LastAttrChangeDate,FileNameCreationDate,FileNameLastModificationDate,FileNameLastAccessDate,FileNameLastAttrModificationDate,ADS,RecordInUse</default>
+        <omit SizeGT="10M">SHA1</omit>
+        <add HasPE="">SHA1,Details,AuthenticodeStatus,AuthenticodeSignerThumbprint,AuthenticodeCAThumbprint</add>
+    </columns>
+</ntfsinfo>
diff --git a/config/NTFSInfo_offline_config.xml b/config/NTFSInfo_offline_config.xml
new file mode 100644
index 0000000..556df8e
--- /dev/null
+++ b/config/NTFSInfo_offline_config.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0"?>
+<ntfsinfo walker="MFT" resurrect="yes" >
+  <fileinfo compression="fast"/>
+  <location>%OfflineLocation%</location>
+  <columns>
+    <default>ComputerName,VolumeID,Default,ExtendedAttribute,RecordInUse,SecDescrID,ADS,FirstBytes</default>
+    <default>Details</default>
+    <omit SizeGT="100M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode</omit>
+    <add HasPE="">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode</add>
+  </columns>
+</ntfsinfo>
diff --git a/config/ruleset.yara b/config/ruleset.yara
old mode 100755
new mode 100644
index 5421ef8..adf8f16
--- a/config/ruleset.yara
+++ b/config/ruleset.yara
@@ -1,6 +1,6 @@
 rule dfir_orc {
     strings:
         $dummy = "This is a dummy rule not supposed to match anything but the binary embedding it!"
-    condition:
+    condition :
         $dummy
-}
+}
\ No newline at end of file
diff --git a/configure.ps1 b/configure.ps1
new file mode 100644
index 0000000..cf66ea1
--- /dev/null
+++ b/configure.ps1
@@ -0,0 +1,237 @@
+function Configure-Orc
+{
+    <#
+        .SYNOPSIS
+            Configure DFIR-ORC
+        
+        .PARAMETER RawBin
+            Path to DFIR-ORC raw binaries. Default is 'tools\' directory in
+            configuration directory
+
+        .PARAMETER Configuration
+            Path to DFIR-ORC configuration root directory containing 'tools\'
+            and 'config\' subdirectories. Default is '.\'
+
+        .PARAMETER ToolEmbedXml
+            Path to ToolEmbed's XML configuration file. If not specified the
+            script will lookup in this order in configuration directory:
+            - ORC_embed.xml
+            - DFIR-ORC_embed.xml
+            - *.xml with '<toolembed>' as root element
+
+        .PARAMETER Destination
+            Path to configured DFIR-ORC output file. Default is '.\output\'
+            or 'output\' in configuration root directory if provided with
+            Configuration parameter
+
+        .PARAMETER Force
+            DFIR-ORC raw binaries present in tools directory will be replaced
+            if -RawBin option is used
+
+        .EXAMPLE
+            .\configure.ps1 `
+                -RawBin D:\dfir-orc\build\dev\latest\bin\MinSizeRel\ `
+                -Configuration C:\dev\dfir-orc\ `
+                -Destination C:\dev\dfir-orc\release\DFIR-Orc.exe
+    #>
+    [cmdletbinding()]
+    Param (
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [System.IO.DirectoryInfo]
+        $RawBin,
+
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [System.IO.DirectoryInfo]
+        $Configuration = ".",
+
+        [Parameter(Mandatory = $false)]
+        [System.IO.FileInfo]
+        $ToolEmbedXml,
+
+        [Parameter(Mandatory = $false)]
+        [ValidateNotNullOrEmpty()]
+        [System.IO.FileInfo]
+        $Destination,
+
+        [Switch]
+        $Force
+    )
+
+    $ErrorActionPreference = "Stop"
+
+    $OrcRawBinaries = @(
+        "DFIR-Orc_x64.exe"
+        "DFIR-Orc_x86.exe"
+    )
+
+    $OrcRawBinariesToClean = @()
+
+    if($RawBin)
+    {
+        foreach($OrcRawBinary in $OrcRawBinaries)
+        {
+            if(Test-Path "${RawBin}\${OrcRawBinary}")
+            {
+                if($Force -Or -Not (Test-Path "${Configuration}\tools\${OrcRawBinary}"))
+                {
+                    Copy-Item -Force -Path "${RawBin}\${OrcRawBinary}" -Destination "${Configuration}/tools"
+                    $OrcRawBinariesToClean += $OrcRawBinary
+                }
+                else
+                {
+                    Write-Warning "DFIR-ORC raw binary seems already present at ${Configuration}\tools\${OrcRawBinary} and will be used to configure DFIR-ORC."
+                    Write-Warning "Use -Force option if you want to replace it"
+                }
+            }
+            else
+            {
+                Write-Error "Cannot find ${OrcRawBinary} raw binary"
+            }
+        }
+    }
+    else
+    {
+        $RawBin = "./tools"
+    }
+
+    foreach($OrcRawBinary in $OrcRawBinaries)
+    {
+        if(-Not (Test-Path "${Configuration}\tools\${OrcRawBinary}"))
+        {
+            Write-Error "DFIR-ORC raw binary ${OrcRawBinary} is not present in ${Configuration}\tools directory"
+        }
+    }
+
+    Push-Location $Configuration
+    try
+    {
+        if(-Not $ToolEmbedXml)
+        {
+            $ToolEmbedXml = Get-ToolEmbedXml -Path ".\config"
+        }
+
+        if(-Not $ToolEmbedXml -Or -Not (Test-Path $ToolEmbedXml))
+        {
+            Write-Error "Cannot find ToolEmbed configuration"
+        }
+        else
+        {
+            Write-Output "Found ToolEmbed configuration: '${ToolEmbedXml}'"
+        }
+
+        $ENV:__COMPAT_LAYER = "RUNASINVOKER"
+
+        # XML configuration files usually references some environment variables
+        $ENV:ORC_CONFIG_FOLDER = "config"
+        $ENV:ORC_OUTPUT = "DFIR-Orc.exe"
+
+        . tools\DFIR-Orc_x64.exe ToolEmbed /Config="${ToolEmbedXml}"
+
+        $ToolEmbedOutput = Get-ToolEmbedOutput -Path $ToolEmbedXml
+    }
+    finally
+    {
+        Pop-Location
+    }
+
+    if(! $Destination)
+    {
+        $Destination = "${Configuration}\output"
+    }
+
+    if($Destination -notmatch '\.exe$')
+    {
+        $DestinationDir = $Destination
+        $ExecutableName = Split-Path $ToolEmbedOutput -leaf
+        $Destination = "$Destination/$ExecutableName"
+    }
+    else
+    {
+        $DestinationDir = Split-Path $Destination
+    }
+
+    if(-Not (Test-Path $DestinationDir))
+    {
+        New-Item -ItemType Directory $DestinationDir | Out-Null
+        Write-Output "Create '$DestinationDir' directory"
+    }
+
+    if("${Configuration}/${ToolEmbedOutput}" -ne $Destination)
+    {
+        Move-Item -Force -Path "${Configuration}/${ToolEmbedOutput}" -Destination $Destination
+    }
+
+    Write-Output `
+        "`n`nDFIR-ORC configuration is done: '$(Resolve-Path ${Destination})'`n"
+
+    # Clean DFIR-ORC raw binaries
+    if($RawBin)
+    {
+        foreach($OrcRawBinary in $OrcRawBinariesToClean)
+        {
+            if(Test-Path "$Configuration\tools\$OrcRawBinary")
+            {
+                Remove-Item -Path "${Configuration}\tools\${OrcRawBinary}"
+            }
+        }
+    }
+}
+
+function Get-ToolEmbedXml
+{
+    param(
+        [System.IO.DirectoryInfo]
+        $Path
+    )
+
+    $EmbedFileNames = @(
+        "ORC_embed.xml"
+        "DFIR-ORC_embed.xml"
+        "Embed.xml"
+    )
+
+    foreach($EmbedFileName in $EmbedFileNames)
+    {
+        if(Test-Path "$Path\$EmbedFileName")
+        {
+            $ToolEmbedXml = "$Path/$EmbedFileName"
+            if(Get-Item -Path $ToolEmbedXml | Select-Xml -XPath toolembed)
+            {
+                return $ToolEmbedXml
+            }
+        }
+    }
+
+    # Lookup for an xml file with 'toolembed' as root element
+    $ToolEmbedXml = `
+        Get-ChildItem -Filter *.xml ${Path}/ | `
+        Select-Xml -XPath toolembed | `
+        Select-Object -First 1 | `
+        Select-Object -ExpandProperty Path
+
+    return $ToolEmbedXml
+}
+
+function Get-ToolEmbedOutput
+{
+    <#
+        .SYNOPSIS
+            Look into ToolEmbed XML configuration for '<output>' element value
+    #>
+    [OutputType([String])]
+    param(
+        [System.IO.FileInfo]
+        $Path
+    )
+
+    $Output = `
+        Select-Xml -XPath "toolembed/output" ${Path} | `
+        Select-Object -ExpandProperty Node | `
+        Select-Object -ExpandProperty InnerText
+
+    return [Environment]::ExpandEnvironmentVariables($Output)
+}
+
+Configure-Orc @args