-
Notifications
You must be signed in to change notification settings - Fork 2
/
searchindex.js
1 lines (1 loc) · 99.9 KB
/
searchindex.js
1
Search.setIndex({"docnames": ["FastFind", "FatInfo", "GetSamples", "GetSectors", "GetThis", "LO", "NTFSInfo", "NTFSUtil", "ObjInfo", "RegInfo", "ToolEmbed", "USNInfo", "architecture", "cli_options", "configuration", "configuring_console_output", "configuring_locations", "configuring_ntfs_opt", "configuring_process", "configuring_tool_output", "configuring_yara", "design_principles", "embedded_tool_suite", "fs_implem_details", "index", "info_tools", "intro_to_data_collection", "licenses", "open-license", "orc_local_config", "outcome", "outline", "platforms", "resources", "tuto", "wolf_config"], "filenames": ["FastFind.rst", "FatInfo.rst", "GetSamples.rst", "GetSectors.rst", "GetThis.rst", "LO.rst", "NTFSInfo.rst", "NTFSUtil.rst", "ObjInfo.rst", "RegInfo.rst", "ToolEmbed.rst", "USNInfo.rst", "architecture.rst", "cli_options.rst", "configuration.rst", "configuring_console_output.rst", "configuring_locations.rst", "configuring_ntfs_opt.rst", "configuring_process.rst", "configuring_tool_output.rst", "configuring_yara.rst", "design_principles.rst", "embedded_tool_suite.rst", "fs_implem_details.rst", "index.rst", "info_tools.rst", "intro_to_data_collection.rst", "licenses.rst", "open-license.rst", "orc_local_config.rst", "outcome.rst", "outline.rst", "platforms.rst", "resources.rst", "tuto.rst", "wolf_config.rst"], "titles": ["FastFind", "FatInfo", "GetSamples", "GetSectors", "GetThis", "LICENCE OUVERTE 2.0/OPEN LICENCE 2.0", "NTFSInfo", "NTFSUtil", "ObjInfo", "RegInfo", "ToolEmbed", "USNInfo", "Architecture", "DFIR ORC Command-line Options", "Configuration", "Configuring Console Output, Logging", "Configuring Locations", "Configuring Attributes of <code class=\"docutils literal notranslate\"><span class=\"pre\">ntfs_find</span></code> and <code class=\"docutils literal notranslate\"><span class=\"pre\">ntfs_exclude</span></code> Elements", "Configuring Process Priority", "Configuring Tool Output", "Configuring the Yara Scanner", "Design Principles", "Embedded Tool Suite", "Implementation Details About Parsers", "Introduction", "Common Options & Properties", "Design and Architecture", "Licenses", "OPEN LICENCE 2.0/LICENCE OUVERTE 2.0", "DFIR ORC Local Configuration File", "DFIR-ORC Execution Outcome", "DFIR-ORC Execution Outline", "Requirements", "Referencing Resources in Configurations", "Tutorial", "WolfLauncher Configuration File"], "terms": {"The": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 22, 23, 24, 26, 28, 29, 30, 31, 32, 33, 35], "purpos": [0, 1, 2, 3, 4, 9, 13, 28, 35], "i": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 28, 29, 30, 31, 32, 33, 34, 35], "check": [0, 2, 24, 34], "presenc": [0, 1, 6, 16], "known": [0, 7, 16, 17, 21, 31, 32], "indic": [0, 1, 4, 6, 13, 17, 22, 34], "larg": [0, 5, 20, 24], "instal": [0, 12, 24, 25], "base": [0, 1, 5, 6, 9, 10, 12, 17, 19, 23, 24, 29, 34, 35], "sinc": [0, 1, 2, 12, 34], "aim": [0, 13, 26, 28], "analyz": [0, 2, 8, 9, 11, 18, 24], "thousand": 0, "requir": [0, 1, 4, 6, 12, 14, 16, 21, 24, 25, 28, 34], "minim": [0, 2, 10, 17, 18, 21, 24], "interact": [0, 13, 32], "To": [0, 1, 2, 4, 6, 7, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 21, 23, 24, 28, 29, 33, 34, 35], "achiev": 0, "thi": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 29, 31, 32, 33, 34, 35], "goal": [0, 12, 21], "us": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 23, 25, 28, 29, 31, 32, 33, 35], "an": [0, 1, 2, 3, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 19, 21, 23, 25, 28, 29, 32, 33, 34, 35], "xml": [0, 1, 2, 4, 6, 9, 10, 12, 13, 14, 15, 16, 17, 19, 20, 21, 29, 30, 33, 34, 35], "configur": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 13, 22, 24, 25, 26, 32], "embed": [0, 2, 7, 10, 12, 14, 16, 20, 21, 24, 25, 32, 33, 35], "resourc": [0, 1, 6, 10, 12, 14, 20, 24, 32, 34, 35], "specifi": [0, 1, 2, 3, 6, 8, 9, 10, 11, 12, 14, 15, 16, 17, 19, 20, 23, 29, 35], "look": [0, 1, 3, 4, 6, 7, 8, 9, 11, 12, 29, 34], "can": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 23, 25, 28, 29, 32, 34, 35], "leverag": [0, 4], "collect": [0, 1, 2, 3, 4, 6, 7, 9, 11, 12, 13, 16, 17, 19, 21, 22, 24, 31, 32, 34, 35], "enabl": [0, 4, 6, 13, 15, 16, 21, 29, 32, 35], "sophist": 0, "search": [0, 4, 9, 12, 25, 34], "up": [0, 6, 12, 15, 17, 24, 28, 29, 35], "mount": [0, 1, 6, 7, 11, 22, 25], "multipl": [0, 2, 6, 15, 16, 17, 23], "hive": [0, 4, 12, 13, 17, 22, 24, 32, 34], "from": [0, 1, 2, 3, 6, 7, 8, 9, 10, 11, 14, 15, 16, 17, 20, 21, 22, 23, 24, 26, 28, 29, 32, 33, 34, 35], "signatur": [0, 1, 2, 6, 16, 21], "kei": [0, 6, 8, 9, 14, 21, 24, 30, 34, 35], "valu": [0, 2, 3, 4, 7, 9, 13, 15, 16, 17, 19, 20, 29, 31, 34, 35], "directori": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 24, 25, 29, 31, 34, 35], "pipe": [0, 22], "event": [0, 4, 6, 8, 21, 24, 30, 32], "doe": [0, 1, 2, 3, 4, 6, 7, 13, 15, 16, 17, 23, 24, 28, 29, 32, 34, 35], "find": [0, 4, 6, 9, 20, 34], "rootkit": 0, "data": [0, 1, 3, 5, 6, 7, 9, 12, 14, 16, 17, 20, 21, 22, 23, 24, 29, 32], "ulterior": 0, "analysi": [0, 9, 19, 21, 24, 35], "trace": [0, 15, 24, 29, 35], "ani": [0, 1, 3, 4, 6, 7, 9, 13, 14, 16, 17, 21, 24, 25, 28, 29, 34, 35], "other": [0, 1, 2, 4, 6, 7, 8, 9, 12, 13, 14, 17, 21, 28, 33, 34, 35], "compromis": [0, 21, 22], "e": [0, 1, 3, 4, 6, 7, 9, 12, 13, 16, 17, 21, 24, 28, 29, 33, 34, 35], "onli": [0, 1, 2, 3, 4, 6, 7, 8, 9, 12, 13, 16, 17, 21, 24, 25, 29, 32, 34, 35], "specif": [0, 1, 3, 4, 9, 16, 17, 21, 23, 24, 26, 28, 29, 34, 35], "threat": [0, 24], "standalon": 0, "execut": [0, 1, 2, 6, 10, 13, 14, 15, 16, 19, 20, 21, 24, 25, 26, 29, 33, 34], "prior": [0, 25, 29, 35], "It": [0, 1, 2, 4, 7, 9, 10, 11, 12, 13, 14, 16, 17, 21, 23, 24, 28, 29, 32, 34, 35], "current": [0, 2, 4, 7, 8, 9, 10, 11, 13, 15, 25, 29, 31, 34, 35], "support": [0, 2, 4, 7, 10, 13, 15, 16, 17, 19, 24, 29, 35], "follow": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 19, 20, 24, 25, 28, 29, 31, 32, 33, 34, 35], "xp": [0, 21, 33], "sp2": [0, 32, 33], "win32": [0, 6], "x64": [0, 7, 13, 31, 33, 34], "server": [0, 12, 15, 29, 31, 35], "2003": 0, "sp3": 0, "vista": [0, 6, 21], "sp1": [0, 32], "2008": 0, "2012": [0, 32], "7": [0, 13, 21, 29, 31, 35], "rtm": [0, 13, 31, 34], "8": [0, 1, 4, 6, 7, 21, 24, 31, 32], "ntf": [0, 4, 6, 7, 9, 11, 12, 16, 17, 22, 23, 31], "volum": [0, 3, 4, 7, 9, 11, 12, 21, 23, 25, 31, 34], "1": [0, 1, 5, 6, 7, 10, 13, 15, 17, 19, 21, 24, 28, 29, 30, 31, 32], "r2": 0, "2016": [0, 32], "2019": [0, 7, 13, 31, 32, 34], "10": [0, 7, 13, 21, 31, 32, 34, 35], "1903": [0, 13, 34], "same": [0, 2, 4, 6, 7, 9, 11, 16, 20, 21, 25, 27, 29, 34, 35], "mft": [0, 1, 4, 6, 9, 17, 24, 25], "parser": [0, 1, 4, 6, 7, 9, 11, 12, 25], "ntfsinfo": [0, 4, 11, 12, 13, 15, 16, 19, 21, 22, 24, 33, 34, 35], "target": [0, 2, 4, 6, 8, 10, 12, 13, 21, 24, 35], "lookup": 0, "For": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 21, 25, 33, 34, 35], "detail": [0, 3, 4, 7, 8, 9, 10, 11, 13, 17, 19, 22, 25, 31, 34], "pleas": [0, 1, 3, 4, 6, 8, 9, 10, 11, 12, 16, 34, 35], "refer": [0, 1, 2, 3, 4, 6, 8, 9, 10, 11, 12, 14, 16, 17, 20, 28, 33, 34, 35], "upon": [0, 21, 35], "success": 0, "result": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 12, 13, 14, 16, 21, 24, 25, 28, 30, 34, 35], "its": [0, 1, 2, 4, 6, 7, 9, 12, 13, 14, 16, 17, 20, 21, 24, 28, 29, 32, 33, 34], "one": [0, 1, 2, 3, 4, 6, 8, 9, 10, 11, 13, 15, 16, 17, 19, 20, 21, 28, 29, 32, 33, 34, 35], "element": [0, 7, 13, 14, 16, 19, 20, 24, 25, 34], "per": [0, 1, 4, 6, 11, 13, 22, 31, 35], "also": [0, 2, 3, 4, 6, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 24, 28, 34, 35], "two": [0, 4, 6, 7, 8, 9, 10, 11, 14, 16, 17, 20, 21, 23, 34], "csv": [0, 1, 2, 3, 4, 6, 8, 9, 11, 12, 19, 34, 35], "here": [0, 2, 6, 9, 10, 12, 23, 34], "sampl": [0, 3, 12, 16, 17, 19, 22, 34], "tool": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 25, 26, 29, 32, 33, 34, 35], "fast_find": 0, "comput": [0, 1, 3, 4, 6, 7, 8, 9, 11, 13, 23, 24, 34, 35], "jeangabook": [0, 34], "o": [0, 1, 6, 7], "microsoft": [0, 6, 8, 13, 16, 19, 24, 29, 31, 32, 34], "enterpris": [0, 31, 34], "edit": [0, 10, 24, 31, 35], "build": [0, 12, 13, 31], "18362": [0, 13, 34], "64": [0, 7, 10, 13, 31, 32, 34, 35], "bit": [0, 7, 10, 13, 29, 31, 32, 34, 35], "role": 0, "workstat": [0, 13, 31, 34, 35], "c": [0, 1, 4, 6, 7, 8, 9, 11, 12, 13, 15, 16, 19, 23, 25, 30, 31, 34], "temp": [0, 1, 2, 4, 6, 8, 9, 11, 12, 13, 15, 16, 19, 29, 30, 31, 34, 35], "fastfind_output": 0, "filefind_match": 0, "sha256": [0, 1, 4, 6, 17, 30], "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": 0, "record": [0, 1, 3, 4, 6, 16, 17, 23], "frn": [0, 4, 6, 11], "0x00080000000e75bc": 0, "volume_id": 0, "0xd2501a75501a6091": 0, "snapshot_id": 0, "00000000": 0, "0000": [0, 7], "000000000000": 0, "standardinform": 0, "creation": [0, 1, 2, 4, 6, 7, 8, 13], "09": [0, 7, 13, 31, 34], "30": [0, 7, 35], "13": [0, 7], "29": 0, "17": [0, 7, 31], "691": 0, "lastmodif": 0, "33": 0, "16": [0, 1, 6, 17], "007": 0, "lastaccess": 0, "lastentrychang": 0, "38": [0, 7], "18": [0, 7, 31], "941": 0, "attribut": [0, 5, 7, 9, 11, 13, 19, 22, 23, 25, 28, 34], "A": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 15, 16, 17, 20, 26, 29, 35], "filenam": [0, 7, 34, 35], "fullnam": [0, 1, 4, 6, 31], "test": [0, 1, 6, 9, 12, 13, 17, 19, 24, 32], "files": [0, 20], "0": [0, 3, 6, 7, 13, 15, 16, 29, 30, 31, 34], "md5": [0, 1, 4, 6, 17], "d41d8cd98f00b204e9800998ecf8427": 0, "sha1": [0, 1, 4, 6, 17], "da39a3ee5e6b4b0d3255bfef95601890afd80709": 0, "gdi": 0, "dll": [0, 1, 4, 6, 10, 33, 34], "0x0000000000000000": [0, 7], "0xb80097bc00978054": 0, "i30": [0, 6, 7, 17], "syswow64": [0, 31], "gdi32ful": 0, "parentfrn": [0, 4, 6, 11], "0x00030000000789d7": 0, "07": [0, 7, 13, 31], "12": [0, 7, 31], "01": [0, 7], "896": 0, "927": 0, "04": [0, 7], "46": [0, 31], "430": 0, "05": [0, 31], "26": [0, 31, 34], "670": 0, "hive_path": 0, "system32": [0, 4, 17, 31, 35], "softwar": [0, 4, 9, 12, 13, 16, 17, 24], "regfind_match": 0, "keypath": 0, "currentvers": [0, 9, 16], "run": [0, 1, 2, 4, 7, 8, 9, 12, 13, 14, 26, 29, 31, 32, 33, 34, 35], "securityhealth": 0, "type": [0, 1, 3, 4, 6, 7, 8, 9, 13, 17, 31, 34, 35], "reg_expand_sz": [0, 9], "lastmodified_kei": 0, "02": [0, 7, 15, 30], "15": [0, 4, 7, 31], "14": [0, 7, 28, 31, 34], "043": 0, "data_s": [0, 9], "88": [0, 7], "object_match": 0, "symboliclink": [0, 8], "partition0": 0, "devic": [0, 7, 8, 16, 32], "harddisk0": 0, "link_target": 0, "link_creationtim": 0, "00": [0, 7], "49": [0, 7], "107": 0, "driver": [0, 2, 4, 8, 16, 17], "cng": 0, "separ": [0, 1, 4, 6, 9, 11, 13, 17, 20, 21, 29, 35], "three": [0, 1, 4, 7, 16, 24, 34], "section": [0, 4, 8, 14, 17, 29, 33, 34, 35], "In": [0, 2, 3, 4, 6, 7, 9, 10, 12, 13, 15, 16, 17, 19, 24, 32, 34], "each": [0, 1, 6, 7, 9, 12, 16, 17, 20, 21, 34, 35], "enclos": [0, 9], "insid": [0, 3, 4, 6, 9, 13, 16, 32, 33, 34], "ha": [0, 1, 2, 4, 6, 7, 9, 10, 13, 16, 17, 21, 28, 34], "report": [0, 6, 8, 13, 17, 22, 24, 35], "rule": [0, 1, 4, 6, 9, 12, 17, 20, 24, 34], "which": [0, 1, 2, 3, 4, 6, 7, 9, 10, 11, 12, 13, 15, 17, 20, 21, 22, 24, 28, 29, 34, 35], "both": [0, 1, 2, 4, 6, 9, 12, 14, 17, 20, 21, 25, 29, 34, 35], "inform": [0, 2, 4, 7, 8, 11, 15, 16, 21, 22, 23, 29, 32, 34], "retriev": [0, 7, 9, 17, 28], "columnnam": [0, 4, 8, 9, 11], "computernam": [0, 1, 3, 4, 6, 8, 9, 31, 35], "volumeid": [0, 1, 4, 6, 11], "id": [0, 1, 4, 6, 7, 16], "snapshotid": [0, 4, 6, 11], "snapshot": [0, 4, 6, 7, 9, 11, 24], "associ": [0, 4, 6, 9, 11, 17, 32, 35], "entri": [0, 1, 4, 6, 7, 11, 16, 17, 22, 24, 33], "parent": [0, 1, 4, 6, 11, 12, 15, 19, 29, 35], "full": [0, 1, 3, 4, 6, 8, 9, 11, 14, 16, 17, 34], "pathnam": 0, "sizeinbyt": [0, 1, 4, 6], "size": [0, 1, 2, 4, 6, 7, 9, 10, 13, 16, 17, 19, 20, 30, 31, 34], "byte": [0, 1, 3, 4, 6, 7, 9, 16, 17, 19, 20], "creationd": [0, 1, 4, 6], "date": [0, 1, 4, 5, 6, 8, 9, 28, 35], "yyyi": [0, 1, 4, 6], "mm": [0, 1, 4, 6], "dd": [0, 1, 3, 4, 6, 9, 12, 21, 25], "hh": [0, 1, 4, 6], "ss": [0, 1, 4, 6], "sss": [0, 4], "lastmodificationd": [0, 1, 4, 6, 9], "last": [0, 1, 3, 4, 6, 9, 13, 16, 24, 34, 35], "write": [0, 1, 4, 6, 7, 10, 13, 17, 21, 24, 33, 34], "lastaccessd": [0, 1, 4, 6], "read": [0, 1, 3, 4, 6, 16, 17, 20, 23, 34], "access": [0, 1, 2, 3, 4, 6, 8, 13, 16, 24, 32], "lastattrchanged": [0, 4, 6], "chang": [0, 4, 6, 7, 12, 13, 23, 24, 34], "filenamecreationd": [0, 4, 6], "hard": [0, 4, 6, 7, 31], "link": [0, 4, 6, 8, 28], "filenamelastmodificationd": [0, 4, 6], "modif": [0, 4, 9, 14, 34], "filenamelastaccessd": [0, 4, 6], "filenamelastattrchanged": 0, "cryptograph": [0, 1, 4, 6, 23], "hash": [0, 1, 4, 6, 17, 20, 21, 22, 23], "pars": [0, 1, 4, 6, 7, 9, 11, 16, 22, 23, 24], "whether": [0, 1, 2, 4, 6, 13, 23, 24, 29, 35], "found": [0, 1, 3, 4, 6, 7, 8, 9, 11, 12, 17, 34], "list": [0, 1, 2, 4, 6, 7, 8, 9, 11, 12, 13, 14, 16, 17, 20, 21, 22, 27, 29, 31, 33, 35], "If": [0, 2, 4, 6, 8, 9, 10, 11, 12, 13, 17, 19, 21, 23, 28, 32, 35], "wa": [0, 1, 2, 4, 6, 9, 13, 16, 17, 21, 23, 24, 28, 32], "operatingsystem": [0, 8], "string": [0, 1, 4, 6, 9, 10, 17, 31, 33], "objecttyp": [0, 8], "mutex": [0, 22], "etc": [0, 1, 2, 3, 4, 6, 12, 21, 22, 28, 29, 32, 34, 35], "objectnam": [0, 8], "objectpath": [0, 8], "linktarget": [0, 8], "symbol": [0, 8], "when": [0, 1, 2, 3, 4, 6, 7, 9, 10, 11, 12, 13, 16, 17, 19, 20, 23, 24, 28, 29, 32, 33, 34, 35], "linkcreationtim": [0, 8], "As": [0, 1, 3, 7, 8, 9, 11, 12, 13, 14, 16, 17, 24, 33, 34], "everi": [0, 4, 8, 9, 11, 12, 16, 17, 19, 23], "log": [0, 1, 2, 3, 4, 6, 8, 9, 11, 13, 21, 24, 25, 30, 32, 34], "avail": [0, 1, 2, 3, 6, 7, 8, 9, 11, 12, 13, 15, 16, 20, 21, 28, 29, 32, 33, 34, 35], "command": [0, 1, 2, 6, 7, 8, 9, 10, 11, 14, 16, 18, 19, 21, 24, 25, 26, 29, 30, 31, 33, 34], "line": [0, 1, 2, 6, 7, 8, 9, 10, 11, 14, 16, 17, 18, 19, 20, 21, 24, 26, 29, 31, 33, 34, 35], "syntax": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 13, 15, 16, 17, 19, 29, 34, 35], "consol": [0, 1, 2, 3, 4, 6, 8, 9, 11, 25], "dfir": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 14, 15, 16, 19, 22, 25, 26, 32, 33, 34, 35], "orc": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 14, 15, 16, 19, 22, 25, 26, 32, 33, 34, 35], "ex": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 25, 29, 30, 31, 32, 33, 34, 35], "default": [0, 1, 2, 3, 4, 7, 8, 9, 10, 11, 13, 15, 16, 17, 19, 25, 29, 31, 33, 34, 35], "n": [0, 1, 2, 3, 4, 5, 6, 9, 10, 11, 15, 16, 29, 35], "take": [0, 2, 4, 7, 9, 10, 12, 13, 19, 21, 24, 29, 34, 35], "argument": [0, 1, 2, 4, 6, 7, 9, 10, 11, 12, 16, 19, 21, 33, 34], "typic": [0, 2, 3, 8, 9, 10, 11, 12, 13, 16, 19, 20, 21, 25, 29, 33, 34, 35], "like": [0, 1, 3, 4, 6, 7, 8, 9, 11, 12, 15, 16, 19, 23, 29, 33, 34, 35], "2": [0, 1, 6, 7, 9, 13, 16, 24, 30, 35], "locat": [0, 3, 7, 11, 13, 17, 22, 23, 25, 29, 31, 34, 35], "shadow": [0, 6, 7, 25], "ye": [0, 1, 2, 3, 4, 6, 8, 9, 10, 11, 15, 16, 24, 29, 34, 35], "systemdr": [0, 4, 6, 9, 16], "sourc": [0, 4, 5, 12, 24, 25, 27, 28, 34, 35], "block": [0, 4, 13, 25, 35], "2m": [0, 4, 20], "timeout": [0, 4, 13, 25, 34, 35], "120": [0, 20], "overlap": [0, 4, 25], "8192": [0, 20], "scan_method": [0, 25], "filemap": [0, 20], "ntfs_find": [0, 25, 34], "694160": 0, "1cecafe147f1cc3e2b9804b8cda593c9": 0, "ntdll": [0, 34], "yara_rul": [0, 4, 17], "is_dll": [0, 17], "name_match": [0, 4, 17], "ntfs_exclud": [0, 25], "path_match": [0, 17, 34], "c766364efd9c9b5aa3a7140a69f0cf5b147bc476": 0, "14966411": 0, "contain": [0, 1, 2, 3, 4, 6, 7, 9, 10, 12, 14, 15, 17, 21, 24, 28, 29, 34, 35], "bcryptprimit": 0, "pdb": 0, "ntuser": [0, 17], "dat": [0, 17], "registry_find": 0, "key_path": [0, 9], "internet": 0, "explor": [0, 17], "main": [0, 13, 18, 24, 29, 34], "check_associ": 0, "object_find": 0, "mutant": [0, 8], "foo": [0, 19, 30], "foobar": 0, "root": [0, 1, 2, 4, 6, 9, 10, 15, 29, 35], "displai": [0, 7, 9, 13, 25, 32, 34], "identifi": [0, 2, 4, 5, 6, 9, 16, 23, 28, 31, 35], "campaign": 0, "addit": [0, 9, 10, 25, 34], "where": [0, 2, 3, 4, 9, 10, 11, 16, 19, 24, 29, 31, 32, 34], "describ": [0, 2, 4, 6, 9, 10, 11, 14, 17, 29, 34, 35], "scanner": [0, 4, 25], "document": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 16, 17, 22, 24, 26, 28, 34], "reginfo": [0, 17, 19, 20, 21, 22, 24, 33], "objinfo": [0, 21, 22, 24, 33], "accept": [0, 18], "resurrect": [0, 1, 4, 6], "delet": [0, 1, 4, 6, 21, 29], "should": [0, 2, 4, 7, 9, 10, 11, 12, 16, 17, 19, 20, 23, 28, 29, 34, 35], "resurrectrecord": [0, 1, 4, 6], "resid": [0, 1, 4, 6], "includ": [0, 1, 2, 4, 6, 9, 24, 28, 29, 34, 35], "provid": [0, 1, 2, 4, 6, 7, 9, 10, 11, 16, 19, 21, 22, 23, 24, 34, 35], "about": [0, 1, 2, 3, 4, 6, 7, 8, 22, 25, 31, 34], "recent": [0, 4, 6, 11, 16, 28], "design": [0, 1, 3, 4, 6, 8, 12, 14, 24, 28, 34], "incur": [0, 4, 6], "unpredict": [0, 1, 4, 6], "we": [0, 1, 2, 4, 6, 12, 21, 23, 24, 33, 34], "ar": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 12, 13, 15, 16, 17, 19, 20, 21, 22, 23, 25, 27, 28, 29, 31, 32, 33, 34, 35], "unreli": [0, 1, 4, 6, 20], "partial": [0, 1, 4, 6], "One": [0, 1, 4, 6, 9, 16, 20, 23, 26], "gener": [0, 1, 2, 3, 4, 6, 9, 13, 16, 17, 24, 29, 35], "assum": [0, 1, 4, 6, 34], "those": [0, 1, 2, 4, 6, 9, 17, 28, 29], "valid": [0, 1, 4, 6, 7, 9, 21, 35], "unlik": [0, 1, 4, 6], "nonresid": [0, 4, 6], "most": [0, 1, 4, 6, 7, 9, 10, 11, 12, 16, 24, 28, 34], "quickli": [0, 1, 4, 6, 10, 24], "invalid": [0, 1, 4, 6, 9, 16], "after": [0, 1, 3, 4, 6, 13, 20, 21, 34], "limit": [0, 2, 6, 9, 13, 15, 20, 21, 29, 34, 35], "ones": [0, 4, 6, 13, 17, 23, 34], "recoveri": [0, 4, 6], "do": [0, 3, 4, 6, 7, 8, 9, 16, 19, 21, 24, 25, 28, 34, 35], "try": [0, 3, 4, 6, 12, 34], "recov": [0, 4, 6], "allow": [0, 1, 2, 3, 4, 6, 7, 9, 10, 12, 13, 16, 17, 21, 23, 24, 29, 32, 34, 35], "add": [0, 2, 10, 14, 29, 34, 35], "must": [0, 1, 2, 3, 4, 6, 9, 10, 13, 15, 16, 17, 19, 24, 28, 29, 32, 34, 35], "have": [0, 2, 4, 6, 8, 12, 13, 16, 17, 19, 21, 23, 24, 32, 34, 35], "extens": [0, 1, 2, 3, 6, 19, 29], "creat": [0, 1, 2, 4, 6, 8, 10, 11, 12, 13, 15, 16, 19, 20, 21, 24, 28, 29, 31, 32, 33, 34, 35], "inact": [0, 2, 4], "ignor": [0, 2, 4], "thei": [0, 1, 6, 7, 9, 15, 17, 19, 24, 28, 34], "against": [0, 9, 17, 29, 35], "more": [0, 1, 2, 3, 4, 6, 7, 9, 11, 12, 13, 16, 19, 21, 24, 29, 32, 33, 35], "myfil": [0, 16], "txt": [0, 4], "my": [0, 17], "sy": [0, 1, 4, 6, 16, 17], "eanam": 0, "overrid": [0, 10, 13, 14, 34, 35], "diskpart": 0, "v1": 0, "comma": [0, 1, 4, 6, 13, 17, 20, 29, 35], "semicolon": [0, 17, 20, 29, 35], "ad": [0, 1, 4, 6, 10, 16, 17, 21, 22, 24, 32, 33, 34], "exist": [0, 2, 4, 9, 10, 13, 15, 16, 17, 19, 21, 28, 29, 34, 35], "intend": [1, 6, 7, 8, 9, 11, 21, 24, 28, 35], "store": [1, 2, 4, 6, 10, 16, 17, 34], "fat": [1, 6, 22], "raw": [1, 4, 6, 9, 16, 34], "disk": [1, 4, 6, 7, 12, 13, 20, 21, 23, 24, 25, 31, 34], "imag": [1, 3, 6, 7, 9, 25], "basic": [1, 6, 12, 26, 29, 34, 35], "enumer": [1, 2, 4, 6, 7, 9, 11, 12, 16, 17, 34], "file": [1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 13, 14, 16, 17, 20, 21, 22, 23, 24, 25, 27, 30, 31, 32, 33], "system": [1, 2, 3, 4, 6, 7, 8, 9, 10, 13, 16, 17, 18, 19, 20, 21, 22, 24, 25, 29, 32, 34, 35], "user": [1, 3, 6, 10, 13, 16, 17, 21, 24, 29, 30, 34, 35], "chosen": [1, 17, 34], "folder": [1, 2, 3, 4, 6, 11, 12, 13, 16, 20, 29, 34, 35], "archiv": [1, 2, 3, 4, 5, 6, 8, 11, 13, 14, 15, 21, 24, 25, 29, 30, 31, 33, 34], "instead": [1, 2, 6, 9, 16], "uniqu": [1, 6, 9, 21, 35], "name": [1, 2, 3, 4, 6, 7, 8, 9, 11, 12, 14, 16, 17, 20, 22, 24, 28, 29, 30, 31, 33, 34, 35], "volstat": 1, "present": [1, 4, 6, 7, 8, 9, 10, 12, 13, 16, 17, 34], "identif": [1, 6, 11], "standard": [1, 6, 9, 21, 31], "parentnam": [1, 6], "split": [1, 6], "000": [1, 6, 7, 13, 34], "recordinus": [1, 6], "boolean": [1, 6], "free": [1, 6, 24, 28, 34], "short": [1, 6, 9, 17, 34], "3": [1, 2, 4, 6, 7, 13, 16, 24, 35], "authenticod": [1, 6, 22], "hex": [1, 6], "pemd5": [1, 6], "pesha1": [1, 6], "pesha256": [1, 6], "authenticodestatu": [1, 6], "statu": [1, 6, 23, 28, 31], "possibl": [1, 4, 6, 7, 9, 13, 14, 16, 21, 23, 24, 25, 28, 29, 32, 33, 34, 35], "unknown": [1, 6], "fail": [1, 6, 7, 8, 21, 32, 35], "determin": [1, 2, 4, 6, 7, 16, 24, 29, 35], "empti": [1, 4, 6, 8, 16, 33, 35], "signedverifi": [1, 6], "sign": [1, 2, 6], "verifi": [1, 2, 6, 17], "catalogsignedverifi": [1, 6], "catalog": [1, 6, 17], "signednotverifi": [1, 6], "notsign": [1, 6], "No": [1, 6, 13, 34], "could": [1, 2, 6, 13, 16, 17, 32], "authenticodesign": [1, 6], "signer": [1, 6], "": [1, 3, 5, 6, 7, 8, 16, 17, 28, 29, 33, 34, 35], "certif": [1, 6, 21, 29, 34, 35], "first": [1, 4, 6, 9, 10, 12, 13, 17, 21, 23, 24, 28, 34, 35], "occurr": [1, 6, 16], "szoid_common_nam": [1, 6], "szoid_organizational_unit_nam": [1, 6], "szoid_organization_nam": [1, 6], "szoid_rsa_emailaddr": [1, 6], "authenticodesignerthumbprint": [1, 6], "authenticodeca": [1, 6], "ca": [1, 5, 6], "authenticodecathumbprint": [1, 6], "securitydirectori": [1, 6], "base64": [1, 6], "encod": [1, 2, 4, 6, 9, 13, 17, 25, 29, 34, 35], "secur": [1, 6, 19, 23, 24, 34], "version": [1, 5, 6, 7, 13, 21, 24, 27, 28, 30, 31, 32, 34, 35], "fileo": [1, 6], "versioninfo": [1, 6], "tag": [1, 6, 9, 13, 31, 34], "filetyp": [1, 6], "companynam": [1, 6], "compani": [1, 6], "productnam": [1, 6], "product": [1, 6, 24, 28], "originalfilenam": [1, 6], "origin": [1, 4, 6, 12, 21, 24, 28, 34], "header": [1, 3, 6, 16, 17, 34], "relat": [1, 2, 3, 4, 5, 6, 7, 9, 17, 21, 22, 25, 28, 34], "platform": [1, 6, 9, 10, 12, 21, 32, 35], "timestamp": [1, 6, 11, 15, 22, 29, 30, 31, 35], "subsystem": [1, 6], "firstbyt": [1, 6], "mostli": [1, 2, 6, 7], "ident": [1, 2, 6], "function": [1, 2, 3, 4, 6, 7, 14, 24, 35], "even": [1, 2, 6, 9, 16, 24], "complex": [1, 2, 6, 10, 12], "paramet": [1, 2, 4, 6, 12, 13, 16, 34], "simpl": [1, 10, 19], "friendli": 1, "f": [1, 7, 16, 19, 34], "logfil": [1, 6, 34], "easier": 1, "completeusn": 1, "config": [1, 2, 4, 6, 10, 12, 13, 17, 30, 31, 34, 35], "fatinfoconfig": 1, "all": [1, 2, 4, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 23, 26, 28, 29, 34, 35], "environ": [1, 2, 6, 10, 16, 24, 29, 31, 34, 35], "variabl": [1, 2, 6, 9, 10, 20, 25, 29, 35], "true": [1, 29, 31, 34], "yield": [1, 10, 12, 17, 34], "non": [1, 4, 5, 9, 13, 16, 17, 28, 29, 34], "deactiv": 1, "featur": [1, 4, 7, 16, 17, 19, 23, 24, 29, 35], "done": [1, 2, 16, 17, 24, 25, 34], "machin": [1, 11, 21, 31], "substitut": [1, 10, 29, 35], "popsysobj": 1, "fals": [1, 3, 31, 34, 35], "probe": 1, "object": [1, 8, 12, 21, 22, 24, 32], "hidden": 1, "filesystem": 1, "lead": [1, 4, 13], "unexpect": 1, "behavior": [1, 3, 6, 7, 10, 13, 16, 20, 21, 22, 34, 35], "form": [1, 6, 7, 9, 11, 19, 24, 31, 35], "end": [1, 3, 4, 6, 7, 11, 13, 15, 17, 19, 29, 30, 34, 35], "location1": [1, 4, 6], "location2": [1, 4, 6], "alia": [1, 6], "defin": [1, 4, 6, 10, 12, 13, 16, 17, 21, 24, 28, 29, 33, 35], "below": [1, 4, 6, 7, 9, 10, 12, 13, 16, 17, 21, 22, 28, 29, 33, 34, 35], "select": [1, 4, 6, 7, 9, 13, 16, 17, 19, 29, 34], "than": [1, 2, 4, 6, 7, 9, 16, 17, 19, 28], "Or": [1, 16, 17, 19], "group": [1, 4, 6], "conveni": [1, 6, 35], "wai": [1, 4, 6, 9, 10, 11, 12, 19, 32, 34], "alias": [1, 6], "set": [1, 2, 4, 6, 7, 8, 9, 10, 12, 13, 16, 17, 18, 21, 24, 28, 29, 34, 35], "simplifi": [1, 6, 9], "instanc": [1, 6, 7, 9, 12, 16, 17, 24, 34, 35], "regroup": [1, 4, 6], "under": [1, 6, 9, 13, 17, 21, 24, 28, 35], "print": [1, 6], "definit": [1, 6, 17], "along": [1, 4, 6, 17, 24, 34], "remov": [1, 6, 16], "depend": [1, 4, 6, 7, 9, 12, 17, 21, 24, 29, 32, 35], "criterion": [1, 4, 6], "met": [1, 4], "help": [1, 4, 6, 7, 11, 14, 16, 24, 34], "reduc": [1, 6, 19, 29], "consumpt": [1, 6], "some": [1, 3, 6, 9, 12, 14, 16, 19, 21, 34], "g": [1, 6, 7, 9, 16, 17, 20, 21, 28, 29, 33, 34, 35], "filter": [1, 6, 12, 35], "hasversioninfo": [1, 6], "version_info": [1, 6], "hasp": [1, 6], "extbinari": [1, 6], "scr": [1, 6], "extarch": [1, 6], "zip": [1, 3, 4, 6, 10, 25, 35], "cab": [1, 3, 4, 6, 10, 19, 33], "ext": [1, 6], "ext1": [1, 6], "ext2": [1, 6], "sizelt": [1, 6], "sizegt": [1, 6], "smaller": [1, 2, 4, 6, 7, 11], "bigger": [1, 4, 6, 7], "note": [1, 6, 16, 35], "express": [1, 5, 6, 9, 17, 28, 35], "kb": [1, 2, 4, 6], "25k": [1, 6], "mb": [1, 2, 4, 6, 7, 19], "5m": [1, 6, 17], "affect": [1, 13], "1m": [1, 6, 7, 17], "put": [1, 21, 34], "equival": [1, 4, 6, 10, 15, 16, 34], "import": [1, 6], "appli": [1, 2, 4, 7, 13, 16, 20, 25], "evalu": [1, 4, 6, 12, 25, 35], "among": [1, 6], "thing": [1, 6, 34], "impli": [1, 6, 9, 13, 15, 19, 20, 29], "consum": [1, 6, 20, 35], "impact": [1, 6, 13, 17, 18, 24, 34], "overal": [1, 6], "perform": [1, 6, 9, 17, 24], "match": [1, 2, 4, 6, 9, 13, 17, 20, 29, 34, 35], "order": [1, 3, 6, 9, 12, 16, 19, 24, 25, 28, 35], "appear": [1, 4, 6, 7, 16, 24, 29, 35], "matter": [1, 6, 13, 16], "1mb": [1, 6], "howev": [1, 2, 4, 6, 12, 13, 17, 21, 24, 32, 34], "revers": [1, 6], "would": [1, 4, 6, 17, 20, 24, 33], "attach": [1, 6, 15, 35], "volumeentri": 1, "extract": [1, 2, 3, 4, 6, 10, 12, 14, 34, 35], "extra": [1, 6], "pull": [1, 6, 24], "subset": [1, 6, 35], "systemat": [1, 6], "obtain": [1, 3, 6, 9, 10, 13, 24, 28, 34], "walker": [1, 6, 7], "code": [1, 3, 5, 6, 7, 10, 12, 24, 27, 28, 34], "exclud": [1, 2, 4, 6, 17, 25, 29, 35], "big": [1, 6, 20], "develop": [2, 4, 12, 21], "automat": [2, 25, 35], "artefact": [2, 17, 22, 32, 34], "turn": 2, "analyst": [2, 21, 24], "pivot": 2, "examin": [2, 4], "beforehand": 2, "chanc": 2, "get": [2, 4, 14, 17, 24, 25, 34], "back": [2, 10, 14, 15, 20, 24, 29, 35], "binari": [2, 7, 9, 10, 12, 13, 14, 17, 20, 22, 24, 25, 26, 33, 34, 35], "regist": [2, 17], "asep": [2, 21], "autostart": 2, "point": [2, 12, 24, 28, 29, 34, 35], "startup": [2, 13, 16], "load": 2, "process": [2, 7, 11, 13, 16, 20, 21, 25, 26, 29, 30, 31, 32, 33, 34, 35], "autom": [2, 22], "malici": [2, 4, 19], "happen": [2, 7, 9, 10, 12, 13, 16, 21, 24, 34], "becaus": [2, 6], "heurist": 2, "goe": [2, 34], "through": [2, 10, 12, 15, 23, 29, 32, 34, 35], "distinct": 2, "step": [2, 9, 12, 14, 21, 24, 31], "candid": 2, "autorunsc": [2, 7, 10, 33, 34], "sysintern": [2, 12, 21, 34], "modul": [2, 20], "welcom": 2, "submiss": 2, "improv": [2, 24], "getthi": [2, 6, 9, 12, 13, 16, 17, 19, 20, 21, 22, 24, 33, 34], "verbos": [2, 6, 25, 35], "Such": [2, 33], "switch": [2, 4, 10, 12], "exampl": [2, 3, 7, 9, 12, 13, 16, 19, 24, 25, 33, 34], "maxpersamplebyt": [2, 4, 34], "16mb": 2, "maxtotalbyt": [2, 4, 34], "512mb": 2, "maxsamplecount": [2, 4], "200000": 2, "7z": [2, 3, 4, 8, 10, 11, 12, 13, 25, 29, 30, 31, 33, 34, 35], "nolimit": [2, 4, 12, 34], "written": [2, 4, 6, 9, 13, 15, 17, 19, 29], "reli": [2, 4, 9, 22, 23, 33], "constraint": [2, 4], "absenc": [2, 5, 7, 28], "either": [2, 4, 9, 16, 17, 19, 24, 35], "upper": 2, "silent": 2, "dynam": [2, 16], "similar": [2, 6, 34], "mandatori": 2, "trigger": [2, 12, 15, 17, 29, 35], "consid": [2, 9, 21, 28], "part": [2, 4, 12, 16, 22, 24, 26, 28], "start": [2, 3, 7, 10, 11, 13, 14, 16, 24, 30, 31, 34], "format": [2, 4, 6, 10, 11, 13, 21, 25, 33], "utf16": [2, 9, 19], "time": [2, 3, 4, 6, 7, 13, 21, 24, 31, 32, 34, 35], "processid": 2, "parentid": 2, "utf8": [2, 9, 13, 19, 34], "been": [2, 4, 16, 17, 21, 24, 28, 34], "see": [2, 6, 7, 9, 10, 13, 16, 19, 29, 33, 34, 35], "warn": [2, 7, 13, 15, 29, 35], "integ": [2, 4, 17, 20], "maximum": [2, 3, 4, 7, 10, 13, 19, 28, 35], "number": [2, 4, 6, 7, 9, 13, 16, 20, 35], "expect": [2, 4, 7, 8, 12, 21, 35], "unit": [2, 4, 21, 28, 31], "b": [2, 4, 6, 31], "gb": [2, 4], "cannot": [2, 4, 9, 13, 15, 16, 19, 24, 28, 29, 32], "until": [2, 4, 16, 35], "uncompress": [2, 4], "cumul": [2, 4, 34], "reach": [2, 4, 35], "explicitli": [2, 4, 19, 24, 29, 35], "meaning": [2, 4, 21], "combin": [2, 3, 4, 5, 7, 9, 13, 17, 28, 29, 34, 35], "mainli": 2, "make": [2, 3, 7, 17], "complet": [2, 4, 6, 7, 9, 11, 13, 16, 17, 21, 23, 29, 34, 35], "place": [2, 9, 17, 34], "abl": [2, 4, 7, 9, 10, 21, 23, 29, 32, 35], "prepar": 2, "toolemb": [2, 12, 14, 22, 24, 33, 34], "later": [2, 4, 11], "forward": 2, "flushregistri": [2, 4, 34], "temporari": [2, 4, 12, 13, 21, 34, 35], "d": [2, 3, 5, 6, 7, 9, 16, 17], "return": [2, 6, 7, 9, 13], "still": [2, 4, 9, 16, 32], "low": [3, 13, 18, 24, 29, 34], "level": [3, 4, 10, 14, 16, 17, 19, 24, 25, 32, 35], "boot": [3, 16, 23], "sector": [3, 7, 16, 23], "partit": [3, 7, 22, 25], "tabl": [3, 7, 9, 12, 16, 22, 23, 34], "slack": [3, 22], "space": [3, 4, 6, 11, 13, 21, 22], "request": [3, 12, 23, 24], "dump": [3, 7, 9, 16, 34, 35], "metadata": [3, 7, 22, 23], "column": [3, 4, 8, 9, 11], "dumpdescript": 3, "mbr": [3, 22], "gpt": 3, "primari": [3, 24], "dumpnam": 3, "dumpoffset": 3, "offset": [3, 7, 16], "region": [3, 20], "dumpsiz": 3, "readingtim": 3, "diskinterfaceus": 3, "actual": [3, 6, 8, 9, 13, 16, 17, 20, 28, 34], "disksectors": 3, "concaten": 3, "replac": [3, 4, 31], "_": [3, 4, 7, 15, 29, 35], "_off_": 3, "_len_": 3, "length": [3, 4, 16, 17], "efi": 3, "uefi": 3, "master": [3, 7, 12, 16, 22, 23, 34], "vbr": [3, 22], "backup": 3, "ipl": 3, "initi": 3, "program": [3, 4, 6, 7, 14, 16, 24, 35], "loader": 3, "portion": 3, "bin": [3, 4, 16], "__": 3, "_physicaldrive0_off_0_len_512_mbr": 3, "bootcod": 3, "someth": 3, "least": [3, 4, 7, 14, 17, 20, 28], "amongst": [3, 17], "window": [3, 4, 7, 8, 13, 16, 17, 21, 24, 25, 29, 31, 34, 35], "physicaldrive0": [3, 7, 16, 31], "myimag": [3, 16], "propos": [3, 5, 7, 12, 24, 28], "sens": [3, 7, 29, 35], "predefin": 3, "logic": [3, 4, 7, 9], "cf": [3, 13, 15, 29, 31, 34, 35], "http": [3, 6, 12, 28, 29, 34, 35], "en": [3, 5, 6, 29, 31], "wikipedia": 3, "org": [3, 19, 29, 35], "wiki": 3, "off": [3, 15, 29, 35], "entir": [3, 9, 25, 28, 34], "400m": 3, "larger": [3, 4], "truncat": [3, 15, 29, 35], "outsid": 3, "5mb": 3, "unalloc": 3, "activ": [3, 4, 16, 21, 23, 24, 31, 35], "extent": [3, 4, 7, 14, 23], "512": [3, 4, 7, 9, 16], "interfac": [3, 13, 16], "setupapi": 3, "inde": [3, 7, 17, 32, 34], "attempt": [3, 13, 16, 32], "lowest": [3, 6, 16], "mode": [3, 7, 13, 15, 16, 29, 31, 35], "mean": [3, 13, 14, 17, 28, 29, 35], "open": [3, 4, 8, 9, 23, 24, 29, 35], "usual": [3, 7, 12, 14, 19, 21, 24, 34, 35], "bu": 3, "disabl": [3, 13, 15, 16, 29, 35], "assist": 4, "evolv": [4, 24], "while": [4, 6, 16, 17, 34], "onc": [4, 12, 16, 24, 34, 35], "potenti": [4, 6, 10, 14, 16, 21, 24, 28], "copi": [4, 6, 7, 10, 25, 28, 29, 34, 35], "abil": [4, 10, 16, 23, 32], "variou": [4, 7, 17, 21, 24, 29], "condit": [4, 5, 17, 28], "pattern": [4, 9, 15, 29, 35], "restrict": [4, 15, 16, 23, 29], "interest": [4, 16, 17], "algorithm": [4, 9, 25], "bypass": 4, "lock": [4, 6, 9, 20, 23, 32], "permiss": [4, 6, 9, 32], "therefor": [4, 9, 17, 24], "registri": [4, 9, 13, 17, 21, 22, 24], "pagefil": [4, 20, 31, 32], "hyberfil": 4, "acl": [4, 23], "exclus": [4, 5, 16, 17, 28, 29], "right": [4, 34], "share": [4, 9, 12, 20, 23, 28, 29, 35], "malwar": [4, 16, 23], "api": [4, 7, 9, 21, 29], "hook": [4, 9, 16], "made": [4, 28], "k": [4, 13, 20, 35], "segment": [4, 7, 23], "directli": [4, 9, 10, 13, 15, 23, 26, 28, 33, 34, 35], "via": [4, 9, 16, 28, 33, 34], "handl": [4, 16, 24], "avoid": [4, 12, 13, 16, 24], "violat": 4, "strict": [4, 21, 23], "dacl": [4, 23], "issu": [4, 9, 19, 21, 24, 28], "prevent": [4, 13, 16, 29, 32, 35], "interfer": [4, 28], "anti": [4, 19], "viru": 4, "recommend": [4, 9, 13, 29], "password": [4, 25, 29, 35], "protect": [4, 5, 12, 19, 28], "encrypt": [4, 12, 13, 16, 19, 21, 29, 34, 35], "occur": [4, 32, 35], "memori": [4, 20, 21, 32, 35], "befor": [4, 9, 10, 13, 14, 16, 21, 24, 29, 34, 35], "clear": [4, 13, 33], "text": [4, 13, 29, 33], "hit": [4, 17], "white": 4, "charact": [4, 9, 17, 25], "underscor": 4, "deprec": [4, 6, 15, 23], "case": [4, 9, 13, 16, 17, 28, 29, 32, 35], "xor": 4, "prefix": [4, 9, 17], "xor_": 4, "xorpattern": 4, "unxor": 4, "preserv": [4, 35], "reason": [4, 11, 21, 24, 32, 34], "keyword": [4, 29, 31, 34, 35], "append": [4, 34, 35], "what": [4, 7, 10, 12, 13, 21, 34], "alreadi": [4, 9, 13, 19, 32, 34, 35], "suffix": [4, 20, 35], "_1_data": 4, "_2_data": 4, "so": [4, 17, 28, 34, 35], "kernel32": 4, "0000000000000026_kernel32": 4, "dll_data": 4, "0000000000000026": 4, "0x0badf00d": 4, "xor_0badfood_0000000000000026_kernel32": 4, "fulli": [4, 35], "grasp": 4, "repres": [4, 9, 16, 21, 35], "complic": 4, "organ": [4, 21, 24], "samplenam": 4, "correspond": [4, 12, 17, 19, 34], "findmatch": 4, "were": [4, 6, 16, 24, 34], "satisfi": [4, 28], "contenttyp": 4, "filenamelastattrmodificationd": [4, 6], "attrtyp": 4, "attrnam": 4, "attrid": 4, "ssdeep": [4, 6], "fuzzi": [4, 6], "yararul": 4, "mutual": 4, "manner": [4, 16, 22, 24, 34], "etih": 4, "prefer": [4, 9], "better": [4, 9], "especi": [4, 9], "git": [4, 15, 34], "20m": [4, 7], "20": [4, 7, 31], "getthissampl": 4, "50mb": 4, "15000": 4, "1024mb": 4, "150": 4, "150mb": 4, "wstcodec": 4, "notdll": 4, "80mb": 4, "is_not_dl": 4, "7zip": [4, 10, 19, 33, 35], "modulo": 4, "suppli": [4, 17, 28], "typicalconfig": 4, "reportal": [4, 34], "otherwis": [4, 7, 16, 17, 29, 35], "nevertheless": [4, 28], "just": [4, 7, 9, 10, 34], "li": 4, "being": [4, 12, 13, 21, 23, 34, 35], "state": [4, 24, 28, 29, 31], "applic": [4, 16, 21, 23, 35], "cach": 4, "structur": 4, "mai": [4, 6, 12, 13, 17, 20, 21, 28], "incorrect": [4, 7], "incomplet": 4, "corrupt": 4, "appropri": [4, 7, 12, 13, 16, 21, 24, 32], "volatil": 4, "high": [4, 13, 15, 29], "fidel": 4, "you": [4, 6, 7, 17, 21, 34], "call": [4, 6, 7, 9, 12, 21, 23, 34], "regflushkei": 4, "hkey_us": 4, "hkey_local_machin": 4, "reliabl": [4, 21, 22, 24], "hash1": 4, "suppress": 4, "There": [4, 9, 10, 16, 22, 34], "fuzzyhash": [4, 6], "none": [4, 7, 10, 13, 19, 29, 35], "fhash1": 4, "pathtodirorarch": 4, "virus": [4, 19], "control": [4, 7, 9, 13, 19, 21, 24, 31, 32, 35], "amount": [4, 13, 21, 24, 28, 35], "global": [4, 5, 13, 16, 17, 34, 35], "local": [4, 12, 13, 14, 15, 16, 24, 30, 31, 35], "closest": 4, "taken": [4, 9, 16, 34, 35], "account": [4, 16, 34, 35], "futur": [4, 7, 16], "unless": 4, "waiv": 4, "500mb": [4, 34], "stop": [4, 7, 35], "them": [4, 9, 12, 20, 26, 32, 34], "addition": 4, "singl": [4, 8, 12, 24, 35], "50": [4, 7], "500": 4, "top": [4, 7, 17, 21], "notic": 4, "impos": [4, 17, 21, 34], "individu": [4, 20, 28, 29, 35], "bound": 4, "80": 4, "total": [4, 13, 34], "context": [4, 13, 24, 35], "influenc": [4, 14, 24], "realiz": 4, "ascii": [4, 17], "unicod": [4, 9], "min": 4, "max": 4, "rang": 4, "minimum": [4, 24], "int": 4, "By": [4, 13], "1024": [4, 17], "compress": [4, 10, 21, 25, 33, 35], "5": [4, 7, 13, 24, 31, 35], "buffer": [4, 20], "second": [4, 9, 20, 21, 34], "utf": 4, "_data": 4, "_string": 4, "_raw": 4, "classic": [4, 10, 34], "lot": [4, 20, 24, 35], "precis": [4, 9, 17, 34], "scope": [4, 17, 34], "whole": [4, 12, 17, 21, 24], "within": [4, 13, 15, 16, 17, 28, 32], "given": [4, 10, 16, 20, 24, 34], "dure": [4, 10, 13, 20, 34, 35], "triag": [4, 24], "anad": 4, "aka": 4, "anea": 4, "ea": [4, 6, 17], "rather": [4, 16, 24, 32], "sake": 4, "cabinet": [4, 19], "recognit": [4, 28], "pathtocab": 4, "need": [4, 9, 10, 12, 13, 17, 20, 21, 29, 32, 34, 35], "xore": 4, "xor_xorpattern": 4, "xor_pattern": 4, "ker": 4, "drive": [4, 6, 7, 9, 25, 29], "calc": 4, "hostfilenam": 4, "ea_match": [4, 17], "le": [5, 28], "conc\u00e9dant": 5, "conc\u00e8d": 5, "au": 5, "r\u00e9utilisateur": 5, "un": 5, "exclusif": 5, "et": [5, 28], "gratuit": 5, "libr": 5, "objet": 5, "fin": 5, "commercial": 5, "ou": 5, "dan": 5, "mond": 5, "entier": 5, "pour": 5, "dur\u00e9": 5, "illimit\u00e9": 5, "exprim\u00e9": 5, "ci": 5, "dessou": 5, "est": 5, "communiqu": 5, "reproduir": 5, "copier": 5, "adapt": [5, 12, 28, 31, 34], "modifi": [5, 6, 7, 12, 13, 28, 32, 34], "extrair": 5, "transform": [5, 9, 28], "notam": 5, "cr\u00e9er": 5, "d\u00e9riv\u00e9": 5, "diffus": 5, "redistribu": 5, "publier": 5, "transmettr": 5, "exploit": [5, 28], "titr": 5, "commerci": [5, 28], "par": 5, "exempl": 5, "avec": 5, "autr": 5, "incluant": 5, "votr": 5, "propr": 5, "produit": 5, "r\u00e9serv": 5, "mentionn": 5, "paternit\u00e9": 5, "sa": 5, "minima": 5, "nom": 5, "du": 5, "derni\u00e8r": 5, "mise": 5, "jour": 5, "r\u00e9utilis\u00e9": 5, "peut": 5, "acquitt": 5, "indiqu": 5, "adress": 5, "url": 5, "renvoy": 5, "ver": 5, "assur": 5, "mention": 5, "effect": [5, 13, 23, 29, 34], "siren": 5, "inse": 5, "www": [5, 6, 19, 28], "fr": [5, 24, 28], "ne": 5, "doit": 5, "ni": 5, "conf\u00e9rer": 5, "officiel": 5, "sugg\u00e9rer": 5, "quelconqu": 5, "reconnaiss": 5, "caution": 5, "tout": 5, "entit\u00e9": 5, "publiqu": 5, "disposit": [5, 15, 29, 35], "contenir": 5, "pouvant": 5, "fair": 5, "alor": 5, "tou": 5, "moyen": 5, "leur": 5, "pr\u00e9senc": 5, "\u00eatre": 5, "librement": 5, "san": 5, "obstacl": 5, "aux": 5, "libert\u00e9": 5, "accord\u00e9": 5, "respect": [5, 13, 16, 17, 20, 28, 34], "cadr": 5, "l\u00e9gal": 5, "relatif": 5, "il": 5, "garanti": 5, "que": 5, "contient": 5, "pa": 5, "apparten": 5, "tier": 5, "qui": 5, "pourraient": 5, "lui": 5, "sont": 5, "\u00e9ventuel": 5, "d\u00e9tenu": 5, "sur": 5, "font": 5, "lorsqu": 5, "d\u00e9tient": 5, "c\u00e8de": 5, "fa\u00e7on": 5, "gracieux": 5, "usag": [5, 21, 24, 25, 34], "conform\u00e9": 5, "d\u00e9fini": 5, "tell": 5, "re\u00e7u": 5, "tacit": [5, 28], "pr\u00e9vue": 5, "d\u00e9faut": 5, "erreur": 5, "contenu": 5, "comm": 5, "fournitur": 5, "continu": [5, 28], "tenu": 5, "respons": [5, 24, 28, 34], "pert": 5, "pr\u00e9judic": 5, "dommag": 5, "quelqu": 5, "sort": [5, 6, 28], "caus\u00e9": 5, "fait": 5, "seul": 5, "induir": 5, "quant": 5, "r\u00e9gie": 5, "fran\u00e7ai": 5, "ell": 5, "\u00e9t\u00e9": 5, "con\u00e7u": 5, "compat": [5, 13], "exig": 5, "ant\u00e9rieur": 5, "ainsi": 5, "qu": 5, "govern": [5, 28], "ogl": [5, 28], "royaum": 5, "uni": 5, "creativ": [5, 28], "common": [5, 16, 24, 28], "cc": [5, 28], "BY": [5, 28], "odc": [5, 28], "knowledg": [5, 28], "foundat": [5, 28], "consid\u00e9r\u00e9": 5, "sen": 5, "personn": 5, "figur": [5, 12], "communiqu\u00e9": 5, "publi\u00e9": 5, "administr": [5, 8, 12, 13, 16, 24, 28, 32, 34], "mentionn\u00e9": 5, "premier": 5, "alin\u00e9a": 5, "articl": [5, 28], "300": [5, 28], "crpa": [5, 28], "selon": 5, "term": [5, 9, 17, 28], "utilis": 5, "cell": 5, "lesquel": 5, "se": [5, 22], "rapport": 5, "physiqu": 5, "identifi\u00e9": 5, "direct": [5, 9, 12, 24], "indirect": [5, 10], "subordonn\u00e9": 5, "juridiqu": 5, "vigueur": 5, "nouvel": 5, "cr\u00e9\u00e9e": 5, "partir": 5, "combinaison": 5, "soumis": 5, "tel": 5, "auteur": 5, "voisin": 5, "sui": [5, 28], "generi": [5, 28], "producteur": 5, "vocat": 5, "utilis\u00e9": 5, "\u00e9galement": 5, "souhait": 5, "mettr": 5, "franc": [5, 28], "dot\u00e9": 5, "visant": 5, "spontan\u00e9": 5, "afin": 5, "permettr": 5, "plu": [5, 21, 34], "r\u00e9gi": 5, "entr": [5, 28], "public": [5, 24, 28, 31, 34], "\u00e9ch\u00e9ant": 5, "patrimoin": 5, "livr": 5, "ii": 5, "facilit": [5, 28], "parmi": 5, "peuvent": 5, "vertu": 5, "d\u00e9cret": 5, "pri": 5, "323": [5, 28], "etalab": [5, 28], "mission": [5, 28], "charg\u00e9": 5, "autorit\u00e9": 5, "ministr": 5, "ouvrir": 5, "grand": 5, "nombr": 5, "\u00e9tat": 5, "\u00e9tabliss": 5, "r\u00e9alis\u00e9": 5, "ce": 5, "l321": 5, "facult\u00e9": 5, "cepend": 5, "pourront": 5, "dispon": 5, "walk": [6, 7, 23], "differ": [6, 7, 9, 12, 17, 21, 34], "techniqu": [6, 9, 24], "usn": [6, 11, 22, 25, 34], "journal": [6, 7, 11, 13, 22, 23, 34], "Their": 6, "implement": [6, 11, 25], "between": [6, 10, 12, 16, 20, 23, 34], "approach": [6, 26], "file_nam": [6, 7, 17, 23], "adss": 6, "referenc": [6, 10, 14, 24, 34], "0x00db00000002442b": 6, "long": [6, 9, 21], "altern": [6, 35], "stream": [6, 7, 17], "zone": 6, "sever": [6, 17, 24, 34, 35], "particular": [6, 17], "itself": [6, 9, 10, 12, 13, 16, 21, 23, 24], "five": 6, "filenamelastdatamodificationd": 6, "ownersid": 6, "sid": [6, 31], "owner": 6, "secdescrid": 6, "descriptor": 6, "shortnam": 6, "_not_": 6, "storag": [6, 13, 16], "area": [6, 21], "extendedattribut": 6, "colon": 6, "extend": [6, 17, 22], "updat": [6, 25, 28, 32], "sequenc": [6, 12], "index": [6, 29, 35], "filenameflag": [6, 7], "posix": 6, "dos83": 6, "filenameid": [6, 7], "dataid": 6, "createfil": [6, 23], "ownerid": [6, 7], "quota": 6, "filenameindex": 6, "dataindex": 6, "tlsh": 6, "trend": 6, "micro": 6, "signedhash": 6, "flag": [6, 7, 9], "letter": [6, 7, 16], "file_attribute_arch": 6, "file_attribute_compress": 6, "file_attribute_directori": 6, "file_attribute_encrypt": 6, "file_attribute_hidden": 6, "h": [6, 19, 34], "file_attribute_norm": 6, "file_attribute_offlin": 6, "file_attribute_readonli": 6, "r": [6, 7, 31], "file_attribute_reparse_point": 6, "l": [6, 7, 28], "file_attribute_sparse_fil": 6, "p": [6, 29, 35], "file_attribute_system": 6, "file_attribute_temporari": 6, "t": [6, 7, 19, 34], "file_attribute_virtu": 6, "v": [6, 7], "file_attribute_devic": 6, "file_attribute_not_content_index": 6, "file_attribute_integrity_stream": 6, "file_attribute_no_scrub_data": 6, "file_attribute_ea": 6, "file_attribute_pin": 6, "file_attribute_unpin": 6, "u": [6, 7, 29, 31, 34], "file_attribute_recall_on_open": 6, "file_attribute_recall_on_data_access": 6, "doc": [6, 29], "com": [6, 12, 29, 31, 34, 35], "fileio": 6, "constant": 6, "hostfrn": 6, "host": [6, 25], "child": [6, 13, 35], "lowestvcn": [6, 7], "virtual": [6, 7], "cluster": 6, "vcn": 6, "cover": [6, 7], "unus": 6, "standard_inform": [6, 7, 17], "attribute_list": [6, 17], "object_id": [6, 7, 17], "security_descriptor": [6, 17], "volume_nam": [6, 17], "volume_inform": [6, 17], "index_root": [6, 7, 17], "index_alloc": [6, 17], "bitmap": [6, 17], "reparse_point": [6, 17], "ea_inform": [6, 17], "logged_utility_stream": [6, 17], "first_user_defined_attribut": [6, 17], "attribute_flag_compression_mask": 6, "0x00ff": 6, "attribute_flag_spars": 6, "0x8000": 6, "attribute_flag_encrypt": 6, "0x4000": 6, "carvedentri": 6, "y": [6, 7, 17], "carv": 6, "vss": [6, 9, 16], "kindofd": 6, "natur": [6, 21, 28], "hold": [6, 28], "creationtim": [6, 7], "lastmodificationtim": [6, 7], "lastaccesstim": [6, 7], "lastchangetim": [6, 7], "sd": 6, "sddl": 6, "secdescrs": 6, "declar": 6, "getsecuritydescriptorlength": 6, "normaliseds": 6, "normalis": 6, "convertstringsecuritydescriptortosecuritydescriptor": 6, "datas": [6, 7], "blob": 6, "htm": 6, "ntfsinfoconfig": 6, "choic": [6, 10, 12, 16, 21], "veri": [6, 17, 21, 34], "faster": [6, 9, 23], "certain": [6, 9, 13], "circumst": 6, "maintain": 6, "slow": [6, 21], "out": [6, 7, 12, 16, 19, 24, 28, 34], "view": [6, 24, 29, 35], "sub": [6, 10], "fine": [6, 24], "grain": 6, "author": [6, 27, 28, 31], "thumbprint": 6, "regard": [6, 13, 19], "easiz": 6, "pre": [6, 12], "freed": 6, "deepscan": 6, "pehash": 6, "refnum": 6, "built": [6, 34], "action": 6, "know": [6, 21, 34], "volumesentri": 6, "swiss": 7, "armi": 7, "knife": 7, "investig": [7, 24], "expans": 7, "inspect": [7, 9, 16], "output": [7, 13, 14, 21, 25, 31, 33, 34], "util": [7, 22], "39": 7, "11": 7, "878": 7, "utc": [7, 13, 31, 34], "desktop": [7, 13, 16, 24, 29, 34], "8b106qg": 7, "32": [7, 10, 30, 32, 34, 35], "33554432": 7, "alloc": 7, "delta": 7, "8388608": 7, "finish": [7, 13, 24, 34], "elaps": [7, 13, 34, 35], "msec": [7, 13, 34], "maxsiz": 7, "allocdelta": 7, "sizeatleast": 7, "noth": [7, 34], "abov": [7, 12, 16, 17, 24, 29, 34, 35], "multipli": [7, 17, 20, 35], "1k": [7, 17], "1g": [7, 17, 35], "quit": [7, 24], "suit": [7, 12, 13, 16, 21, 24, 32, 34], "ambit": 7, "safe": [7, 24], "increas": 7, "new": [7, 10, 21, 24, 28, 33, 34, 35], "expand": [7, 16, 35], "obvious": 7, "plan": 7, "sometim": [7, 34], "40m": 7, "512k": 7, "100m": 7, "12m": 7, "03": 7, "40": 7, "492": 7, "41943040": 7, "10485760": 7, "successfulli": [7, 12], "100": 7, "104857600": [7, 17], "12582912": 7, "523": 7, "31": [7, 31], "45": 7, "260": 7, "orblvtg": [7, 13], "seem": [7, 19, 34], "augment": [7, 10, 34], "behav": [7, 34], "bug": [7, 24], "underli": 7, "deal": [7, 16, 20, 24], "architectur": [7, 10, 14, 21, 24, 31], "54": 7, "220": 7, "hr": 7, "0x80042302": 7, "initialis": 7, "servic": [7, 9, 24, 28, 31], "caus": [7, 16, 28], "error": [7, 8, 13, 15, 28, 29, 32, 35], "mimic": 7, "wolflauch": 7, "choos": [7, 16, 26, 34], "unconfigur": [7, 10, 12, 25, 33, 34], "orc_x64": [7, 10, 12, 25, 30, 31, 34], "23": 7, "755": 7, "guid": [7, 16, 24], "dde981e2": 7, "0b1d": 7, "41d8": 7, "8ca5": 7, "ba4d87b7d2ca": 7, "globalroot": [7, 16], "harddiskvolumeshadowcopy1": 7, "4cada720": 7, "c048": 7, "4361": 7, "96f8": 7, "56ae661f8fca": 7, "24": 7, "36": 7, "44": 7, "481": 7, "vss_volsnap_attr_persist": 7, "vss_volsnap_attr_client_access": 7, "vss_volsnap_attr_no_auto_releas": 7, "vss_volsnap_attr_differenti": 7, "vss_volsnap_attr_autorecov": 7, "a90ec9f3": 7, "2125": 7, "4c12": 7, "9579": 7, "0f5acee8e6a4": 7, "harddiskvolumeshadowcopy2": 7, "37": 7, "722": 7, "978": 7, "219": 7, "anoth": [7, 8, 9, 16, 22, 34], "treat": [7, 17], "live": [7, 12, 20, 21, 34, 35], "familiar": 7, "offer": [7, 21], "247": 7, "initalis": 7, "functionatil": 7, "fonction": 7, "0x80070001": 7, "ioctl_storage_query_properti": 7, "storageaccessalignmentproperti": 7, "harddiskvolume16": 7, "bd14675a": 7, "c284": 7, "11e9": 7, "8e1b": 7, "fb1948d83d59": 7, "serial": [7, 31], "0x40b699c7b699bdba": 7, "diskinterfacevolum": 7, "scsi": [7, 16], "ven_toshiba": 7, "prod_mq01acf050": 7, "4": [7, 24, 31], "132ac043": 7, "000000": 7, "53f56307": 7, "b6bf": 7, "11d0": 7, "94f2": 7, "00a0c91efb8b": 7, "1048576": [7, 16, 19], "523238912": 7, "physicaldrivevolum": 7, "mountedvolum": 7, "harddiskvolume1": 7, "0x4a9b3ee8": 7, "524288000": 7, "104857088": 7, "fat32": 7, "harddiskvolume2": 7, "0x60669db9669d9080": 7, "645922816": 7, "499461914112": 7, "harddiskvolume4": 7, "0x692a9cf683ceb91": 7, "usbstor": [7, 16], "ven": 7, "prod_usb_disk_2": 7, "rev_pmap": 7, "90007947c54f9a42": 7, "7745830912": 7, "physicaldrive1": 7, "357": 7, "110": 7, "explan": 7, "why": [7, 10, 16, 21, 34], "messag": [7, 8, 13, 15, 29, 32, 35], "paragraph": [7, 28, 34], "On": [7, 10, 12, 16, 21, 24, 35], "third": [7, 9, 21, 28], "fourth": 7, "come": [7, 16, 24], "address": [7, 15, 21, 24, 29, 31], "shortli": [7, 24], "pertain": 7, "queri": [7, 9], "hardwar": 7, "properti": [7, 24], "physic": [7, 9, 25, 31, 35], "ioctl_disk_get_drive_geometry_ex": 7, "interpret": [7, 9, 11], "reader": 7, "desir": [7, 9], "579": 7, "0x100000": 7, "0x1f3ffe00": 7, "0x1f2ffe00": 7, "esp": 7, "0x1f400000": 7, "0x257ffe00": 7, "0x63ffe00": 7, "microsoft_reserv": 7, "0x25800000": 7, "0x267ffe00": 7, "0xfffe00": 7, "0x26800000": 7, "0x7470bffe00": 7, "0x744a3ffe00": 7, "physicaldrive_0_offset_1048576": 7, "physicaldrive_0_offset_524288000": 7, "physicaldrive_0_offset_629145600": 7, "physicaldrive_0_offset_645922816": 7, "593": 7, "70th": 7, "70": 7, "22": [7, 13, 31], "280": 7, "0x0001000000000046": 7, "fileattribut": [7, 11], "630": 7, "964": 7, "53": 7, "093": 7, "securityid": 7, "265": 7, "parentdirectori": 7, "0x0001000000000028": 7, "file_name_win32": 7, "file_name_dos83": 7, "indexedattributetyp": 7, "sizeperindex": 7, "4096": 7, "blocksperindex": 7, "indexedattrown": 7, "0x0001000000000047": 7, "022": 7, "autoru": 7, "0x0001000000000049": 7, "475": 7, "473": 7, "600": 7, "sec": 7, "329": 7, "These": [7, 10, 12, 13, 24], "easili": [7, 13, 24], "0x000100000000049": 7, "672": 7, "nr": 7, "266": 7, "datanam": 7, "0x00000000005d8600": 7, "allocateds": 7, "0x00000000005d9000": 7, "0x000000000d295000": 7, "785": 7, "109": 7, "752": 7, "4d": 7, "5a": [7, 29, 34], "90": 7, "ff": 7, "mz": [7, 17, 34], "0016": 7, "b8": 7, "0032": 7, "0048": 7, "0064": 7, "0e": 7, "1f": 7, "ba": 7, "b4": 7, "cd": [7, 34], "21": [7, 31], "4c": 7, "68": 7, "th": [7, 16], "0080": 7, "69": 7, "73": 7, "72": 7, "6f": 7, "67": 7, "61": 7, "6d": 7, "63": 7, "6e": [7, 31], "canno": 7, "0096": 7, "74": 7, "62": 7, "65": 7, "75": 7, "4f": 7, "0112": 7, "2e": 7, "0d": 7, "0a": 7, "0128": 7, "55": [7, 34], "d2": 7, "e6": 7, "79": 7, "b3": 7, "2a": 7, "0144": 7, "a5": 7, "2f": 7, "1e": 7, "7b": 7, "aa": 7, "0160": 7, "7a": 7, "0f": 7, "cb": 7, "z": 7, "0176": 7, "8f": 7, "43": [7, 15, 30], "db": 7, "8c": 7, "2b": 7, "35": 7, "0192": 7, "8b": 7, "1a": 7, "0b": 7, "0208": 7, "8d": 7, "9": [7, 25], "25": [7, 31], "444": 7, "storageaccessalignmentprop": 7, "ty": 7, "256": [7, 31], "ofset": 7, "0x0000000000004000": 7, "0x0000000000040000": 7, "0x00000000000000": 7, "insequ": 7, "162": 7, "28": 7, "meta": 7, "incl": 7, "protector": 7, "onlin": [7, 9], "129256914944": 7, "380912008704": 7, "sectors": 7, "0x4d00000": 7, "65536": 7, "0x44d00000": 7, "0x84d00000": 7, "407896064": 7, "128849018368": 7, "0x30bb24000": 7, "0x30bb34000": 7, "0x30bb44000": 7, "393836756992": 7, "0x4e00000": 7, "0x44e00000": 7, "0x84e00000": 7, "offlin": [7, 9, 25], "vhd": 7, "16777216": 7, "hyper": 7, "0x2200000": 7, "0x9200000": 7, "0x10200000": 7, "oper": [8, 10, 13, 21, 29, 31, 34, 35], "session": [8, 21], "windowst": 8, "keyedev": 8, "callback": 8, "job": [8, 13, 21, 29, 32, 35], "semaphor": 8, "alpcport": 8, "filterconnectionport": 8, "alwai": [8, 9, 12, 24, 35], "fastfind": [8, 9, 16, 17, 19, 20, 21, 22, 24], "umdfcommunicationport": 8, "enough": 8, "privileg": [8, 12, 24, 29, 32, 34], "without": [9, 10, 12, 16, 22, 24, 28, 34], "simpli": [9, 12, 16], "work": [9, 12, 16, 24, 26, 34, 35], "capabl": 9, "That": [9, 13], "give": 9, "evad": [9, 19], "hide": 9, "accomplish": [9, 21], "independ": [9, 17, 21], "parti": [9, 21, 24, 28], "librari": [9, 21, 31], "permit": [9, 35], "cross": [9, 21], "produc": [9, 28, 34, 35], "kind": [9, 24, 28, 34], "ddmp": 9, "whose": [9, 16, 17, 29, 35], "exce": 9, "threshold": 9, "templatenam": 9, "searchterm": 9, "criteria": [9, 12, 21], "keynam": 9, "keytre": 9, "valuenam": 9, "valuetyp": 9, "values": 9, "valueflag": 9, "explain": [9, 12, 14, 17, 26, 33, 34], "valuedata": 9, "valuedumpfil": 9, "field": [9, 17], "alongsid": [9, 13], "self": [9, 10, 33, 34, 35], "explanatori": 9, "four": 9, "value_pres": 9, "value_notinh": 9, "flush": [9, 34, 35], "value_hasbadchar": 9, "printabl": 9, "value_dumpfil": 9, "too": [9, 10, 13], "reginfo_config": 9, "reginfo_output": 9, "filefind": 9, "key_path_regex": 9, "controlset001": 9, "value_regex": 9, "currentmajorversionnumb": 9, "data_hex": 9, "0000000a": 9, "tsv": 9, "insensit": [9, 13, 29], "fill": [9, 11], "highli": 9, "capit": 9, "reginfo_templ": 9, "runonc": 9, "previous": [9, 17, 34], "AND": [9, 17], "exact": [9, 16, 21], "key_regex": 9, "regular": [9, 17], "tree": 9, "value_typ": 9, "content": [9, 17, 20, 23, 28, 33, 34, 35], "hexadecim": [9, 11, 17], "dword": 9, "qword": 9, "data_regex": 9, "data_size_gt": 9, "greater": [9, 17], "data_size_g": 9, "equal": [9, 17], "data_size_lt": 9, "lower": [9, 32], "data_size_l": 9, "data_contain": 9, "sensit": [9, 17, 21], "data_contains_hex": 9, "reg_non": 9, "reg_sz": 9, "reg_binari": 9, "reg_dword": 9, "reg_dword_little_endian": 9, "reg_dword_big_endian": 9, "reg_link": 9, "reg_multi_sz": 9, "reg_ressource_list": 9, "reg_full_ressource_descriptor": 9, "reg_ressource_requirements_list": 9, "reg_qword": 9, "reg_qword_little_endian": 9, "method": [9, 12, 13, 20, 29, 32, 35], "input": [9, 12, 21], "multi": 9, "sz": 9, "yet": [9, 34], "0x": [9, 17], "compar": 9, "except": [9, 10, 17, 34, 35], "correct": [9, 34], "endian": 9, "ansi": [9, 17], "despit": 9, "comparison": [9, 17], "regex": 9, "less": [9, 17, 23, 34], "compact": 9, "ecmascript": 9, "forbidden": 9, "thu": [9, 12, 13, 16, 21, 24, 32, 33, 34], "fix": [9, 24, 31], "boyermoor": 9, "suffici": [9, 34], "subkei": 9, "understand": [10, 14, 24], "tutori": [10, 14], "how": [10, 12, 14, 17, 21, 34], "reconfigur": [10, 34], "daili": [10, 34], "life": 10, "repositori": [10, 12, 24, 27, 34], "github": [10, 12, 24, 27, 34], "script": [10, 13, 17, 21], "cmd": [10, 34], "essenti": 10, "few": [10, 14], "thank": 10, "illustr": [10, 34], "scenario": [10, 12, 14, 34], "layout": 10, "orc_x86": [10, 12, 33, 34], "arg": 10, "wolflaunch": [10, 12, 13, 14, 15, 24, 29, 30, 31, 33, 34], "wolflauncher_config": [10, 33], "orc_config": [10, 34], "gethives_config": 10, "getuserhives_config": 10, "getsamhive_config": 10, "getevents_config": [10, 33], "ntfsinfo_config": [10, 34, 35], "ntfsinfohashpe_config": 10, "fatinfo_config": 10, "fatinfohashpe_config": 10, "getartefacts_config": 10, "getyarasamples_config": [10, 34], "ruleset": [10, 20, 34], "yara": [10, 12, 13, 17, 25, 34], "ultra": [10, 13, 19, 33, 35], "necessari": [10, 24, 34], "orc_emb": [10, 34], "dir": [10, 31, 35], "mothership": [10, 12, 30, 33], "remain": [10, 16, 24, 35], "unmodifi": [10, 29], "compulsori": [10, 29], "contrari": 10, "irrelev": 10, "overridden": [10, 12, 35], "pass": [10, 11, 15, 16, 29, 33, 35], "relaunch": 10, "schedul": [10, 12, 13, 24], "notat": [10, 16, 33], "transmit": [10, 28], "launch": [10, 12, 13, 32], "emb": [10, 12, 14, 24, 26, 33, 34], "destin": [10, 34], "intern": [10, 16], "xmllite_x86dl": [10, 33], "xmllite": [10, 33], "mechan": [10, 13], "deem": 10, "fast": [10, 13, 19, 21, 35], "fastest": [10, 13, 19, 35], "normal": [10, 13, 16, 19, 29, 35], "rel": [10, 20, 35], "revert": 10, "dumpdir": 10, "routin": 11, "fsctl_read_usn_journ": 11, "oldest": [11, 16], "fullpath": 11, "human": [11, 35], "readabl": [11, 35], "reserv": [11, 28], "much": [11, 21, 23], "ultim": 12, "orchestr": [12, 24, 34], "task": [12, 13, 35], "option": [12, 14, 17, 18, 19, 20, 21, 24, 34, 35], "final": [12, 16, 24], "upload": [12, 13, 15, 34], "central": 12, "smb": [12, 29, 35], "compil": [12, 24, 25, 34], "project": [12, 24, 34], "principl": [12, 24, 26], "framework": [12, 22, 26, 28, 34], "meant": [12, 24, 34], "extern": [12, 14, 24, 34], "your": [12, 26], "own": [12, 14, 28], "toolset": 12, "gather": [12, 14, 21, 24], "readi": [12, 14, 34], "relev": [12, 24], "dedic": [12, 24], "go": [12, 13, 29, 32, 34], "over": [12, 23, 24, 29, 34, 35], "clarifi": 12, "ntfsutil": [12, 19, 21, 22, 24, 25, 34], "usabl": [12, 24, 29, 35], "enumloc": 12, "advanc": [12, 24], "Of": [12, 24, 34], "cours": [12, 24, 34], "involv": [12, 17, 34, 35], "absent": 12, "uac": 12, "elev": [12, 13, 31, 34], "prompt": [12, 13, 34], "seen": 12, "around": [12, 24], "fiddl": 12, "nativ": [12, 25], "reexecut": 12, "shown": [12, 13], "proce": 12, "grandpar": 12, "unnecessari": 12, "children": [12, 13, 32], "subprocess": [12, 35], "sole": [13, 28], "never": 13, "often": 13, "misus": 13, "misspel": 13, "misunderstood": 13, "resili": 13, "deliv": 13, "said": 13, "myserv": 13, "myshar": 13, "mytemp": 13, "workingtemp": [13, 29, 31, 34], "visual": [13, 24, 25, 34], "956": 13, "osbuild": [13, 31, 34], "releas": [13, 31, 34], "windows10": [13, 31, 34], "profession": [13, 24], "orc_workstation_desktop": 13, "orblvt_20191022_090707": 13, "repeat": [13, 29, 34, 35], "x": [13, 17, 34, 35], "orblvtg_main": 13, "systeminfo": [13, 34], "getev": [13, 34], "autorun": [13, 21, 34], "ntfsinfohashp": [13, 34], "fatinfo": [13, 21, 22, 24, 34], "fatinfohashp": [13, 34], "usninfo": [13, 16, 21, 22, 24, 33, 34, 35], "getartefact": [13, 34], "orblvtg_hiv": 13, "getsystemh": [13, 34], "getuserh": [13, 34], "getsamh": [13, 34], "orblvtg_yara": 13, "getyara": [13, 34], "show": [13, 34], "previou": [13, 28, 35], "nor": [13, 28], "enable_kei": [13, 34], "disable_kei": [13, 34], "conjunct": 13, "debugg": [13, 15, 35], "wolf": [13, 15], "launcher": 13, "minut": [13, 35], "word": 13, "cancel": [13, 35], "termin": [13, 35], "span": [13, 34], "engin": [13, 20, 21, 25, 34, 35], "180": 13, "hour": [13, 35], "pend": [13, 35], "kill": [13, 35], "properli": 13, "close": 13, "debug": [13, 25, 29, 35], "recipi": [13, 21, 34], "pkc": [13, 21, 29, 35], "cm": [13, 21, 29, 35], "envelop": [13, 29, 35], "expens": [13, 17], "crash": [13, 21, 35], "ask": 13, "loss": [13, 28], "concurr": [13, 35], "eventu": [13, 17, 24, 34], "hang": [13, 21], "ui": [13, 32, 35], "temporarili": [13, 32], "wer": [13, 35], "reset": 13, "twice": 13, "hkey_current_us": 13, "dontshowui": 13, "experi": 13, "descript": [13, 21, 31, 33, 35], "below_normal_priority_class": [13, 18], "normal_priority_class": 13, "above_normal_priority_class": 13, "let": [13, 34], "sleep": [13, 29], "standbi": 13, "s3": 13, "power": [13, 29], "awai": [13, 32], "systemrequir": [13, 29, 34], "displayrequir": [13, 29], "userpres": [13, 29], "awaymod": [13, 29, 34], "safeti": 13, "getsampl": [13, 16, 19, 22, 24, 33, 34], "subcommand": 13, "bewar": 13, "recommand": 13, "getfoo": 13, "getbar": 13, "logon": 13, "x86": [13, 31, 33, 34], "subsequ": 13, "custom": [13, 16, 17, 24], "With": [13, 35], "create_suspend": 13, "create_breakaway_from_job": 13, "immedi": [13, 16, 21, 23, 35], "win32_process": 13, "alter": [13, 16], "job_object_limit_breakaway_ok": [13, 32], "failur": [13, 21], "breakawayfromjob": 13, "latter": [14, 16, 29], "But": [14, 34], "firstli": [14, 24, 34], "secondli": [14, 24, 34], "unleash": 14, "simultan": 15, "critic": [15, 24, 29, 32, 35], "info": [15, 29, 35], "progress": [15, 19, 24, 29], "tail": [15, 19, 29], "redirect": [15, 29], "514": [15, 29], "orc_": [15, 29, 35], "systemtyp": [15, 29, 35], "fullcomputernam": [15, 29, 35], "dev": [15, 29, 30, 35], "127": [15, 29], "2021": [15, 30], "08t17": 15, "41": 15, "200z": 15, "v10": [15, 16, 30, 31], "rc3": 15, "115": 15, "ge4123652": 15, "66613f2cdbc7fd9241eb9acabfab7a6ac19a242b": 15, "anyth": [15, 21], "quiet": 15, "path": [16, 17, 20, 23, 25, 31, 33, 34, 35], "harddiskvolume6": 16, "3f0e57c9": 16, "debc": 16, "403d": 16, "b614": 16, "feb223750981": 16, "harddisk0partition4": 16, "2199023255040": 16, "diskvbox_harddisk": 16, "105906176": 16, "37474009088": 16, "ven_kingston": 16, "62007541760": 16, "ven_msft": 16, "136362065920": 16, "userprofil": 16, "namespac": 16, "msdn": [16, 32], "recurs": 16, "subent": 16, "special": [16, 21, 24], "wildcard": 16, "resolv": [16, 31], "Then": [16, 17, 34], "download": [16, 28, 34], "convent": 16, "4564119e": 16, "eb6c": 16, "11e0": 16, "92aa": 16, "442a60da9b94": 16, "harddiskvolume3": 16, "miss": [16, 17, 29, 33, 35], "214748364800": 16, "testcas": 16, "disk_imag": 16, "d_imag": 16, "harddiskvolumeshadowcopy10": 16, "introduct": 16, "newest": 16, "mid": 16, "04c16363": 16, "68ec": 16, "4f94": 16, "a956": 16, "abd80375c89f": 16, "shadows_pars": 16, "volsnap": 16, "drawback": 16, "did": 16, "now": [16, 23, 34], "sai": [16, 17], "interven": 16, "though": 16, "tamper": 16, "captur": [16, 35], "mft_data": 16, "systemroot": [16, 34], "hklm": 16, "nt": [16, 31], "profilelist": 16, "profil": 16, "translat": 16, "optim": 16, "highest": 16, "stack": 16, "bitlock": 16, "selector": 16, "decrypt": [16, 34], "solut": [16, 34], "trick": 16, "believ": 16, "situat": [16, 24], "wrong": 16, "problem": 16, "csidl_program": 16, "menu": [16, 25], "csidl_favorit": 16, "favorit": 16, "sidl_startup": 16, "sidl_bitbucket": 16, "recycl": 16, "csidl_startmenu": 16, "csidl_desktopdirectori": 16, "csidl_common_startmenu": 16, "csidl_common_startup": 16, "csidl_common_desktopdirectori": 16, "csidl_appdata": 16, "csidl_local_appdata": 16, "roam": 16, "csidl_altstartup": 16, "csidl_common_altstartup": 16, "csidl_common_favorit": 16, "csidl_internet_cach": 16, "csidl_cooki": 16, "csidl_histori": 16, "csidl_common_appdata": 16, "csidl_window": 16, "getwindowsdirectori": 16, "csidl_program_fil": 16, "csidl_profil": 16, "csidl_program_filesx86": 16, "csidl_common_admintool": 16, "csidl_admintool": 16, "allusersprofil": 16, "tmp": 16, "appdata": [16, 30, 31, 34], "page": [16, 17], "assign": [16, 28, 32], "eldest": 16, "vssadmin": 16, "particularli": 16, "overload": 16, "want": [17, 21, 34], "item": [17, 34], "reject": 17, "conduct": 17, "possibli": 17, "elimin": 17, "qfe": [17, 31], "OR": 17, "detect": [17, 34], "discard": 17, "class": [17, 18, 29], "furthermor": 17, "posit": 17, "alwi": 17, "utmost": 17, "emphas": 17, "unnam": 17, "_regex": 17, "ecma": 17, "coincid": 17, "q": 17, "name_regex": 17, "mgr": 17, "path_regex": 17, "kilobyt": [17, 20], "megabyt": [17, 20], "size_gt": 17, "size_g": 17, "size_lt": 17, "size_l": 17, "myad": 17, "ads_match": 17, "ads_regex": 17, "ea_regex": 17, "b092e1d683fc21cea137dba2a8b4b08b": 17, "be0ccf54cdb3ec100de233b393d936d2ee1c33a3": 17, "4cdb3ec100de233b393d936d2ee1c33a3": 17, "128": 17, "header_hex": 17, "ccf54cdb": 17, "header_regex": 17, "header_length": 17, "header_len": 17, "m": [17, 20, 34, 35], "hello": 17, "world": [17, 21], "contains_hex": 17, "arrai": 17, "0x0badf00dbaadf000d": 17, "arbitrari": 17, "apt": [17, 24], "_rat": 17, "attr_nam": 17, "attr_match": 17, "attr_regex": 17, "attr_typ": 17, "pair": 17, "myea": 17, "At": [17, 32], "justifi": [17, 21], "constrain": 17, "placement": 17, "cost": 17, "cheap": 17, "wherea": 17, "coupl": 17, "dramat": 17, "enhanc": 17, "size_eq": 17, "regf": [17, 34], "nffs_find": 17, "catroot": 17, "cat": 17, "138618": 17, "d2182e5de2b13d2e68ee66d1bb44fe34": 17, "7894ec01651ff3fcdf9d117f416875bbaef03b6d": 17, "toto": 17, "workload": 18, "thread": [18, 29], "thread_priority_below_norm": 18, "unifi": 19, "straightforward": 19, "myoutput": 19, "vari": 19, "mytool": 19, "simplest": 19, "doesn": 19, "writabl": 19, "overwritten": [19, 35], "getsector": [19, 21, 22, 24], "lzma": 19, "mscf": 19, "avproof": 19, "wolf_config": 19, "eas": [19, 21], "linux": 19, "libyara": 20, "scan": 20, "ioc": 20, "re": [20, 33, 34, 35], "myyaracont": 20, "chunk": 20, "map": 20, "yarac": 20, "hazard": 20, "discourag": 20, "gigabyt": 20, "awar": 20, "entireti": 20, "becom": [20, 24], "4k": 20, "abort": 20, "histor": 21, "team": 21, "hoc": 21, "monolith": 21, "prone": 21, "jeopardi": 21, "moreov": 21, "huge": 21, "side": 21, "benefit": [21, 23], "wide": 21, "varieti": 21, "effici": 21, "technolog": 21, "network": [21, 29, 31, 34], "enorm": [21, 34], "reinvent": 21, "wheel": 21, "carri": 21, "burden": 21, "integr": [21, 24], "mine": 21, "best": 21, "reus": 21, "manag": 21, "churn": 21, "whenev": 21, "asap": 21, "whatev": 21, "strive": 21, "predetermin": 21, "commun": [21, 24], "kernel": 21, "obsolet": 21, "modern": [21, 24], "person": 21, "next": [21, 34, 35], "assembl": 21, "tcpdump": 21, "flexibl": 21, "tune": [21, 24], "well": [21, 23, 28], "idea": [21, 24], "pace": 21, "quick": [21, 34, 35], "easi": 21, "massiv": 21, "phase": 21, "arriv": 21, "deleg": 21, "treatment": 21, "segreg": 21, "inspector": 22, "circumv": 23, "geometri": 23, "deduc": 23, "fsctl": 23, "fsctl_enum_usn_data": 23, "fallback": 23, "zero": 23, "maxlonglong": 23, "fragil": 23, "interf": 23, "ntopenfil": 23, "stand": 24, "outil": 24, "de": [24, 28], "recherch": 24, "compromiss": 24, "french": [24, 27, 28], "spy": 24, "attack": 24, "edr": 24, "hid": 24, "hip": 24, "year": 24, "stabl": 24, "faithfulli": 24, "unalt": 24, "scale": 24, "box": 24, "everyth": [24, 34], "studio": [24, 25, 34], "difficult": 24, "6": [24, 31], "challeng": 24, "licens": 24, "english": [24, 27, 31], "modular": 24, "scalabl": 24, "decentr": 24, "studi": 24, "left": [24, 29, 35], "track": [24, 34], "hack": 24, "crimin": 24, "incid": [24, 34], "respond": [24, 34], "breach": 24, "restor": [24, 35], "wish": [24, 28], "audienc": 24, "deploi": 24, "multin": 24, "corpor": 24, "strictli": 24, "speak": 24, "diagnos": 24, "aris": 24, "decad": 24, "had": 24, "ever": 24, "grow": 24, "persist": 24, "effort": 24, "face": 24, "revamp": 24, "methodologi": 24, "suitabl": 24, "paradigm": 24, "consist": [24, 29, 35], "cap": 24, "review": 24, "cite": 24, "numer": 24, "institut": [24, 28], "privat": 24, "firm": 24, "signific": 24, "hope": 24, "emerg": 24, "evolut": 24, "keep": [24, 35], "push": 24, "Its": [24, 28, 29, 35], "advantag": 24, "languag": [24, 31], "mind": 24, "hijack": 24, "henc": [24, 33, 34], "trust": 24, "good": [24, 34], "risk": 24, "legal": [24, 28], "publish": [24, 28], "warranti": 24, "footprint": 24, "noisi": 24, "obei": 24, "restrain": 24, "necessarili": 24, "abid": 24, "deploy": [24, 26, 32, 34], "wait": [24, 35], "toward": 24, "submit": 24, "feedback": 24, "soon": 24, "question": 24, "sent": 24, "mail": 24, "ssi": 24, "gouv": [24, 28], "2017": [25, 28], "explicit": 25, "altitud": 25, "strategi": 25, "knownloc": 25, "drivelist": 25, "claus": 25, "sink": 25, "backtrac": [25, 35], "syslog": 25, "ip4_or_ip6": 25, "port": 25, "noconsol": 25, "prioriti": [25, 29, 34], "inner": [26, 29], "arsen": 26, "invok": [26, 33, 34], "contributor": 27, "grantor": 28, "grant": 28, "reuser": 28, "subject": 28, "worldwid": 28, "unlimit": [28, 35], "period": 28, "accord": [28, 34], "reproduc": 28, "deriv": 28, "dissemin": 28, "redistribut": [28, 33], "hi": 28, "her": 28, "acknowledg": 28, "authorship": 28, "hypertext": 28, "ministri": 28, "xxx": 28, "dataset": 28, "februari": 28, "confer": 28, "offici": 28, "suggest": 28, "endors": 28, "entiti": 28, "freeli": 28, "complianc": 28, "guarante": [28, 34], "held": 28, "transfer": [28, 34], "he": 28, "she": 28, "basi": 28, "charg": 28, "durat": 28, "compli": 28, "receiv": 28, "inaccuraci": 28, "prejudic": 28, "damag": 28, "mislead": 28, "law": 28, "kingdom": 28, "disclos": 28, "who": 28, "indirectli": 28, "la": 28, "propri\u00e9t\u00e9": 28, "intellectuel": 28, "copyright": 28, "databas": 28, "comprehens": 28, "spontan": 28, "ensur": 28, "widest": 28, "unrestrict": 28, "pursuant": 28, "decre": 28, "prime": 28, "minist": 28, "mandat": 28, "drawn": 28, "321": 28, "client": [29, 35], "localconfigfil": 29, "somedirectori": 29, "skeleton": [29, 34, 35], "real": [29, 35], "exhibit": [29, 35], "incompat": [29, 35], "exhaust": [29, 35], "powerst": [29, 34], "winbas": 29, "nf": 29, "setthreadexecutionst": 29, "remot": [29, 34, 35], "congest": 29, "filecopi": [29, 35], "servernam": [29, 35], "connect": [29, 35], "authschem": [29, 35], "negoti": [29, 35], "anonym": [29, 35], "authent": [29, 35], "scheme": [29, 35], "ntlm": [29, 35], "kerbero": [29, 35], "move": [29, 35], "sync": [29, 35], "async": [29, 35], "synchron": [29, 35], "asynchron": [29, 35], "exit": [29, 35], "intact": [29, 35], "regardless": [29, 35], "preced": [29, 35], "delete_smb_shar": 29, "net": 29, "del": 29, "serv": 29, "samba": 29, "mybit": [29, 35], "myorg": [29, 35], "bitsuploadcli": [29, 35], "ssw0rd": [29, 35], "_hive": [29, 35], "spec": [29, 35], "ietf": [29, 35], "html": [29, 35], "rfc2315": [29, 35], "certfr": [29, 34, 35], "begin": [29, 34, 35], "miic7tccadmgawibagiqr5af92ti8qtewut3pmvrjzajbgurdgmchquambixedao": [29, 34], "bgnvbamtb0nfulqtrliwhhcnmdqxmjmxmjiwmdawwhcnmtqxmjmxmjiwmdawwja": [29, 34], "mrawdgydvqqdewddrvjuluzsmiibijanbgkqhkig9w0baqefaaocaq8amiibcgkc": [29, 34], "aqeaiufyratxw5kc": [29, 34], "ducer": [29, 34], "5nnygcbluys5gkud1pgauqkhmsmevobzyqcvq3cmw": [29, 34], "4shal3tsgydoojalg4ervyru87fwyrcwihzgdfg89e3pbewnyv3j3fr0fvb5t3md": [29, 34], "jbootgi": [29, 34], "qqgl1l3mz": [29, 34], "boihkycig50r5343vt5vjrlmpv16iopgczlxkknfxn480f": [29, 34], "bncf8hcjesfimidui": [29, 34], "d9owpljndsceroumr75hvd47": [29, 34], "gbkkgh2prxwozk2l6r9gq": [29, 34], "l8": [29, 34], "6xzm4vkint4btgfchg8ano8sjzpetjjadxrigayvlxu4oxfh": [29, 34], "a9x61dlm": [29, 34], "tasxplhxrsi": [29, 34], "ib3yll": [29, 34], "pnh": [29, 34], "aqidaqabo0cwrtbdbgnvhqeepda6gbd47gajks91": [29, 34], "qsthqiq7f8y5orqwejeqma4ga1ueaxmhq0vsvc1guoiqr5af92ti8qtewut3pmvr": [29, 34], "jzajbgurdgmchquaa4ibaqbgvee7qylvv": [29, 34], "y5b0sr5vupmfeqakoxbxlmb8votnkn": [29, 34], "7ai1xwtjewd1vumkx5q29giufvhvbgn0zhjm5syvdfcqecp": [29, 34], "eu6l2xbn8uvllci": [29, 34], "datot": [29, 34], "9uyllxu1l": [29, 34], "epiwiytqrzoo": [29, 34], "9i1fyqrkguiww7ejxxt3ybl5u": [29, 34], "bakec2yg5": [29, 34], "6vuoxbo2eba1uomwurrxynyxyffhpvbyxff4udaafivmtegh5vkkym3kj2hi": [29, 34], "pjh": [29, 34], "a30ndtwvsi": [29, 34], "82horgca": [29, 34], "skevr5vbdsxtqhtehys4k": [29, 34], "etvtnxp29hwg": [29, 34], "1yg7bttc": [29, 34], "4vdfrqum7e3o6vuarfar8i01ohihzqkjiu1omm2fkmc1": [29, 34], "orc_quick": 29, "getram_winpmem1": 29, "flashback": 29, "orc_detail": 29, "introduc": [30, 31, 34], "json": [30, 31, 35], "summar": [30, 31], "01t14": 30, "42": [30, 31], "34z": 30, "computer_nam": 30, "pc": 30, "e237f80302f43d0ac04a3b866e4fb6d11f0d6a115a7d93344bc4c9d8d05fe6d5": 30, "command_lin": [30, 31], "getevt_littl": 30, "overwrit": [30, 34, 35], "wolf_launch": 30, "6e566af08d5cf9b236f26b20d1b243be4567fc5f76822108f167d76cf0b35bad": 30, "14_dfir": 30, "command_set": 30, "orc_custom": 30, "33z": 30, "statist": 30, "io_count": 30, "read_oper": 30, "91546": 30, "read_transf": 30, "2974589180": 30, "write_oper": 30, "write_transf": 30, "8162543": 30, "other_oper": 30, "1078": 30, "other_transf": 30, "756578": 30, "process_memory_peak": 30, "3296743424": 30, "job_memory_peak": 30, "active_proc": 30, "terminated_process": 30, "page_fault": 30, "1194396": 30, "orc_workstation_pc_orc_custom": 30, "8079202": 30, "35904": 30, "8066849": 30, "53834": 30, "41672": 30, "32z": 30, "exit_cod": 30, "pid": 30, "13560": 30, "user_tim": 30, "48": 30, "kernel_tim": 30, "1028": 30, "754256": 30, "schema": [31, 33], "dfir_orc_id": 31, "throughout": 31, "yyyymmdd_hhmmss": [31, 35], "fot": 31, "2020": 31, "51": 31, "937": 31, "20200731_105120": 31, "jean": [31, 34], "orc_arch": 31, "orc_workstation_machine_arch": 31, "usernam": 31, "machinenam": 31, "164153534902": 31, "4134548383802": 31, "265243332323": 31, "1001": 31, "domaincontrol": [31, 35], "operating_system": 31, "time_zon": 31, "physical_dr": 31, "mounted_volum": 31, "physical_memori": 31, "cpu": [31, 35], "domain": [31, 35], "19041": 31, "2004": 31, "daylight": 31, "romanc": 31, "daylight_bia": 31, "60": 31, "standard_bia": 31, "current_bia": 31, "hotfix_id": 31, "kb4565627": 31, "installed_on": 31, "media": 31, "512105932800": 31, "ok": 31, "label": 31, "3471674564": 31, "file_system": 31, "device_id": 31, "214de6b9": 31, "8fa1": 31, "4b0e": 31, "9e83": 31, "3b41cdb194f9": 31, "is_boot": 31, "is_system": 31, "128178376704": 31, "freespac": 31, "15089700864": 31, "current_load": 31, "56": 31, "17097428992": 31, "22244237312": 31, "available_phys": 31, "7437279232": 31, "available_pagefil": 31, "8191057920": 31, "intel": 31, "core": 31, "tm": 31, "i7": 31, "8650u": 31, "90ghz": 31, "intel64": 31, "famili": 31, "model": 31, "142": 31, "enabled_cor": 31, "logical_processor": 31, "ab41c39a": 31, "e91b": 31, "4da1": 31, "b697": 31, "74ff38f4bea0": 31, "friendly_nam": 31, "wi": 31, "fi": 31, "marvel": 31, "avastar": 31, "wireless": 31, "ac": 31, "f0": 31, "9d": 31, "dns_suffix": 31, "home": 31, "ipv6": 31, "2a01": 31, "cb04": 31, "119": 31, "5600": 31, "b475": 31, "1fbb": 31, "8110": 31, "8dd1": 31, "unicast": 31, "d77": 31, "2a0": 31, "bdd8": 31, "6835": 31, "fe80": 31, "ipv4": 31, "192": 31, "168": 31, "dns_server": 31, "a21b": 31, "29ff": 31, "feff": 31, "4300": 31, "default_profil": 31, "profiles_directori": 31, "program_data": 31, "programdata": 31, "public_path": 31, "hkey_local_machinesoftwaremicrosoftwindow": 31, "ntcurrentversionprofilelist": 31, "key_last_writ": 31, "profile_list": 31, "systemprofil": 31, "27": 31, "19": 31, "serviceprofil": 31, "localservic": 31, "networkservic": 31, "16443543502": 31, "41343243243202": 31, "264324343432": 31, "local_load_tim": 31, "47": 31, "209": 31, "local_unload_tim": 31, "06": 31, "433": 31, "denial": 32, "monitor": 32, "io": 32, "break": 32, "nest": 32, "unabl": 32, "corner": 32, "oppos": 33, "ressource_nam": 33, "getthis_evt": 33, "orc_config_fold": [33, 34], "archive_format": 33, "archive_nam": 33, "resource_nam": 33, "lastli": 33, "our": [33, 34], "mayb": 33, "wolflauncher_sqlschema": 33, "wolflaunchersqlschema": 33, "fastfind_sqlschema": 33, "getsamples_sqlschema": 33, "getsamplesschema": 33, "getthis_sqlschema": 33, "getthissqlschema": 33, "importcsv_sqlschema": 33, "importcsv": 33, "reginfo_sqlschema": 33, "reginfosqlschema": 33, "usninfo_sqlschema": 33, "usninfosqlschema": 33, "ntfsinfo_sqlschema": 33, "ntfsinfosqlschema": 33, "toolembed_sqlschema": 33, "objinfo_schema": 33, "objinfoschema": 33, "dbghelp_x86dll": 33, "dbgeng": 33, "dbghelp_x64dll": 33, "embark": 33, "xmllite_x86_xpsp2": 33, "powershel": 34, "shell": 34, "toolchain": 34, "instruct": 34, "procedur": 34, "further": [34, 35], "busybox": 34, "fact": 34, "exactli": 34, "hint": 34, "answer": 34, "clone": 34, "minsizerel": 34, "websit": 34, "webrequest": 34, "outfil": 34, "suppos": 34, "c_drive": 34, "57": 34, "198": 34, "orc_workstation_jeangabook_20190926_145755": 34, "orc_workstation_jeangabook_main": 34, "orc_workstation_jeangabook_h": 34, "orc_workstation_jeangabook_yara": 34, "banner": 34, "compris": 34, "deselect": 34, "sam": 34, "dry": 34, "again": 34, "bear": 34, "counterpart": 34, "confirm": 34, "supersed": 34, "marc": 34, "proceed": 34, "focu": 34, "accepteula": 34, "stdout": [34, 35], "stderr": [34, 35], "establish": 34, "bullet": 34, "queue": [34, 35], "ntfsinfo_secdesc": 34, "secdescr": 34, "ntfsinfo_i30info": 34, "i30info": 34, "stdouterr": [34, 35], "recreat": 34, "dine": 34, "littl": 34, "mysteri": 34, "amcach": 34, "beyond": 34, "systemwid": 34, "transact": 34, "getsystemhives_config": 34, "excerpt": 34, "2048mb": 34, "hve": 34, "log1": 34, "log2": 34, "somehow": 34, "dump_dir": 34, "new_dfir": 34, "reveal": 34, "statement": 34, "nearli": 34, "recompil": 34, "disconnect": 34, "site": 34, "reconstruct": 34, "archive_timeout": [34, 35], "great": 34, "forens": 34, "win": 34, "pe": [34, 35], "highlight": 34, "getexeintemp_config": 34, "somelimitofyourchoic": 34, "someotherlimittochoos": 34, "insert": 34, "getexeintemp": 34, "exeintemp": 34, "childdebug": 35, "unhandl": 35, "faulti": 35, "command_timeout": 35, "werdontshowui": 35, "visibl": 35, "complementari": 35, "orc_w7_computer_1010": 35, "netbio": 35, "qualifi": 35, "dn": 35, "getcomputernameex": 35, "create_new": 35, "summari": 35, "mark": 35, "rerun": 35, "createnew": 35, "_1": 35, "_2": 35, "skip": 35, "mini": 35, "jobmemorylimit": 35, "3g": 35, "jobcpulimit": 35, "processmemorylimit": 35, "elapsedtimelimit": 35, "360": 35, "processcpulimit": 35, "commit": 35, "3gb": 35, "2g": 35, "prerequisit": 35, "winver": 35, "major": 35, "minor": 35, "successor": 35, "predecessor": 35, "queu": 35, "ntfsinfo_bas": 35, "filematch": 35, "fileinfo": 35, "directorynam": 35, "run64": 35, "similarli": 35, "run32": 35, "ipconfig": 35, "windir": 35, "ntfsinfo_allrecord": 35, "myconfig": 35}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"fastfind": 0, "descript": [0, 1, 2, 3, 4, 6, 7, 8, 9, 11], "output": [0, 1, 2, 3, 4, 6, 8, 9, 10, 11, 15, 19, 29, 35], "file": [0, 10, 15, 19, 29, 34, 35], "system": [0, 12, 31], "match": 0, "registri": 0, "window": [0, 1, 6, 32], "object": 0, "usag": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 15, 16, 17], "config": [0, 9], "path": [0, 1, 2, 3, 4, 6, 8, 9, 10, 11, 15, 29], "option": [0, 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 13, 15, 16, 25, 29], "out": [0, 1, 2, 3, 4, 8, 9, 10, 11, 13], "filesystem": 0, "skipdelet": 0, "name": [0, 10], "file1": 0, "version": [0, 25], "versionstr": 0, "yara": [0, 4, 20], "yarafile1": 0, "fatinfo": 1, "element": [1, 2, 4, 6, 9, 10, 15, 17, 29, 35], "attribut": [1, 2, 4, 6, 10, 15, 16, 17, 20, 29, 35], "locat": [1, 4, 6, 9, 16], "column": [1, 6], "column1": 1, "add": [1, 6], "omit": [1, 6], "columnselect": [1, 6], "criteria": [1, 6], "valu": [1, 6, 10], "typic": [1, 4, 6, 15, 17], "exampl": [1, 4, 5, 6, 10, 15, 17, 28, 29, 30, 31, 35], "quick": [1, 6], "discoveri": [1, 6], "volum": [1, 6, 16], "content": [1, 4, 6, 24, 25], "get": [1, 6], "detail": [1, 6, 23], "inform": [1, 5, 6, 9, 28, 31], "binari": [1, 6, 21, 31], "pe": [1, 6], "getsampl": 2, "sampleinfo": 2, "timelin": [2, 6], "sampl": [2, 4], "autorun": 2, "getthisconfig": 2, "getthisarg": 2, "arg1": 2, "arg2": 2, "tempdir": [2, 13], "nosigcheck": 2, "getsector": 3, "disk": [3, 16], "devic": 3, "legacybootcod": 3, "uefiful": 3, "uefifullmaxs": 3, "slackspac": 3, "slackspacedumps": 3, "size": 3, "custom": 3, "customoffset": 3, "customs": 3, "notlowinterfac": 3, "getthi": 4, "specifi": 4, "limit": 4, "retriev": 4, "ntfs_exclud": [4, 9, 17], "filenam": [4, 9], "ntfs_find": [4, 9, 17], "addit": [4, 16], "command": [4, 12, 13, 35], "line": [4, 12, 13], "wildcard": 4, "from": [4, 12], "an": [4, 16, 24], "altern": 4, "data": [4, 28], "stream": 4, "extend": 4, "licenc": [5, 28], "ouvert": [5, 28], "2": [5, 28, 34], "0": [5, 28], "open": [5, 28], "r\u00e9utilis": 5, "de": 5, "l": 5, "sou": 5, "cett": 5, "donn\u00e9": 5, "\u00e0": 5, "caract\u00e8r": 5, "personnel": 5, "droit": 5, "propri\u00e9t\u00e9": 5, "intellectuel": 5, "responsabilit\u00e9": 5, "applic": [5, 28], "compatibilit\u00e9": 5, "la": 5, "pr\u00e9sent": 5, "d\u00e9finit": 5, "propo": 5, "ntfsinfo": 6, "fileinfo": 6, "attrinfo": 6, "i30info": 6, "secdescr": 6, "default": 6, "defaultcolumnselect": 6, "ntfsutil": 7, "usn": [7, 23], "vss": 7, "enumloc": 7, "loc": 7, "record": 7, "frn": 7, "hexdump": 7, "mft": [7, 16, 23], "bitlock": 7, "objinfo": 8, "reginfo": 9, "hive": 9, "templat": 9, "registry_find": 9, "toolemb": 10, "input": [10, 35], "run": [10, 21, 24], "ressourc": 10, "run32": 10, "run64": 10, "addfil": 10, "pair": 10, "archiv": [10, 19, 35], "dump": 10, "usninfo": 11, "compact": 11, "architectur": [12, 26], "configur": [12, 14, 15, 16, 17, 18, 19, 20, 21, 29, 31, 33, 34, 35], "process": [12, 18], "tool": [12, 19, 21, 22, 24], "invok": 12, "directli": 12, "deploy": 12, "specif": [12, 13], "dfir": [12, 13, 21, 24, 29, 30, 31], "orc": [12, 13, 21, 24, 29, 30, 31], "execut": [12, 30, 31, 35], "32": 12, "bit": 12, "64": 12, "outputfold": 13, "tempfold": 13, "kei": [13, 29], "keyword": 13, "childdebug": 13, "nochilddebug": 13, "onc": 13, "overwrit": 13, "createnew": 13, "compress": [13, 19], "compressionlevel": 13, "archive_timeout": 13, "timeoutvalu": 13, "command_timeout": 13, "tee_cleartext": 13, "no_journ": 13, "werdontshowui": 13, "prioriti": [13, 18], "level": [13, 15, 29], "powerst": 13, "requir": [13, 32], "nolimit": 13, "command1": 13, "command2": 13, "mothership": 13, "nowait": 13, "wmi": 13, "preservejob": 13, "consol": [15, 29, 35], "log": [15, 29, 35], "sink": [15, 29, 35], "backtrac": [15, 29], "syslog": [15, 29], "host": [15, 29], "ip4_or_ip6": [15, 29], "port": [15, 29], "noconsol": 15, "verbos": 15, "debug": 15, "mount": 16, "physic": 16, "drive": 16, "imag": 16, "dd": 16, "partit": 16, "shadow": 16, "copi": 16, "explicit": 16, "automat": 16, "parser": [16, 23], "engin": 16, "offlin": 16, "variabl": [16, 33], "altitud": 16, "strategi": 16, "knownloc": 16, "exclud": 16, "drivelist": 16, "search": 17, "algorithm": 17, "result": 17, "possibl": 17, "order": 17, "evalu": 17, "claus": 17, "directori": 19, "onli": 19, "zip": 19, "7z": 19, "format": 19, "password": 19, "charact": 19, "encod": 19, "scanner": 20, "sourc": 20, "scan_method": 20, "block": 20, "overlap": 20, "timeout": 20, "design": [21, 26], "principl": 21, "The": [21, 34], "approach": 21, "One": 21, "them": 21, "all": 21, "main": 21, "motto": 21, "behind": 21, "choos": 21, "your": 21, "arsen": 21, "emb": 21, "A": [21, 24, 34], "framework": [21, 24], "embed": [22, 34], "suit": 22, "implement": 23, "about": [23, 28], "introduct": 24, "how": 24, "build": [24, 34], "tutori": [24, 34], "tabl": [24, 25], "few": [24, 34], "q": [24, 34], "introduc": 24, "what": 24, "i": 24, "artefact": 24, "digit": 24, "forens": 24, "who": 24, "can": 24, "us": [24, 34], "expertis": 24, "need": 24, "identifi": 24, "compromis": 24, "machin": 24, "why": 24, "ha": 24, "anssi": 24, "develop": 24, "releas": 24, "ar": 24, "still": 24, "maintain": 24, "Will": 24, "other": 24, "written": 24, "c": 24, "malici": 24, "wai": 24, "warn": [24, 32], "make": 24, "sound": 24, "should": 24, "contribut": 24, "common": 25, "properti": [25, 28], "support": 25, "help": 25, "licens": 27, "reus": 28, "cover": 28, "thi": 28, "person": 28, "intellectu": 28, "right": 28, "liabil": 28, "legisl": 28, "compat": 28, "definit": 28, "local": [29, 34], "temporari": 29, "upload": [29, 35], "recipi": [29, 35], "enable_kei": 29, "disable_kei": 29, "outcom": [30, 35], "outlin": [31, 35], "context": 31, "": 31, "hardwar": 31, "user": 31, "profil": 31, "7": 32, "xp": 32, "sp3": 32, "vista": 32, "server": 32, "2003": 32, "2008": 32, "r2": 32, "referenc": 33, "resourc": 33, "syntax": 33, "well": 33, "known": 33, "list": 34, "step": 34, "1": 34, "mini": 34, "challeng": 34, "3": 34, "test": 34, "4": 34, "5": 34, "edit": 34, "6": 34, "final": 34, "warm": 34, "up": 34, "boss": 34, "wolflaunch": 35, "wolf": 35, "restrict": 35, "argument": 35}, "envversion": {"sphinx.domains.c": 2, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 8, "sphinx.domains.index": 1, "sphinx.domains.javascript": 2, "sphinx.domains.math": 2, "sphinx.domains.python": 3, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx.ext.todo": 2, "sphinx": 57}, "alltitles": {"FastFind": [[0, "fastfind"]], "Description": [[0, "description"], [1, "description"], [2, "description"], [3, "description"], [4, "description"], [6, "description"], [7, "description"], [8, "description"], [9, "description"], [11, "description"]], "Output": [[0, "output"], [1, "output"], [2, "output"], [3, "output"], [4, "output"], [6, "output"], [8, "output"], [9, "output"], [11, "output"]], "File System Match": [[0, "file-system-match"]], "Registry Match": [[0, "registry-match"]], "Windows Object Match": [[0, "windows-object-match"]], "Usage": [[0, "usage"], [1, "usage"], [2, "usage"], [3, "usage"], [4, "usage"], [6, "usage"], [7, "usage"], [8, "usage"], [9, "usage"], [10, "usage"], [11, "usage"], [15, "usage"], [16, "usage"]], "/config=<Path> Option": [[0, "config-path-option"], [9, "config-path-option"]], "/out=<Path> Option": [[0, "out-path-option"], [8, "out-path-option"], [11, "out-path-option"]], "/filesystem=<Path> Option": [[0, "filesystem-path-option"]], "/object=<Path> Option": [[0, "object-path-option"]], "/SkipDeleted Option": [[0, "skipdeleted-option"]], "/Names=<File1>,... Option": [[0, "names-file1-option"]], "/Version=<VersionString> Option": [[0, "version-versionstring-option"]], "/Yara=<YaraFile1>,... Option": [[0, "yara-yarafile1-option"]], "FatInfo": [[1, "fatinfo"]], "fatinfo Element": [[1, "fatinfo-element"]], "Attributes": [[1, "attributes"], [2, "attributes"], [2, "id1"], [4, "attributes"], [4, "id1"], [6, "attributes"], [10, "attributes"], [10, "id9"], [10, "id12"], [10, "id15"], [10, "id18"], [10, "id21"], [10, "id24"], [29, "attributes"], [29, "id9"], [29, "id12"], [29, "id16"], [29, "id20"], [29, "id24"], [29, "id28"], [35, "attributes"], [35, "id4"], [35, "id6"], [35, "id14"], [35, "id19"], [35, "id24"], [35, "id28"], [35, "id33"], [35, "id37"], [35, "id40"], [35, "id43"], [35, "id47"], [35, "id52"], [35, "id55"]], "output Element, /out=<Path> Option": [[1, "output-element-out-path-option"], [4, "output-element-out-path-option"], [9, "output-element-out-path-option"], [10, "output-element-out-path-option"]], "location Element": [[1, "location-element"], [4, "location-element"], [6, "location-element"], [9, "location-element"]], "columns Element, /<Column1>,... Option": [[1, "columns-element-column1-option"]], "add or omit Element, /(+|-)<ColumnSelection>:criteria=<value> Option": [[1, "add-or-omit-element-columnselection-criteria-value-option"]], "Typical Usage Examples": [[1, "typical-usage-examples"], [4, "typical-usage-examples"], [6, "typical-usage-examples"], [17, "typical-usage-examples"]], "Quick Discovery of Volume Content": [[1, "quick-discovery-of-volume-content"], [6, "quick-discovery-of-volume-content"]], "Getting Detailed Information on Binaries": [[1, "getting-detailed-information-on-binaries"], [6, "getting-detailed-information-on-binaries"]], "Getting Windows PE Binaries Details": [[1, "getting-windows-pe-binaries-details"], [6, "getting-windows-pe-binaries-details"]], "GetSamples": [[2, "getsamples"]], "GetSamples Element": [[2, "getsamples-element"]], "Output Element, /out=<Path> Option": [[2, "output-element-out-path-option"]], "SampleInfo Element, /SampleInfo=<Path> Option": [[2, "sampleinfo-element-sampleinfo-path-option"]], "TimeLine Element, /TimeLine=<Path> Option": [[2, "timeline-element-timeline-path-option"], [6, "timeline-element-timeline-path-option"]], "Samples Element": [[2, "samples-element"]], "Autoruns Element, /Autoruns[=<Path>] Option": [[2, "autoruns-element-autoruns-path-option"]], "GetThisConfig Element, /GetThisConfig=<Path> Option": [[2, "getthisconfig-element-getthisconfig-path-option"]], "GetThisArgs Element, /GetThisArgs=\"<Arg1 Arg2 ...>\"": [[2, "getthisargs-element-getthisargs-arg1-arg2"]], "TempDir Element, /TempDir=<Path>": [[2, "tempdir-element-tempdir-path"]], "NoSigCheck Element, /NoSigCheck Option": [[2, "nosigcheck-element-nosigcheck-option"]], "GetSectors": [[3, "getsectors"]], "/Disk=<Device> Option": [[3, "disk-device-option"]], "/LegacyBootCode Option": [[3, "legacybootcode-option"]], "/UefiFull Option": [[3, "uefifull-option"]], "/UefiFullMaxSize Option": [[3, "uefifullmaxsize-option"]], "/SlackSpace Option": [[3, "slackspace-option"]], "/SlackSpaceDumpSize=<Size> Option": [[3, "slackspacedumpsize-size-option"]], "/Custom Option": [[3, "custom-option"]], "/CustomOffset=<Size> Option": [[3, "customoffset-size-option"]], "/CustomSize=<Size> Option": [[3, "customsize-size-option"]], "/Out=<Path> Option": [[3, "out-path-option"]], "/NotLowInterface Option": [[3, "notlowinterface-option"]], "GetThis": [[4, "getthis"]], "getthis Element": [[4, "getthis-element"]], "yara Element or /yara=<Path> Option": [[4, "yara-element-or-yara-path-option"]], "samples Element": [[4, "samples-element"]], "Specifying Limits": [[4, "specifying-limits"]], "Retrieved Content: the Content Attribute": [[4, "retrieved-content-the-content-attribute"]], "ntfs_exclude Element": [[4, "ntfs-exclude-element"]], "sample Element, /sample=<FileName> Option": [[4, "sample-element-sample-filename-option"]], "ntfs_find Element": [[4, "ntfs-find-element"]], "Additional Command-line Usage": [[4, "additional-command-line-usage"]], "Samples with Wildcards": [[4, "samples-with-wildcards"]], "Samples from an Alternate Data Stream": [[4, "samples-from-an-alternate-data-stream"]], "Samples from an Extended Attribute": [[4, "samples-from-an-extended-attribute"]], "LICENCE OUVERTE 2.0/OPEN LICENCE 2.0": [[5, "licence-ouverte-2-0-open-licence-2-0"]], "R\u00e9utilisation de l\u2019\u00ab\u00a0Information \u00bb sous cette licence": [[5, "reutilisation-de-l-information-sous-cette-licence"]], "Example": [[5, null], [10, "example"], [10, "id5"], [10, "id7"], [10, "id10"], [10, "id13"], [10, "id16"], [10, "id19"], [10, "id22"], [10, "id25"], [15, "example"], [28, null], [29, "example"], [29, "id13"], [29, "id17"], [29, "id21"], [29, "id25"], [29, "id29"], [29, "id33"], [30, "example"], [31, "example"], [31, "id1"], [31, "id2"], [31, "id3"], [35, "example"], [35, "id11"], [35, "id16"], [35, "id21"], [35, "id25"], [35, "id29"], [35, "id34"], [35, "id38"], [35, "id41"], [35, "id44"], [35, "id48"], [35, "id56"]], "Donn\u00e9es \u00e0 caract\u00e8re personnel": [[5, "donnees-a-caractere-personnel"]], "Droits de propri\u00e9t\u00e9 intellectuelle": [[5, "droits-de-propriete-intellectuelle"]], "Responsabilit\u00e9": [[5, "responsabilite"]], "Droit applicable": [[5, "droit-applicable"]], "Compatibilit\u00e9 de la pr\u00e9sente licence": [[5, "compatibilite-de-la-presente-licence"]], "D\u00e9finitions": [[5, "definitions"]], "\u00c0 propos de cette licence": [[5, "a-propos-de-cette-licence"]], "NTFSInfo": [[6, "ntfsinfo"]], "FileInfo": [[6, "fileinfo"]], "AttrInfo": [[6, "attrinfo"]], "I30Info": [[6, "i30info"]], "TimeLine": [[6, "timeline"]], "SecDescr": [[6, "secdescr"]], "ntfsinfo Element": [[6, "ntfsinfo-element"]], "FileInfo Element, /FileInfo=<Path> Option": [[6, "fileinfo-element-fileinfo-path-option"]], "AttrInfo Element, /AttrInfo=<Path> Option": [[6, "attrinfo-element-attrinfo-path-option"]], "I30info Element, /I30info=<Path> Option": [[6, "i30info-element-i30info-path-option"]], "SecDescr Element, /SecDescr=<Path> Option": [[6, "secdescr-element-secdescr-path-option"]], "Columns Element": [[6, "columns-element"]], "Default Element (in Columns), /<DefaultColumnSelection>,... Option": [[6, "default-element-in-columns-defaultcolumnselection-option"]], "add and omit Elements (in Columns), /(+|-)<ColumnSelection>:criteria=<value> Option": [[6, "add-and-omit-elements-in-columns-columnselection-criteria-value-option"]], "NTFSUtil": [[7, "ntfsutil"]], "/USN Option": [[7, "usn-option"]], "/vss Option": [[7, "vss-option"]], "/enumlocs Option": [[7, "enumlocs-option"]], "/loc Option": [[7, "loc-option"]], "/record=<FRN> Option": [[7, "record-frn-option"]], "/hexdump Option": [[7, "hexdump-option"]], "/mft Option": [[7, "mft-option"]], "/bitlocker Option": [[7, "bitlocker-option"]], "ObjInfo": [[8, "objinfo"]], "RegInfo": [[9, "reginfo"]], "reginfo Element": [[9, "reginfo-element"]], "information Element": [[9, "information-element"]], "hive Element": [[9, "hive-element"]], "filename Element": [[9, "filename-element"]], "template Element": [[9, "template-element"]], "ntfs_find or ntfs_exclude Element": [[9, "ntfs-find-or-ntfs-exclude-element"]], "registry_find Element": [[9, "registry-find-element"]], "ToolEmbed": [[10, "toolembed"]], "toolembed Element": [[10, "toolembed-element"]], "input Element, /input=<Path> Option": [[10, "input-element-input-path-option"]], "run Element, /run=<Ressource> Option": [[10, "run-element-run-ressource-option"]], "run32 Element, /run32=<Ressource> Option": [[10, "run32-element-run32-ressource-option"]], "run64 Element, /run64=<Ressource> Option": [[10, "run64-element-run64-ressource-option"]], "file Element, /AddFile=<Path>,<Name> Option": [[10, "file-element-addfile-path-name-option"]], "pair Element, /name=<Value> Option": [[10, "pair-element-name-value-option"]], "archive Element": [[10, "archive-element"], [35, "wolf-config-archive-element"]], "file Element (in archive)": [[10, "file-element-in-archive"]], "/dump[=<Path>] Option": [[10, "dump-path-option"]], "USNInfo": [[11, "usninfo"]], "/Compact Option": [[11, "compact-option"]], "Architecture": [[12, "architecture"]], "Configuration Process": [[12, "configuration-process"]], "Tools Invoked Directly From Command-line": [[12, "tools-invoked-directly-from-command-line"]], "Deployment-specific Configuration": [[12, "deployment-specific-configuration"]], "DFIR ORC Execution": [[12, "dfir-orc-execution"]], "DFIR ORC on 32-bit Systems": [[12, "dfir-orc-on-32-bit-systems"]], "DFIR ORC on 64-bit Systems": [[12, "dfir-orc-on-64-bit-systems"]], "DFIR ORC Command-line Options": [[13, "dfir-orc-command-line-options"]], "/out=<OutputFolder> Option": [[13, "out-outputfolder-option"]], "/TempDir=<TempFolder> Option": [[13, "tempdir-tempfolder-option"]], "/Keys Option": [[13, "keys-option"]], "/Key=<Keyword>, /+Key=<Keyword> and /-Key=<Keyword> Options": [[13, "key-keyword-key-keyword-and-key-keyword-options"]], "/ChildDebug and /NoChildDebug Options": [[13, "childdebug-and-nochilddebug-options"]], "/Once, /Overwrite and /CreateNew Options": [[13, "once-overwrite-and-createnew-options"]], "/Compression=<CompressionLevel> Option": [[13, "compression-compressionlevel-option"]], "/archive_timeout=<TimeoutValue> Option": [[13, "archive-timeout-timeoutvalue-option"]], "/command_timeout=<TimeoutValue> Option": [[13, "command-timeout-timeoutvalue-option"]], "/tee_cleartext Option": [[13, "tee-cleartext-option"]], "/no_journaling Option": [[13, "no-journaling-option"]], "/WERDontShowUI Option": [[13, "werdontshowui-option"]], "/Priority=<Level> Option": [[13, "priority-level-option"]], "/PowerState=<Requirements> Option": [[13, "powerstate-requirements-option"]], "/NoLimits[:<Command1>,<Command2>,...] Option": [[13, "nolimits-command1-command2-option"]], "Mothership Specific Command-line Options": [[13, "mothership-specific-command-line-options"]], "-NoWait Option": [[13, "nowait-option"]], "-WMI Option": [[13, "wmi-option"]], "-PreserveJob Option": [[13, "preservejob-option"]], "Configuration": [[14, "configuration"]], "Configuring Console Output, Logging": [[15, "configuring-console-output-logging"]], "log Element": [[15, "log-element"], [29, "log-element"], [35, "log-element"]], "Console sink element, /log:console,... Option": [[15, "console-sink-element-log-console-option"], [29, "console-sink-element-log-console-option"]], "level Attribute, /log:console,level=<Level>,... Option": [[15, "level-attribute-log-console-level-level-option"], [29, "level-attribute-log-console-level-level-option"]], "backtrace Attribute, /log:console,backtrace=<Level>,... Option": [[15, "backtrace-attribute-log-console-backtrace-level-option"], [29, "backtrace-attribute-log-console-backtrace-level-option"]], "File sink element, /log:file,... Option": [[15, "file-sink-element-log-file-option"], [29, "file-sink-element-log-file-option"]], "level Attribute, /log:file,level=<Level>,... Option": [[15, "level-attribute-log-file-level-level-option"], [29, "level-attribute-log-file-level-level-option"]], "backtrace Attribute, /log:file,backtrace=<Level>,... Option": [[15, "backtrace-attribute-log-file-backtrace-level-option"], [29, "backtrace-attribute-log-file-backtrace-level-option"]], "output Element, /log:file,output=Path>,... Option": [[15, "output-element-log-file-output-path-option"], [29, "output-element-log-file-output-path-option"]], "Syslog sink element, /log:syslog,... Option": [[15, "syslog-sink-element-log-syslog-option"], [29, "syslog-sink-element-log-syslog-option"]], "level Attribute, /log:syslog,level=<Level>,... Option": [[15, "level-attribute-log-syslog-level-level-option"], [29, "level-attribute-log-syslog-level-level-option"]], "backtrace Attribute, /log:syslog,backtrace=<Level>,... Option": [[15, "backtrace-attribute-log-syslog-backtrace-level-option"], [29, "backtrace-attribute-log-syslog-backtrace-level-option"]], "host Attribute, /log:syslog,host=<ip4_or_ip6>,... Option": [[15, "host-attribute-log-syslog-host-ip4-or-ip6-option"], [29, "host-attribute-log-syslog-host-ip4-or-ip6-option"]], "port Attribute, /log:syslog,port=<port>,... Option": [[15, "port-attribute-log-syslog-port-port-option"], [29, "port-attribute-log-syslog-port-port-option"]], "noconsole Attribute, /noconsole Option": [[15, "noconsole-attribute-noconsole-option"]], "verbose Attribute, /verbose Option": [[15, "verbose-attribute-verbose-option"]], "debug Attribute, /debug Option": [[15, "debug-attribute-debug-option"]], "Typical Usage Example": [[15, "typical-usage-example"]], "Configuring Locations": [[16, "configuring-locations"]], "Locations": [[16, "locations"]], "Locations for Mounted Volumes": [[16, "locations-for-mounted-volumes"]], "Locations for Physical Drives": [[16, "locations-for-physical-drives"]], "Locations for Disk Images (.dd)": [[16, "locations-for-disk-images-dd"]], "Locations for Volumes and Partitions of an Image (.dd)": [[16, "locations-for-volumes-and-partitions-of-an-image-dd"]], "Locations for Volume Shadow Copies": [[16, "locations-for-volume-shadow-copies"]], "Explicit Volume Shadow Copy": [[16, "explicit-volume-shadow-copy"]], "Automatic Shadow Copies Addition": [[16, "automatic-shadow-copies-addition"]], "Shadow copy parser engine": [[16, "shadow-copy-parser-engine"]], "Locations for Offline MFT": [[16, "locations-for-offline-mft"]], "Location variables": [[16, "location-variables"]], "altitude Attribute, /Altitude=<Strategy> Option": [[16, "altitude-attribute-altitude-strategy-option"]], "knownlocations Attribute, /knownlocations Option": [[16, "knownlocations-attribute-knownlocations-option"]], "shadows Attribute, /shadows Option": [[16, "shadows-attribute-shadows-option"]], "exclude Attribute, /Exclude=\"<DriveList>\" Option": [[16, "exclude-attribute-exclude-drivelist-option"]], "Configuring Attributes of ntfs_find and ntfs_exclude Elements": [[17, "configuring-attributes-of-ntfs-find-and-ntfs-exclude-elements"]], "Search Algorithm and Result of a Search": [[17, "search-algorithm-and-result-of-a-search"]], "Possible Attributes of a ntfs_find Element": [[17, "possible-attributes-of-a-ntfs-find-element"]], "Possible Attributes of a ntfs_exclude Element": [[17, "possible-attributes-of-a-ntfs-exclude-element"]], "Order of Evaluation of Attributes in Clauses": [[17, "order-of-evaluation-of-attributes-in-clauses"]], "Configuring Process Priority": [[18, "configuring-process-priority"]], "Configuring Tool Output": [[19, "configuring-tool-output"]], "File Output": [[19, "file-output"]], "Directory Output": [[19, "directory-output"]], "Archive Output": [[19, "archive-output"]], "Compression (only for zip and 7z Format)": [[19, "compression-only-for-zip-and-7z-format"]], "Password (only for zip and 7z Format)": [[19, "password-only-for-zip-and-7z-format"]], "File Character Encoding": [[19, "file-character-encoding"]], "Configuring the Yara Scanner": [[20, "configuring-the-yara-scanner"]], "source Attribute": [[20, "source-attribute"]], "scan_method Attribute": [[20, "scan-method-attribute"]], "block Attribute": [[20, "block-attribute"]], "overlap Attribute": [[20, "overlap-attribute"]], "timeout Attribute": [[20, "timeout-attribute"]], "Design Principles": [[21, "design-principles"]], "The Approach: One Binary to Run Them All": [[21, "the-approach-one-binary-to-run-them-all"]], "The main design motto behind DFIR ORC": [[21, null]], "Choosing Your Arsenal: Tools to Embed": [[21, "choosing-your-arsenal-tools-to-embed"]], "A Configurable Framework": [[21, "a-configurable-framework"]], "Embedded Tool Suite": [[22, "embedded-tool-suite"]], "Implementation Details About Parsers": [[23, "implementation-details-about-parsers"]], "MFT Parser": [[23, "mft-parser"]], "USN Parser": [[23, "usn-parser"]], "Introduction": [[24, "introduction"]], "How to build DFIR ORC?": [[24, null]], "Tutorial": [[24, null], [34, "tutorial"]], "Table of Contents": [[24, "table-of-contents"]], "A Few Q&A to Introduce DFIR ORC": [[24, "a-few-q-a-to-introduce-dfir-orc"]], "What is DFIR ORC?": [[24, "what-is-dfir-orc"]], "What is an artefact? What is digital forensics?": [[24, "what-is-an-artefact-what-is-digital-forensics"]], "Who can use DFIR ORC?": [[24, "who-can-use-dfir-orc"]], "Is DFIR expertise needed to run DFIR ORC?": [[24, "is-dfir-expertise-needed-to-run-dfir-orc"]], "Can DFIR ORC identify compromised machines?": [[24, "can-dfir-orc-identify-compromised-machines"]], "Why has ANSSI developed DFIR ORC?": [[24, "why-has-anssi-developed-dfir-orc"]], "What is released?": [[24, "what-is-released"]], "Why is DFIR ORC released?": [[24, "why-is-dfir-orc-released"]], "Are the tools still maintained? Will there be other releases?": [[24, "are-the-tools-still-maintained-will-there-be-other-releases"]], "Why is it written in C++?": [[24, "why-is-it-written-in-c"]], "Can DFIR ORC be used in malicious ways?": [[24, "can-dfir-orc-be-used-in-malicious-ways"]], "Warning": [[24, null]], "What makes DFIR ORC a forensically sound framework?": [[24, "what-makes-dfir-orc-a-forensically-sound-framework"]], "Why and how should I contribute?": [[24, "why-and-how-should-i-contribute"]], "Common Options & Properties": [[25, "common-options-properties"]], "Supported Versions": [[25, "supported-versions"]], "Help": [[25, "help"]], "Table of Contents of Common Options & Properties": [[25, "table-of-contents-of-common-options-properties"]], "Design and Architecture": [[26, "design-and-architecture"]], "Licenses": [[27, "licenses"]], "OPEN LICENCE 2.0/LICENCE OUVERTE 2.0": [[28, "open-licence-2-0-licence-ouverte-2-0"]], "\u201cReuse\u201d of the \u201cInformation\u201d covered by this licence": [[28, "reuse-of-the-information-covered-by-this-licence"]], "Personal data": [[28, "personal-data"]], "Intellectual property rights": [[28, "intellectual-property-rights"]], "Liability": [[28, "liability"]], "Applicable legislation": [[28, "applicable-legislation"]], "Compatibility of this licence": [[28, "compatibility-of-this-licence"]], "Definitions": [[28, "definitions"]], "About this licence": [[28, "about-this-licence"]], "DFIR ORC Local Configuration File": [[29, "dfir-orc-local-configuration-file"]], "dfir-orc Element": [[29, "dfir-orc-element"]], "temporary Element": [[29, "temporary-element"]], "output Element": [[29, "output-element"], [35, "output-element"], [35, "id9"], [35, "id50"]], "upload Element": [[29, "upload-element"], [35, "upload-element"]], "recipient Element": [[29, "recipient-element"], [35, "recipient-element"]], "key Element": [[29, "key-element"]], "enable_key and disable_key Elements": [[29, "enable-key-and-disable-key-elements"]], "DFIR-ORC Execution Outcome": [[30, "dfir-orc-execution-outcome"]], "DFIR-ORC Execution Outline": [[31, "dfir-orc-execution-outline"]], "DFIR-ORC binary executed": [[31, "dfir-orc-binary-executed"]], "DFIR-ORC execution context": [[31, "dfir-orc-execution-context"]], "System\u2019s hardware and configuration information": [[31, "system-s-hardware-and-configuration-information"]], "User Profile information": [[31, "user-profile-information"]], "Requirements": [[32, "requirements"]], "Warning for Windows 7, XP SP3, Vista, and Windows Server 2003, 2008, 2008 R2": [[32, null]], "Referencing Resources in Configurations": [[33, "referencing-resources-in-configurations"]], "Syntax": [[33, "syntax"]], "Well-known Resources or Variables": [[33, "well-known-resources-or-variables"]], "List of the steps": [[34, "list-of-the-steps"]], "1. Build": [[34, "build"]], "Mini-challenge 1": [[34, "mini-challenge-1"]], "2. Configure": [[34, "configure"]], "Mini-challenge 2": [[34, "mini-challenge-2"]], "3. Test the Configuration": [[34, "test-the-configuration"]], "Mini-challenge 3": [[34, "mini-challenge-3"]], "4. Use Local Configuration Files": [[34, "use-local-configuration-files"]], "Mini-challenge 4": [[34, "mini-challenge-4"]], "5. Edit Embedded Configurations": [[34, "edit-embedded-configurations"]], "Mini-challenge 5": [[34, "mini-challenge-5"]], "6. The Final Challenge": [[34, "the-final-challenge"]], "A Few Q&A to Warm Up": [[34, "a-few-q-a-to-warm-up"]], "The Final Boss": [[34, "the-final-boss"]], "WolfLauncher Configuration File": [[35, "wolflauncher-configuration-file"]], "wolf Element": [[35, "wolf-element"]], "Console sink element": [[35, "console-sink-element"]], "File sink element": [[35, "file-sink-element"]], "console Element": [[35, "console-element"]], "outline Element": [[35, "outline-element"]], "outcome Element": [[35, "outcome-element"]], "restrictions Element": [[35, "restrictions-element"]], "command Element": [[35, "command-element"]], "execute Element": [[35, "execute-element"]], "input Element": [[35, "input-element"]], "Examples": [[35, "examples"]], "argument Element": [[35, "argument-element"]]}, "indexentries": {}})