configuring_locations.html

<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Configuring Locations &#8212; DFIR ORC  documentation</title>
    <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
    <link rel="stylesheet" href="_static/solar.css" type="text/css" />
    <link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
    <script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
    <script src="_static/jquery.js"></script>
    <script src="_static/underscore.js"></script>
    <script src="_static/doctools.js"></script>
    <script src="_static/language_data.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="Configuring the Yara Scanner" href="configuring_yara.html" />
    <link rel="prev" title="Implementation Details About Parsers" href="fs_implem_details.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
  </head><body>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        
        
        <li class="right" >
          <a href="configuring_yara.html" title="Configuring the Yara Scanner"
             accesskey="N">next</a>
          
        
        
        <li class="right" >
          <a href="fs_implem_details.html" title="Implementation Details About Parsers"
             accesskey="P">previous</a>
           |</li>
          
        
        <li class="nav-item nav-item-0"><a href="index.html">DFIR ORC  documentation</a> &#187;</li>
          <li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> &#187;</li>
          <li class="nav-item nav-item-2"><a href="info_tools.html" accesskey="U">Common Options &amp; Properties</a> &#187;</li> 
      </ul>
    </div>
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
            <p class="logo"><a href="index.html">
              <img class="logo" src="_static/logo.jpg" alt="Logo"/>
            </a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="tuto.html">Tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">Configuration</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="embedded_tool_suite.html">Embedded Tool Suite</a><ul class="current">
<li class="toctree-l2 current"><a class="reference internal" href="info_tools.html">Common Options &amp; Properties</a></li>
<li class="toctree-l2"><a class="reference internal" href="FatInfo.html">FatInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="FastFind.html">FastFind</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetThis.html">GetThis</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSamples.html">GetSamples</a></li>
<li class="toctree-l2"><a class="reference internal" href="GetSectors.html">GetSectors</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSInfo.html">NTFSInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="NTFSUtil.html">NTFSUtil</a></li>
<li class="toctree-l2"><a class="reference internal" href="ObjInfo.html">ObjInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="RegInfo.html">RegInfo</a></li>
<li class="toctree-l2"><a class="reference internal" href="USNInfo.html">USNInfo</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>

<div id="searchbox" style="display: none" role="search">
  <h3 id="searchlabel">Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="search.html" method="get">
      <input type="text" name="q" aria-labelledby="searchlabel" />
      <input type="submit" value="Go" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">
            
  <div class="section" id="configuring-locations">
<h1>Configuring Locations<a class="headerlink" href="#configuring-locations" title="Permalink to this headline">¶</a></h1>
<p>A location is an access path to a specific NTFS volume. Typically, an access path can be:</p>
<ul>
<li><p>a mounted volume path, such as:</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\HarddiskVolume6</span></code>,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">E:\</span></code>,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">\\?\Volume{3f0e57c9-debc-403d-b614-feb223750981}</span></code>,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\Harddisk0Partition4</span></code>;</p></li>
</ul>
</div></blockquote>
</li>
<li><p>a system storage path, such as</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\STORAGE#Volume#...</span></code>;</p></li>
</ul>
</div></blockquote>
</li>
<li><p>a physical drive path, such as</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\PHYSICALDRIVE0,offset=512,size=2199023255040,sector=512</span></code>;</p></li>
</ul>
</div></blockquote>
</li>
<li><p>an interface path, such as</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\IDE#DiskVBOX_HARDDISK...offset=105906176,size=37474009088,sector=512</span></code>,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\USBSTOR#Disk&amp;Ven_Kingston&amp;...,offset=1048576,size=62007541760,sector=512</span></code>,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">\\.\SCSI#Disk&amp;Ven_Msft&amp;...,offset=1048576,size=136362065920,sector=512</span></code>;</p></li>
</ul>
</div></blockquote>
</li>
<li><p>a disk image path, such as</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">MyImage.dd</span></code>.</p></li>
</ul>
</div></blockquote>
</li>
<li><p>an environment variable or a dynamic variable, such as</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">%SYSTEMDRIVE%</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">{UserProfiles</span></code>}</p></li>
</ul>
</div></blockquote>
</li>
</ul>
<p>Paths, file names and namespaces notations are <a class="reference external" href="https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file">documented on the MSDN</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>When using the drive letter notation, a specific folder inside the volume can also be specified. This will cause the tools to collect information recursively only for entries that are subentities of the selected folders (the selected folder is excluded).</p>
</div>
<p>For some tools of the embedded tool suite (GetThis, NTFSInfo, FastFind,…), the location has to be specified.</p>
<p>Multiple locations to be inspected can either be passed as parameters on the command line:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo c: f:\Users \\.\PhysicalDrive0
</pre></div>
</div>
<p>or as a set of <code class="docutils literal notranslate"><span class="pre">location</span></code> elements in an XML configuration file with the following syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>C:<span class="nt">&lt;/location&gt;</span>
<span class="nt">&lt;location&gt;</span>F:\Users<span class="nt">&lt;/location&gt;</span>
<span class="nt">&lt;location&gt;</span>\\.\PhysicalDrive0<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>Environment variables are supported.</p>
<p>The special wildcard <code class="docutils literal notranslate"><span class="pre">*</span></code> can be used to inspect all mounted NTFS volumes on the system.</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo *
</pre></div>
</div>
<p>The equivalent XML syntax is:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>*<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>The locations specified in a file are all resolved before starting any actual parsing. Then, the most general locations to parse are determined.
Possible location attributes documented below such as <code class="docutils literal notranslate"><span class="pre">altitude</span></code> and <code class="docutils literal notranslate"><span class="pre">shadows</span></code> are taken into account globally: their value apply on all locations. The last occurrence within an XML file sets the global value of the attribute.</p>
<div class="section" id="locations">
<h2>Locations<a class="headerlink" href="#locations" title="Permalink to this headline">¶</a></h2>
<div class="section" id="locations-for-mounted-volumes">
<h3>Locations for Mounted Volumes<a class="headerlink" href="#locations-for-mounted-volumes" title="Permalink to this headline">¶</a></h3>
<p>Locations are simply added using full path names:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>C:\Windows<span class="nt">&lt;/location&gt;</span>
<span class="nt">&lt;location&gt;</span>D:\MyFiles<span class="nt">&lt;/location&gt;</span>
<span class="nt">&lt;location&gt;</span>G:\Documents<span class="nt">&lt;/location&gt;</span>
<span class="nt">&lt;location&gt;</span>{UserProfiles}\Downloads<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>File System Entries are enumerated recursively for the specified locations.</p>
<p>The MFT parser has the ability to parse a mounted volume without using the drive letter convention. Typically, one can refer to a volume using the volume ID convention:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">\\?\Volume{4564119e-eb6c-11e0-92aa-442a60da9b94}</span></code></p>
</div></blockquote>
<p>This syntax can be used as a command-line argument:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo \\?\Volume{4564119e-eb6c-11e0-92aa-442a60da9b94}
</pre></div>
</div>
<p>It can also appear in an XML configuration file:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>\\?\Volume{4564119e-eb6c-11e0-92aa-442a60da9b94}<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>Mounted volumes can also be specified using the following syntax:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">\\?\GLOBALROOT\Device\HarddiskVolume3</span></code></p>
</div></blockquote>
</div>
<div class="section" id="locations-for-physical-drives">
<h3>Locations for Physical Drives<a class="headerlink" href="#locations-for-physical-drives" title="Permalink to this headline">¶</a></h3>
<p>The MFT parser has the ability to parse the physical drive (non-mounted volumes).
When the syntax <code class="docutils literal notranslate"><span class="pre">\\.\PhysicalDrive0</span></code> is used, then the partitions of the disk are enumerated and all NTFS volumes are parsed.
One can also refer to a specific NTFS partition on a drive using the following convention:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">\\.\PhysicalDrive0,part=3</span></code></p>
</div></blockquote>
<p>In this example, 0 is the physical drive number and 3 is the enumerated partition number.</p>
<p>This syntax can be used as a command-line argument:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>.\DFIR-Orc.exe NTFSInfo \\.\PhysicalDrive0,part=3
</pre></div>
</div>
<p>or in a configuration file as follows:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>\\.\PhysicalDrive0,part=3<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>In case the partition table is invalid or missing, one can use the following syntax:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>\\.\PhysicalDrive0,offset=1048576,size=214748364800,sector=512<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>When using this notation</p>
<blockquote>
<div><ul class="simple">
<li><p>offset=1048576 represents the location of the NTFS volume in bytes,</p></li>
<li><p>size=214748364800 is the size in bytes of the partition (optional),</p></li>
<li><p>sector=512 is the size in bytes of the physical sector (optional).</p></li>
</ul>
</div></blockquote>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please note that the order matters: offset must come before size and then sector.</p>
</div>
</div>
<div class="section" id="locations-for-disk-images-dd">
<h3>Locations for Disk Images (.dd)<a class="headerlink" href="#locations-for-disk-images-dd" title="Permalink to this headline">¶</a></h3>
<p>The MFT parser has the ability to parse full disk images.</p>
<p>On a command line, the appropriate syntax is:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo <span class="s2">&quot;F:\TestCases\disk_image.dd&quot;</span>
</pre></div>
</div>
<p>while in a configuration file, one can use:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>F:\TestCases\disk_image.dd<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>The partition table of the image is located, parsed, and then all NTFS partitions are parsed.</p>
</div>
<div class="section" id="locations-for-volumes-and-partitions-of-an-image-dd">
<h3>Locations for Volumes and Partitions of an Image (.dd)<a class="headerlink" href="#locations-for-volumes-and-partitions-of-an-image-dd" title="Permalink to this headline">¶</a></h3>
<p>The MFT parser can parse partitions of raw or dd images. This requires the presence of the NTFS signature in the header of the image.</p>
<p>The syntax below can be used as a command-line argument:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo <span class="s2">&quot;F:\TestCases\d_image.dd&quot;</span>
</pre></div>
</div>
<p>or in a configuration file as follows:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>F:\TestCases\d_image.dd<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>When dealing with the image of a disk, parsing can be done by specifying the partition:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo <span class="s2">&quot;F:\TestCases\d_image.dd,part=N&quot;</span>
</pre></div>
</div>
<p>This command will parse the N-th partition in the order of the table.</p>
<p>The following command is also available, to parse the volume located at <code class="docutils literal notranslate"><span class="pre">&lt;Offset&gt;</span></code>, whose size is <code class="docutils literal notranslate"><span class="pre">&lt;Length&gt;</span></code> bytes, with sectors of <code class="docutils literal notranslate"><span class="pre">&lt;Size&gt;</span></code> bytes.</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo <span class="s2">&quot;F:\TestCases\d_image.dd,offset=&lt;Offset&gt;,length=&lt;Length&gt;,sector=&lt;Size&gt;&quot;</span>
</pre></div>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please note that the order of offset, size and sector has to be respected.</p>
</div>
</div>
<div class="section" id="locations-for-volume-shadow-copies">
<h3>Locations for Volume Shadow Copies<a class="headerlink" href="#locations-for-volume-shadow-copies" title="Permalink to this headline">¶</a></h3>
<div class="section" id="explicit-volume-shadow-copy">
<h4>Explicit Volume Shadow Copy<a class="headerlink" href="#explicit-volume-shadow-copy" title="Permalink to this headline">¶</a></h4>
<p>The MFT parser has the ability to parse volume shadow copies (VSS).</p>
<p>On a command line, one can use:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10
</pre></div>
</div>
<p>and in a configuration file, the following line works:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="automatic-shadow-copies-addition">
<span id="configuring-locations-automatic-shadow"></span><h4>Automatic Shadow Copies Addition<a class="headerlink" href="#automatic-shadow-copies-addition" title="Permalink to this headline">¶</a></h4>
<p>The volume shadow copies can be enumerated and added to the list of parsed locations.
This feature can be enabled by adding the attribute <code class="docutils literal notranslate"><span class="pre">shadows=&quot;yes&quot;</span></code> in a <code class="docutils literal notranslate"><span class="pre">location</span></code> element:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location</span> <span class="na">shadows=</span><span class="s">&quot;yes&quot;</span><span class="nt">&gt;</span>c:\<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>The location must be a mounted volume: parsing shadow copies is not supported for physical drive, raw disk images, or interfaces.</p>
<p>Using <code class="docutils literal notranslate"><span class="pre">shadows=&quot;yes&quot;</span></code> activates VSS parsing, not using it (rather than <code class="docutils literal notranslate"><span class="pre">shadows=&quot;no&quot;</span></code>) does not activate parsing. As noted in introduction, the presence of this attribute in an XML file sets the option globally.</p>
<p>The wildcard <code class="docutils literal notranslate"><span class="pre">*</span></code> is also supported:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location</span> <span class="na">shadows=</span><span class="s">&quot;yes&quot;</span><span class="nt">&gt;</span>*<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">/shadows</span></code> option can also be used on command lines and applies to all mounted volumes otherwise selected.</p>
</div>
</div>
<div class="section" id="locations-for-offline-mft">
<h3>Locations for Offline MFT<a class="headerlink" href="#locations-for-offline-mft" title="Permalink to this headline">¶</a></h3>
<p>The MFT parser can be used to parse the Master File Table in an offline manner, that is to say, the volume does not have to be parsed - or even present.
The following command allows to dump the MFT:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe GetThis /sample=$Mft /out=d:\temp C:
</pre></div>
</div>
<p>Then the result can be passed to NTFSInfo.
This allows the MFT to be parsed without malware potentially intervening in the parsing (though it could still tamper with the capture).</p>
<p>The syntax is as follows:</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>DFIR-Orc.exe NTFSInfo d:\temp\$MFT_data
</pre></div>
</div>
<p>or when using the XML configuration file:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>d:\temp\$MFT_data<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
</div>
<div class="section" id="location-variables">
<h3>Location variables<a class="headerlink" href="#location-variables" title="Permalink to this headline">¶</a></h3>
<p>Environment variables (ex: <code class="docutils literal notranslate"><span class="pre">SYSTEMROOT</span></code>) are resolved when executing DFIR-Orc.</p>
<p>The syntax is as follows:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>%SYSTEMROOT%<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<p>DFIR-Orc can also define some dynamic variable like <code class="docutils literal notranslate"><span class="pre">UserProfiles</span></code>.</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location&gt;</span>{UserProfiles}\Downloads<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">UserProfiles</span></code>: This variable will be expanded to the paths stored in <code class="docutils literal notranslate"><span class="pre">HKLM/SOFTWARE/Microsoft/Windows</span> <span class="pre">NT/CurrentVersion/ProfileList</span></code>. Once expanded it will have the same behavior as with multiple <cite>&lt;Location&gt;…</cite> for each a user profile directory.</p></li>
</ul>
</div>
</div>
<div class="section" id="usage">
<h2>Usage<a class="headerlink" href="#usage" title="Permalink to this headline">¶</a></h2>
<div class="section" id="altitude-attribute-altitude-strategy-option">
<h3><code class="docutils literal notranslate"><span class="pre">altitude</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/Altitude=&lt;Strategy&gt;</span></code> Option<a class="headerlink" href="#altitude-attribute-altitude-strategy-option" title="Permalink to this headline">¶</a></h3>
<p>The location altitude defines the strategy used to translate a given location into the optimal access path to the volume. There are three strategies available for the altitude selection:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Lowest</span></code> (default): translates the location to the lowest-level access path available for the volume,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Highest</span></code>: translates the location to the highest-level access path available for the volume,</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Exact</span></code>: uses the given location as the exact access path and does not attempt altitude translation.</p></li>
</ul>
<p>For instance, if the location provided is <code class="docutils literal notranslate"><span class="pre">C:</span></code> and the altitude is set to choose the lowest-level access path available, then the tools internally translate the mounted volume path into an interface path (e.g., <code class="docutils literal notranslate"><span class="pre">\\.\IDE#DiskVBOX_HARDDISK...</span></code>), if available, and use the latter to collect data.</p>
<p>Selecting the lowest possible altitude is useful for avoiding potential malware hooks in the driver stack.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>There are some cases where the lowest possible altitude is not the interface path. This typically happens when using Full Volume Encryption software such as BitLocker. In this case, the physical drive and interface paths cannot be used and the altitude selector remains at the mounted volume level in order to read the decrypted data.</p>
</div>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Some volume encryption solutions do not alter the NTFS Volume Boot Record, tricking the altitude selector into believing the volume is a non-encrypted NTFS volume. This situation results in the choice of a wrong access path translation, thus preventing normal data collection. To avoid such problems <strong>in this specific case only</strong>, altitude selection should be set to use the <code class="docutils literal notranslate"><span class="pre">Exact</span></code> strategy and the location should be a mounted volume path.</p>
</div>
<p>Altitude selection can either be configured via the command line</p>
<div class="highlight-bat notranslate"><div class="highlight"><pre><span></span>/Altitude=Exact<span class="p">|</span>Highest<span class="p">|</span>Lowest
</pre></div>
</div>
<p>or via the <code class="docutils literal notranslate"><span class="pre">altitude</span></code> attribute of the <code class="docutils literal notranslate"><span class="pre">location</span></code> element:</p>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt">&lt;location</span> <span class="na">altitude=</span><span class="s">&quot;highest&quot;</span><span class="nt">&gt;</span>C:\Windows<span class="nt">&lt;/location&gt;</span>
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Even if the attribute <code class="docutils literal notranslate"><span class="pre">altitude</span></code> can be set on all <code class="docutils literal notranslate"><span class="pre">location</span></code> element, only the last occurrence in an XML file is taken into account for the complete set of <code class="docutils literal notranslate"><span class="pre">location</span></code> elements.</p>
</div>
</div>
<div class="section" id="knownlocations-attribute-knownlocations-option">
<span id="configuring-locations-knowlocations"></span><h3><code class="docutils literal notranslate"><span class="pre">knownlocations</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/knownlocations</span></code> Option<a class="headerlink" href="#knownlocations-attribute-knownlocations-option" title="Permalink to this headline">¶</a></h3>
<p>Some tools (NTFSInfo, FastFind, GetSamples, USNInfo, GetThis) provides the <code class="docutils literal notranslate"><span class="pre">/knownlocations</span></code> option in command line or the equivalent <code class="docutils literal notranslate"><span class="pre">&lt;knownlocations/&gt;</span></code> element in their XML configuration file.</p>
<p>This option collects information on the following locations of interest:</p>
<table class="colwidths-given docutils align-default">
<colgroup>
<col style="width: 33%" />
<col style="width: 67%" />
</colgroup>
<thead>
<tr class="row-odd"><th class="head"><p>Identifier</p></th>
<th class="head"><p>Typical path</p></th>
</tr>
</thead>
<tbody>
<tr class="row-even"><td><p>CSIDL_PROGRAMS</p></td>
<td><p>Start Menu\Programs</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_FAVORITES</p></td>
<td><p>&lt;user name&gt;\Favorites</p></td>
</tr>
<tr class="row-even"><td><p>SIDL_STARTUP</p></td>
<td><p>Start Menu\Programs\Startup</p></td>
</tr>
<tr class="row-odd"><td><p>SIDL_BITBUCKET</p></td>
<td><p>&lt;desktop&gt;\Recycle Bin</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_STARTMENU</p></td>
<td><p>&lt;user name&gt;\Start Menu</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_DESKTOPDIRECTORY</p></td>
<td><p>&lt;user name&gt;\Desktop</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_COMMON_STARTMENU</p></td>
<td><p>All Users\Start Menu</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_COMMON_STARTUP</p></td>
<td><p>All Users\Startup</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_COMMON_DESKTOPDIRECTORY</p></td>
<td><p>All Users\Desktop</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_APPDATA</p></td>
<td><p>&lt;user name&gt;\Application Data</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_LOCAL_APPDATA</p></td>
<td><p>&lt;user name&gt;\Local Settings\Application Data (non roaming)</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_ALTSTARTUP</p></td>
<td><p>non localized startup</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_COMMON_ALTSTARTUP</p></td>
<td><p>non localized common startup</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_COMMON_FAVORITES</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>CSIDL_INTERNET_CACHE</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_COOKIES</p></td>
<td></td>
</tr>
<tr class="row-even"><td><p>CSIDL_HISTORY</p></td>
<td></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_COMMON_APPDATA</p></td>
<td><p>All Users\Application Data</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_WINDOWS</p></td>
<td><p>GetWindowsDirectory()</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_PROGRAM_FILES</p></td>
<td><p>C:\Program Files</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_PROFILE</p></td>
<td><p>%USERPROFILE%</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_PROGRAM_FILESX86</p></td>
<td><p>C:\Program Files</p></td>
</tr>
<tr class="row-even"><td><p>CSIDL_COMMON_ADMINTOOLS</p></td>
<td><p>All Users\Start Menu\Programs\Administrative Tools</p></td>
</tr>
<tr class="row-odd"><td><p>CSIDL_ADMINTOOLS</p></td>
<td><p>&lt;user name&gt;\Start Menu\Programs\Administrative Tools</p></td>
</tr>
<tr class="row-even"><td><p>%Path%</p></td>
<td><p>Each directory in %Path% is added</p></td>
</tr>
<tr class="row-odd"><td><p>%ALLUSERSPROFILE%</p></td>
<td><p>All User profile</p></td>
</tr>
<tr class="row-even"><td><p>%temp%</p></td>
<td><p>%temp% is added if it exists</p></td>
</tr>
<tr class="row-odd"><td><p>%tmp%</p></td>
<td><p>%tmp% is added if it exists</p></td>
</tr>
<tr class="row-even"><td><p>%APPDATA%</p></td>
<td></td>
</tr>
</tbody>
</table>
<p>For more information, please refer to <a class="reference external" href="https://docs.microsoft.com/en-us/windows/win32/shell/csidl">the reference page for KnownLocations</a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Known locations cannot be used as a <code class="docutils literal notranslate"><span class="pre">location</span></code> value.</p>
</div>
</div>
<div class="section" id="shadows-attribute-shadows-option">
<h3><code class="docutils literal notranslate"><span class="pre">shadows</span></code> Attribute, <code class="docutils literal notranslate"><span class="pre">/shadows</span></code> Option<a class="headerlink" href="#shadows-attribute-shadows-option" title="Permalink to this headline">¶</a></h3>
<p>This option allows automatic parsing of the shadow copies on mounted volumes only. It is explained <a class="reference internal" href="#configuring-locations-automatic-shadow"><span class="std std-ref">above</span></a>.</p>
</div>
</div>
</div>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related" role="navigation" aria-label="related navigation">
      <h3>Navigation</h3>
      <ul>
        
        
        <li class="right" >
          <a href="configuring_yara.html" title="Configuring the Yara Scanner"
             >next</a>
          
        
        
        <li class="right" >
          <a href="fs_implem_details.html" title="Implementation Details About Parsers"
             >previous</a>
           |</li>
          
        
        <li class="nav-item nav-item-0"><a href="index.html">DFIR ORC  documentation</a> &#187;</li>
          <li class="nav-item nav-item-1"><a href="embedded_tool_suite.html" >Embedded Tool Suite</a> &#187;</li>
          <li class="nav-item nav-item-2"><a href="info_tools.html" >Common Options &amp; Properties</a> &#187;</li> 
      </ul>
    </div>
 <script type="text/javascript">
    $(document).ready(function() {
        $(".toggle > *").hide();
        $(".toggle .header").show();
        $(".toggle .header").click(function() {
            $(this).parent().children().not(".header").toggle(400);
            $(this).parent().children(".header").toggleClass("open");
        })
    });
</script>

  </body>
</html>