forked from DFIR-ORC/dfir-orc.github.io
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>DFIR ORC Local Configuration File — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script src="_static/jquery.js"></script>
<script src="_static/underscore.js"></script>
<script src="_static/doctools.js"></script>
<script src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Embedded Tool Suite" href="embedded_tool_suite.html" />
<link rel="prev" title="ToolEmbed" href="ToolEmbed.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="dfir-orc-local-configuration-file">
<h1>DFIR ORC Local Configuration File<a class="headerlink" href="#dfir-orc-local-configuration-file" title="Permalink to this headline">¶</a></h1>
<p>DFIR ORC can be locally configured to specify a limited set of configuration elements. Typically, those elements are the client’s specific configuration options (like the upload method, priority, temporary folder, etc.). The local configuration can be specified using:</p>
<blockquote>
<div><ul>
<li><p>The <code class="docutils literal notranslate"><span class="pre">/local=<LocalConfigFile></span></code> command-line option</p></li>
<li><p>A file in the same directory as DFIR ORC, with the same base name and .xml extension, e.g.:</p>
<blockquote>
<div><ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre"><SomeDirectory>\\DFIR-Orc.exe</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre"><SomeDirectory>\\DFIR-Orc.xml</span></code></p></li>
</ul>
</div></blockquote>
</li>
</ul>
</div></blockquote>
<p id="anchor-root">This section is indexed by the following XML skeleton, which lists every element that can appear
in a real configuration file.
It is not a usable configuration: it contains no attribute keys or values, and it may combine incompatible elements.
Its purpose is to be exhaustive with respect to the existing usable elements.</p>
<div class="line-block">
<div class="line"><<a class="reference external" href="#dfir-orc-element">dfir-orc</a> <em>attributes=”…”</em>></div>
<div class="line-block">
<div class="line"><<a class="reference external" href="#temporary-element">temporary</a>> <em>value</em> <<a class="reference external" href="#temporary-element">/temporary</a>></div>
<div class="line"><<a class="reference external" href="#output-element">output</a>> <em>value</em> <<a class="reference external" href="#output-element">/output</a>></div>
<div class="line"><<a class="reference external" href="#upload-element">upload</a> <em>attributes=”…”</em> /></div>
<div class="line"><<a class="reference external" href="#recipient-element">recipient</a> <em>attributes=”…”</em>> <em>value</em> <<a class="reference external" href="#recipient-element">/recipient</a>></div>
<div class="line"><<a class="reference external" href="#key-element">key</a>> <em>value</em> <<a class="reference external" href="#key-element">/key</a>></div>
<div class="line"><<a class="reference external" href="#enable-key-and-disable-key-elements">enable_key</a>> <em>value</em> <<a class="reference external" href="#enable-key-and-disable-key-elements">/enable_key</a>></div>
<div class="line"><<a class="reference external" href="#enable-key-and-disable-key-elements">disable_key</a>> <em>value</em> <<a class="reference external" href="#enable-key-and-disable-key-elements">/disable_key</a>></div>
</div>
<div class="line"><<a class="reference external" href="#dfir-orc-element">/dfir-orc</a>></div>
</div>
<div class="section" id="dfir-orc-element">
<span id="orc-local-config-dfir-orc-element"></span><h2><code class="docutils literal notranslate"><span class="pre">dfir-orc</span></code> Element<a class="headerlink" href="#dfir-orc-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=no, default=N/A</em></p>
<p>Root element</p>
<div class="section" id="attributes">
<h3>Attributes<a class="headerlink" href="#attributes" title="Permalink to this headline">¶</a></h3>
<ul>
<li><dl class="simple">
<dt><strong>priority</strong> <em>(optional=yes, default=normal)</em></dt><dd><p>Configures Windows process (and thread) priority class. Available values for this attribute are: Low, Normal & High.</p>
</dd>
</dl>
</li>
<li><dl>
<dt><strong>powerstate</strong> <em>(optional=yes, default=unmodified power state)</em></dt><dd><p>Configures the power state of DFIR ORC’s main thread, optionally preventing the system from going to sleep while DFIR ORC is running. The allowed value is a comma-separated list of:</p>
<ul class="simple">
<li><p>SystemRequired</p></li>
<li><p>DisplayRequired</p></li>
<li><p>UserPresent</p></li>
<li><p>AwayMode</p></li>
</ul>
<p>When the only goal is to prevent sleep, the recommended value for this option is SystemRequired,AwayMode.
More information on power states: <a class="reference external" href="https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-setthreadexecutionstate">https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-setthreadexecutionstate</a></p>
</dd>
</dl>
</li>
</ul>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="temporary-element">
<span id="orc-local-config-temporary-element"></span><h2><code class="docutils literal notranslate"><span class="pre">temporary</span></code> Element<a class="headerlink" href="#temporary-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=yes, default=%temp%</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>This element configures the location of temporary files created by the tool. The inner text of this element contains the name of the folder. Environment variables will be substituted.</p>
<div class="section" id="id8">
<h3>Attributes<a class="headerlink" href="#id8" title="Permalink to this headline">¶</a></h3>
<p>None</p>
</div>
<div class="section" id="example">
<h3>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><temporary></span>%Temp%\WorkingTemp<span class="nt"></temporary></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="output-element">
<span id="orc-local-config-output-element"></span><h2><code class="docutils literal notranslate"><span class="pre">output</span></code> Element<a class="headerlink" href="#output-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=no, default=’.’</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>This element configures the folder where the various archives will be created. A local drive or a remote SMB share can be specified (in the latter case, the upload syntax should be preferred to reduce network congestion). Environment variables will be substituted.</p>
<div class="section" id="id11">
<h3>Attributes<a class="headerlink" href="#id11" title="Permalink to this headline">¶</a></h3>
<p>None</p>
</div>
<div class="section" id="id12">
<h3>Example<a class="headerlink" href="#id12" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><output></span>%Temp%<span class="nt"></output></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="upload-element">
<span id="orc-local-config-upload-element"></span><h2><code class="docutils literal notranslate"><span class="pre">upload</span></code> Element<a class="headerlink" href="#upload-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=yes, default=no upload</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>The upload element is used to configure an optional upload operation when an archive is created.</p>
<div class="section" id="id15">
<h3>Attributes<a class="headerlink" href="#id15" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li><dl class="simple">
<dt><strong>job</strong> <em>(optional=yes, default=none)</em></dt><dd><p>Describes the upload operation.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>method</strong> <em>(optional=no, default=N/A)</em></dt><dd><p>Describes the method to upload the files. Currently only “filecopy” (uses SMB) or “BITS” are allowed values.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>server</strong> <em>(optional=no, default=N/A)</em></dt><dd><p>Specifies the server name (e.g. <cite>file://servername</cite> or <cite>http://servername</cite>, or <cite>https://servername</cite>) when using BITS or SMB.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>path</strong> <em>(optional=no, default= / or \ depending on the method)</em></dt><dd><p>Specifies the file share or folder for the upload</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>user</strong> <em>(optional=yes, default=the current user (executing DFIR ORC))</em></dt><dd><p>Specifies the user name to be used to connect to the remote server.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>password</strong> <em>(optional=yes, default=N/A)</em></dt><dd><p>Specifies the password to use (for the user defined above)</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>authscheme</strong> <em>(optional=yes, default=Negotiate (if a user name is specified, anonymous otherwise))</em></dt><dd><p>Specifies the authentication scheme for the connection. Possible scheme values are:</p>
<ul>
<li><p>Anonymous</p></li>
<li><p>Basic</p></li>
<li><p>NTLM</p></li>
<li><p>Kerberos</p></li>
<li><p>Negotiate</p></li>
</ul>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>operation</strong> <em>(optional=yes, default=copy)</em></dt><dd><p>“copy” or “move” the archives to the upload server.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>mode</strong> <em>(optional=yes, default=sync)</em></dt><dd><p>“sync” or “async”: the upload can be synchronous or asynchronous (asynchronous mode allows DFIR ORC to exit before the BITS jobs complete). “async” is <strong>not</strong> supported for the “filecopy” method.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>include</strong> <em>(optional=yes, default=none)</em></dt><dd><p>Specifies a comma (or semicolon) separated list of patterns, matching the file name of archives, that determine whether an output archive from <code class="docutils literal notranslate"><span class="pre">DFIR-Orc.exe</span></code> will be uploaded to the specified location. When missing, all archives are uploaded (if not explicitly excluded, see below). When specified, only archives whose name matches one of the patterns will be uploaded.</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>exclude</strong> <em>(optional=yes, default=none)</em></dt><dd><p>Specifies a comma (or semicolon) separated list of patterns, matching the file name of archives, that determine whether an output archive should not be uploaded. When excluded, an output archive is left intact in the output directory (i.e. regardless of the <code class="docutils literal notranslate"><span class="pre">operation</span></code> attribute). The <code class="docutils literal notranslate"><span class="pre">exclude</span></code> attribute takes precedence over the <code class="docutils literal notranslate"><span class="pre">include</span></code> attribute, meaning an archive whose name matches both <code class="docutils literal notranslate"><span class="pre">include</span></code> and <code class="docutils literal notranslate"><span class="pre">exclude</span></code> patterns will be excluded.</p>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="id16">
<h3>Example<a class="headerlink" href="#id16" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><upload</span> <span class="na">job=</span><span class="s">"DFIR-ORC"</span> <span class="na">method=</span><span class="s">"BITS"</span>
<span class="na">server=</span><span class="s">"http://MyBits.MyOrg.com"</span>
<span class="na">path=</span><span class="s">"upload"</span>
<span class="na">user=</span><span class="s">"MyORG\BITSUploadClient"</span> <span class="na">password=</span><span class="s">"P@ssw0rd!"</span>
<span class="na">operation=</span><span class="s">"move"</span>
<span class="na">include=</span><span class="s">"DFIR-ORC_*_Hives.7z"</span> <span class="nt">/></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="recipient-element">
<span id="orc-local-config-recipient-element"></span><h2><code class="docutils literal notranslate"><span class="pre">recipient</span></code> Element<a class="headerlink" href="#recipient-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=yes, default=N/A</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>The recipient element is used to create the list of recipients able to open the enveloped CMS archives. It basically consists of a list of encoded certificates. This element is used to add a recipient’s certificate to the list of possible recipients for individual archives. This element implies encryption of the archives specified in its compulsory archive attribute.</p>
<div class="section" id="id19">
<h3>Attributes<a class="headerlink" href="#id19" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li><dl class="simple">
<dt><strong>name</strong> <em>(optional=no, default=N/A)</em></dt><dd><p>Name of the recipient</p>
</dd>
</dl>
</li>
<li><dl class="simple">
<dt><strong>archive</strong> <em>(optional=no, default=Does not encrypt any archive)</em></dt><dd><p>Comma separated list of archive keyword specs to match against archive names. Specifies one or more archives encrypted in a CMS PKCS#7 message (cf <a class="reference external" href="http://tools.ietf.org/html/rfc2315">http://tools.ietf.org/html/rfc2315</a> )</p>
</dd>
</dl>
</li>
</ul>
</div>
<div class="section" id="id20">
<h3>Example<a class="headerlink" href="#id20" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><recipient</span> <span class="na">name=</span><span class="s">'certfr'</span> <span class="na">archive=</span><span class="s">'*'</span> <span class="nt">></span>
-----BEGIN CERTIFICATE-----
MIIC7TCCAdmgAwIBAgIQR5AF92Ti8qtEwuT3PMVrJzAJBgUrDgMCHQUAMBIxEDAO
BgNVBAMTB0NFUlQtRlIwHhcNMDQxMjMxMjIwMDAwWhcNMTQxMjMxMjIwMDAwWjAS
MRAwDgYDVQQDEwdDRVJULUZSMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAiufyRATXw5Kc/DUcEr/5nNygcbluyS5gkUd1pGaUqKHMSMEVOBzYqcvq3cMw
4shAL3TSgYdoOJaLG4ErvyRU87fWYRcwiHzGdFg89E3pBEWnyV3j3fR0fVB5t3MD
jbooTGI/qQGl1l3MZ+bOiHkYcIG50R5343VT5vjRLmPv16iopGczLXKkNFxN480f
BnCF8HcJesFiMIDUI+d9OWpLJNDSCerouMr75HVD47+gBKKgH2PrxWozk2L6R9gQ
l8/6xzM4VKiNt4BTGfChG8AnO8sJzPETjJaDXrIGaYVLxU4OxFh/a9x61dlM/5A/
TASXpLhXrsi+ib3YLLl+pNh+aQIDAQABo0cwRTBDBgNVHQEEPDA6gBD47GaJKs91
qsThQIQ7f8Y5oRQwEjEQMA4GA1UEAxMHQ0VSVC1GUoIQR5AF92Ti8qtEwuT3PMVr
JzAJBgUrDgMCHQUAA4IBAQBgvEE7qyLVV+Y5B0sR5VuPmfeqakOxBxLmb8VoTNKn
/7ai1XwtJeWD1vumKx5Q29GiUfVhvBgn0zhjM5syVDFCqEcp+eu6l2XbN8uvllCY
daTOT/9UylLxu1L/epiWiYtqRZOO/9i1fyqrkguIww7EjXXT3ybL5U/BakEC2Yg5
6vUoxbo2EbA1UoMWurRxYNYxyFfHpvBYXFf4uDaAFIVMtEgH5VkKyM3Kj2hi/PJH
/a30ndTWVSY/82hoRGCa+SkevR5VbDsxTqHtEHys4K+ETVTNXp29HwG+1YG7BTTc
4VdFRqUm7e3o6VUArFar8I01oHiHzqKJiu1Omm2Fkmc1
-----END CERTIFICATE-----
<span class="nt"></recipient></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="key-element">
<span id="orc-local-config-key-element"></span><h2><code class="docutils literal notranslate"><span class="pre">key</span></code> Element<a class="headerlink" href="#key-element" title="Permalink to this headline">¶</a></h2>
<p><em>optional=yes, default=N/A</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>The key element restricts execution to specific commands and generation to specific archives. Commands or archives whose keywords do not match are not executed or generated. This element is mutually exclusive with <code class="docutils literal notranslate"><span class="pre">enable_key</span></code> and <code class="docutils literal notranslate"><span class="pre">disable_key</span></code>.</p>
<div class="section" id="id23">
<h3>Attributes<a class="headerlink" href="#id23" title="Permalink to this headline">¶</a></h3>
<p>None</p>
</div>
<div class="section" id="id24">
<h3>Example<a class="headerlink" href="#id24" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><dfir-orc></span>
<span class="nt"><key></span>ORC_Quick<span class="nt"></key></span>
<span class="nt"><key></span>GetRam_winpmem1,Flashback<span class="nt"></key></span>
<span class="nt"></dfir-orc></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
<div class="section" id="enable-key-and-disable-key-elements">
<span id="orc-local-config-enable-key-and-disable-key-elements"></span><h2><code class="docutils literal notranslate"><span class="pre">enable_key</span></code> and <code class="docutils literal notranslate"><span class="pre">disable_key</span></code> Elements<a class="headerlink" href="#enable-key-and-disable-key-elements" title="Permalink to this headline">¶</a></h2>
<p><em>optional=yes, default=N/A</em>, <a class="reference external" href="#dfir-orc-element">parent element: dfir-orc</a></p>
<p>The <code class="docutils literal notranslate"><span class="pre">enable_key</span></code> element will enable an optional archive or command (cf. <a class="reference external" href="wolf_config.html#the-archive-element">archive element</a> , <a class="reference external" href="wolf_config.html#command-element">command element</a>).
The <code class="docutils literal notranslate"><span class="pre">disable_key</span></code> element will disable an archive generation or command execution. Elements <code class="docutils literal notranslate"><span class="pre">enable_key</span></code> and <code class="docutils literal notranslate"><span class="pre">disable_key</span></code> can be combined and repeated. All <code class="docutils literal notranslate"><span class="pre">enable_key</span></code> elements take effect before the <code class="docutils literal notranslate"><span class="pre">disable_key</span></code> elements. Keywords are case insensitive. The data in the element can be a comma separated list of keywords.</p>
<div class="section" id="id27">
<h3>Attributes<a class="headerlink" href="#id27" title="Permalink to this headline">¶</a></h3>
<p>None</p>
</div>
<div class="section" id="id28">
<h3>Example<a class="headerlink" href="#id28" title="Permalink to this headline">¶</a></h3>
<div class="highlight-xml notranslate"><div class="highlight"><pre><span></span><span class="nt"><dfir-orc></span>
<span class="nt"><disable_key></span>DFIR-ORC_Detail<span class="nt"></disable_key></span>
<span class="nt"><enable_key></span>GetRam_winpmem1<span class="nt"></enable_key></span>
<span class="nt"></dfir-orc></span>
</pre></div>
</div>
<p><a class="reference external" href="#anchor-root">Back to Root</a></p>
</div>
</div>
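<p>The following linter is an added example, not part of DFIR ORC or of its original documentation. It checks a local configuration against the constraints stated on this page (allowed values, <code>key</code> exclusivity, "async" with "filecopy", <code>exclude</code> taking precedence over <code>include</code>) and adds three hardening checks. Assumptions: attribute values are compared case-insensitively, archive patterns behave like case-insensitive globs, and the sample configuration and host names are constructed.</p>

```python
import fnmatch
import xml.etree.ElementTree as ET

# Allowed values as listed on this page (assumption: case-insensitive comparison).
METHODS = {"filecopy", "bits"}
AUTHSCHEMES = {"anonymous", "basic", "ntlm", "kerberos", "negotiate"}
POWERSTATES = {"systemrequired", "displayrequired", "userpresent", "awaymode"}
PRIORITIES = {"low", "normal", "high"}

# Constructed sample configuration (host, account and password are placeholders).
SAMPLE = """<dfir-orc priority="Low" powerstate="SystemRequired,AwayMode">
  <output>%Temp%</output>
  <upload job="DFIR-ORC" method="filecopy" server="file://collector.example"
          path="upload" mode="async" user="EXAMPLE\\svc" password="placeholder"
          include="DFIR-ORC_*.7z" exclude="*_Hives.7z" />
  <key>ORC_Quick</key>
  <disable_key>DFIR-ORC_Detail</disable_key>
</dfir-orc>"""


def split_list(value):
    """Split a comma- or semicolon-separated attribute value."""
    return [p.strip() for p in (value or "").replace(";", ",").split(",") if p.strip()]


def should_upload(archive_name, include=None, exclude=None):
    """exclude wins over include; a missing include means every archive.
    Assumption: patterns are case-insensitive globs (fnmatch semantics)."""
    def match(patterns):
        return any(fnmatch.fnmatchcase(archive_name.lower(), p.lower()) for p in patterns)
    if match(split_list(exclude)):
        return False
    inc = split_list(include)
    return match(inc) if inc else True


def lint_local_config(xml_text):
    """Return a list of findings for a DFIR ORC local configuration."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "dfir-orc":
        return ["root element must be <dfir-orc>"]
    if root.get("priority", "normal").lower() not in PRIORITIES:
        findings.append("priority: expected Low, Normal or High")
    if any(s.lower() not in POWERSTATES for s in split_list(root.get("powerstate"))):
        findings.append("powerstate: unknown value")
    # <key> is exclusive with <enable_key> and <disable_key>.
    toggles = root.find("enable_key") is not None or root.find("disable_key") is not None
    if root.find("key") is not None and toggles:
        findings.append("key: cannot be combined with enable_key/disable_key")
    for rcpt in root.findall("recipient"):
        if not rcpt.get("name") or not rcpt.get("archive"):
            findings.append("recipient: name and archive attributes are required")
    encrypted = root.find("recipient") is not None
    for up in root.findall("upload"):
        method = (up.get("method") or "").lower()
        server = (up.get("server") or "").lower()
        scheme = (up.get("authscheme") or "").lower()
        if method not in METHODS:
            findings.append("upload: method must be filecopy or BITS")
        if not server:
            findings.append("upload: server is required")
        if scheme and scheme not in AUTHSCHEMES:
            findings.append("upload: unknown authscheme")
        if method == "filecopy" and (up.get("mode") or "sync").lower() == "async":
            findings.append("upload: async mode is not supported with filecopy")
        # Hardening checks added by this example (not rules from the documentation).
        if up.get("password") is not None:
            findings.append("upload: password is stored in clear text in the file")
        if server.startswith("http://") and scheme == "basic":
            findings.append("upload: Basic authentication over http exposes the password")
        if server.startswith("http://") and not encrypted:
            findings.append("upload: http upload with no recipient, archives are unencrypted")
    return findings
```

<p>Calling <code>lint_local_config(SAMPLE)</code> reports the <code>key</code>/<code>disable_key</code> conflict, the unsupported "async" mode and the clear-text password; <code>should_upload</code> shows which archive names the <code>include</code> and <code>exclude</code> lists would select.</p>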
</div>
<div class="clearer"></div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<script type="text/javascript">
$(document).ready(function() {
$(".toggle > *").hide();
$(".toggle .header").show();
$(".toggle .header").click(function() {
$(this).parent().children().not(".header").toggle(400);
$(this).parent().children(".header").toggleClass("open");
})
});
</script>
</body>
</html>