forked from DFIR-ORC/dfir-orc.github.io
tool_list.html
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>DFIR ORC Embedded Tool Suite — DFIR ORC documentation</title>
<link rel="stylesheet" href="_static/solar.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="_static/css/custom.css" />
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/language_data.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Licenses" href="licenses.html" />
<link rel="prev" title="DFIR ORC Local Configuration File" href="orc_local_config.html" /><link href='http://fonts.googleapis.com/css?family=Source+Code+Pro|Open+Sans:300italic,400italic,700italic,400,300,700' rel='stylesheet' type='text/css'>
<link href="_static/solarized-dark.css" rel="stylesheet">
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="licenses.html" title="Licenses"
accesskey="N">next</a>
<li class="right" >
<a href="orc_local_config.html" title="DFIR ORC Local Configuration File"
accesskey="P">previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<p class="logo"><a href="index.html">
<img class="logo" src="_static/logo.jpg" alt="Logo"/>
</a></p>
<h3><a href="index.html">Table of Contents</a></h3>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="index.html">Introduction</a></li>
<li class="toctree-l1"><a class="reference internal" href="platforms.html">Requirements & Supported Platforms</a></li>
<li class="toctree-l1"><a class="reference internal" href="intro_to_data_collection.html">DFIR ORC Design and Architecture</a></li>
<li class="toctree-l1"><a class="reference internal" href="configuration.html">DFIR ORC Configuration</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">DFIR ORC Embedded Tool Suite</a></li>
<li class="toctree-l1"><a class="reference internal" href="licenses.html">Licenses</a></li>
</ul>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="dfir-orc-embedded-tool-suite">
<h1>DFIR ORC Embedded Tool Suite<a class="headerlink" href="#dfir-orc-embedded-tool-suite" title="Permalink to this headline">¶</a></h1>
<p>The utility tools embedded in the DFIR ORC binary are listed below. One further tool, <a class="reference internal" href="ToolEmbed.html"><span class="doc">ToolEmbed</span></a>, is not related to collection as such.</p>
<ul class="simple">
<li><p>FastFind: Locates and reports the presence of Indicators of Compromise (file system, registry keys, Windows named objects)</p></li>
<li><p>GetSectors: Collects the MBR, VBRs and partition slack space</p></li>
<li><p>GetThis: Collects sample data from the file system (files, ADS, extended attributes, …)</p></li>
<li><p>NTFSInfo: Collects NTFS metadata (file entries, timestamps, file hashes, Authenticode data, etc.)</p></li>
<li><p>ObjInfo: Collects the list of named objects (named pipes, mutexes, …)</p></li>
<li><p>RegInfo: Collects registry-related information (without mounting the hives)</p></li>
<li><p>USNInfo: Collects the USN Journal</p></li>
<li><p>DD: Copies specified blocks from devices</p></li>
<li><p>NTFSUtil: NTFS Master File Table inspector</p></li>
</ul>
<p>The English version of the detailed documentation for these tools is being finalized and will appear shortly.</p>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" >
<a href="licenses.html" title="Licenses"
>next</a>
<li class="right" >
<a href="orc_local_config.html" title="DFIR ORC Local Configuration File"
>previous</a>
|</li>
<li class="nav-item nav-item-0"><a href="index.html">DFIR ORC documentation</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2019, ANSSI. The contents of this documentation are available under the Open License version 2.0 as published by Etalab (French task force for Open Data). The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without its express approval.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 2.2.0. Theme is <a href="http://github.com/vimalkvn/solar-theme">Solar</a>
</div>
</body>
</html>