
dfir-orc-config's Introduction

DFIR ORC

LGPL licensed

Documentation

https://dfir-orc.github.io

Build

Branch         Status
main           CI build status badge
release/10.1   CI build status badge
release/10.2   CI build status badge

Requirements

  • Visual Studio
    • From 2017 to 2022
    • English only (vcpkg limitation)
    • Use this installer configuration or alternatively use vstools
    • Check also "Desktop development with C++"
  • Kitware's CMake >= 3.25 or Visual Studio integrated version

Build environment can be setup quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer.

Commands

Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. See https://dfir-orc.github.io for more details about deployment and configuration.

In a prompt like Developer Command Prompt for VS 2019 (prefer to avoid using cmd.exe):

git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
mkdir build-x86 build-x64

cd build-x86
cmake -G "Visual Studio 17 2022" -A Win32 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount

cd ../build-x64
cmake -G "Visual Studio 17 2022" -A x64 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount
  • The -T v141_xp option enables compatibility with Windows XP SP2 and later. It can safely be removed if this is not required.

  • The default ORC_BUILD_VCPKG=ON option will build vcpkg packages in 'external/vcpkg' subdirectory.

Important: always run git submodule update after any git pull so that the submodules are updated as well. Alternatively, always pull with git pull --recurse-submodules.

Options

CMake option           Default                  Description
ORC_DOWNLOADS_ONLY     OFF                      Only download vcpkg dependencies
ORC_BUILD_VCPKG        ON                       Build vcpkg dependencies
ORC_BUILD_APACHE_ORC   OFF                      Build Apache Orc module
ORC_BUILD_COMMAND      ON                       Build OrcCommand library
ORC_BUILD_FASTFIND     OFF                      Build FastFind binary
ORC_BUILD_ORC          ON                       Build Orc binary
ORC_BUILD_PARQUET      OFF                      Build Parquet module (x64)
ORC_BUILD_SSDEEP       OFF                      Build with ssdeep support
ORC_BUILD_JSON         ON                       Build with JSON enabled
ORC_USE_STATIC_CRT     ON                       Use static runtime
ORC_VCPKG_ROOT         ${ORC}/external/vcpkg    VCPKG root directory
ORC_XMLLITE_PATH       (empty)                  XmlLite.dll path (XP SP2) [1]
VCPKG_TARGET_TRIPLET   Autodetect               VCPKG triplet to use
CMAKE_TOOLCHAIN_FILE   Autodetect               VCPKG's toolchain file

[1] xmllite.dll is native on Windows XP SP2 once the system is patched.

Note: Some combinations may be irrelevant.

License

The contents of this repository are available under the LGPL2.1+ license. The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without express approval.


The contents of this repository are available under the LGPL2.1+ license, as indicated here. The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without express authorization.

Acknowledgments

DFIR ORC is disclosing Microsoft source code with Microsoft's permission.

dfir-orc-config's People

Contributors: blagny-anssi, jgautier-anssi, md-anssi, rg-anssi, sc-anssi, sydurand


dfir-orc-config's Issues

Offline mode not really offline for 2 modules

Steps to reproduce:

  1. Launch DFIR-Orc in offline mode on the drive where you mounted your disk image or on an empty existing partition:
     DFIR-Orc.exe /offline=F:\
     Resulting archive: DFIR-ORC_{SystemType}_{FullComputerName}_Offline.7z

  2. Look at BootCode.log and UefiFull.log

Content:
Disk Name : \\.\PhysicalDrive0

Explanation:

There is no configuration file to define %OfflineLocation% as the scope, as all other modules have.
I don't even know if both modules GetLegacyBootCode_offline and GetUefiFull_offline take a partition as a parameter.

Perhaps they work on full disks only?


ISSUE:

You will get information from your analysis machine in the Offline results.
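One way to catch the behaviour described in this report after an offline run, as an added example that is not part of the dfir-orc project: extract the "Disk Name :" line from each module log in the resulting archive and flag any module whose disk is a physical drive of the analysis machine (or anything other than the /offline location). The only log format taken from the page is the single "Disk Name : \\.\PhysicalDrive0" line quoted above; that other module logs carry a comparable "Disk Name :" line is an assumption, and the sample logs are constructed.

```python
import re

# The "Disk Name : <value>" line is the one quoted in the issue; treating it as a
# per-module log line shared by other offline modules is an assumption.
DISK_NAME_RE = re.compile(r"^Disk Name\s*:\s*(\S.*?)\s*$", re.MULTILINE)
# A raw physical drive of the host running DFIR-Orc.exe, e.g. \\.\PhysicalDrive0
PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)


def disk_names(log_text: str) -> list:
    """Every value named on a 'Disk Name :' line of a module log."""
    return DISK_NAME_RE.findall(log_text)


def suspicious_logs(logs: dict, offline_location: str) -> dict:
    """Map log name -> disk names that are not the /offline location.

    A physical drive of the analysis machine, or any path outside the mounted
    image, means the module did not honour /offline and its output describes
    the analyst's own host rather than the evidence."""
    expected = offline_location.rstrip("\\").lower()
    findings = {}
    for name, text in logs.items():
        wrong = [d for d in disk_names(text)
                 if PHYSICAL_DRIVE_RE.match(d)
                 or not d.rstrip("\\").lower().startswith(expected)]
        if wrong:
            findings[name] = wrong
    return findings


# Constructed sample logs mirroring the report: two modules ignored /offline=F:\
# while a third (assumed format) scoped itself to the mounted image.
SAMPLE_LOGS = {
    "BootCode.log": "Disk Name : \\\\.\\PhysicalDrive0\n",
    "UefiFull.log": "Disk Name : \\\\.\\PhysicalDrive0\n",
    "GetEVT_offline.log": "Disk Name : F:\\\n",
}

if __name__ == "__main__":
    for log, drives in suspicious_logs(SAMPLE_LOGS, "F:\\").items():
        print(f"{log}: examined {drives} instead of the offline location")
```

Run it against the logs extracted from DFIR-ORC_{SystemType}_{FullComputerName}_Offline.7z with the same value you passed to /offline; any module it lists produced data about the collection host, not the image, and should be dropped from the case.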

Which version of dumpIT & winpmem ?

I am trying to configure ORC but DumpIt is not working. Which version are you using to have /q /n /u?
Same question for winpmem.exe.
Can you update the readme?

Make fastfind package

Hi,

I would like to make a fastfind package.
I tried different ways:

First way (tried to call self fastfind):
DFIR-ORC_embed.xml:

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
    <input>.\tools\DFIR-Orc_x86.exe</input>
    <output>.\output\%ORC_OUTPUT%</output>

    <run32 args="WolfLauncher">self:#</run32>
    <run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>

    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>

    <file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
    <file name="fastfind.xml" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>

    <archive name="Tools" format="7z" compression="Ultra">
        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
    </archive>
</toolembed>

DFIR-ORC_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<wolf childdebug="no" command_timeout="600">
  <command keyword="FastFind">
    <execute name="DFIR-Orc.exe" run="self:#FastFind"/>
    <argument>/config=res:#fastfind.xml</argument>
    <output name="FastFind_{SystemType}_{FullComputerName}_{TimeStamp}.log" source="File" argument="/out={FileName}"/>
  </command>
</wolf>

Second way (tried to call directly ORC with fastfind config):
DFIR-ORC_embed.xml:

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
    <input>.\tools\DFIR-Orc_x86.exe</input>
    <output>.\output\%ORC_OUTPUT%</output>

    <run32 args="WolfLauncher">self:#</run32>
    <run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>

    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>

    <file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>

    <archive name="Tools" format="7z" compression="Ultra">
        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
    </archive>
</toolembed>

fastfind.xml (from the example in your doc):

<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <yara source="res:#ruleset.yara" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
        <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
        <ntfs_find name_match="gdi*.dll"/>
        <ntfs_exclude path="\Windows\System32\ntdll.dll"/>
        <ntfs_exclude path_match="\Windows\System32\gdi*.dll"/>
        <ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
        <ntfs_exclude size="14966411"/>
        <ntfs_exclude contains="bcryptprimitives.pdb"/>
    </filesystem>
    <registry>
        <location>%SystemDrive%\</location>
        <hive name="NTUSER">
            <ntfs_find name="NTUSER.DAT"/>
            <registry_find key_path="\Software\Microsoft\Internet Explorer\Main" value="Check_Associations" data="no"/>
        </hive>
        <hive name="SOFTWARE">
            <ntfs_find name="SOFTWARE"/>
            <registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth"/>
        </hive>
    </registry>
    <object>
        <object_find type="Mutant" name="foo"/>
        <object_find type="File" name="foobar"/>
    </object>
</fastfind>

In all cases the build works, but when I launch ORC_packaged.exe, execution returns an error because the WOLFLAUNCHER_CONFIG file doesn't have the correct format...

Can you give me an example config please?

Thanks.
Lionel
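A consistency check one can run on such a package before building it, as an added example that is neither part of the dfir-orc project nor Lionel's code: it parses the toolembed XML and the configuration files it embeds, collects every "res:#name" and "7z:#Archive|File" reference, and reports those that no <file name=...> or <archive name=...> entry satisfies. The reference syntaxes are the ones visible in the configurations above; "self:#Command" refers to the ORC binary itself and cannot be validated against the embed, so it is ignored. The embedded inputs are constructed from the first configuration in this post (fastfind.xml trimmed to its yara reference), plus one wolf config with a deliberately mismatched resource name.

```python
import re
import xml.etree.ElementTree as ET

# Reference syntaxes that appear in the configurations quoted above:
#   res:#<name>            an embedded resource declared with <file name=...>
#   7z:#<archive>|<file>   a member of an embedded <archive name=...>
#   self:#<command>        a command compiled into the ORC binary; it cannot be
#                          checked against the embed, so it is ignored here
REF_RE = re.compile(r"""(res|7z):#([^\s'"|<>]+)(?:\|([^\s'"<>]+))?""")


def parse_embed(embed_xml: str):
    """Return (resource names, {archive name: member file names}) from a toolembed XML."""
    root = ET.fromstring(embed_xml.strip())
    resources, archives = set(), {}
    for child in root:
        if child.tag in ("file", "pair"):
            resources.add(child.get("name"))
        elif child.tag == "archive":
            archives[child.get("name")] = {f.get("name") for f in child.findall("file")}
    return resources, archives


def find_references(xml_text: str):
    """Yield (kind, target, member) for every res:# or 7z:# token in attributes or text."""
    for elem in ET.fromstring(xml_text.strip()).iter():
        values = list(elem.attrib.values()) + ([elem.text] if elem.text else [])
        for value in values:
            for m in REF_RE.finditer(value):
                yield m.group(1), m.group(2), m.group(3)


def check_config(embed_xml: str, configs: dict) -> list:
    """List every unresolved reference; an empty list means the embed is consistent.

    `configs` maps the resource name of each embedded configuration file to its
    XML text, so references inside those files are checked as well as the
    embed's own <run32>/<run64>/<pair> entries."""
    resources, archives = parse_embed(embed_xml)
    problems = []
    if "WOLFLAUNCHER_CONFIG" not in resources:
        problems.append("embed: no WOLFLAUNCHER_CONFIG resource declared")
    for source, text in {"DFIR-ORC_embed.xml": embed_xml, **configs}.items():
        for kind, target, member in find_references(text):
            if kind == "res" and target not in resources:
                problems.append(f"{source}: res:#{target} is not an embedded resource")
            elif kind == "7z" and target not in archives:
                problems.append(f"{source}: archive '{target}' is not embedded")
            elif kind == "7z" and member not in archives[target]:
                problems.append(f"{source}: '{member}' is not a member of archive '{target}'")
    return problems


# Constructed inputs: the first embed and wolf config quoted in the post above,
# a trimmed fastfind.xml, and a wolf config with a deliberately wrong resource name.
EMBED_XML = r"""
<toolembed>
    <input>.\tools\DFIR-Orc_x86.exe</input>
    <output>.\output\%ORC_OUTPUT%</output>
    <run32 args="WolfLauncher">self:#</run32>
    <run64 args="WolfLauncher">7z:#Tools|DFIR-Orc_x64.exe</run64>
    <file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>
    <file name="ruleset.yara" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara"/>
    <file name="fastfind.xml" path=".\%ORC_CONFIG_FOLDER%\fastfind.xml"/>
    <archive name="Tools" format="7z" compression="Ultra">
        <file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>
    </archive>
</toolembed>
"""

WOLF_OK = r"""
<wolf childdebug="no" command_timeout="600">
  <command keyword="FastFind">
    <execute name="DFIR-Orc.exe" run="self:#FastFind"/>
    <argument>/config=res:#fastfind.xml</argument>
    <output name="FastFind_{SystemType}_{FullComputerName}_{TimeStamp}.log" source="File" argument="/out={FileName}"/>
  </command>
</wolf>
"""

# Same wolf config, but the resource name matches no <file name=...> above (constructed).
WOLF_BAD = WOLF_OK.replace("res:#fastfind.xml", "res:#FastFind_config.xml")

FASTFIND_MIN = r"""
<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <yara source="res:#ruleset.yara" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
    </filesystem>
</fastfind>
"""

if __name__ == "__main__":
    print("consistent:", check_config(EMBED_XML, {"WOLFLAUNCHER_CONFIG": WOLF_OK, "fastfind.xml": FASTFIND_MIN}))
    print("broken:", check_config(EMBED_XML, {"WOLFLAUNCHER_CONFIG": WOLF_BAD}))
```

The check only proves that every name lines up; it says nothing about whether each embedded file is itself well-formed for the tool that reads it, so a "WOLFLAUNCHER_CONFIG file doesn't have the correct format" error can survive a clean result when, as in the second attempt above, a fastfind.xml is embedded under the WOLFLAUNCHER_CONFIG name instead of a <wolf> document.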

FastFind : Failed to parse default configuration

Hi,

I'm trying to use FastFind but I have some issues when I try to launch it.
I followed the instructions to build and configure my DFIR-Orc.exe, but every time I try to use it with FastFind this message appears in my shell:

FastFind v10.1.0-rc5

IOC Finder

2021-06-11T13:50:17.590Z [C] Failed to parse default configuration [0x80070585: Index non valide.]

I used this version of the DFIR-ORC_embed.xml file when I launched the Configure.cmd file in my dfir-orc-config directory and this version of the DFIR-ORC_config.xml.

DFIR-ORC_embed.xml

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
	<input>.\tools\DFIR-Orc_x86.exe</input>
	<output>.\output\%ORC_OUTPUT%</output>

	<run64 args="WolfLauncher" >7z:#Tools|DFIR-Orc_x64.exe</run64>
	<run32 args="WolfLauncher" >self:#</run32>

	<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>

	<file name="GetADS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_config.xml"/>
	<file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
	<file name="GetExtAttrs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_config.xml"/>
	<file name="GetTextLogs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_config.xml"/>
	<file name="GetSDS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_config.xml"/>
	<file name="GetCatRoot_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_config.xml"/>
	<file name="GetEVT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_config.xml"/>
	<file name="GetExeTMP_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExeTMP_config.xml"/>
	<file name="GetBrowsersHistory_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersHistory_config.xml"/>
	<file name="GetBrowsersArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersArtefacts_config.xml"/>
	<file name="GetScript_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_config.xml"/>
	<file name="GetErrors_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_config.xml"/>
	<file name="GetSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamples_config.xml" />
	<file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
	<file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
	<file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
	<file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
	<file name="NTFSInfoQuick_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoQuick_config.xml"/>
	<file name="NTFSInfoDetail_systemdrive_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_systemdrive_config.xml"/>
	<file name="NTFSInfoDetail_alldrives_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_alldrives_config.xml"/>
	<file name="GetFuzzyHash_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_config.xml"/>
	<file name="FatInfoDetail_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoDetail_config.xml"/>
	<file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
	<file name="FatInfoFirstBytes_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoFirstBytes_config.xml"/>
	<file name="GetMemDmp_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_config.xml"/>
	<file name="GetResidents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_config.xml"/>

	<file name="GetADS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_offline_config.xml"/>
	<file name="GetArtefacts_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_offline_config.xml"/>
	<file name="GetExtAttrs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_offline_config.xml"/>
	<file name="GetTextLogs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_offline_config.xml"/>
	<file name="GetHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetHives_offline_config.xml"/>
	<file name="GetSDS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_offline_config.xml"/>
	<file name="GetCatRoot_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_offline_config.xml"/>
	<file name="GetScript_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_offline_config.xml"/>
	<file name="GetErrors_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_offline_config.xml"/>
	<file name="GetMemDmp_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_offline_config.xml"/>
	<file name="GetEVT_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_offline_config.xml"/>
	<file name="GetUserHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_offline_config.xml"/>
	<file name="GetEXE_TMP_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEXE_TMP_offline_config.xml"/>
	<file name="GetBrowsersComplet_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersComplet_offline_config.xml"/>
	<!-- <file name="GetYaraSamples_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_offline_config.xml"/> -->
	<file name="GetFuzzyHash_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_offline_config.xml"/>
	<file name="NTFSInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_offline_config.xml"/>
	<file name="GetSAM_hive_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSAM_hive_offline_config.xml"/>
	<file name="FatInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_offline_config.xml"/>
	<file name="GetResidents_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_offline_config.xml"/>

	<file name="NTFSInfo_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_little_config.xml" />
	<file name="GetEVT_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_little_config.xml" />
	<file name="GetSystemHives_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_little_config.xml" />
	<file name="GetArtefacts_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_little_config.xml" />
	<file name="GetScript_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_little_config.xml" />

	<file name="FastFind_config.xml" path=".\%ORC_CONFIG_FOLDER%\FastFind_config.xml" />

	<file name="GetMFT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMFT_config.xml" />

	<file name="yara_rules" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara" />

	<pair name="AUTORUNS"  value="7z:#Tools|autorunsc.exe" />

	<archive name="Tools" format="7z" compression="Ultra">
		<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>

		<!-- <file name="handle.exe" path=".\tools\handle.exe"/> -->
		<file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
		<!-- <file name="Tcpvcon.exe" path=".\tools\Tcpvcon.exe"/>
		<file name="PsService.exe" path=".\tools\PsService.exe"/>
		<file name="Listdlls.exe" path=".\tools\Listdlls.exe"/>

		<file name="dumpit" path=".\tools\DumpIt.exe" />
		<file name="winpmem" path=".\tools\winpmem.exe" /> -->

	</archive>
</toolembed>

After the Configuration.cmd I have tested DFIR-Orc.exe with these two command lines available in the online documentation of the project here:

.\output\DFIR-Orc.exe NTFSInfo /out=C_drive.csv "C:\"
.\output\DFIR-Orc.exe GetThis /nolimits /sample=ntdll.dll /out=ntdll.7z "C:\"

These command lines worked properly, but when I tried to launch the program with FastFind I faced the error message I posted above.
In order to use FastFind I use this command line, which I found here, in an admin PowerShell:

.\output\DFIR-Orc.exe FastFind /config=fastfind.xml /out=fastfind_output.xml

The content of fastfind.xml used in the /config field is the same as the one in the FastFind documentation:

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <yara source="yara.rules" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
        <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
        <ntfs_find name="ntdll.dll" yara_rule="is_dll"/>
        <ntfs_find name_match="gdi*.dll"/>
        <ntfs_exclude path="\Windows\System32\ntdll.dll"/>
        <ntfs_exclude path_match="\Windows\System32\gdi*.dll"/>
        <ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
        <ntfs_exclude size="14966411"/>
        <ntfs_exclude contains="bcryptprimitives.pdb"/>
    </filesystem>
    <registry>
        <location>%SystemDrive%\</location>
        <hive name="NTUSER">
            <ntfs_find name="NTUSER.DAT"/>
            <registry_find key_path="\Software\Microsoft\Internet Explorer\Main" value="Check_Associations" data="no"/>
        </hive>
        <hive name="SOFTWARE">
            <ntfs_find name="SOFTWARE"/>
            <registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth"/>
        </hive>
    </registry>
    <object>
        <object_find type="Mutant" name="foo"/>
        <object_find type="File" name="foobar"/>
    </object>
</fastfind>

I also tried to use this command line in the \output directory, but the same error occurred.

Do you see why I'm facing this error?
Thanks for your help !

Missing parquet documentation ?

Hi,
I would be very interested in producing parquet files with ORC. I then compiled ORC with parquet format support, but after that I have only been able to produce CSV files.
Moreover, I have not seen any mention of the parquet format in the documentation. Maybe I missed it.

Any help would be really appreciated. Which embedded tools can produce parquet files and how?

Thanks,

Regards,
Pierre

No output after configuration

Hi,

I successfully compiled the ORC project.
To make a test configuration, I used the two binaries DFIR-ORC-x86.exe and DFIR-ORC-x64.exe from the two folders build-x86\MinSizeRel and build-x64\MinSizeRel, and I put them alongside autorunsc.exe in the tools folder.

I didn't change anything in the two other folders: output and config.

After executing the configure.cmd file, I got the following message:

Configuring Orc (.\output\DFIR-Orc.exe) with config: .\config

And an empty folder named %ORC_OUTPUT% is created after that in the output folder.

Could you please tell me if I did something wrong?

.data output file

Hello,

When running BrowserHistory, the output gives me .data files that I can't read properly. Is there a way to get .CSV files as output for the browser history, or do you have software to recommend for reading the .data files?

Thanks

I don't find DumpIt.exe and winpmem.exe

Hello,

I am installing the framework and I am at the configuration step. To complete the configuration, I can't find two tools: DumpIt.exe and winpmem.exe.

I have searched on this platform: "https://live.sysinternals.com" but I did not find anything.

I wonder where I can find these tools?

Thanks for your help
