In the last decade, the DFIR community has had to deal with ever-growing installed bases and to address Advanced Persistent Threats. To face these challenges, ANSSI has reviewed its investigation methodology and developed suitable tooling. DFIR ORC is a direct result of this change of paradigm.
DFIR ORC, where ORC stands for « Outil de Recherche de Compromission » in French, is a set of specialized tools dedicated to the reliable parsing and collection of critical forensic artefacts. Designed to scale up, it gathers data in a decentralized manner. It is meant to be used easily in the Microsoft Windows ecosystem, and to have low impact on production environments.
« Incident responders have used DFIR ORC successfully on more than 150K machines to fulfill their operational missions. » François Deruty, ANSSI’s Deputy Director of Operations
ANSSI wants to contribute to the digital security community. This is why the DFIR ORC framework, resulting from 8 years of active development, is now open-sourced.
DFIR ORC is meant to be used by computer security professionals to collect forensically relevant data without altering it. It can also inspire security developers and analysts, who can contribute to the project.
Meant to scale up for use on large installed bases, DFIR ORC also supports fine-tuning to suit specific forensic use cases as well as the particularities of a given information system. DFIR ORC collects data but does not analyze it: it is not meant to triage machines. Instead, it provides a forensically relevant snapshot of machines running Microsoft Windows, which expert analysts then have to examine.
DFIR ORC is a modular framework that requires configuration. It can embed tools from among those provided with it, as well as external tools.
ANSSI releases the source code of the framework and documents its compilation process, which only requires free software. Moreover, examples of relevant configurations are provided, allowing users to build their own customized version of the tool.
Further information about the framework
« Through the DFIR ORC, we aspire to contribute actively to the DFIR community, by providing it the chance to appropriate and develop the tool. » François Deruty
The DFIR ORC framework developers at ANSSI hope that a community of users and developers will emerge following this release. This can only result in a better and more suitable tool. Software updates will be released in the future, as developers keep working on the tool internally.
ANSSI invites the DFIR community to take part in the evolution of this framework.
*Published under the LGPL 2.1+ licence