
DFIR ORC

LGPL licensed

Documentation

https://dfir-orc.github.io

Build

Branch Status
main Build Status
release/10.1 Build Status
release/10.2 Build Status

Requirements

  • Visual Studio
    • From 2017 to 2022
    • English only (vcpkg limitation)
    • Use this installer configuration or alternatively use vstools
    • Check also "Desktop development with C++"
  • Kitware's CMake >= 3.25 or Visual Studio integrated version

Build environment can be setup quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer.

Commands

Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. See https://dfir-orc.github.io for more details about deployment and configuration.

In a prompt like Developer Command Prompt for VS 2019 (prefer to avoid using cmd.exe):

git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
mkdir build-x86 build-x64

cd build-x86
cmake -G "Visual Studio 17 2022" -A Win32 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount

cd ../build-x64
cmake -G "Visual Studio 17 2022" -A x64 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount
  • The -T v141_xp option enables compatibility with Windows XP SP2 and later; it can safely be removed if this is not required.

  • The default ORC_BUILD_VCPKG=ON option will build vcpkg packages in 'external/vcpkg' subdirectory.

Important: always run git submodule update after any git pull so that the submodules are updated as well. Alternatively, always pull with git pull --recurse-submodules.

Options

CMake option           Default                Description
ORC_DOWNLOADS_ONLY     OFF                    Only download vcpkg dependencies
ORC_BUILD_VCPKG        ON                     Build vcpkg dependencies
ORC_BUILD_APACHE_ORC   OFF                    Build Apache Orc module
ORC_BUILD_COMMAND      ON                     Build OrcCommand library
ORC_BUILD_FASTFIND     OFF                    Build FastFind binary
ORC_BUILD_ORC          ON                     Build Orc binary
ORC_BUILD_PARQUET      OFF                    Build Parquet module (x64)
ORC_BUILD_SSDEEP       OFF                    Build with ssdeep support
ORC_BUILD_JSON         ON                     Build with JSON enabled
ORC_USE_STATIC_CRT     ON                     Use static runtime
ORC_VCPKG_ROOT         ${ORC}/external/vcpkg  VCPKG root directory
ORC_XMLLITE_PATH       (none)                 XmlLite.dll path (XP SP2) [1]
VCPKG_TARGET_TRIPLET   Autodetect             VCPKG triplet to use
CMAKE_TOOLCHAIN_FILE   Autodetect             VCPKG's toolchain file

[1] xmllite.dll ships natively with Windows XP SP2 once the system is patched.

Note: Some combinations may be irrelevant.

License

The contents of this repository are available under the LGPL2.1+ license. The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without express approval.


The contents of this repository are available under the LGPL2.1+ license, as indicated here. The name DFIR ORC and the associated logo belong to ANSSI; no use is permitted without express approval.

Acknowledgments

DFIR ORC is disclosing Microsoft source code with Microsoft's permission.

Contributors

314erre, abaghinyan, fabienfl-orc, jgautier-anssi, lprat, newsoft, rg-anssi, sydurand


dfir-orc's Issues

x64 Compilation error (C3859 / C1076)

Hello,

I have some issues compiling DFIR-ORC. The error appears with the command cmake --build . --config MinSizeRel -- -maxcpucount

Furthermore, I followed the steps in Tutorial - Build, and I had an issue with the created directory "build-x86": it is empty, so I ran the command make -G "Visual Studio 16 2019" -A x64 in the project directory (root) to make it work.

I use Microsoft Visual Studio Community 2019 - Version 16.8.3

Errors:

c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : the system returned code 1455: Le fichier de pagination est insuffisant pour terminer cette opération. [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
hash_stream_test.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
fuzzy_hash_stream.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
structured_output_test.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
running_code_test.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
authenticode_test.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
locations.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
yara_basic.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
yara_scanner.cpp
table_output.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
buffer.cpp
c1xx : error C3859: Failed to create virtual memory for PCH [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : PCH: Unable to commit memory across file map [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : message : please visit https://aka.ms/pch-help for more details [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]
c1xx : fatal error C1076: compiler limit: internal heap limit reached [C:\Users\abc\source\repos\dfir-orc_x64\tests\OrcLibTest\OrcLibTest.vcxproj]

error compilation orc build-x64

Hello,
I got the following error while compiling ORC (build-x64):

C:\dfir-orc\build-x64>cmake -G "Visual Studio 16 2019" -A x64 -T v141_xp ..
-- Found SemVer: 10.1.0 (v10.1.0-rc5)
CMake Warning at CMakeLists.txt:63 (message):
BEWARE: VCPKG is currently compatible ONLY with ENGLISH version of Visual Studio.
CMake Warning at cmake/vcpkg_configure_triplets.cmake:22 (message):
vcpkg: using v141 toolset as v141_xp is not supported
Call Stack (most recent call first):
CMakeLists.txt:68 (vcpkg_configure_triplets)
-- Using vcpkg: C:/dfir-orc/external/vcpkg/vcpkg.exe
All installed packages are up-to-date with the local portfiles.
-- Install dependencies with: "C:/dfir-orc/external/vcpkg\vcpkg.exe" --vcpkg-root "C:/dfir-orc/external/vcpkg" --overlay-triplets=C:/dfir-orc/build-x64/vcpkg/triplets install 7zip:x64-windows-static boost-algorithm:x64-windows-static boost-dynamic-bitset:x64-windows-static boost-logic:x64-windows-static boost-multi-index:x64-windows-static boost-outcome:x64-windows-static boost-scope-exit:x64-windows-static fmt:x64-windows-static spdlog:x64-windows-static yara:x64-windows-static rapidjson:x64-windows-static cli11:x64-windows-static boost-stacktrace:x64-windows-static
Computing installation plan...
warning: vcpkg appears to be in a Visual Studio prompt targeting x86 but is installing packages for x64-windows-static. Consider using --triplet x86-windows or --triplet x86-uwp.
The following packages are already installed: 7zip[core]:x64-windows-static
boost-algorithm[core]:x64-windows-static
boost-dynamic-bitset[core]:x64-windows-static
boost-logic[core]:x64-windows-static
boost-multi-index[core]:x64-windows-static
boost-outcome[core]:x64-windows-static
boost-scope-exit[core]:x64-windows-static
boost-stacktrace[core]:x64-windows-static
cli11[core]:x64-windows-static
fmt[core]:x64-windows-static
rapidjson[core]:x64-windows-static
The following packages will be built and installed:
spdlog[core]:x64-windows-static
yara[core]:x64-windows-static
Package 7zip:x64-windows-static is already installed
Package boost-algorithm:x64-windows-static is already installed
Package boost-dynamic-bitset:x64-windows-static is already installed
Package boost-logic:x64-windows-static is already installed
Package boost-multi-index:x64-windows-static is already installed
Package boost-outcome:x64-windows-static is already installed
Package boost-scope-exit:x64-windows-static is already installed
Package boost-stacktrace:x64-windows-static is already installed
Package cli11:x64-windows-static is already installed
Package fmt:x64-windows-static is already installed
Package rapidjson:x64-windows-static is already installed
Detecting compiler hash for triplet x64-windows-static...
Starting package 12/2: spdlog:x64-windows-static
Building package spdlog[core]:x64-windows-static...
Could not locate cached archive:
C:\Users\User\AppData\Local\vcpkg\archives\f7\f7d16c3f5f09a80f8ba67d97359fd474060dfe3a.zip
-- [OVERLAY] Loading triplet configuration from: C:\dfir-orc\build-x64\vcpkg\triplets\x64-windows-static.cmake
-- Using cached C:/dfir-orc/external/vcpkg/downloads/gabime-spdlog-cbe9448650176797739dbab13961ef4c07f4290f.tar.gz
-- Cleaning sources at C:/dfir-orc/external/vcpkg/buildtrees/spdlog/src/4c07f4290f-62f220f1e1.clean. Use --editable to skip cleaning for the packages you specify.
-- Extracting source C:/dfir-orc/external/vcpkg/downloads/gabime-spdlog-cbe9448650176797739dbab13961ef4c07f4290f.tar.gz
-- Applying patch fix-featurebuild.patch
-- Applying patch 0001-Perfect-forwarding-for-arguments.patch
-- Using source at C:/dfir-orc/external/vcpkg/buildtrees/spdlog/src/4c07f4290f-62f220f1e1.clean
-- Configuring x64-windows-static
-- Building x64-windows-static-dbg
CMake Error at scripts/cmake/vcpkg_execute_build_process.cmake:142 (message):
Command failed: "C:/Program Files/CMake/bin/cmake.exe" --build . --config Debug --target install -- -v -j2
Working Directory: C:/dfir-orc/external/vcpkg/buildtrees/spdlog/x64-windows-static-dbg See logs for more information:
C:\dfir-orc\external\vcpkg\buildtrees\spdlog\install-x64-windows-static-dbg-out.log
Call Stack (most recent call first):
scripts/cmake/vcpkg_build_cmake.cmake:93 (vcpkg_execute_build_process)
scripts/cmake/vcpkg_install_cmake.cmake:24 (vcpkg_build_cmake)
ports/spdlog/portfile.cmake:27 (vcpkg_install_cmake)
scripts/ports.cmake:135 (include)
Error: Building package spdlog:x64-windows-static failed with: BUILD_FAILED
Please ensure you're using the latest portfiles with .\vcpkg update, then submit an issue at https://github.com/Microsoft/vcpkg/issues including:
Package: spdlog:x64-windows-static
Vcpkg version: 2020.06.15-nohash
Additionally, attach any relevant sections from the log files above.
CMake Error at cmake/vcpkg.cmake:115 (message):
Failed to install packages: 1
Call Stack (most recent call first):
cmake/vcpkg.cmake:205 (vcpkg_install_packages)
CMakeLists.txt:129 (vcpkg_install)
-- Configuring incomplete, errors occurred!

(my vcpkg version is up to date)
Does anyone know how to solve this problem?
Thank you for your help

Unescaped double quote characters in csv files

Hi,

We have seen cases where the OriginalFileName field of the NTFSInfo CSV file contains double quote characters that are not escaped. Thus the NTFSInfo CSV file is unparseable.

Thanks.
Pierre
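The report above describes a CSV that cannot be parsed because a field value contains a raw double quote. The following script is an added example (not code from the dfir-orc project) that scans each record for quoting that breaks RFC 4180, reports the line and field index, and shows how a field must be serialised so that embedded quotes survive. The sample records and their column names are constructed for the example and are not the real NTFSInfo schema.

```python
import csv
import io

# Constructed sample in the spirit of an NTFSInfo CSV: the column names are
# illustrative and not the real NTFSInfo schema. Record 3 is correctly escaped
# (embedded quote doubled); records 4 and 5 carry unescaped quotes of the kind
# reported above, one inside a quoted field and one inside an unquoted field.
SAMPLE_CSV = r'''ComputerName,File,OriginalFileName,Size
HOST1,"C:\Windows\notepad.exe",NOTEPAD.EXE,12345
HOST1,"C:\Temp\a.exe","ma""licious.exe",100
HOST1,"C:\Temp\b.exe","ma"licious.exe",200
HOST1,"C:\Temp\c.exe",c"d.exe,300
'''


def check_record(line, delimiter=","):
    """Scan one CSV record (no embedded newlines) field by field and return a
    list of (field_index, problem) tuples for quoting that violates RFC 4180."""
    problems = []
    i, n, field = 0, len(line), 0
    while True:
        if i < n and line[i] == '"':
            i += 1                      # opening quote
            closed = False
            while i < n:
                if line[i] == '"':
                    if i + 1 < n and line[i + 1] == '"':
                        i += 2          # doubled quote: a literal quote character
                        continue
                    i += 1              # closing quote
                    closed = True
                    break
                i += 1
            if not closed:
                problems.append((field, "unterminated quoted field"))
                return problems
            if i < n and line[i] != delimiter:
                problems.append((field, "data after closing quote"))
                while i < n and line[i] != delimiter:
                    i += 1              # resynchronise on the next delimiter
        else:
            start = i
            while i < n and line[i] != delimiter:
                i += 1
            if '"' in line[start:i]:
                problems.append((field, "quote character in unquoted field"))
        if i >= n:
            return problems
        i += 1                          # step over the delimiter
        field += 1


def find_malformed_records(text):
    """Return [(line_number, field_index, problem)] for every bad record in text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line:
            for field, problem in check_record(line):
                found.append((lineno, field, problem))
    return found


def escape_field(value):
    """Serialise one field the way a compliant writer must: wrap it in quotes
    and double embedded quotes whenever it contains a quote, comma or newline."""
    if any(c in value for c in '",\r\n'):
        return '"' + value.replace('"', '""') + '"'
    return value


def parse_records(text):
    """Parse with the standard csv module once the input is known to be clean."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    for lineno, field, problem in find_malformed_records(SAMPLE_CSV):
        print(f"line {lineno}, field {field}: {problem}")
```

Running the checker before importing a collection into a timeline tool turns a silent mis-parse (fields shifted by one column, or a whole file rejected) into a precise list of records to quarantine; `escape_field` is the writer-side rule that would have prevented the problem.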

dfir-orc configuration: xml parsing issue

Hello,
after successfully compiling the unconfigured dfir-orc binary, when trying to configure it from an admin PowerShell prompt, I have an issue.

** Before executing configure.ps1, here are the steps I followed:
PS C:\Users\dib4> git clone "https://github.com/dfir-orc/dfir-orc-config.git"
Cloning into 'dfir-orc-config'...
remote: Enumerating objects: 121, done.
Receiving objects: 52% (63/121)79/79), done.
Receiving objects: 100% (121/121), 50.50
remote: Compressing objects: 30% (20/65) esolving deltas: 100% (34/34), done.
remote: Compressing objects: 100% (65/65), done.
remote: Total 121 (delta 22), reused 63 (delta 14), pack-reused 42
PS C:\Users\dib4> cd .\dfir-orc-config
PS C:\Users\dib4\dfir-orc-config> copy ..\dfir-orc\build-x86\MinSizeRel\DFIR-Orc_x86.exe .\tools
PS C:\Users\dib4\dfir-orc-config> copy ..\dfir-orc\build-x64\MinSizeRel\DFIR-Orc_x64.exe .\tools
PS C:\Users\dib4\dfir-orc-config> copy ..\autorunsc.exe .\tools
PS C:\Users\dib4\dfir-orc-config> dir tools
Directory: C:\Users\dib4\dfir-orc-config\tools
Mode LastWriteTime Length Name


-a---- 03/06/2021 14:46 708984 autorunsc.exe
-a---- 03/06/2021 08:59 7981568 DFIR-Orc_x64.exe
-a---- 03/06/2021 09:27 6416384 DFIR-Orc_x86.exe

** Executing the configuration script:
PS C:\Users\dib4\dfir-orc-config> .\configure.ps1
Found ToolEmbed configuration: '.\config/DFIR-ORC_embed.xml'
ToolEmbed v10.1.0-rc5

Embed/Extract configuration data and tools

2021-06-03T13:46:46.188Z [C] Failed to parse xml configuration [0x80070002: Le fichier sp´┐¢cifi´┐¢ est introuvable.]
Move-Item : Cannot find path 'C:\Users\dib4\dfir-orc-config\output\DFIR-Orc.exe' because it does not exist.
At C:\Users\dib4\dfir-orc-config\configure.ps1:163 char:9

+         Move-Item -Force -Path "${Configuration}/${ToolEmbedOutput}"  ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\dib4\d...ut\DFIR-Orc.exe:String) [Move-Item], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.MoveItemCommand

What could be the problem?

Many thanks in advance for your help, and thanks a lot for developing such a tool suite and giving it to the community.

Kindest regards
Dib4

Launch embed Script.ps1 alone or binary with configuration file

Hello,

I'm trying to execute a wolflauncher command that will launch a single PowerShell script. I succeeded with a binary but not with scripts.
I would like to know if it is possible to add scripts to the tools embedded in DFIR-ORC?

Below is some wolflauncher configuration I tried:

<wolf>
[...]
        <command keyword="ScriptName" winver="6.0+">
            <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
            <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
            <argument>7z:#Tools|ScriptName.ps1 -server "127.0.0.1"</argument>
            <output  name="ScriptName_powershell.log" source="StdOutErr" />
        </command>
[...]
</wolf>

Or

<wolf>
[...]
        <command keyword="ScriptName">
            <execute name="ScriptName.ps1" run="7z:#Tools|ScriptName.ps1"/>
            <argument>-server "127.0.0.1"</argument>
            <output  name="ScriptName.log" source="StdOutErr" />
        </command>
[...]
</wolf>

And the part related to the embed.xml file :

<toolembed>
[...]
	<archive name="Tools" format="7z" compression="Ultra">
		[...]
		<file name="ScriptName.ps1" path=".\tools\ScriptName.ps1"/>
	</archive>
[...]
</toolembed>

When DFIR-ORC.exe is running, the error obtained is:
[E] Failed to CreateFile for '' [0x80070003: Le chemin d'accès spécifique est introuvable.]
Did I miss something?

In addition to this, is it possible to add / link a configuration file to a tool embed?
Or do I have to package the whole thing in a binary (and then embed it)?

I tried to declare the config file in different ways:

<toolembed>
[...]
	<file name="Tool.config" path=".\%ORC_CONFIG_FOLDER%\tool.config" />
[...]
</toolembed>

with

<wolf>
[...]
        <command keyword="Tool">
            <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
            <argument>-a</argument>
            <argument>/config=res:#Tool.exe.config</argument>
            <output name="Tool.txt" source="StdOutErr" />
        </command>
[...]
</wolf>

Or,

<toolembed>
[...]
	<archive name="Tools" format="7z" compression="Ultra">
		[...]
		<file name="Tool.exe" path=".\tools\Tool.exe"/>
		<file name="Tool.exe" path=".\tools\Tool.exe.config"/>
	</archive>
[...]
</toolembed>

with,

<wolf>
[...]
        <command keyword="Tool">
            <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
            <argument>-a</argument>
            <argument>7z:#Tools|Tool.exe.config</argument>
            <output name="Tool.txt" source="StdOutErr" />
        </command>
[...]
</wolf>

I got issues during the configuration or the following error during runtime:
[E] Failed to CreateFile for '' [0x80070003: Le chemin d'accès spécifique est introuvable.]
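Every `7z:#Archive|file` or `res:#name` reference in a wolf command has to resolve to a `<file name="...">` declared in the toolembed configuration, and the snippets above are a good illustration of how easy it is to get that wrong by hand (the second toolembed fragment declares both entries with `name="Tool.exe"`). The script below is an added example, not part of dfir-orc, that cross-checks the two XML files offline and lists duplicate names and dangling references before the binary is built. The two sample configurations are constructed after the fragments in the post; the assumption that `res:#` refers to a top-level `<file>` of the toolembed document is mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed toolembed fragment modelled on the post: the archive declares
# "Tool.exe" twice (the second entry should be Tool.exe.config), and the
# top-level resource is named Tool.config rather than Tool.exe.config.
EMBED_XML = r"""
<toolembed>
  <file name="Tool.config" path=".\tools\tool.config" />
  <archive name="Tools" format="7z" compression="Ultra">
    <file name="Tool.exe" path=".\tools\Tool.exe"/>
    <file name="Tool.exe" path=".\tools\Tool.exe.config"/>
    <file name="ScriptName.ps1" path=".\tools\ScriptName.ps1"/>
  </archive>
</toolembed>
"""

# Same fragment with the names corrected, to show a clean run.
FIXED_EMBED_XML = r"""
<toolembed>
  <file name="Tool.exe.config" path=".\tools\Tool.exe.config" />
  <archive name="Tools" format="7z" compression="Ultra">
    <file name="Tool.exe" path=".\tools\Tool.exe"/>
    <file name="Tool.exe.config" path=".\tools\Tool.exe.config"/>
    <file name="ScriptName.ps1" path=".\tools\ScriptName.ps1"/>
  </archive>
</toolembed>
"""

# Constructed wolf fragment combining the three command shapes from the post.
WOLF_XML = r"""
<wolf>
  <command keyword="Tool">
    <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
    <argument>-a</argument>
    <argument>7z:#Tools|Tool.exe.config</argument>
    <output name="Tool.txt" source="StdOutErr" />
  </command>
  <command keyword="ScriptName" winver="6.0+">
    <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
    <argument>-NonInteractive -WindowStyle Hidden -NoProfile</argument>
    <argument>7z:#Tools|ScriptName.ps1 -server "127.0.0.1"</argument>
    <output name="ScriptName_powershell.log" source="StdOutErr" />
  </command>
  <command keyword="Other">
    <execute name="Tool.exe" run="7z:#Tools|Tool.exe" />
    <argument>/config=res:#Tool.exe.config</argument>
    <output name="Other.txt" source="StdOutErr" />
  </command>
</wolf>
"""

# 7z:#Archive|file  -> file inside an embedded archive
# res:#name         -> top-level embedded file (assumption for this example)
ARCHIVE_REF = re.compile(r'7z:#([^|\s"]+)\|([^\s"]+)')
RESOURCE_REF = re.compile(r'res:#([^\s"]+)')


def load_embedded(embed_xml):
    """Return ({archive_name: [file names]}, {top-level file names})."""
    root = ET.fromstring(embed_xml)
    archives = {a.get("name"): [f.get("name") for f in a.findall("file")]
                for a in root.iter("archive")}
    resources = {f.get("name") for f in root.findall("file")}
    return archives, resources


def find_duplicate_names(embed_xml):
    """Names declared more than once inside the same archive: [(archive, name)]."""
    archives, _ = load_embedded(embed_xml)
    dups = []
    for archive, names in archives.items():
        seen = set()
        for name in names:
            if name in seen:
                dups.append((archive, name))
            seen.add(name)
    return dups


def command_references(command):
    """All strings in a <command> that may carry an embedded-file reference."""
    texts = []
    execute = command.find("execute")
    if execute is not None and execute.get("run"):
        texts.append(execute.get("run"))
    texts.extend(arg.text or "" for arg in command.findall("argument"))
    return texts


def find_unresolved(embed_xml, wolf_xml):
    """References in wolf commands with no matching declaration: [(keyword, ref)]."""
    archives, resources = load_embedded(embed_xml)
    unresolved = []
    for command in ET.fromstring(wolf_xml).iter("command"):
        keyword = command.get("keyword")
        for text in command_references(command):
            for archive, name in ARCHIVE_REF.findall(text):
                if name not in archives.get(archive, []):
                    unresolved.append((keyword, f"7z:#{archive}|{name}"))
            for name in RESOURCE_REF.findall(text):
                if name not in resources:
                    unresolved.append((keyword, f"res:#{name}"))
    return unresolved


if __name__ == "__main__":
    print("duplicates:", find_duplicate_names(EMBED_XML))
    print("unresolved:", find_unresolved(EMBED_XML, WOLF_XML))
    print("after fix: ", find_unresolved(FIXED_EMBED_XML, WOLF_XML))
```

The check is purely static, so it says nothing about whether a given tool can be launched from an archive at runtime; it only guarantees that every name the wolf configuration asks for is something the embed step was told to package.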

Cmake error Visual Studio 2019

Hello,
I'm using Microsoft's virtual machine for development, downloaded a month ago. On it, Visual Studio 2019 16.7.3 is preinstalled.
I did the import with the ".vsconfig" given in the ORC installation procedure and followed the rest of the instructions.

However, when I run the following command:
cmake -G "Visual Studio 16 2019" -A Win32 -T v141_xp ..
I get the following error:

CMake Error at C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.17/Modules/FindPackageHandleStandardArgs.cmake:164 (message):
Could NOT find VisualStudio (missing: CPPUNITTEST_INCLUDE_DIR)
Call Stack (most recent call first):
C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.17/Modules/FindPackageHandleStandardArgs.cmake:445 (_FPHSA_FAILURE_MESSAGE)
cmake/FindVisualStudio.cmake:62 (find_package_handle_standard_args)
external/vcpkg/scripts/buildsystems/vcpkg.cmake:331 (_find_package)
src/OrcLib/CMakeLists.txt:17 (find_package)

Do you have an idea where it may come from? Don't hesitate to ask if you need more details.
Thank you.

Feature request - GetThis not signed binary file by Microsoft

Hi,

Is it possible to configure GetThis to catch only files that are not signed by Microsoft? I think this could be useful in directories like %WINDIR%... or Program Files...

If it could be interesting, maybe a more complete feature to deal with signed binaries (whitelisting of known unsigned binaries, regexp on the signature's issuer ...)?

Thanks for your work

Regards

BITS transfer error (error code : 0x800704dd)

Hello,

I got an issue when using the following DFIR-ORC local configuration file:

<dfir-orc>
    <upload job="orc" method="bits"
    server="http://[SERVER_FQDN]"
    path="upload"
    mode="async"
    operation="move" />
</dfir-orc>

Mothership v10.0.14
DFIR-Orc v10.0.14

When attempting a BITS transfer with ORC, the following error code appears: 0x800704dd.

ERROR (L’opération demandée n’a pas été effectuée car l’utilisateur n’est pas connecté au réseau. Le service spéci, hr=0x800704dd): Failed to add file [ORC_RESULT_FILEPATH] to BITS job orc

ERROR (L’opération demandée n’a pas été effectuée car l’utilisateur n’est pas connecté au réseau. Le service spéci, hr=0x800704dd): UPLOAD: Operation for [ORC_RESULT_FILEPATH] failed "Failed to upload file to destination server"

I’ve searched in the list of BITS error codes and I found this error with the name ERROR_NOT_LOGGED_ON.

The cause: The SENS service is not receiving user logon notifications. BITS (version 2.0 and up) depends on logon notifications from Service Control Manager, which in turn depends on the SENS service. Ensure that the SENS service is started and running correctly.

The SENS service seems to be started:

Command: sc query SENS

SERVICE_NAME: SENS
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

But the privileged account session that I use to launch ORC does not seem to appear on standard session query.

Command: query session

 SESSION           UTILISATEUR              ID  ÉTAT    TYPE        PÉRIPHÉRIQUE
 services                                    0  Déco
>console           STANDARD_USER             1  Actif

It only appears if I use logonsessions.exe from SysInternals.

It seems to be a bad implementation of BITS component into Windows.

The only workaround I found is to execute ORC through a scheduled task with NT AUTHORITY\SYSTEM privileges:

schtasks /Create /SC ONCE /TN [TASK_NAME] /ST HH:mm /RU system /TR [DFIR-ORC_PATH]

Feature request: Keep folder structure of the files and folders that are collected

Not sure if I missed this in the documentation of the project.
It would be nice to have the option to recreate the directory/folder structure of the files and folders that are collected from a system.

As an example:
Currently, with the config GetUserHives.xml, the user registry hives are collected from all users and output in one folder.
It would be clearer to have these hives located in their original folder structure. It could also help identify collection problems, since you have a clear directory structure that you expect to see or not.

Is there an option I'm missing or is this not possible with dfir-orc?
Thanks!

Feature request: improve the reporting for xml syntax error

Hello,

For example, if I use the config file below for FastFind with a syntax error (missing quotes around yara.rules)

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\</location>
    ...
    <yara source=yara.rules block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
    ...
  </filesystem>
</fastfind>

I got the following error message:

FastFind - IOC Finder Version 10.0.2.000
ERROR (hr=0xc00cee24): Failed to parse node filesystem
ERROR (hr=0xc00cee24): Error parsing root fastfind element
ERROR (hr=0xc00cee24): Failed to read config file .\config\FastFind_config.xml
ERROR (hr=0xc00cee24): Failed to lookup and read item schema

It's difficult to spot the error quickly. Is it possible to improve the reporting for this kind of error?

Thanks,

Fastfind Unspecified error with hash of empty file

Hello,

With FastFind, when I use ntfs_find to match an empty file by hash (md5, sha1 or sha256) I get the following error:

ERROR (Unspecified error, hr=E_FAIL 0x80004005):
Parsing record 0000000000000003 threw an exception

Example of configuration:

<ntfs_find sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"/>
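The two FastFind reports above (an XML syntax error reported without a location, and an ntfs_find rule whose hash is the digest of an empty file) can both be caught before the configuration ever reaches the tool. The script below is an added example and not part of dfir-orc: it runs the configuration through Python's XML parser, which reports the exact line and column of a malformed token, and then flags any ntfs_find hash attribute equal to the md5/sha1/sha256 of zero-length input. The sample configurations are constructed after the fragments in the posts; the placement of `<ntfs_find>` under `<filesystem>` is an assumption made for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Digests of zero-length input: a rule carrying one of these can only ever match
# empty files, which is the case that triggered the "Unspecified error" above.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}

# Constructed FastFind configuration with the unquoted attribute from the post.
BAD_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\</location>
    <yara source=yara.rules block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
  </filesystem>
</fastfind>
"""

# Well-formed configuration; the first ntfs_find uses the sha256 from the post
# (the digest of an empty file), the second a constructed, non-empty digest.
# Placing ntfs_find under filesystem is an assumption for this example.
GOOD_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<fastfind version="v0.0">
  <filesystem>
    <location shadows="yes">%SystemDrive%\</location>
    <yara source="yara.rules" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
    <ntfs_find sha256="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"/>
    <ntfs_find md5="0123456789abcdef0123456789abcdef"/>
  </filesystem>
</fastfind>
"""


def locate_syntax_error(xml_text):
    """Return None when the document is well-formed, otherwise
    (line, column, message, source_line) pointing at the offending token."""
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, column = exc.position          # expat reports 1-based line, 0-based column
        lines = xml_text.splitlines()
        source = lines[line - 1].rstrip() if 0 < line <= len(lines) else ""
        return line, column, str(exc), source
    return None


def empty_file_hashes(xml_text):
    """List (element_index, algorithm, digest) for every ntfs_find hash
    attribute whose value is the digest of zero-length input."""
    hits = []
    root = ET.fromstring(xml_text)
    for index, node in enumerate(root.iter("ntfs_find")):
        for algo, digest in EMPTY_DIGESTS.items():
            value = node.get(algo)
            if value is not None and value.lower() == digest:
                hits.append((index, algo, digest))
    return hits


def validate(xml_text):
    """Pre-flight check: syntax first, then the empty-hash lint on a clean document."""
    error = locate_syntax_error(xml_text)
    if error is not None:
        return {"syntax_error": error, "empty_hashes": []}
    return {"syntax_error": None, "empty_hashes": empty_file_hashes(xml_text)}


if __name__ == "__main__":
    for name, cfg in (("BAD_CONFIG", BAD_CONFIG), ("GOOD_CONFIG", GOOD_CONFIG)):
        print(name, validate(cfg))
```

Expat's message for the unquoted attribute is "not well-formed (invalid token)" with the line and column, which is the location information missing from the FastFind output quoted in the report. The empty-hash lint is a policy choice: rather than letting the scan fail on record parsing, the configuration is rejected up front, and the analyst can decide whether matching empty files is really intended.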

Multiples issues on compilation with VS2019 and VS2022

Hi,

I tried compiling dfir-orc by following the Readme, but still got issues.

Here is what I did, from a Windows 10 machine (Microsoft Windows [version 10.0.19044.1645]):

  • Installed VS Community 2019 (also tried all the next steps with 2022):
  • Installed the English language pack, imported the .vsconfig provided here and also got the "Desktop Development in C++" package.
  • From the Developer Command Prompt of VS 2019:
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
git pull --recurse-submodules
mkdir build-x86 build-x64
cd build-x86
cmake -G "Visual Studio 16 2019" -A Win32 ..

From here, several issues:

  1. The libwinpthread can't be found:
[DEBUG] Downloading https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[...]
[DEBUG] Downloading https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
Error: Failed to download from mirror set:
https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://www2.futureware.at/~nickoe/msys2-mirror/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
[...]
https://mirrors.ustc.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12007
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12175
[...]
https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
  2. If I switch to the branch "master" of vcpkg and regenerate it (bootstrap-vcpkg.bat), the packages are found and installed. But then, the exact same issue as #61 appears.

  3. Trying my luck, I removed this dependency in the project and this step finally succeeds (reminder: cmake -G "Visual Studio 16 2019" -A Win32 ..):

[...]
-- Using toolchain: C:/Users/forensics/source/repos/dfir-orc/external/vcpkg\scripts\buildsystems\vcpkg.cmake
-- Using vcpkg triplet: x86-windows-static
-- Selecting Windows SDK version 10.0.19041.0 to target Windows 6.1.
-- The C compiler identification is MSVC 19.29.30143.0
-- The CXX compiler identification is MSVC 19.29.30143.0
-- The ASM_MASM compiler identification is MSVC
-- Found assembler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.29.30133/bin/Hostx64/x86/ml.exe
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.29.30133/bin/Hostx64/x86/cl.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.29.30133/bin/Hostx64/x86/cl.exe - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found Boost: C:/Users/forensics/source/repos/dfir-orc/external/vcpkg/installed/x86-windows-static/include (found version "1.79.0")
-- Found VisualStudio: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community
-- RapidJSON found. Headers: C:/Users/forensics/source/repos/dfir-orc/external/vcpkg/installed/x86-windows-static/share/rapidjson/../../include
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD
-- Performing Test CMAKE_HAVE_LIBC_PTHREAD - Failed
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - not found
-- Check if compiler accepts -pthread
-- Check if compiler accepts -pthread - no
-- Found Threads: TRUE
-- Configuring done
-- Generating done
-- Build files have been written to: C:/Users/forensics/source/repos/dfir-orc/build-x86
  4. On to the next command then: cmake --build . --config MinSizeRel -- -maxcpucount. But here, I get a TON of build errors... Example for OrcLib:
  Generating Code...
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(69,26): error C2664: 'OutputIt fmt::v8::format_to<std::back_insert_iterator<fmt::v8::basic_memory_buffer<wchar_t,500,std::allocator<wchar_t>>>,,0>(OutputIt,fmt::v8::basic_format_string<char>)': cannot convert argument 2 from 'const wchar_t [27]' to 'fmt::v8::basic_format_string<char>' [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              OutputIt=std::back_insert_iterator<fmt::v8::basic_memory_buffer<wchar_t,500,std::allocator<wchar_t>>>
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(51,5): message : No constructor could take the source type, or constructor overload resolution was ambiguous (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\external\vcpkg\installed\x86-windows-static\include\fmt\core.h(3146,17): message : see declaration of 'fmt::v8::format_to' (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(86): message : see reference to function template instantiation 'void Orc::Log::Logger::Log<FacilityIt,std::chrono::system_clock::time_point,const wchar_t(&)[27],>(FacilityIt,FacilityIt,const Timepoint &,Orc::Log::Level,Arg0)' being compiled [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              FacilityIt=std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_ptr<Orc::Log::SpdlogLogger>>>>,
              Timepoint=std::chrono::system_clock::time_point,
              Arg0=const wchar_t (&)[27]
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(188): message : see reference to function template instantiation 'void Orc::Log::Logger::Log<std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_ptr<Orc::Log::SpdlogLogger>>>>,const wchar_t(&)[27]>(FacilityIt,FacilityIt,Orc::Log::Level,const wchar_t (&)[27])' being compiled [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              FacilityIt=std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_ptr<Orc::Log::SpdlogLogger>>>>
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log/Log.h(64): message : see reference to function template instantiation 'void Orc::Log::Logger::Error<const wchar_t(&)[27]>(const wchar_t (&)[27])' being compiled (compiling source f
ile C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp(50): message : see reference to function template instantiation 'void Orc::Log::Error<const wchar_t(&)[27]>(const wchar_t (&)[27])' being compiled [C:\Users\forensic
s\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(69,26): error C2664: 'OutputIt fmt::v8::format_to<std::back_insert_iterator<fmt::v8::basic_memory_buffer<wchar_t,500,std::allocator<wchar_t>>>,,0>(OutputIt,fmt::v8::basic_
format_string<char>)': cannot convert argument 2 from 'const wchar_t [26]' to 'fmt::v8::basic_format_string<char>' [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              OutputIt=std::back_insert_iterator<fmt::v8::basic_memory_buffer<wchar_t,500,std::allocator<wchar_t>>>
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(51,5): message : No constructor could take the source type, or constructor overload resolution was ambiguous (compiling source file C:\Users\forensics\source\repos\dfir-or
c\src\OrcLib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\external\vcpkg\installed\x86-windows-static\include\fmt\core.h(3146,17): message : see declaration of 'fmt::v8::format_to' (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcL
ib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(86): message : see reference to function template instantiation 'void Orc::Log::Logger::Log<FacilityIt,std::chrono::system_clock::time_point,const wchar_t(&)[26],>(Facilit
yIt,FacilityIt,const Timepoint &,Orc::Log::Level,Arg0)' being compiled [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              FacilityIt=std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_ptr<Orc::Log::SpdlogLogger>>>>,
              Timepoint=std::chrono::system_clock::time_point,
              Arg0=const wchar_t (&)[26]
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log\Logger.h(188): message : see reference to function template instantiation 'void Orc::Log::Logger::Log<std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_p
tr<Orc::Log::SpdlogLogger>>>>,const wchar_t(&)[26]>(FacilityIt,FacilityIt,Orc::Log::Level,const wchar_t (&)[26])' being compiled [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
          with
          [
              FacilityIt=std::_Tree_const_iterator<std::_Tree_val<std::_Tree_simple_types<std::shared_ptr<Orc::Log::SpdlogLogger>>>>
          ] (compiling source file C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp)
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\Log/Log.h(64): message : see reference to function template instantiation 'void Orc::Log::Logger::Error<const wchar_t(&)[26]>(const wchar_t (&)[26])' being compiled (compiling source f
ile C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp) [C:\Users\forensics\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]
C:\Users\forensics\source\repos\dfir-orc\src\OrcLib\UnitTestHelper.cpp(58): message : see reference to function template instantiation 'void Orc::Log::Error<const wchar_t(&)[26]>(const wchar_t (&)[26])' being compiled [C:\Users\forensic
s\source\repos\dfir-orc\build-x86\src\OrcLib\OrcLib.vcxproj]

The issues are the same for the x64 version.

Any help would be appreciated 🙏

Cheers

[Request a new Feature] FastFind check event windows

Hi,

I would like to know if it is possible to add a new feature in FastFind to find specific events (ID, content, ...).

E.g.:

  • search mimikatz in xml_string
  • wannamine (fileless malware, content in memory via WMI subscription => OBJECTS.DATA is not readable, you can find the IOC in evtx [powershell, WMI, ...])

I think there are different ways to do it:

If you choose the second case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.yara" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature yara matched">
            <filename fullname="Windows PowerShell.evtx" creation="2019-09-30 13:29:17.691" lastmodification="2019-09-30 13:29:17.691" lastaccess="2019-09-30 13:29:17.691" lastentrychange="2019-09-30 13:29:17.691" />
        </event_match>
    </event>
</fast_find>

If you choose the last case, the configuration file could be:

<fastfind version="Test 2.0">
    <event>
         <yara source="res:#ruleset_evtx.tag" timeout="120" events_filename="*"/>
    </event>
</fastfind>

Output result can be like this:

<fast_find computer="JEANGABOOK" os="Microsoft Windows 10 Enterprise Edition (build 18362), 64-bit" role="WorkStation">
    <output>C:\temp\FastFind_output.xml</output>
    <event>
        <event_match description="Name of signature tag matched">
            <events fullname="Windows PowerShell.evtx" datetime="2020-09-12T14:03:42.000" event_identifier="5805" source_name="NETLOGON" event_level="2" xml_string="<Event xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><System><Provider Name=\"NETLOGON\"/><EventID Qualifiers=\"0\">5805</EventID><Level>2</Level><Task>0</Task><Keywords>0x0080000000000000</Keywords><TimeCreated SystemTime=\"2020-09-12T14:03:42.000000000Z\"/><EventRecordID>XXXXX</EventRecordID><Channel>System</Channel><Computer>victim</Computer><Security/></System><EventData><Data>mimikatz</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData></Event>"/>
        </event_match>
    </event>
</fast_find>

Thanks for your help!

Password related error in local configuration file

Hello,

With Orc version v10.0.22, we are facing two errors related to the local configuration file, the upload tag and the password used to authenticate on a network SMB share.

Error 1:

  1. upload to a network SMB share with filecopy and negotiate with a valid account
  2. modify the account's password
  3. the next upload fails before submitting the login/password, with the following error: "WideCharToMultiByte failed" (WideAnsi)
  4. rebooting the machine corrects the "bug"

Any help would be appreciated on this topic (maybe Windows related... caching mechanism?)

Error 2:
All authentication with a password longer than 20 characters fails (20 chars is OK, 25 chars is KO); could you please confirm that there is no size or character restriction on the password field in the local configuration file?

Thank you for your work.

Regards,

CERT-ENEDIS

Compilation error

Dear,

Thanks for your DFIR tool.
I tried to compile it by following the instructions.
I have an error:
C:\tools\dfir-orc\build-x64>"C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin\cmake.exe" -G "Visual Studio 16 2019" -A x64 -DORC_BUILD_VCPKG=ON ..
-- Using vcpkg: C:/tools/dfir-orc/external/vcpkg/vcpkg.exe
-- Install dependencies with: "C:/tools/dfir-orc/external/vcpkg\vcpkg.exe" --vcpkg-root "C:/tools/dfir-orc/external/vcpkg" install 7zip:x64-windows-static boost-algorithm:x64-windows-static boost-dynamic-bitset:x64-windows-static boost-format:x64-windows-static boost-logic:x64-windows-static boost-multi-index:x64-windows-static boost-scope-exit:x64-windows-static fmt:x64-windows-static tlsh:x64-windows-static yara:x64-windows-static cli11:x64-windows-static spdlog:x64-windows-static

The following packages are already installed:
7zip[core]:x64-windows-static
boost-algorithm[core]:x64-windows-static
boost-dynamic-bitset[core]:x64-windows-static
boost-format[core]:x64-windows-static
boost-logic[core]:x64-windows-static
boost-multi-index[core]:x64-windows-static
boost-scope-exit[core]:x64-windows-static
cli11[core]:x64-windows-static
fmt[core]:x64-windows-static
spdlog[core]:x64-windows-static
tlsh[core]:x64-windows-static
yara[core]:x64-windows-static
Starting package 1/12: 7zip:x64-windows-static
Package 7zip:x64-windows-static is already installed
Elapsed time for package 7zip:x64-windows-static: 50.3 us
Starting package 2/12: fmt:x64-windows-static
Package fmt:x64-windows-static is already installed
Elapsed time for package fmt:x64-windows-static: 10.6 us
Starting package 3/12: boost-algorithm:x64-windows-static
Package boost-algorithm:x64-windows-static is already installed
Elapsed time for package boost-algorithm:x64-windows-static: 10.5 us
Starting package 4/12: boost-dynamic-bitset:x64-windows-static
Package boost-dynamic-bitset:x64-windows-static is already installed
Elapsed time for package boost-dynamic-bitset:x64-windows-static: 11 us
Starting package 5/12: boost-scope-exit:x64-windows-static
Package boost-scope-exit:x64-windows-static is already installed
Elapsed time for package boost-scope-exit:x64-windows-static: 11.4 us
Starting package 6/12: spdlog:x64-windows-static
Package spdlog:x64-windows-static is already installed
Elapsed time for package spdlog:x64-windows-static: 9.2 us
Starting package 7/12: boost-format:x64-windows-static
Package boost-format:x64-windows-static is already installed
Elapsed time for package boost-format:x64-windows-static: 27.1 us
Starting package 8/12: boost-logic:x64-windows-static
Package boost-logic:x64-windows-static is already installed
Elapsed time for package boost-logic:x64-windows-static: 10.6 us
Starting package 9/12: boost-multi-index:x64-windows-static
Package boost-multi-index:x64-windows-static is already installed
Elapsed time for package boost-multi-index:x64-windows-static: 10.2 us
Starting package 10/12: tlsh:x64-windows-static
Package tlsh:x64-windows-static is already installed
Elapsed time for package tlsh:x64-windows-static: 10.9 us
Starting package 11/12: yara:x64-windows-static
Package yara:x64-windows-static is already installed
Elapsed time for package yara:x64-windows-static: 9.4 us
Starting package 12/12: cli11:x64-windows-static
Package cli11:x64-windows-static is already installed
Elapsed time for package cli11:x64-windows-static: 9.7 us

Total elapsed time: 269.7 us

The package 7zip:x64-windows-static provides CMake targets:

find_package(7zip CONFIG REQUIRED)
target_link_libraries(main PRIVATE 7zip::7zip 7zip::extras)

The package fmt:x64-windows-static provides CMake targets:

find_package(fmt CONFIG REQUIRED)
target_link_libraries(main PRIVATE fmt::fmt fmt::fmt-header-only)

The package spdlog:x64-windows-static provides CMake targets:

find_package(spdlog CONFIG REQUIRED)
target_link_libraries(main PRIVATE spdlog::spdlog)

The package tlsh:x64-windows-static provides CMake targets:

find_package(tlsh CONFIG REQUIRED)
target_link_libraries(main PRIVATE tlsh::tlsh tlsh::winfunc)

The package cli11:x64-windows-static provides CMake targets:

find_package(CLI11 CONFIG REQUIRED)
target_link_libraries(main PRIVATE CLI11::CLI11)

-- The C compiler identification is MSVC 19.23.28105.4
-- The CXX compiler identification is MSVC 19.23.28105.4
-- The ASM_MASM compiler identification is MSVC
-- Found assembler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/ml64.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/cl.exe
-- Check for working C compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/cl.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/cl.exe
-- Check for working CXX compiler: C:/Program Files (x86)/Microsoft Visual Studio/2019/Community/VC/Tools/MSVC/14.23.28105/bin/Hostx64/x64/cl.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Found Boost: C:/tools/dfir-orc/external/vcpkg/installed/x64-windows-static/include (found version "1.70.0")
CMake Error at C:/Program Files (x86)/Microsoft Visual Studio/2019/BuildTools/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.15/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
Could NOT find VisualStudio (missing: ATLS_LIB_DIR CPPUNITTEST_INCLUDE_DIR)
Call Stack (most recent call first):
C:/Program Files (x86)/Microsoft Visual Studio/2019/BuildTools/Common7/IDE/CommonExtensions/Microsoft/CMake/CMake/share/cmake-3.15/Modules/FindPackageHandleStandardArgs.cmake:378 (_FPHSA_FAILURE_MESSAGE)
cmake/FindVisualStudio.cmake:62 (find_package_handle_standard_args)
external/vcpkg/scripts/buildsystems/vcpkg.cmake:256 (_find_package)
src/OrcLib/CMakeLists.txt:17 (find_package)

-- Configuring incomplete, errors occurred!
See also "C:/tools/dfir-orc/build-x64/CMakeFiles/CMakeOutput.log".
See also "C:/tools/dfir-orc/build-x64/CMakeFiles/CMakeError.log".

Here you can see the content of CMakeError.log:
Checking whether the ASM_MASM compiler is GNU using "--version" did not match "(GNU assembler)|(GCC)|(Free Software Foundation)":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : --version
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is Clang using "--version" did not match "(clang version)":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : --version
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is AppleClang using "--version" did not match "(Apple LLVM version)":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : --version
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is ARMClang using "--version" did not match "armclang":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : --version
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is HP using "-V" did not match "HP C":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : -V
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is Intel using "--version" did not match "(ICC)":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : --version
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is SunPro using "-V" did not match "Sun C":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : -V
MASM : fatal error A1017:missing source filename
Checking whether the ASM_MASM compiler is XL using "-qversion" did not match "XL C":
Microsoft (R) Macro Assembler (x64) Version 14.23.28105.4
Copyright (C) Microsoft Corporation. All rights reserved.

MASM : warning A4018:invalid command-line option : -qversion
MASM : fatal error A1017:missing source filename

Could you help me?

Regards

GetThis ZIP output : failing configuration by convention

Hi,

I'm trying to produce zip output from GetThis.

Problem

I tried using both the XML configuration and a specific command line, but I found out that the archives are actually generated in 7-zip format, despite the ".zip" file extension.

I tried to use "zip", "Zip" and "ZIP", but these three options all fail to trigger the zip compressor.

Steps to reproduce the problem:

  1. create a sample txt file in C:\somewhere\file.txt
  2. run:
DFIR-Orc.exe GetThis /nolimits /sample=t*.txt /out=c:\temp\zip.zip c:\somewhere
  3. Then, from a Linux VM or git bash:
User@WinDev2108Eval MINGW64 /c/temp
$ file *
zip.zip:      7-zip archive data, version 0.4
7z.7z:        7-zip archive data, version 0.4
ZIPCAPS.ZIP:  7-zip archive data, version 0.4
ZipCamel.Zip: 7-zip archive data, version 0.4
  4. You can also confirm using the 7z cli:
7z l 7z.7z
...
Listing archive: zip.zip
"Open WARNING: Can not open the file as [zip] archive
Type = 7z
...

Zircolite Integration

I am trying to integrate Zircolite into the DFIR Orc configuration.
However, there seems to be a problem when the main executable tries to use the evtx_dump binary.
(screenshot: zircolite_exec)
Config:
(screenshot: dfir_orc_config)
Indeed, the extracted binary (indicated in the input argument and added in the tools folder) doesn't seem to be executable and the execution returns errors.
(screenshot: evtx_dump)

Authentication issue with SMB share on Linux

Hi,

It seems we have an issue uploading the result archive to a Linux SMB share. We are facing an authentication issue. It seems like ORC adds a \ at the beginning of the username and this causes a bad authentication.

method=filecopy
mode=sync
operation=move
authscheme=[negotiate or basic]

Many thanks for your work

[feature] Add username in user-related artefacts file names

Hello,
I am using the default configuration to fetch user-related artefacts such as NTUSER.DAT. With the current naming method for artefacts (HEXCODE_ARTEFACTNAME.EXTENSION), I find it not very convenient to know which artefact belongs to which user. Is it possible to name the acquired file by adding the username? Such as Administrator_NTUSER.DAT and guest_NTUSER.DAT.
By the way, the way I extract the username from these artefacts is by processing them with RegRipper. Do you have a better suggestion with DFIR-Orc?
Thank you for developing such a nice tool though.
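One way to get the user-to-artefact mapping from the collected paths instead of from RegRipper, as an added example that is not part of this issue or of DFIR-Orc: read a GetThis-style listing, derive the profile owner from the \Users\<name>\ (or \Documents and Settings\<name>\) prefix of each file's original path, and prefix the sample name with it. The CSV column names FullName and SampleName are assumptions here; check them against the header of your own GetThis output. The hex prefix is kept so that two users' NTUSER.DAT files cannot collide.

```python
"""Derive the owning user of a profile artefact from its original path and
build a user-prefixed sample name. Added example, not DFIR-Orc code: the
CSV column names FullName and SampleName are assumed, so check them against
the header of your own GetThis output before use."""
import csv
import io
import re
from typing import Dict, Optional

# Constructed sample of a GetThis-style listing (columns assumed, see above).
SAMPLE_CSV = r"""FullName,SampleName
\Users\Administrator\NTUSER.DAT,0001000000000A1B_NTUSER.DAT
\Users\guest\NTUSER.DAT,0002000000000C3D_NTUSER.DAT
\Users\guest\AppData\Local\Microsoft\Windows\UsrClass.dat,0003000000000E5F_UsrClass.dat
\Windows\System32\config\SYSTEM,000400000000107A_SYSTEM
"""

# Profile roots: \Users\<name>\ (Vista and later) and
# \Documents and Settings\<name>\ (XP); an optional drive letter is tolerated.
PROFILE_RE = re.compile(
    r"^(?:[A-Za-z]:)?\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE
)


def user_from_path(full_name: str) -> Optional[str]:
    """Return the profile owner for a path under a user profile, else None."""
    m = PROFILE_RE.match(full_name)
    return m.group(1) if m else None


def user_prefixed_name(full_name: str, sample_name: str) -> str:
    """Prefix the sample name with the profile owner (e.g. guest_<hex>_NTUSER.DAT).
    The hex prefix is kept so two users' NTUSER.DAT files cannot collide;
    artefacts outside any profile keep their original name."""
    user = user_from_path(full_name)
    return f"{user}_{sample_name}" if user else sample_name


def rename_plan(csv_text: str) -> Dict[str, str]:
    """Map each original sample name to its user-prefixed name."""
    plan: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        plan[row["SampleName"]] = user_prefixed_name(row["FullName"], row["SampleName"])
    return plan


if __name__ == "__main__":
    for old, new in rename_plan(SAMPLE_CSV).items():
        print(f"{old} -> {new}")
```

The plan is a pure mapping, so it can be reviewed before any file is renamed; files that are not under a profile (SYSTEM, SOFTWARE, Amcache) pass through unchanged.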

[WolfLauncher] directory output not merged into the final archive

Hello,

I'm trying to execute a wolflauncher command generating several output files into a folder. I would like to copy the output folder into the final ORC archive, but I can't figure out how to do so. I tried to use the Directory source type of the output attribute (https://dfir-orc.github.io/wolf_config.html#id35) without success.

Here is the wolflauncher config:

<!-- ORC version : 10.0.22 -->
        <command keyword="GetCommand" systemtype="DomainController">
            <execute name="cmd.exe" run="%SystemRoot%\System32\cmd.exe"/>
            <argument>/c builtin_command.exe</argument>
            <output name="Command" source="Directory" argument="{DirectoryName}"/>
       <!-- <output name="Command" source="Directory" argument="{DirectoryName}" filematch="*" /> same behavior -->
       <!-- <output name="Command" source="Directory" argument="{DirectoryName}" filematch="\*" /> same behavior -->
            <output name="command.log" source="StdOutErr"/> <!-- command.log is correctly generated and merged in the final archive -->
        </command>

Here is the output on a Windows Server 2016:

[...]
                         ARC: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z started
pid=1964    GetCommand: Start
pid=1964    GetCommand: Hanged for 1 secs
pid=1964    GetCommand: Successfully terminates
                  Full: Complete! (commands took 16 seconds)
                  ARC: File Config.xml added
                  ARC: File JobStatistics.csv added
                  ARC: File command.log added
                  ARC: File ProcessStatistics.csv added
                  ARC: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z is complete
ERROR (The directory is not empty, hr=0x80070091): Failed to delete directory C:\Users\ADMINI~1\AppData\Local\Temp\WorkingTemp\Command)
                 Full: Command_20211220_110840_DomainController_DC01.LAB.LOCAL.7z (took 16 seconds, size 3245 bytes)

Finish time           : 12/20/2021 11:08:58.782 (UTC)

The Command folder is correctly generated with the proper output of the command (executed without any error), but it is not merged into the final archive, which remains empty.

Thanks!

An invalid path specification is given as an example

This line:

L"\t<LocationPath> : Volume path to operate on (ex: \\\\.\\c:\\)\r\n"

Now prints:

ex: \\.\c:\

Should be:

ex: \\.\c:

The error message is:

NTFSUtil v10.0.8-18-gb5f71fa
Various NTFS related utilities

Start time            : 03/19/2020 13:27:18.387 (UTC)

Computer              : DESKTOP-RD341HA
Volume name           : \\.\c:\
ERROR (The system cannot find the path specified, hr=0x80070003): Failed to open image \\.\c:\
ERROR (The system cannot find the path specified, hr=0x80070003): Could not open Location \\.\c:\
ERROR (Unspecified error, hr=E_FAIL 0x80004005): Failed to load partition table for \\.\c:\

Environment variable in command->argument

Hi,

ORC doesn't allow inserting environment variables in command->argument.
E.G:

<command keyword="sigcheck.exe system32">
            <execute name="sigcheck.exe" run32="7z:#Tools|sigcheck.exe" run64="7z:#Tools|sigcheck64.exe"/>
            <argument>-accepteula -h -e -a -c %windir%\system32</argument>
            <output name="system32_infos.csv" source="StdOut"/>
            <output name="system32_infos.log" source="StdErr"/>
</command>

Please, can you improve this feature by allowing environment variables in argument or a directory in "input".

Thanks.
Lionel

GetThis folder output

I am trying to output a folder using GetThis for all the collected files, instead of a zip archive. The documentation page mentions that the included output options are not working for GetThis so I have not been able to get it to work.

I have tried using <output name="Artifacts" source="File" argument="/out=Artifacts"/> in the XML config file (using source="Folder" does not work either).
It always fails with (console):

pid=7996  ArtifactModuleFolder: Terminates (exitcode=0x2)
ERROR (The System cannot find the File specified, hr=0x80070002): no file to cab for path C:\correct\path, ignored

When I try adding /out=Artifacts to the arguments in the XML config file instead, it always fails with a similar error (log file):

Copying matching samples to Artifacts
ERROR (The System cannot find the File specified, hr=0x80070003): CreateFile(Artifacts\AmCache\0013000000048E1A_Amcache.hve.LOG2_data) failed
ERROR (The System cannot find the File specified, hr=0x80070003): Failed to create sample file Artifacts\AmCache\0013000000048E1A_Amcache.hve.LOG2_data

The folder is always created in the right place for both versions, and the csv and log file are stored inside, but never any of the collected files.

7zip compressor issue with v10.0.22

Hello,

Following the fix for issue #49, I downloaded the 10.0.22 release and unfortunately I still have an error when I try to extract the archive with py7zr:

$ py7zr x Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z out
Traceback (most recent call last):
  File "/usr/local/bin/py7zr", line 8, in <module>
    sys.exit(main())
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/__main__.py", line 25, in main
    return cli.Cli().run()
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/cli.py", line 99, in run
    return args.func(args)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/cli.py", line 356, in run_extract
    a.extractall(path=args.odir, callback=cb)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 948, in extractall
    self._extract(path=path, return_dict=False, callback=callback)
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 604, in _extract
    self.worker.extract(
  File "/home/user/.local/lib/python3.8/site-packages/py7zr/py7zr.py", line 1198, in extract
    if not any([self.target_filepath.get(f.id, None) for f in folders[i].files]):
TypeError: 'NoneType' object is not iterable


$ py7zr t Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
Testing archive: Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
--
Path = Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System.7z
Type = 7z
Phisical Size = 173442461
Headers Size = 1108
Method = LZMA2
Solid = +
Blocks = 44

Bad 7zip file

If I decompress and then recompress the archive using the 7-Zip tool without modifying the files, the new archive can be processed without issues:

$ py7zr t Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
Testing archive: Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
--
Path = Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z
Type = 7z
Phisical Size = 173337431
Headers Size = 1004
Method = LZMA2
Solid = +
Blocks = 1

Everything is Ok


$ py7zr x Collect_Full_DESKTOP-S3MCBR3_20211202_181230_System_repaired.7z out2
$ echo $?
0

Sample and configuration are available here: https://e1.pcloud.link/publink/show?code=XZQWkFZciR11eziyhJxn3IfHQYxoSWRGuyy

Regards
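For both the "zip that is really 7z" report above (GetThis ZIP output) and this py7zr failure, the first check a practitioner wants is independent of the extracting tool: look at the magic bytes to see which container was actually written, and for 7z verify the signature header's CRC and that the next header it points to lies inside the file. The following Python is an added example, not DFIR-Orc, 7-Zip or py7zr code; the 7z layout is the public format description (6-byte signature, version, StartHeaderCRC, then NextHeaderOffset/Size/CRC), and the sample archives are constructed inline by build_sample_7z, which writes only the signature header followed by dummy header bytes rather than a full archive.

```python
"""Check what container an ORC output file really is, independent of its
extension, and validate the 7z signature header.

Added example, not DFIR-Orc or py7zr code. The 7z layout follows the public
7z format description; the sample archives are constructed in build_sample_7z.
"""
import struct
import zlib

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 6-byte 7z signature
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty-archive EOCD


def identify_container(data: bytes) -> str:
    """Return '7z', 'zip' or 'unknown' from the leading bytes only."""
    if data.startswith(SEVENZIP_MAGIC):
        return "7z"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    return "unknown"


def parse_7z_signature_header(data: bytes) -> dict:
    """Parse the 32-byte 7z signature header.

    Layout: 6 bytes signature, 1 byte major, 1 byte minor version,
    uint32 StartHeaderCRC, then the 20-byte StartHeader made of
    uint64 NextHeaderOffset, uint64 NextHeaderSize, uint32 NextHeaderCRC.
    StartHeaderCRC is the CRC32 of those 20 bytes; the next header itself
    starts at file offset 32 + NextHeaderOffset.
    """
    if len(data) < 32 or not data.startswith(SEVENZIP_MAGIC):
        raise ValueError("not a 7z archive")
    major, minor, start_crc = struct.unpack_from("<BBI", data, 6)
    start_header = data[12:32]
    next_off, next_size, next_crc = struct.unpack("<QQI", start_header)
    in_bounds = 32 + next_off + next_size <= len(data)
    next_header = data[32 + next_off: 32 + next_off + next_size]
    return {
        "version": (major, minor),  # 'file' prints this as "version 0.4"
        "start_header_crc_ok": zlib.crc32(start_header) == start_crc,
        "next_header_offset": next_off,
        "next_header_size": next_size,
        "next_header_in_bounds": in_bounds,
        # Only meaningful when the next header is fully present in the data.
        "next_header_crc_ok": in_bounds and zlib.crc32(next_header) == next_crc,
    }


def check_archive(data: bytes) -> dict:
    """Combine container identification with the 7z header checks."""
    kind = identify_container(data)
    result = {"container": kind}
    if kind == "7z":
        hdr = parse_7z_signature_header(data)
        result.update(hdr)
        result["ok"] = (hdr["start_header_crc_ok"] and hdr["next_header_in_bounds"]
                        and hdr["next_header_crc_ok"])
    else:
        # ZIP structure is not validated here; only the container type is reported.
        result["ok"] = kind == "zip"
    return result


def build_sample_7z(next_header: bytes, corrupt_crc: bool = False) -> bytes:
    """Constructed 7z-like bytes: a valid signature header directly followed by
    'next_header' (no packed streams), optionally with a corrupted StartHeaderCRC."""
    start_header = struct.pack("<QQI", 0, len(next_header), zlib.crc32(next_header))
    crc = zlib.crc32(start_header)
    if corrupt_crc:
        crc ^= 0xFFFFFFFF
    return SEVENZIP_MAGIC + bytes([0, 4]) + struct.pack("<I", crc) + start_header + next_header


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_archive(f.read()))
```

Run it as `python check7z.py Collect_*.7z`. A container type that does not match the extension explains the GetThis case; a bad start-header CRC or a next header that falls outside the file is the first structural defect to rule out when one extractor accepts an archive and another rejects it, and it points at the writer rather than the reader.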

Potential bug in NTFSInfo

Hi,

When I launch NTFSInfo with this config (below) and compare with the sigcheck result (command "sigcheck -h -e -a -c c:\windows\system32"), the "OriginalFileName" is not displayed in the ORC NTFSInfo result.

<?xml version="1.0"?>
<ntfsinfo walker="MFT" resurrect="yes">
    <location>*</location>
    <columns>
        <default>ComputerName,VolumeID,Default,ExtendedAttribute,RecordInUse,SecDescrID,ADS,FirstBytes,OriginalFileName,ProductName,FullName,File,FileNameCreationDate,FileNameLastAccessDate,FileNameLastAttrModificationDate,FileNameLastModificationDate,LastAccessDate,LastAttrChangeDate,LastModificationDate,Owner,OwnerId,OwnerSid,SizeInBytes</default>
        <add SizeLT="10M" Ext=".docx,.zip,.7z,.ace,.cmd,.bat,.ps1,.chm,.application,.appref-ms,.pdf,.jar,.js,.jse,.rtf,.doc,.xls,.xslx,.ini,.inf,.hta,.hlp,.reg,.tmp,.lnk,.scf,.sdb,.url,vba,.vbs,.vbe,.jnlp,.ppt,.pptx,.swf">MD5,SHA1,SHA256</add>
        <omit SizeGT="10M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp,AuthenticodeStatus,AuthenticodeCA</omit>
        <add HasPE="">AuthenticodeCA,AuthenticodeStatus,MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp</add>
    </columns>
</ntfsinfo>

NTFSINFO log:

NTFSInfo v10.0.16
NTFS File system enumeration
ERROR (Paramètre incorrec, hr=0x80070057): Ignored criteria SizeLT, critera already defined

Start time            : 12/01/2020 19:15:46.384 (UTC)

Computer              : MSEDGEWIN10
Operating System      : Microsoft Windows 10  (build 17763), 64-bit

Walker used           : MFT
FileInfo archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z (encoding=UTF8)
AttrInfo              : Empty
I30Info  archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z (encoding=UTF8)
Timeline              : Empty
SecDescr archive      : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z (encoding=UTF8)

CSV Columns           :

	ComputerName VolumeID File 
	ParentName FullName Extension 
	SizeInBytes Attributes CreationDate 
	LastModificationDate LastAccessDate LastAttrChangeDate 
	FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate 
	FileNameLastAttrModificationDate USN FRN 
	ParentFRN ExtendedAttribute ADS 
	FilenameID DataID RecordInUse 
	MD5 SHA1 FirstBytes 
	OwnerId ProductName OriginalFileName 
	TimeStamp FilenameFlags SHA256 
	PeSHA1 PeSHA256 SecDescrID 
	AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
	AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
	FilenameIndex DataIndex SnapshotID 
	SignedHash 

Default columns       :

	ComputerName VolumeID File 
	ParentName FullName Extension 
	SizeInBytes Attributes CreationDate 
	LastModificationDate LastAccessDate LastAttrChangeDate 
	FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate 
	FileNameLastAttrModificationDate USN FRN 
	ParentFRN ExtendedAttribute ADS 
	FilenameID DataID RecordInUse 
	FirstBytes OwnerId ProductName 
	OriginalFileName FilenameFlags SecDescrID 
	FilenameIndex DataIndex SnapshotID 


Filters:

	if file is smaller than 10485760 bytes include columns: 

		MD5 SHA1 SHA256 

	if file has valid PE header include columns: 

		MD5 SHA1 TimeStamp 
		SHA256 PeSHA1 PeSHA256 
		AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
		AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
		SignedHash 

	if file is bigger than 10485760 bytes  exclude columns: 

		MD5 SHA1 TimeStamp 
		SHA256 PeSHA1 PeSHA256 
		AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint 
		AuthenticodeCA AuthenticodeCAThumbprint PeMD5 
		SignedHash 

Volumes, Folders to parse:
	DiskInterfaceVolume   : \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512 - NTFS - Valid (serial : 0xa8b4a72fb4a6fec6) *
 "C:\" 
	"\windows\system32" 


Parsing \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512: "C:\" 
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z started
ERROR (hr=0x90090006): Failed to fixup $INDEX_ALLOCATION header
ERROR (hr=0x90090006): Failed to read from $INDEX_ALLOCATION
.................................................
.............................................. Done!

WARNING: Heap still maintains 78 entries
Archive: File NTFSInfo_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File I30Info_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File SecDescr_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File volstats.csv added
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z is complete

Lines processed       : 26341
Finish time           : 12/01/2020 19:21:47.767 (UTC)
Elapsed time          : 6 min(s), 1 sec(s), 391 msecs

Information           : 3 errors occurred during program execution

I copy the result for the sethc.exe file (below).

"c:\windows\system32\sethc.exe","Signed","23:22 14/09/2018","Microsoft Windows","Microsoft Corporation","Accessibility shortcut keys","Microsoft® Windows® Operating System","10.0.17763.1","10.0.17763.1 (WinBuild.160101.0800)","64-bit","10.0.17763.1","sethc.exe","sethc.exe","© Microsoft Corporation. All rights reserved.","n/a","6.858","F00FAB17E7FE21D930AA4A6CABD2381F","F8DF7CD7482FCF621924C97BBB44DF380CC612BB","1B79622D2009F259A2197E4B66DDF43121F8DB3F","A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1","746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC","3C1A53A9971C1924A1A24E822BFFC8E3"
"MSEDGEWIN10",0xA8B4A72FB4A6FEC6,"sethc.exe","\Windows\System32\","\Windows\System32\sethc.exe",".exe",299520,"A....N.......",2018-09-15 07:28:43.201,2018-09-15 07:28:43.201,2020-12-01 17:17:01.549,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,0x0000000000000000,0x0001000000009DDA,0x0001000000000DC3,"$CI.CATALOGHINT;",,5,4,Y,,F00FAB17E7FE21D930AA4A6CABD2381F,F8DF7CD7482FCF621924C97BBB44DF380CC612BB,4D5A90000300000004000000FFFF0000,0,,,,,,,,2100-06-05 01:47:25.000,,,,0,746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC,1B79622D2009F259A2197E4B66DDF43121F8DB3F,A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1,456,,,CatalogSignedVerified,"Microsoft Windows","ae9c1ae54763822eec42474983d8b635116c8452","Microsoft Root Certificate Authority 2010","3b1efd3a66ea28b16697394703a72ca340a05bd5",89ADFB6E88C52B80F42DB3780ADAF259,1,0,{00000000-0000-0000-0000-000000000000},,,,,

Please, can you fix this problem?

Thanks.

Compilation error

Hello,

I use a VM with .vsconfig, but I always get the same error:

Downloading https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-pkg-config-0.29.2-1-any.pkg.tar.xz... Failed. Status: 22;"HTTP response code said error"
CMake Error at scripts/cmake/vcpkg_download_distfile.cmake:182 (message):

  Failed to download file.

....

Error: Building package bzip2:x64-windows-static failed with: BUILD_FAILED
Please ensure you're using the latest portfiles with .\vcpkg update, then
submit an issue at https://github.com/Microsoft/vcpkg/issues including:
Package: bzip2:x64-windows-static
Vcpkg version: 2020.06.15-nohash

GetThis output error: Failed to update archive

Hello,

I follow the tutorial steps, and in step "3 - Test the Configuration", when I run the following command:
.\output\DFIR-Orc.exe GetThis /nolimits /sample=ntdll.dll /out=ntdll.7z "C:\"

I have the error output:

...
2021-02-16T22:49:42.274Z [T] Record 281474977160597 entry is null, skipped
2021-02-16T22:49:42.274Z [T] Record 281474977160612 entry is null, skipped
2021-02-16T22:49:42.274Z [T] Record 844424930581957 entry is null, skipped
2021-02-16T22:49:42.274Z [D] Done!
2021-02-16T22:49:42.275Z [D] MFT Walker statistics: Done
2021-02-16T22:49:42.275Z [D] Map Count: 450001
2021-02-16T22:49:42.295Z [T] Total -> Available: 0, Directories: 0, Not parsed: 0, Incomplete: 0
2021-02-16T22:49:42.404Z [D] Archive7z: SetCompressionLevel to 4
2021-02-16T22:49:42.405Z [E] Failed to update archive [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.427Z [E] Failed to compress 'GetThis.7z' [-2147024809]
2021-02-16T22:49:42.427Z [D] Archive7z: SetCompressionLevel to 4
2021-02-16T22:49:42.428Z [E] Failed to update compression level to 4 [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to compress stream [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to flush stream [0x80070057: The parameter is incorrect.]
2021-02-16T22:49:42.428Z [E] Failed to close archive [-2147024809]
2021-02-16T22:49:42.436Z [C] Dump log backtrace due to some previously encoutered error(s). This could probably be ignored, you may NOT have encoutered any critical error. Error levels are being reevaluated and this backtrace could help in case of mistakes.
2021-02-16T22:49:42.493Z [I] ****************** Backtrace End ********************

If I set a csv file as output, I have

...
2021-02-17T00:25:48.892Z [T] EnumProcess 'VSSVC.exe'
2021-02-17T00:25:48.892Z [T] EnumProcess 'DFIR-Orc.exe'
2021-02-17T00:25:48.892Z [T] EnumProcess 'WmiPrvSE.exe'
2021-02-17T00:25:48.892Z [D] Opening 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' for ressource 'vssapi.dll' of type 'VALUES'
2021-02-17T00:25:48.892Z [D] Opening 'C:\Windows\explorer.exe' for ressource 'vssapi.dll' of type 'VALUES'
2021-02-17T00:25:48.893Z [D] ExtensionLibrary: Loaded 'vssapi.dll' successfully
2021-02-17T00:25:48.893Z [D] ExtensionLibrary: Loaded 'C:\WINDOWS\SYSTEM32\vssapi.dll' successfully
2021-02-17T00:25:48.893Z [D] TryLoad succeeded for reference 'vssapi.dll'
2021-02-17T00:25:48.893Z [D] Failed GetProcAddress on 'CreateVssBackupComponents' [0x8007007f: The specified procedure could not be found.]
2021-02-17T00:25:48.893Z [D] Library class Orc::VssAPIExtension is loaded and initialized
2021-02-17T00:25:48.900Z [W] Failed to initalise VSS service, most likely cause: you are running a 32 bits process on x64 system [0x80042302: unknown error]
2021-02-17T00:25:48.900Z [W] VSS functionatility is not available [0x80042302: unknown error]
2021-02-17T00:25:48.900Z [T] End of location enumeration
2021-02-17T00:25:48.900Z [E] None of the supported output for option /Out matched out=ntdll.csv
2021-02-17T00:25:48.956Z [C] Failed to parse command line arguments [0x80070057: The parameter is incorrect.]
2021-02-17T00:25:49.131Z [I] ****************** Backtrace End ********************

And a directory:

...
2021-02-17T00:26:39.368Z [T] Record 281474977198242 entry is null, skipped
2021-02-17T00:26:39.368Z [T] Record 2251799814172836 entry is null, skipped
2021-02-17T00:26:39.368Z [D] Done!
2021-02-17T00:26:39.368Z [D] MFT Walker statistics: Done
2021-02-17T00:26:39.368Z [D] Map Count: 487583
2021-02-17T00:26:39.384Z [T] Total -> Available: 0, Directories: 0, Not parsed: 0, Incomplete: 0
2021-02-17T00:26:39.491Z [C] Dump log backtrace due to some previously encoutered error(s). This could probably be ignored, you may NOT have encoutered any critical error. Error levels are being reevaluated and this backtrace could help in case of mistakes.
2021-02-17T00:26:39.572Z [I] ****************** Backtrace End ********************

A directory is created, but remains empty.

I have no issue with the previous command lines like .\output\DFIR-Orc.exe NTFSInfo /out=C_drive.csv "C:\" or .\DFIR-Orc_x64.exe NTFSUtil /USN "\\.\c:"
I found a similar topic that recommended running it with /Compression=Fastest or lower, but the result is the same.
I also ran it on another workstation; it doesn't change anything.

Any idea?

StdOut and StdError for custom tools

I am currently working on several custom tools to embed in the ORC binary. I would like to send certain status updates not only to the log but also to the console, to allow the user to react and estimate the current progress.

The problem is that when I specify log files for StdOut, StdError or StdOutError in the config files, the console output seems to be siphoned away and appears only in the log files.

Is there a configuration that I might have missed that allows me to have Stdout and StdError output be visible in the console and show up in the logs?

GetThis ntfs_exclude strange behaviours

Hello,

I use the latest version of DFIR-Orc.

In one of my configuration files I use the following configuration:

<?xml version="1.0"?>
<getthis reportall="">
    <output compression="normal"/>
    <location altitude="highest" shadows="yes">%SystemDrive%</location>
    <samples MaxTotalBytes="1GB" MaxPerSampleBytes="650MB">

        <sample name="INF" MaxPerSampleBytes="1MB">
            <ntfs_find name_match="*.inf"/>
            <ntfs_exclude path_match="\Windows\*"/>
            <ntfs_exclude path_match="\Program Files\*"/>
            <ntfs_exclude path_match="\Program Files (x86)\*"/>
        </sample>

        <sample name="Prefetch" MaxPerSampleBytes="20MB">
            <ntfs_find path_match="\Windows\Prefetch\*.pf"/>
            <ntfs_find path_match="\Windows\Prefetch\layout.ini"/>
        </sample>

        <sample name="SuperFetch" MaxPerSampleBytes="20MB">
            <ntfs_find name_match="Ag*.db"/>
        </sample>
        
        <sample name="Lnk" MaxPerSampleBytes="20MB">
            <ntfs_find name_match="*.lnk"/>
        </sample>
...
    </samples>
</getthis>

But the ntfs_exclude directives present in the "INF" sample section seem to be applied globally (cf. log extract below).
Is this normal behaviour? If yes, how can I exclude paths only for a specific sample section?

Best Regards,

Samples looked after:

   Sample: INF (max 1048576 bytes per sample) (copy data)

      Name matches *.inf

   Sample: Prefetch (max 20971520 bytes per sample) (copy data)

      Path matches \Windows\Prefetch\*.pf
      Path matches \Windows\Prefetch\layout.ini

   Sample: SuperFetch (max 20971520 bytes per sample) (copy data)

      Name matches Ag*.db

   Sample: Lnk (max 20971520 bytes per sample) (copy data)

      Name matches *.lnk

Samples excluded:

      Path matches \Windows\*
      Path matches \Program Files\*
      Path matches \Program Files (x86)\*

GetSamples Timeline output location

Hello,

While testing the GetSamples command, I try to output a timeline via an XML configuration file:

<?xml version="1.0"?>
<GetSamples>
    <Samples MaxTotalBytes="20GB" MaxSampleCount="200000" MaxPerSampleBytes="1GB" />
    <timeline encoding="utf8">GetSamples_timeline.csv</timeline>
    <Autoruns></Autoruns>
</GetSamples>

The timeline is well executed, but the output location of the associated csv file is at the same level as the archive generated by DFIR ORC:
image

The csv output is not included within the p7b archive:
image

Is there a way to have the timeline inside the 7z where output files of GetSamples command are located?

Thanks.

Add support for file tree as embedded resource

I have a tool to embed in ORC that needs multiple files (rules, config...) and must preserve a certain folder tree to work.
For example, this concept/idea doesn't work in DFIR-ORC_embed.xml:

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
...
<archive name="SpecTool" format="7z" compression="Ultra">
        <file name="myprogram" path=".\SpecFolder\program.exe"/>
        <file name="SpecFolder" path=".\SpecFolder\*"/>
</archive>
...
</toolembed>

I need to specify all the content of SpecFolder manually:

...
<file name="SpecFolder_fileA" path=".\SpecFolder\fileA"/>
<file name="SpecFolder_fileB" path=".\SpecFolder\fileB"/>
<file name="SpecFolder_folderA_fileA" path=".\SpecFolder\folderA\fileA"/>
...

The same disadvantage appears with Yara rules, which are often organized by file name (like apt1.yara, apt2.yara...). It would be very useful to easily embed a complete folder structure with a tag like in .

7-zip compressor issue?

Hi,

I encounter issues opening dfir-orc crafted 7z archives using the py7z Python library.
According to @miurahr from py7z, something is wrong on the dfir-orc side, see: issue 359 at py7zr.
Could you please have a look at the problem? Test cases are attached to the issue.

Best regards

GetSamples "logging" element not taken into account

Hello,

While testing the GetSamples command, I tried to display verbose information via an XML configuration file (cf. https://dfir-orc.github.io/GetSamples.html#output):

<getsamples nolimits="">
        <logging verbose="" debug="" />
</getsamples>

Here is the commandline:

C:\> DFIR-Orc_x64.exe GetSamples /config=test.xml

The nolimits attribute seems to be taken into account (otherwise, the command wouldn't execute), but not the "logging" element:
image

The "equivalent" commandline is verbose, as expected:

C:\> DFIR-Orc_x64.exe GetSamples /verbose /debug /nolimits

image

Am I missing anything?

Thanks

The DFIR-ORC tool can't parse an extremely fragmented $MFT file

A sample file system image: https://mega.nz/#!uVdHmAKD!8piInddWWdV0qsMuy9j6KYlGrxGY7IZmGs1Xz1IpzXI

The output is:

C:\Users\U\Downloads>DFIR-Orc_x64.exe ntfsutil /mft /record=0 \\.\e:

NTFSUtil v10.0.8-18-gb5f71fa
Various NTFS related utilities

Start time            : 03/19/2020 13:35:06.150 (UTC)

Computer              : DESKTOP-RD341HA
Volume name           : \\.\e:

C:\Users\U\Downloads>

The output is as expected for other volumes.
The fsutil file layout E:\$MFT command gives this output:

********* File 0x0001000000000000 *********
File reference number   : 0x0001000000000000
File attributes         : 0x00000006: Hidden | System
File entry flags        : 0x00000000
Link (ParentID: Name)   : 0x0005000000000005: NTFS+DOS Name: \$Mft
Creation Time           : 5/6/2019 0:40:19
Last Access Time        : 5/6/2019 0:40:19
Last Write Time         : 5/6/2019 0:40:19
Change Time             : 5/6/2019 0:40:19
LastUsn                 : 0
OwnerId                 : 0
SecurityId              : 256
StorageReserveId        : 0
Stream                  : 0x010  ::$STANDARD_INFORMATION
    Attributes          : 0x00000000: *NONE*
    Flags               : 0x0000000c: Resident | No clusters allocated
    Size                : 72
    Allocated Size      : 72
Stream                  : 0x030  ::$FILE_NAME
    Attributes          : 0x00000000: *NONE*
    Flags               : 0x0000000c: Resident | No clusters allocated
    Size                : 74
    Allocated Size      : 80
Stream                  : 0x080  ::$DATA
    Attributes          : 0x00000000: *NONE*
    Flags               : 0x00000010: Has Parsed Information
    Size                : 52,166,656,000 (48.6 GB)
    Allocated Size      : 52,166,656,000 (48.6 GB)
    Vdl                 : 52,166,656,000 (48.6 GB)
    Extents             : 238 Extents
Stream                  : 0x0b0  ::$BITMAP
    Attributes          : 0x00000000: *NONE*
    Flags               : 0x00000000: *NONE*
    Size                : 6,369,280
    Allocated Size      : 6,369,280
    Extents             : 1,555 Extents
Stream                  : 0x020  ::$ATTRIBUTE_LIST
    Attributes          : 0x00000000: *NONE*
    Flags               : 0x00000000: *NONE*
    Size                : 448
    Allocated Size      : 262,144
    Extents             : 1 Extents

It seems that the problem is in this function:

HRESULT MFTOnline::GetMFTExtents(const CBinaryBuffer& buffer)

It doesn't read mapping pairs (data runs) outside of the first file record segment.
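As an added illustration of that point (my own example, not DFIR-ORC's code): a small Python decoder for NTFS mapping pairs that concatenates the $DATA run lists of one attribute spread over several file record segments, so that decoding only the base record's run list visibly leaves part of the file uncovered. The fragment layout (lowest VCN, highest VCN, run-list bytes) and the sample byte strings are constructed assumptions.

```python
"""Decode NTFS mapping pairs (data runs) and merge the pieces of one
non-resident attribute that $ATTRIBUTE_LIST spreads over several file
record segments.  Added example, not DFIR-ORC's code; the run lists
below are constructed for this illustration."""
from typing import List, Optional, Tuple

# One extent: (first VCN, first LCN or None for a sparse run, cluster count)
Extent = Tuple[int, Optional[int], int]


def decode_runlist(data: bytes, start_vcn: int = 0) -> List[Extent]:
    """Decode one mapping-pairs array (the run list of one attribute record).

    Each run starts with a header byte: low nibble = width in bytes of the
    cluster count, high nibble = width of the LCN delta.  The delta is a
    signed little-endian value relative to the previous run's LCN (the first
    run of a record is relative to LCN 0); a zero-width delta means a sparse
    run.  A 0x00 header terminates the array.
    """
    extents: List[Extent] = []
    pos, vcn, lcn = 0, start_vcn, 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0x00:
            return extents
        count_size, delta_size = header & 0x0F, header >> 4
        if count_size == 0 or count_size > 8 or delta_size > 8:
            raise ValueError(f"invalid run header 0x{header:02x} at offset {pos - 1}")
        if pos + count_size + delta_size > len(data):
            raise ValueError("run list truncated")
        count = int.from_bytes(data[pos:pos + count_size], "little")
        pos += count_size
        if count == 0:
            raise ValueError("zero-length run")
        if delta_size == 0:
            extents.append((vcn, None, count))  # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(data[pos:pos + delta_size], "little", signed=True)
            pos += delta_size
            if lcn < 0:
                raise ValueError("run list points before the start of the volume")
            extents.append((vcn, lcn, count))
        vcn += count
    raise ValueError("run list missing 0x00 terminator")


# (lowest_vcn, highest_vcn, mapping pairs) as carried by each attribute record
Fragment = Tuple[int, int, bytes]


def merge_fragments(fragments: List[Fragment]) -> List[Extent]:
    """Concatenate the run lists of every record of one attribute in VCN
    order, refusing gaps or records whose run list does not cover their
    declared VCN range."""
    extents: List[Extent] = []
    expected_vcn = 0
    for lowest_vcn, highest_vcn, runlist in sorted(fragments, key=lambda f: f[0]):
        if lowest_vcn != expected_vcn:
            raise ValueError(f"VCN gap: expected {expected_vcn}, record starts at {lowest_vcn}")
        part = decode_runlist(runlist, start_vcn=lowest_vcn)
        covered = sum(n for _, _, n in part)
        if lowest_vcn + covered - 1 != highest_vcn:
            raise ValueError(f"record covers VCN {lowest_vcn}..{lowest_vcn + covered - 1}, "
                             f"header says ..{highest_vcn}")
        extents.extend(part)
        expected_vcn = highest_vcn + 1
    return extents


def total_clusters(extents: List[Extent]) -> int:
    return sum(n for _, _, n in extents)


# Constructed $MFT $DATA split over two file record segments (values assumed):
#   record 1: 0x31 count=0x10 delta=0x001000 -> 16 clusters at LCN 4096
#             0x11 count=0x08 delta=+0x20    ->  8 clusters at LCN 4128
#   record 2: 0x21 count=0x04 delta=0x0200   ->  4 clusters at LCN 512
#             0x11 count=0x02 delta=-0x10    ->  2 clusters at LCN 496
MFT_DATA_FRAGMENTS: List[Fragment] = [
    (0, 23, b"\x31\x10\x00\x10\x00" b"\x11\x08\x20" b"\x00"),
    (24, 29, b"\x21\x04\x00\x02" b"\x11\x02\xf0" b"\x00"),
]


def first_segment_only(fragments: List[Fragment]) -> List[Extent]:
    """What a reader gets when it decodes only the base record's run list."""
    lowest_vcn, _, runlist = min(fragments, key=lambda f: f[0])
    return decode_runlist(runlist, start_vcn=lowest_vcn)


if __name__ == "__main__":
    full = merge_fragments(MFT_DATA_FRAGMENTS)
    partial = first_segment_only(MFT_DATA_FRAGMENTS)
    print(f"all records : {total_clusters(full)} clusters, {len(full)} extents")
    print(f"first only  : {total_clusters(partial)} clusters, {len(partial)} extents")
```

Run stand-alone it reports 30 clusters from all records against 24 from the base record alone, which is the shortfall the issue describes.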

Configuring Locations: the {UserProfiles} variable does not support leading/trailing path

As part of extracting the RDP Bitmap Cache, I tried to use the {UserProfiles} variable in the following configuration:

<?xml version="1.0"?>
<getthis nolimits="" reportall="">
    <location>%systemdrive%\users\{UserProfiles}\AppData\Local\Microsoft\Terminal Server Client\Cache\</location>
    <location>%systemdrive%\Documents and Settings\{UserProfiles}\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\</location>
    <samples>
        <sample>
            <ntfs_find name_match="*"/>
        </sample>
    </samples>
</getthis>

I get the following error during execution (RdpBitmapCache.log):

GetThis v10.0.23
Sample collection
ERROR (Unspecified error, hr=E_FAIL 0x80004005): Could not determine reader for C:\users\{UserProfiles}\AppData\Local\Microsoft\Terminal Server Client\Cache\
ERROR (Unspecified error, hr=E_FAIL 0x80004005): Could not determine reader for C:\Documents and Settings\{UserProfiles}\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache\
ERROR (Unspecified error, hr=E_FAIL 0x80004005): Syntax error in specific locations parsing in config file

If I replace {UserProfiles} with the user account name, execution runs perfectly.

The documentation mentions the following:

Configuring Locations
A location is an access path to a specific NTFS volume. Typically, an access path can be:
...
    an environment variable or a dynamic variable, such as
            %SYSTEMDRIVE%
            {UserProfiles}

With the following example:

<location>{UserProfiles}\Downloads</location>

Could you tell me whether this variable works correctly or whether I am making a syntax error?

DFIR_Orc Cannot compile using VS2022

Hello team,
I cannot compile DFIR_Orc on my Windows 10 with VS 2022. I tried to compile using the following commands (I changed the -G to adapt to VS 2022):

git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
mkdir build-x86 build-x64
cd build-x86
cmake -G "Visual Studio 17 2022" -A Win32 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount
cd ../build-x64
cmake -G "Visual Studio 17 2022" -A x64 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount

Below is the console output I received. I noticed many "7zip::extras target not found" errors; do you have any idea about it?
Thx!

-- Found SemVer: 10.1.0 (v10.1.0-rc9)
CMake Warning at CMakeLists.txt:77 (message):
  BEWARE: VCPKG is currently compatible ONLY with ENGLISH version of Visual
  Studio.


CMake Warning at cmake/vcpkg_configure_triplets.cmake:22 (message):
  vcpkg: using v141 toolset as v141_xp is not supported
Call Stack (most recent call first):
  CMakeLists.txt:82 (vcpkg_configure_triplets)


-- Using vcpkg: C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/external/vcpkg/vcpkg.exe
All installed packages are up-to-date with the local portfiles.
-- Install dependencies with: "C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/external/vcpkg\vcpkg.exe" --vcpkg-root "C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/external/vcpkg" --overlay-triplets=C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/build-x86/vcpkg/tripletsinstall 7zip:x86-windows-static boost-algorithm:x86-windows-static boost-dynamic-bitset:x86-windows-static boost-logic:x86-windows-static boost-multi-index:x86-windows-static boost-outcome:x86-windows-static boost-scope-exit:x86-windows-static boost-system:x86-windows-static boost-tokenizer:x86-windows-static fmt:x86-windows-static ms-gsl:x86-windows-static spdlog:x86-windows-static yara:x86-windows-static rapidjson:x86-windows-static cli11:x86-windows-static boost-stacktrace:x86-windows-static

Computing installation plan...
The following packages are already installed:
    7zip[core]:x86-windows-static -> 19.00#4
    boost-algorithm[core]:x86-windows-static -> 1.78.0
    boost-dynamic-bitset[core]:x86-windows-static -> 1.78.0
    boost-logic[core]:x86-windows-static -> 1.78.0
    boost-multi-index[core]:x86-windows-static -> 1.78.0
    boost-outcome[core]:x86-windows-static -> 1.78.0
    boost-scope-exit[core]:x86-windows-static -> 1.78.0
    boost-stacktrace[core]:x86-windows-static -> 1.78.0
    boost-system[core]:x86-windows-static -> 1.78.0
    boost-tokenizer[core]:x86-windows-static -> 1.78.0
    cli11[core]:x86-windows-static -> 2.1.2#1
    fmt[core]:x86-windows-static -> 8.1.1
    ms-gsl[core]:x86-windows-static -> 4.0.0
    rapidjson[core]:x86-windows-static -> 2020-09-14#2
    spdlog[core]:x86-windows-static -> 1.9.2
    yara[core]:x86-windows-static -> 4.1.1
Package 7zip:x86-windows-static is already installed
Package boost-algorithm:x86-windows-static is already installed
Package boost-dynamic-bitset:x86-windows-static is already installed
Package boost-logic:x86-windows-static is already installed
Package boost-multi-index:x86-windows-static is already installed
Package boost-outcome:x86-windows-static is already installed
Package boost-scope-exit:x86-windows-static is already installed
Package boost-stacktrace:x86-windows-static is already installed
Package boost-system:x86-windows-static is already installed
Package boost-tokenizer:x86-windows-static is already installed
Package cli11:x86-windows-static is already installed
Package fmt:x86-windows-static is already installed
Package ms-gsl:x86-windows-static is already installed
Package rapidjson:x86-windows-static is already installed
Package spdlog:x86-windows-static is already installed
Package yara:x86-windows-static is already installed
Restored 0 packages from C:\Users\dev\AppData\Local\vcpkg\archives in 249.8 us. Use --debug to see more details.

Total elapsed time: 314.3 ms

The package 7zip provides CMake targets:

    find_package(7zip CONFIG REQUIRED)
    target_link_libraries(main PRIVATE 7zip::7zip)

The package boost is compatible with built-in CMake targets:

    find_package(Boost REQUIRED [COMPONENTS <libs>...])
    target_link_libraries(main PRIVATE Boost::boost Boost::<lib1> Boost::<lib2> ...)

The package cli11 provides CMake targets:

    find_package(CLI11 CONFIG REQUIRED)
    target_link_libraries(main PRIVATE CLI11::CLI11)

The package fmt provides CMake targets:

    find_package(fmt CONFIG REQUIRED)
    target_link_libraries(main PRIVATE fmt::fmt)

    # Or use the header-only version
    find_package(fmt CONFIG REQUIRED)
    target_link_libraries(main PRIVATE fmt::fmt-header-only)

The package ms-gsl provides CMake targets:

    find_package(Microsoft.GSL CONFIG REQUIRED)
    target_link_libraries(main PRIVATE Microsoft.GSL::GSL)

The package rapidjson provides CMake targets:

    find_package(RapidJSON CONFIG REQUIRED)
    target_link_libraries(main PRIVATE rapidjson)

The package spdlog provides CMake targets:

    find_package(spdlog CONFIG REQUIRED)
    target_link_libraries(main PRIVATE spdlog::spdlog spdlog::spdlog_header_only)

-- Using toolchain: C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/external/vcpkg/scripts/buildsystems/vcpkg.cmake
-- Using vcpkg triplet: x86-windows-static
-- Selecting Windows SDK version 10.0.20348.0 to target Windows 5.1.
-- RapidJSON found. Headers: C:/Users/dev/Documents/user/tool/DFIR_Orc/dfir-orc/external/vcpkg/installed/x86-windows-static/share/rapidjson/../../include
CMake Warning at src/Orc/CMakeLists.txt:71 (message):
  : not found, it could be required on some XP SP2 installation


CMake Warning at src/FastFind/CMakeLists.txt:64 (message):
  : not found, it could be required on some XP SP2 installation


-- Configuring done
CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "Orc" links to target "7zip::extras" but the target was not found.
  Perhaps a find_package() call is missing for an IMPORTED target, or an
  ALIAS target is missing?
Call Stack (most recent call first):
  src/Orc/CMakeLists.txt:46 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "Orc" links to target "7zip::extras" but the target was not found.
  Perhaps a find_package() call is missing for an IMPORTED target, or an
  ALIAS target is missing?
Call Stack (most recent call first):
  src/Orc/CMakeLists.txt:46 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "Orc" links to target "7zip::extras" but the target was not found.
  Perhaps a find_package() call is missing for an IMPORTED target, or an
  ALIAS target is missing?
Call Stack (most recent call first):
  src/Orc/CMakeLists.txt:46 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "Orc" links to target "7zip::extras" but the target was not found.
  Perhaps a find_package() call is missing for an IMPORTED target, or an
  ALIAS target is missing?
Call Stack (most recent call first):
  src/Orc/CMakeLists.txt:46 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "FastFind" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/FastFind/CMakeLists.txt:30 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "FastFind" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/FastFind/CMakeLists.txt:30 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "FastFind" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/FastFind/CMakeLists.txt:30 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "FastFind" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/FastFind/CMakeLists.txt:30 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "rcedit" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tools/rcedit/CMakeLists.txt:65 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "rcedit" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tools/rcedit/CMakeLists.txt:65 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "rcedit" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tools/rcedit/CMakeLists.txt:65 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:545 (_add_executable):
  Target "rcedit" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tools/rcedit/CMakeLists.txt:65 (add_executable)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLibTest" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tests/OrcLibTest/CMakeLists.txt:149 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLibTest" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tests/OrcLibTest/CMakeLists.txt:149 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLibTest" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tests/OrcLibTest/CMakeLists.txt:149 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLibTest" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  tests/OrcLibTest/CMakeLists.txt:149 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLib" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcLib/CMakeLists.txt:902 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLib" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcLib/CMakeLists.txt:902 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLib" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcLib/CMakeLists.txt:902 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcLib" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcLib/CMakeLists.txt:902 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcCommand" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcCommand/CMakeLists.txt:295 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcCommand" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcCommand/CMakeLists.txt:295 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcCommand" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcCommand/CMakeLists.txt:295 (add_library)


CMake Error at external/vcpkg/scripts/buildsystems/vcpkg.cmake:583 (_add_library):
  Target "OrcCommand" links to target "7zip::extras" but the target was not
  found.  Perhaps a find_package() call is missing for an IMPORTED target, or
  an ALIAS target is missing?
Call Stack (most recent call first):
  src/OrcCommand/CMakeLists.txt:295 (add_library)


-- Generating done
CMake Generate step failed.  Build files cannot be regenerated correctly.

Mapping VolumeID from NTFSInfo and USNInfo report with drive letter

Hello,

Both reports from NTFSInfo and USNInfo use a VolumeID to identify the disk, which is not easily mapped to a drive letter.
Having this information (the drive letter for a VolumeID) displayed either in the volstats.csv file from NTFSInfo or in the DFIR_ORC JSON report could make sense.

Currently the information is visible in the log files but not well formatted. This can help during automated ingestion of Orc results for hosts having multiple drives.

ExtractData - build standalone binary?

Hello,

Do you know whether it's possible to build a standalone binary for the ExtractData command during ORC compilation (like FastFind)? Probably via a CMake option ORC_BUILD_EXTRACTDATA or by modifying CMakeLists.txt appropriately, but I'm not familiar with CMake syntax :(

Thanks !

Can't compile for XP with VStudio 2019

Hello and thanks for the tool, it is so handy,

Using Visual Studio 2019

I am trying to compile ORC for XP using: cmake -G "Visual Studio 16 2019" -A Win32 -T v141_xp ..

I get the following warnings:

vcpkg: using v141 toolset as v141_xp is not supported

CMake Warning at src/Orc/CMakeLists.txt:71 (message):
: not found, it could be required on some XP SP2 installation

which corresponds to the code:

    if(NOT EXISTS "${ORC_XMLLITE_PATH}")
        # The xmllite.dll is only available on a sufficiently patched Windows XP SP2
        message(WARNING "${ORC_XMLLITE_PATH}: not found, it could be required on some XP SP2 installation")

and

CMake Warning at src/FastFind/CMakeLists.txt:64 (message):
: not found, it could be required on some XP SP2 installation

corresponding to:

    if(NOT EXISTS "${ORC_XMLLITE_PATH}")
        # The xmllite.dll is only available on a sufficiently patched Windows XP SP2
        message(WARNING "${ORC_XMLLITE_PATH}: not found, it could be required on some XP SP2 installation")

Everything compiles fine and the binary works well, but not on XP.

I'm assuming I need to set up the build tools for v141_xp and set the Platform Toolset to "vs-2017 - Windows XP" in the VS project config, but I don't know which project to use since it is already configured in the project as shown in the screenshot.

screen

I have enabled Windows XP compatibility for C++ in the Visual Studio installer.

PS: I tried to use the official binary release but I think it's not compiled for XP either.

Any advice please?

Thanks for the help.

Hugo

Can't compile because of cli11[core]:x86-windows-static

Hi! I am trying to do a project using DFIR ORC. I have to install it on Windows 21H1 (inside a virtual machine). But sadly, I get this error saying the package "cli11[core]:x86-windows-static" can't be downloaded (404 error). I correctly imported the .vsconfig in my Visual Studio (2019 v16.11) and the C++ Desktop utilities.

To add some precision, I did the same thing on my personal computer, on Windows 11, and I had no problem compiling on it. It works perfectly fine. Do you have any idea why this is not working on Windows 10? Is it because it is inside a virtual machine? Of course, my virtual machine has internet access.

Thank you in advance if you can help me!

Below, the error:

PS C:\Users\dfir\source\repos\dfir-orc\build-x86> cmake -G "Visual Studio 16 2019" -A Win32 ..
-- Found SemVer: 10.1.0 (v10.1.0)
CMake Warning at CMakeLists.txt:77 (message):
BEWARE: VCPKG is currently compatible ONLY with ENGLISH version of Visual
Studio.
-- Using vcpkg: C:/Users/dfir/source/repos/dfir-orc/external/vcpkg/vcpkg.exe
All installed packages are up-to-date with the local portfiles.
-- Install dependencies with: "C:/Users/dfir/source/repos/dfir-orc/external/vcpkg\vcpkg.exe" --vcpkg-root "C:/Users/dfir/source/repos/dfir-orc/external/vcpkg" --overlay-triplets=C:/Users/dfir/source/repos/dfir-orc/build-x86/vcpkg/triplets install 7zip:x86-windows-static boost-algorithm:x86-windows-static boost-dynamic-bitset:x86-windows-static boost-logic:x86-windows-static boost-multi-index:x86-windows-static boost-outcome:x86-windows-static boost-scope-exit:x86-windows-static boost-system:x86-windows-static boost-tokenizer:x86-windows-static fmt:x86-windows-static ms-gsl:x86-windows-static spdlog:x86-windows-static yara:x86-windows-static rapidjson:x86-windows-static cli11:x86-windows-static boost-stacktrace:x86-windows-static
Computing installation plan...
The following packages are already installed:
7zip[core]:x86-windows-static -> 19.00#3
boost-algorithm[core]:x86-windows-static -> 1.77.0
boost-dynamic-bitset[core]:x86-windows-static -> 1.77.0
boost-logic[core]:x86-windows-static -> 1.77.0
boost-multi-index[core]:x86-windows-static -> 1.77.0
boost-outcome[core]:x86-windows-static -> 1.77.0
boost-scope-exit[core]:x86-windows-static -> 1.77.0
boost-stacktrace[core]:x86-windows-static -> 1.77.0
boost-system[core]:x86-windows-static -> 1.77.0
boost-tokenizer[core]:x86-windows-static -> 1.77.0
The following packages will be built and installed:
cli11[core]:x86-windows-static -> 2.1.2#1
fmt[core]:x86-windows-static -> 8.0.1
ms-gsl[core]:x86-windows-static -> 3.1.0#1
rapidjson[core]:x86-windows-static -> 2020-09-14#2
spdlog[core]:x86-windows-static -> 1.9.2
yara[core]:x86-windows-static -> 4.1.3
Package 7zip:x86-windows-static is already installed
Package boost-algorithm:x86-windows-static is already installed
Package boost-dynamic-bitset:x86-windows-static is already installed
Package boost-logic:x86-windows-static is already installed
Package boost-multi-index:x86-windows-static is already installed
Package boost-outcome:x86-windows-static is already installed
Package boost-scope-exit:x86-windows-static is already installed
Package boost-stacktrace:x86-windows-static is already installed
Package boost-system:x86-windows-static is already installed
Package boost-tokenizer:x86-windows-static is already installed
Detecting compiler hash for triplet x86-windows-static...
Restored 0 packages from C:\Users\dfir\AppData\Local\vcpkg\archives in 272.2 us. Use --debug to see more details.
Starting package 1/6: cli11:x86-windows-static
Building package cli11[core]:x86-windows-static...
-- [OVERLAY] Loading triplet configuration from: C:\Users\dfir\source\repos\dfir-orc\build-x86\vcpkg\triplets\x86-windows-static.cmake
-- Using cached CLIUtils-CLI11-v2.1.2.tar.gz.
-- Cleaning sources at C:/Users/dfir/source/repos/dfir-orc/external/vcpkg/buildtrees/cli11/src/v2.1.2-57e44f74f5.clean. Use --editable to skip cleaning for the packages you specify.
-- Extracting source C:/Users/dfir/source/repos/dfir-orc/external/vcpkg/downloads/CLIUtils-CLI11-v2.1.2.tar.gz
-- Using source at C:/Users/dfir/source/repos/dfir-orc/external/vcpkg/buildtrees/cli11/src/v2.1.2-57e44f74f5.clean
-- Found external ninja('1.10.2').
-- Configuring x86-windows-static
-- Building x86-windows-static-dbg
-- Building x86-windows-static-rel
-- Fixing pkgconfig file: C:/Users/dfir/source/repos/dfir-orc/external/vcpkg/packages/cli11_x86-windows-static/share/pkgconfig/CLI11.pc
-- Using cached msys-mingw-w64-i686-pkg-config-0.29.2-2-any.pkg.tar.zst.
-- Downloading https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://www2.futureware.at/~nickoe/msys2-mirror/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirror.yandex.ru/mirrors/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirrors.tuna.tsinghua.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirrors.ustc.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst;https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst -> msys-mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst...
[DEBUG] Feature flag 'binarycaching' unset
[DEBUG] Feature flag 'manifests' = off
[DEBUG] Feature flag 'compilertracking' unset
[DEBUG] Feature flag 'registries' unset
[DEBUG] Feature flag 'versions' unset
[DEBUG] Downloading https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Downloading https://www2.futureware.at/~nickoe/msys2-mirror/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Downloading https://mirror.yandex.ru/mirrors/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Downloading https://mirrors.tuna.tsinghua.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Downloading https://mirrors.ustc.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Downloading https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Download failed -- retrying after 1000 ms.
[DEBUG] Download failed -- retrying after 2000 ms.
[DEBUG] Download failed -- retrying after 4000 ms.
[DEBUG] Downloading https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
[DEBUG] Download failed -- retrying after 1000 ms.
[DEBUG] Download failed -- retrying after 2000 ms.
[DEBUG] Download failed -- retrying after 4000 ms.
[DEBUG] Downloading https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst
Error: Failed to download from mirror set:
https://repo.msys2.org/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://www2.futureware.at/~nickoe/msys2-mirror/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://mirror.yandex.ru/mirrors/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://mirrors.tuna.tsinghua.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://mirrors.ustc.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12007
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12007
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12007
https://mirror.bit.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12007
https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12175
https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12175
https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12175
https://mirror.selfnet.de/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: WinHttpSendRequest() failed: 12175
https://mirrors.sjtug.sjtu.edu.cn/msys2/mingw/i686/mingw-w64-i686-libwinpthread-git-8.0.0.5906.c9a21571-1-any.pkg.tar.zst: failed: status code 404
[DEBUG] D:\a_work\1\s\src\vcpkg\base\downloads.cpp(656)
[DEBUG] Time in subprocesses: 0 us
[DEBUG] Time in parsing JSON: 5 us
[DEBUG] Time in JSON reader: 0 us
[DEBUG] Time in filesystem: 13940 us
[DEBUG] Time in loading ports: 0 us
[DEBUG] Exiting after 19.98 s (19781247 us)
CMake Error at scripts/cmake/vcpkg_download_distfile.cmake:84 (message):
Failed to download file with error: 1
If you use a proxy, please check your proxy setting. Possible causes are:
1. You are actually using an HTTP proxy, but setting HTTPS_PROXY variable
to https://address:port. This is not correct, because https:// prefix
claims the proxy is an HTTPS proxy, while your proxy (v2ray, shadowsocksr
, etc..) is an HTTP proxy. Try setting http://address:port to both
HTTP_PROXY and HTTPS_PROXY instead.
2. You are using Fiddler. Currently a bug (microsoft/vcpkg#17752)
will set HTTPS_PROXY to https://fiddler_address:port which lead to problem 1 above.
Workaround is open Windows 10 Settings App, and search for Proxy Configuration page,
Change http=address:port;https=address:port to address, and fill the port number.
3. You proxy's remote server is out of service.
In future vcpkg releases, if you are using Windows, you no longer need to set
HTTP(S)_PROXY environment variables. Vcpkg will simply apply Windows IE Proxy
Settings set by your proxy software. See (microsoft/vcpkg-tool#49)
and (microsoft/vcpkg-tool#77)
Otherwise, please submit an issue at https://github.com/Microsoft/vcpkg/issues
Call Stack (most recent call first):
scripts/cmake/vcpkg_download_distfile.cmake:309 (z_vcpkg_download_distfile_show_proxy_and_fail)
scripts/cmake/vcpkg_acquire_msys.cmake:84 (vcpkg_download_distfile)
scripts/cmake/vcpkg_acquire_msys.cmake:174 (z_vcpkg_acquire_msys_download_package)
scripts/cmake/vcpkg_find_acquire_program.cmake:547 (vcpkg_acquire_msys)
scripts/cmake/vcpkg_fixup_pkgconfig.cmake:198 (vcpkg_find_acquire_program)
ports/cli11/portfile.cmake:20 (vcpkg_fixup_pkgconfig)
scripts/ports.cmake:142 (include)
Error: Building package cli11:x86-windows-static failed with: BUILD_FAILED
Please ensure you're using the latest portfiles with git pull and .\vcpkg update.
Then check for known issues at:
https://github.com/microsoft/vcpkg/issues?q=is%3Aissue+is%3Aopen+in%3Atitle+cli11
You can submit a new issue at:
https://github.com/microsoft/vcpkg/issues/new?template=report-package-build-failure.md&title=[cli11]+Build+error
including:
package: cli11[core]:x86-windows-static -> 2.1.2#1
vcpkg-tool version: 2021-11-24-48b94a6946b8a70abd21529218927fd478d02b6c
vcpkg-scripts version: 355d732e5 2022-01-03 (3 months ago)
Additionally, attach any relevant sections from the log files above.
CMake Error at cmake/vcpkg.cmake:115 (message):
Failed to install packages: 1
Call Stack (most recent call first):
cmake/vcpkg.cmake:205 (vcpkg_install_packages)
CMakeLists.txt:151 (vcpkg_install)
-- Configuring incomplete, errors occurred!

ORC config

Hi,

I would like to create an ORC config to extract ADS info from all mounted NTFS volumes, like this:

    Get-Wmiobject -Class Win32_Logicaldisk | foreach-object {
        $vol = $_.deviceID
        if ($_.FileSystem -like "NTFS") {
            try {
                if ($os -like "*32*") {
                    # 32 bits
                    $sb = "$($currentPath)\streams.exe -accepteula -s $vol\ >> $($currentPath)/output/ADS-streams.log"
                    iex $sb
                } else {
                    $sb = "$($currentPath)\streams64.exe -accepteula -s $vol\ >> $($currentPath)/output/ADS-streams.log"
                    iex $sb
                }
            } catch {
                echo "Error to create ADS for $vol"
            }
        }
    }

I can't find an equivalent in the ORC config:

    <command keyword="streams.exe">
        <execute name="streams.exe" run="7z:#Tools|streams.exe"/>
        <argument>-accepteula -s %SystemDrive%</argument>
        <output name="ADS-streams.log" source="StdOut"/>
        <output name="ADS-streams.err" source="StdErr"/>
    </command>

Is it possible to extract streams.exe (embedded in ORC) and run a PowerShell command, like this:

    <command keyword="Processes" winver="6.1+">
        <execute name="powershell" run="%SystemRoot%\System32\WindowsPowerShell\V1.0\powershell.exe"/>
        <argument>-NonInteractive -WindowStyle Hidden</argument>
        <argument>Get-Wmiobject -Class Win32_Logicaldisk | foreach-object { $vol=$_.deviceID; if ($_.FileSystem -like "NTFS") { try { iex "$($extracted_path_from_orc)\streams.exe -accepteula -s $vol" } catch { echo "Error to create ADS for $vol" } } }</argument>
        <output name="ADS-streams.log" source="File" argument="-Path {FileName}"/>
        <output name="ADS-streams.err" source="StdOutErr"/>
    </command>

Second question: I would like to extract memory with winpmem.exe. This tool extracts memory to a file: "\winpmem.exe -t -dd --volume_format raw --format raw -o MEM_ram.raw". How do I include the file generated by the tool, 'MEM_ram.raw', in the ORC output archive (use source="File"?), and where should the file "MEM_ram.raw" be written (%temp%)?

Thanks.
Lionel

FastFind : Failed to parse default configuration

Hi,

It's a repost of an issue I posted on the dfir-orc-config GitHub last Friday, but I think I should have posted it here in the first place.

I'm trying to use FastFind but I have some issues when I try to launch it.
I followed the instructions to build and configure my DFIR-Orc.exe, but every time I try to use it with FastFind this message appears in my shell:

FastFind v10.1.0-rc5

IOC Finder

2021-06-11T13:50:17.590Z [C] Failed to parse default configuration [0x80070585: Index non valide.]

I used this version of the DFIR-ORC_embed.xml file when I launched the Configure.cmd file in my dfir-orc-config directory and this version of the DFIR-ORC_config.xml.

DFIR-ORC_embed.xml

<?xml version="1.0" encoding="utf-8"?>
<toolembed>
	<input>.\tools\DFIR-Orc_x86.exe</input>
	<output>.\output\%ORC_OUTPUT%</output>

	<run64 args="WolfLauncher" >7z:#Tools|DFIR-Orc_x64.exe</run64>
	<run32 args="WolfLauncher" >self:#</run32>

	<file name="WOLFLAUNCHER_CONFIG" path=".\%ORC_CONFIG_FOLDER%\DFIR-ORC_config.xml"/>

	<file name="GetADS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_config.xml"/>
	<file name="GetArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_config.xml"/>
	<file name="GetExtAttrs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_config.xml"/>
	<file name="GetTextLogs_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_config.xml"/>
	<file name="GetSDS_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_config.xml"/>
	<file name="GetCatRoot_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_config.xml"/>
	<file name="GetEVT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_config.xml"/>
	<file name="GetExeTMP_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExeTMP_config.xml"/>
	<file name="GetBrowsersHistory_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersHistory_config.xml"/>
	<file name="GetBrowsersArtefacts_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersArtefacts_config.xml"/>
	<file name="GetScript_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_config.xml"/>
	<file name="GetErrors_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_config.xml"/>
	<file name="GetSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamples_config.xml" />
	<file name="GetSystemHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_config.xml"/>
	<file name="GetUserHives_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_config.xml"/>
	<file name="GetSamHive_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSamHive_config.xml"/>
	<file name="GetYaraSamples_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_config.xml"/>
	<file name="NTFSInfoQuick_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoQuick_config.xml"/>
	<file name="NTFSInfoDetail_systemdrive_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_systemdrive_config.xml"/>
	<file name="NTFSInfoDetail_alldrives_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfoDetail_alldrives_config.xml"/>
	<file name="GetFuzzyHash_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_config.xml"/>
	<file name="FatInfoDetail_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoDetail_config.xml"/>
	<file name="FatInfoHashPE_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoHashPE_config.xml"/>
	<file name="FatInfoFirstBytes_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfoFirstBytes_config.xml"/>
	<file name="GetMemDmp_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_config.xml"/>
	<file name="GetResidents_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_config.xml"/>

	<file name="GetADS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetADS_offline_config.xml"/>
	<file name="GetArtefacts_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_offline_config.xml"/>
	<file name="GetExtAttrs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetExtAttrs_offline_config.xml"/>
	<file name="GetTextLogs_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetTextLogs_offline_config.xml"/>
	<file name="GetHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetHives_offline_config.xml"/>
	<file name="GetSDS_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSDS_offline_config.xml"/>
	<file name="GetCatRoot_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetCatRoot_offline_config.xml"/>
	<file name="GetScript_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_offline_config.xml"/>
	<file name="GetErrors_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetErrors_offline_config.xml"/>
	<file name="GetMemDmp_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMemDmp_offline_config.xml"/>
	<file name="GetEVT_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_offline_config.xml"/>
	<file name="GetUserHives_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetUserHives_offline_config.xml"/>
	<file name="GetEXE_TMP_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEXE_TMP_offline_config.xml"/>
	<file name="GetBrowsersComplet_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetBrowsersComplet_offline_config.xml"/>
	<!-- <file name="GetYaraSamples_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetYaraSamples_offline_config.xml"/> -->
	<file name="GetFuzzyHash_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetFuzzyHash_offline_config.xml"/>
	<file name="NTFSInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_offline_config.xml"/>
	<file name="GetSAM_hive_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSAM_hive_offline_config.xml"/>
	<file name="FatInfo_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\FatInfo_offline_config.xml"/>
	<file name="GetResidents_offline_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetResidents_offline_config.xml"/>

	<file name="NTFSInfo_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\NTFSInfo_little_config.xml" />
	<file name="GetEVT_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetEVT_little_config.xml" />
	<file name="GetSystemHives_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetSystemHives_little_config.xml" />
	<file name="GetArtefacts_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetArtefacts_little_config.xml" />
	<file name="GetScript_little_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetScript_little_config.xml" />

	<file name="FastFind_config.xml" path=".\%ORC_CONFIG_FOLDER%\FastFind_config.xml" />

	<file name="GetMFT_config.xml" path=".\%ORC_CONFIG_FOLDER%\GetMFT_config.xml" />

	<file name="yara_rules" path=".\%ORC_CONFIG_FOLDER%\ruleset.yara" />

	<pair name="AUTORUNS"  value="7z:#Tools|autorunsc.exe" />

	<archive name="Tools" format="7z" compression="Ultra">
		<file name="DFIR-Orc_x64.exe" path=".\tools\DFIR-Orc_x64.exe"/>

		<!-- <file name="handle.exe" path=".\tools\handle.exe"/> -->
		<file name="autorunsc.exe" path=".\tools\autorunsc.exe"/>
		<!-- <file name="Tcpvcon.exe" path=".\tools\Tcpvcon.exe"/>
		<file name="PsService.exe" path=".\tools\PsService.exe"/>
		<file name="Listdlls.exe" path=".\tools\Listdlls.exe"/>

		<file name="dumpit" path=".\tools\DumpIt.exe" />
		<file name="winpmem" path=".\tools\winpmem.exe" /> -->

	</archive>
</toolembed>

After Configuration.cmd I tested DFIR-Orc.exe with these two command lines available in the online documentation of the project here:

.\output\DFIR-Orc.exe NTFSInfo /out=C_drive.csv "C:\"
.\output\DFIR-Orc.exe GetThis /nolimits /sample=ntdll.dll /out=ntdll.7z "C:\"

These command lines worked properly, but when I tried to launch the program with FastFind I faced the error message I posted above.
In order to use FastFind I use this command line, which I found here, in an admin PowerShell:

.\output\DFIR-Orc.exe FastFind /config=fastfind.xml /out=fastfind_output.xml

The content of fastfind.xml used in the /config field is the same as the one in the FastFind documentation:

<?xml version="1.0" encoding="utf-8"?>
<fastfind version="Test 2.0">
    <filesystem>
        <location shadows="yes">%SystemDrive%</location>
        <yara source="yara.rules" block="2M" timeout="120" overlap="8192" scan_method="filemapping" />
        <ntfs_find size="694160" md5="1CECAFE147F1CC3E2B9804B8CDA593C9"/>
        <ntfs_find name="ntdll.dll" yara_rule="is_dll"/>
        <ntfs_find name_match="gdi*.dll"/>
        <ntfs_exclude path="\Windows\System32\ntdll.dll"/>
        <ntfs_exclude path_match="\Windows\System32\gdi*.dll"/>
        <ntfs_exclude sha1="c766364efd9c9b5aa3a7140a69f0cf5b147bc476"/>
        <ntfs_exclude size="14966411"/>
        <ntfs_exclude contains="bcryptprimitives.pdb"/>
    </filesystem>
    <registry>
        <location>%SystemDrive%\</location>
        <hive name="NTUSER">
            <ntfs_find name="NTUSER.DAT"/>
            <registry_find key_path="\Software\Microsoft\Internet Explorer\Main" value="Check_Associations" data="no"/>
        </hive>
        <hive name="SOFTWARE">
            <ntfs_find name="SOFTWARE"/>
            <registry_find key_path="\Microsoft\Windows\CurrentVersion\Run" value="SecurityHealth"/>
        </hive>
    </registry>
    <object>
        <object_find type="Mutant" name="foo"/>
        <object_find type="File" name="foobar"/>
    </object>
</fastfind>

I also tried to use this command line in the \output directory but the same error occurred.

Do you see why I'm facing this error?
Thanks for your help !

Unable to decrypt (encrypted) DFIR-Orc archives

Hello,

Big thanks for releasing this tool.

I have an issue and I can't find how to solve it. I compiled the two mothership executables, both x64 and x86, with no error. I am able to build simple or more complex configured binary files; however, the only way to run the configured binary is from a command line. Running the binary by double-clicking on it or from a scheduled task results in a failure.

I see in the documentation

"The Mothership mechanism allows DFIR ORC to be executed in any compatible context (Scheduled Task, Logon Script, Startup script, x86/x64…). The configuration allows the Mothership to launch the subsequent execution which suits the context. Specific command-line options can be used to customize this behavior."

I haven't succeeded in passing arguments like NoWait, WMI or PreserveJob to the mothership. At this time I have no idea why the execution fails if I double-click on the exe file and why it succeeds if I run it from cmd.exe.

Please see below the screenshots of the failure (at this time I have no more details).

failed_1
failed_2

Feel free to ask any information needed for debugging purpose.

Apologies for the incorrect English syntax.

Regards

CAB support ?

Hi,

I just gave a try to CAB archives support in DFIR-ORC and I did not manage to get it to work.

Here is the minimal DFIR-ORC_config.xml file I'm using:

<?xml version="1.0" encoding="utf-8"?>

<wolf childdebug="no" command_timeout="600">

    <log disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.log</log>
    <outline disposition="truncate">DFIR-ORC_{SystemType}_{FullComputerName}_{TimeStamp}.json</outline>

    <archive name="7z_test.7z"  keyword="7z" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>

    </archive>

    <archive name="CAB_test.cab"  keyword="cab" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>
    </archive>

    <archive name="ZIP_test.zip"  keyword="zip" concurrency="2" repeat="Once" archive_timeout="120">
        <restrictions ElapsedTimeLimit="480" />
        <command keyword="BITS_jobs" winver="6.0+">
            <execute name="bitsadmin.exe" run="%windir%\System32\bitsadmin.exe" />
            <argument>/list /allusers /verbose</argument>
            <output  name="BITS_jobs.txt" source="StdOutErr" />
        </command>
    </archive>

</wolf>

I managed to get a 7-ZIP archive using the following command:
c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=7z

I managed to get a ZIP archive using the following command:
c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=zip

But I could not get a CAB archive using the following command:
c:\Users\User\source\repos\dfir-orc-config>output\DFIR-Orc.exe /out=\Temp\test /key=cab
The process gets stuck, I have to press Ctrl+C to exit.

I'm using the official unconfigured build of DFIR-ORC v10.0.20 inside a "developer virtual machine" from Microsoft.
Console logs for 7-ZIP and CAB calls are attached to this issue.

Am I missing something or is this a bug?

Best regards

cab_fail_screenshot
console_log_cab.txt
console_log_7z.txt

GetThis fails to grab files larger than 2GB

Hello,

When I use the GetThis command to compress files (7z output) larger than 2GB it fails; below is an excerpt of the output:

$> .\DFIR-Orc.exe GetThis /sample="plop2G.plop" "D:\" /out=test.7z /MaxTotalBytes=10GB

[...]

Global limits imposed on collection:
        Maximum bytes per sample  = Unlimited
        Maximum bytes collected   = 10737418240
        Maximum number of samples = Unlimited
        Default content copied is attribute's data

Samples looked after:

   Sample:  (copy data)

      Name is plop2G.plop


Start time            : 09/16/2020 08:54:36.894 (UTC)
        \plop2G.plop matched (-2147483115 bytes)

Adding matching samples to archive:
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e): Failed to update test.7z
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e): Failed to flush queue to test.7z
ERROR (Not enough memory resources are available to complete this operation, hr=0x8007000e):
GetThis failed while collecting samples

However, it works fine using zip instead of 7z. I guess the file size of -2147483115 bytes is wrong. Am I doing something wrong here, or is this an overflow?

Thanks for the tool ;)
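An added example, not code from DFIR ORC or from any of the posters, for reading the two failure values quoted on this page. The FastFind post's 0x80070585 and this post's 0x8007000e are HRESULTs with FACILITY_WIN32 (facility 7), so their low 16 bits are ordinary Win32 error numbers: 1413 is ERROR_INVALID_INDEX ("The index is invalid.", which is what the French "Index non valide." renders) and 14 is ERROR_OUTOFMEMORY. The "-2147483115 bytes" above is what a byte count looks like after passing through a signed 32-bit integer: reinterpreted as unsigned it is 2,147,484,181 bytes, 533 bytes over 2 GiB, consistent with the overflow the poster suspects. The function names are the example's own.

```cpp
// Added example, not part of DFIR ORC: interpret the error values quoted in the
// FastFind and GetThis reports above. Function names are the example's own.
#include <cstdint>
#include <iostream>
#include <string>

// Decoded view of a Windows HRESULT such as 0x80070585 or 0x8007000e.
struct HResultInfo {
    bool failed;        // severity bit (bit 31)
    unsigned facility;  // bits 16..26
    unsigned code;      // bits 0..15
};

// Split an HRESULT into severity, facility and code fields.
// Facility 7 (FACILITY_WIN32) means the code field is a plain Win32 error
// number, i.e. the value was produced by HRESULT_FROM_WIN32().
HResultInfo decode_hresult(uint32_t hr) {
    HResultInfo info;
    info.failed = (hr & 0x80000000u) != 0;
    info.facility = (hr >> 16) & 0x7FFu;
    info.code = hr & 0xFFFFu;
    return info;
}

// Names for the Win32 error numbers that appear on this page; these are the
// documented Windows constants. Anything else is reported numerically.
std::string win32_error_name(unsigned code) {
    switch (code) {
        case 14:   return "ERROR_OUTOFMEMORY";    // 0x8007000e in the GetThis output
        case 1413: return "ERROR_INVALID_INDEX";  // 0x80070585 in the FastFind output
        default:   return "WIN32_ERROR_" + std::to_string(code);
    }
}

// One-line description, e.g. "FAIL facility=7 code=1413 (ERROR_INVALID_INDEX)".
std::string describe_hresult(uint32_t hr) {
    const HResultInfo info = decode_hresult(hr);
    std::string out = info.failed ? "FAIL" : "SUCCESS";
    out += " facility=" + std::to_string(info.facility);
    out += " code=" + std::to_string(info.code);
    if (info.facility == 7) {
        out += " (" + win32_error_name(info.code) + ")";
    }
    return out;
}

// GetThis printed "-2147483115 bytes" for a file larger than 2 GB. A byte count
// that has been squeezed through a signed 32-bit integer keeps only its low 32
// bits, and once the true size exceeds 2^31 - 1 the printed value goes negative.
// Reinterpreting the two's-complement bit pattern as unsigned recovers the low
// 32 bits of the real size (exact as long as the file is under 4 GiB).
uint64_t unwrap_size32(int32_t printed) {
    return static_cast<uint32_t>(printed);
}

// The opposite direction: what a true 64-bit size prints as after such a
// truncation. Useful to confirm that a suspected size reproduces the log line.
int32_t wrap_size32(uint64_t true_size) {
    return static_cast<int32_t>(static_cast<uint32_t>(true_size & 0xFFFFFFFFu));
}

// The check a 64-bit size should get before being stored in a signed 32-bit slot.
bool fits_in_int32(uint64_t size) {
    return size <= 0x7FFFFFFFu;
}

int main() {
    std::cout << "0x80070585 -> " << describe_hresult(0x80070585u) << '\n';
    std::cout << "0x8007000e -> " << describe_hresult(0x8007000Eu) << '\n';
    const uint64_t real = unwrap_size32(-2147483115);
    std::cout << "-2147483115 bytes -> " << real << " bytes ("
              << real - (1ULL << 31) << " bytes over 2 GiB)\n";
    std::cout << "fits in int32: " << std::boolalpha << fits_in_int32(real) << '\n';
    return 0;
}
```

The same decoding applies to any "hr=0x8007xxxx" value in a DFIR ORC log: strip the facility and look the low 16 bits up as a Win32 error number.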
