The French National Agency for the Security of Information Systems (ANSSI) has made the incident response tool for compromised systems, DFIR ORC, available on GitHub. DFIR ORC is intended for computer security professionals wishing to collect forensically relevant data.
ANSSI initially designed the tool in 2011 for conducting investigations and for incident response, in particular, for collecting reliable data on potentially compromised systems. The tool provides a forensically relevant snapshot of machines running Microsoft Windows.
Digital forensics investigators study traces left by various activities on computing systems. These traces are named artefacts. Usually, analysts track traces of computer hacks or criminal activities. When incident responders analyse machines following a security breach, they use forensic investigation techniques to understand what happened and when. This helps restoring a safe production environment as quickly as possible.
In its press release, ANSSI states that, through the release of the DFIR ORC source code, it aims to facilitate the emergence of new functionalities and to contribute to communities working on incident response. The release includes the main programme orchestrating the collection on a machine, tools to parse file systems and data collection tools. Furthermore, the release also provides configuration examples, a tutorial on how to customise configurations and a compilation guide. According to François Deruty, ANSSI's Deputy Director of Operations, the solution has been used by over 150,000 workstations. The solution supports Windows versions from XP SP2 to 10, and from Server 2003 R2 SP3 to 2019
The DFIR ORC tool is largely modular and integrates existing or independent tools under a single engine that allows for greater control to help in the search for compromise indicators, the collection of critical information on storage devices and their file systems or registry. An XML configuration file designates the components to be executed, and according to which parameters.
DFIR ORC is intended for computer security professionals wishing to collect forensically relevant data. The incident responders addressing security breaches on bases running Microsoft Windows are the primary target audience.