Overview
During a ransomware investigation, the IR team needs forensic artefacts from thirty endpoints simultaneously. Installing an agent on each host is not an option: some systems are on classified networks, others are running bespoke configurations that preclude agent installation, and the incident is still active. DFIR-ORC runs on Windows endpoints without installation, collects registry hives, event logs, MFT, prefetch files, network state, running processes, and memory dumps into a structured archive, and exits cleanly. The resulting archives are ingested into Argus, parsed into searchable artefact records, and correlated across all affected hosts into a unified lateral movement timeline.
DFIR-ORC is an open-source forensic collection and analysis framework developed by ANSSI (Agence nationale de la sécurité des systèmes d'information), the French national cybersecurity agency. Its no-install design makes it particularly well-suited to classified environments and incident response scenarios where permanent agent deployment is not appropriate.
```mermaid
flowchart TD
    A[DFIR-ORC executed on Windows endpoint] --> B[Artefacts collected: registry, event logs, MFT, prefetch, processes, network]
    B --> C[Collection archive created and removed from host]
    C --> D[Archive submitted to Argus as base64 via ingestDfirOrcArchive]
    D --> E[parse_orc_archive_b64 adapter unpacks archive]
    E --> F[Artefacts enumerated and typed]
    F --> G[Structured records persisted to PostgreSQL]
    G --> H[Collection record linked to case in Case domain]
    H --> I{Secrecy level check}
    I -->|Authorised personnel| J[Artefacts queryable via dfirOrcArtifacts]
    I -->|Insufficient clearance| K[Access denied - audit event recorded]
    J --> L[Cross-host correlation: lateral movement timeline]
    J --> M[Targeted queries: PowerShell executions, network connections, etc.]
    L --> N[EDF audit trail entry written - source standard DFIR_ORC]
```
Last Reviewed: 2026-03-18
Last Updated: 2026-04-14
Key Features
Archive Ingestion and Parsing
Submit a DFIR-ORC collection archive as base64 via ingestDfirOrcArchive. The parse_orc_archive_b64 adapter unpacks the archive, enumerates the collected artefacts (event log entries, registry keys, process lists, network connections, file system entries), and persists each artefact as a structured record linked to the collection run. A single collection from one host may contain thousands of discrete artefacts.
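The following is an added example, not Argus's own adapter code: a minimal stand-in for what a parse_orc_archive_b64 style adapter does once the base64 payload arrives. The archive is a constructed zip (a real DFIR-ORC collection is a 7z archive), and the artefact taxonomy, record fields and the argument names of the ingestDfirOrcArchive mutation (archiveBase64, hostId, caseId) are assumptions for illustration only.

```python
import base64
import hashlib
import io
import zipfile

# File-name patterns to artefact types (assumed taxonomy, checked in order).
TYPE_RULES = [
    (".evtx", "event_log"),
    ("prefetch/", "prefetch"),
    ("$mft", "mft"),
    ("processes", "process_list"),
    ("netstat", "network"),
    ("registry/", "registry_hive"),
]
# Artefact types whose content is kept as a parsed text value.
TEXT_TYPES = {"process_list", "network"}


def classify(path: str) -> str:
    """Assign an artefact type from its path inside the archive."""
    lower = path.lower()
    for pattern, kind in TYPE_RULES:
        if pattern in lower:
            return kind
    return "unknown"


def build_constructed_archive() -> bytes:
    """Constructed zip standing in for a real DFIR-ORC collection (which is 7z)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Processes/processes.csv", "pid,name\n4,System\n1234,powershell.exe\n")
        zf.writestr("EventLogs/Security.evtx", b"ElfFile\x00constructed")
        zf.writestr("Prefetch/POWERSHELL.EXE-ABCD1234.pf", b"MAM\x04constructed")
        zf.writestr("Registry/SYSTEM", b"regf constructed hive")
        zf.writestr("Network/netstat.txt", "TCP 10.0.0.5:49152 10.0.0.9:445 ESTABLISHED\n")
    return buf.getvalue()


def encode_archive(raw: bytes) -> str:
    """Base64 form in which the archive is submitted to the API."""
    return base64.b64encode(raw).decode("ascii")


def parse_orc_archive_b64(archive_b64: str, collection_id: str) -> list[dict]:
    """Unpack the base64 archive and emit one structured record per artefact."""
    raw = base64.b64decode(archive_b64, validate=True)
    records = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = classify(info.filename)
            records.append({
                "collection_id": collection_id,
                "path": info.filename,
                "type": kind,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                # Text artefacts keep a parsed value; binaries are hash-only here.
                "value": data.decode("utf-8", errors="replace") if kind in TEXT_TYPES else None,
            })
    return records


def collection_summary(records: list[dict]) -> dict:
    """Per-collection figures of the kind a collection inventory record carries."""
    by_type: dict[str, int] = {}
    for r in records:
        by_type[r["type"]] = by_type.get(r["type"], 0) + 1
    return {"artefact_count": len(records), "by_type": by_type}


def ingest_mutation(archive_b64: str, host_id: str, case_id: str) -> dict:
    """GraphQL request body for ingestDfirOrcArchive (argument names are assumed)."""
    query = """
    mutation Ingest($archive: String!, $hostId: String!, $caseId: ID!) {
      ingestDfirOrcArchive(archiveBase64: $archive, hostId: $hostId, caseId: $caseId) {
        id
        status
        artefactCount
      }
    }
    """
    return {"query": query, "variables": {"archive": archive_b64, "hostId": host_id, "caseId": case_id}}


if __name__ == "__main__":
    b64 = encode_archive(build_constructed_archive())
    recs = parse_orc_archive_b64(b64, "col-constructed-1")
    for r in recs:
        print(r["type"], r["path"], r["sha256"][:12])
    print(collection_summary(recs))
```

Hashing every entry at unpack time is what lets the per-artefact content hash on the record be compared later against the original archive for chain-of-custody purposes; the record keeps the path and type so that targeted queries do not need the archive itself.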
Collection Inventory
Query collections via dfirOrcCollections filtered by status (pending, processing, complete, failed). Each collection record includes the host identifier, collection timestamp, artefact count, tool version, and case reference. The timeline of collections across multiple hosts gives analysts a synchronised view of the incident event sequence.
Artefact-Level Querying
Drill into the artefacts for a specific collection via dfirOrcArtifacts. Artefact records include type, content hash, path, and parsed value. This enables targeted queries, such as "show all PowerShell executions captured in collection X", rather than requiring analysts to work through raw archive files.
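An added example (not Argus code) of the two analyses this section and the Overview describe, run over artefact records of the shape dfirOrcArtifacts returns: the targeted "all PowerShell executions in collection X" query, and cross-host correlation of outbound connections with subsequent process starts on the destination host into a lateral movement timeline. The records, hostnames, IP-to-host mapping and the ten-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed mapping of IP addresses to collected hosts.
HOST_BY_IP = {"10.0.0.5": "WS01", "10.0.0.9": "FS02", "10.0.0.12": "DC01"}

# Constructed artefact records, one collection per host.
RECORDS = [
    {"collection": "c-ws01", "host": "WS01", "type": "process", "ts": "2026-03-02T09:13:40Z",
     "value": "powershell.exe -NoProfile -File C:\\Users\\jdoe\\script.ps1"},
    {"collection": "c-ws01", "host": "WS01", "type": "network", "ts": "2026-03-02T09:14:02Z",
     "value": "TCP 10.0.0.5:49152 -> 10.0.0.9:445 ESTABLISHED"},
    {"collection": "c-fs02", "host": "FS02", "type": "process", "ts": "2026-03-02T09:15:30Z",
     "value": "powershell.exe -NoProfile -File C:\\Windows\\Temp\\script.ps1"},
    {"collection": "c-fs02", "host": "FS02", "type": "network", "ts": "2026-03-02T09:20:11Z",
     "value": "TCP 10.0.0.9:50123 -> 10.0.0.12:445 ESTABLISHED"},
    {"collection": "c-dc01", "host": "DC01", "type": "process", "ts": "2026-03-02T08:00:00Z",
     "value": "svchost.exe -k netsvcs"},
    {"collection": "c-dc01", "host": "DC01", "type": "process", "ts": "2026-03-02T09:21:05Z",
     "value": "powershell.exe -NoProfile -File C:\\Windows\\Temp\\script.ps1"},
]

# Assumed textual form of a parsed network artefact.
CONN_RE = re.compile(r"TCP (\S+):(\d+) -> (\S+):(\d+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def powershell_executions(records: list[dict], collection_id: str) -> list[dict]:
    """'Show all PowerShell executions captured in collection X', oldest first."""
    return sorted(
        (r for r in records
         if r["collection"] == collection_id
         and r["type"] == "process"
         and "powershell" in r["value"].lower()),
        key=lambda r: r["ts"],
    )


def lateral_movement_timeline(records: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Pair each outbound connection to another collected host with process
    starts observed on that host within `window`, ordered by connection time."""
    processes = [r for r in records if r["type"] == "process"]
    hops = []
    for r in records:
        if r["type"] != "network":
            continue
        m = CONN_RE.search(r["value"])
        if not m:
            continue
        dst_host = HOST_BY_IP.get(m.group(3))
        # Skip destinations we did not collect from, and loopback-style self hits.
        if dst_host is None or dst_host == r["host"]:
            continue
        start = parse_ts(r["ts"])
        followed = [p for p in processes
                    if p["host"] == dst_host and start <= parse_ts(p["ts"]) <= start + window]
        if followed:
            hops.append({
                "at": r["ts"],
                "from": r["host"],
                "to": dst_host,
                "port": int(m.group(4)),
                "followed_by": [p["value"] for p in followed],
            })
    return sorted(hops, key=lambda h: h["at"])


if __name__ == "__main__":
    for hop in lateral_movement_timeline(RECORDS):
        print(f'{hop["at"]} {hop["from"]} -> {hop["to"]}:{hop["port"]} then {hop["followed_by"]}')
```

Because every record carries its originating host and collection, the same artefact set answers both the per-collection question and the cross-host one; the window is the analyst's tuning knob, and tightening it drops hops whose follow-on activity was not observed promptly enough.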
Clearance-Level Filtering
Collection records carry secrecy_level tags. Forensic archives from classified-network endpoints are handled at the appropriate classification level, restricting access to cleared IR personnel. Access attempts are logged regardless of outcome.
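An added example (not Argus code) of the check this section describes, combined with the organisation scoping that the Integration section says every operation requires: a user sees a collection only if it belongs to their organisation and their clearance meets the collection's secrecy_level, and every attempt produces an audit event whether granted or denied. The level ordering, the user and collection models, and the audit record fields are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed ordering of secrecy levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass
class Collection:
    collection_id: str
    host_id: str
    organisation: str
    secrecy_level: str


@dataclass
class User:
    user_id: str
    organisation: str
    clearance: str


@dataclass
class AuditLog:
    """Append-only record of every access attempt, granted or denied."""
    events: list = field(default_factory=list)

    def record(self, user: User, collection: Collection, granted: bool, reason: str) -> None:
        self.events.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "collection": collection.collection_id,
            "granted": granted,
            "reason": reason,
        })


def can_access(user: User, collection: Collection) -> tuple[bool, str]:
    """Organisation scope first, then clearance against secrecy_level; fail closed."""
    if user.organisation != collection.organisation:
        return False, "organisation scope mismatch"
    if user.clearance not in LEVELS or collection.secrecy_level not in LEVELS:
        # An unrecognised tag must never grant access.
        return False, "unknown classification level"
    if LEVELS[user.clearance] < LEVELS[collection.secrecy_level]:
        return False, "insufficient clearance"
    return True, "authorised"


def query_collections(user: User, collections: list[Collection], audit: AuditLog) -> list[Collection]:
    """Filter collections for a user; the audit entry is written regardless of outcome."""
    visible = []
    for c in collections:
        granted, reason = can_access(user, c)
        audit.record(user, c, granted, reason)
        if granted:
            visible.append(c)
    return visible


# Constructed collection records; "UNKNOWN" is a deliberately mislabelled tag.
COLLECTIONS = [
    Collection("col-1", "WS01", "org-a", "UNCLASSIFIED"),
    Collection("col-2", "FS02", "org-a", "SECRET"),
    Collection("col-3", "DC01", "org-b", "RESTRICTED"),
    Collection("col-4", "WS07", "org-a", "UNKNOWN"),
]


if __name__ == "__main__":
    audit = AuditLog()
    analyst = User("alice", "org-a", "CONFIDENTIAL")
    print([c.collection_id for c in query_collections(analyst, COLLECTIONS, audit)])
    for e in audit.events:
        print(e["collection"], e["granted"], e["reason"])
```

The denial reason is kept on the audit event rather than returned to the caller, so that a denied query reveals nothing about the collection beyond the fact that it was filtered out.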
EDF Audit Trail
Each archive ingestion generates an interop ingest audit entry with source standard DFIR_ORC, satisfying EDF Golden Rule 15 data lineage requirements for forensic evidence chains.
Use Cases
- Enterprise Incident Response: Collect DFIR-ORC archives from multiple endpoints simultaneously during a ransomware investigation, ingest them all into Argus, and correlate artefacts across hosts into a unified lateral movement timeline
- Classified Network Forensics: DFIR-ORC's no-install collection is well-suited to classified Windows environments where installing endpoint agents is not permitted; archives are ingested into Argus at the appropriate classification level
- Threat Hunting: Run targeted collections on hosts identified through Suricata alerts or MISP indicator matches and ingest results for systematic artefact analysis without escalating to full IR
- Chain of Custody: Each ingested collection creates a timestamped and audited record linking evidence to the case, supporting legal proceedings where forensic evidence provenance must be demonstrable
Integration
Available via GraphQL: dfirOrcCollections, dfirOrcArtifacts, dfirOrcStats (queries); ingestDfirOrcArchive (mutation). All operations require authentication and organisation scoping.
Works alongside the Autopsy Forensics domain for deeper disk analysis, CAPE Sandbox for malware detonation, the Case domain for linking collections to cases, and the Evidence domain for chain-of-custody management.