
Digital Forensics: DFIR-ORC (ANSSI Forensic Collection)

Collect and analyse forensic artefacts from Windows endpoints at scale, without installing any agent, and correlate them into a unified investigation timeline inside Argus.

Category: Forensics
Last Updated: Mar 18, 2026
Tags: forensics, blockchain

Overview

DFIR-ORC (Outil de Recherche de Compromission) is an open-source forensic collection framework developed by ANSSI, the French national cybersecurity agency. It runs on Windows endpoints as a standalone executable with no installation step, gathers registry hives, Windows Event Logs, Master File Table (MFT) entries, prefetch files, network state, running process lists, and memory dumps into a structured archive, then exits cleanly. The resulting archives are submitted to Argus, parsed into searchable artefact records, and correlated across all affected hosts into a single lateral movement timeline.

Its no-install design makes it particularly well-suited to classified environments and live-incident scenarios where permanent endpoint agent deployment is not appropriate or not permitted.

Key Features

  • Agentless archive ingestion: Submit a DFIR-ORC collection archive (ZIP, 7z, or CAB) as a Base64-encoded payload via the platform API. The platform unpacks the archive, enumerates its contents (event log entries, registry keys, process lists, network connections, and file system entries), and persists each artefact as a structured, searchable record linked to the collection run. A single collection from one host may contain thousands of discrete artefacts.

  • Collection inventory and status tracking: Query collections filtered by status (pending, processing, complete, or failed). Each collection record includes the host identifier, collection timestamp, artefact count, tool version, and case reference. The timeline of collections across multiple hosts gives analysts a synchronised view of the incident event sequence.

  • Artefact-level querying: Drill into the artefacts for a specific collection. Artefact records include type, content hash, path, and parsed value. This enables targeted queries, such as retrieving all PowerShell execution events from a specific collection, without analysts having to work through raw archive files.

  • Classification-level filtering: Collection records carry classification tags. Forensic archives from restricted or classified-network endpoints are handled at the appropriate classification level, restricting access to cleared IR personnel. All access attempts are logged regardless of outcome.

  • Immutable audit trail: Each archive ingestion generates an interop ingest audit entry with a defined source standard identifier. This satisfies data lineage requirements for forensic evidence chains and supports legal proceedings where artefact provenance must be demonstrable.
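The unpack-and-enumerate step described under agentless ingestion and artefact-level querying, as an added example. This is illustrative code, not Argus's ingestion pipeline or any DFIR-ORC component: it handles only the ZIP format (7z and CAB need third-party libraries), classifies artefacts by file name (an assumption made for the example), and processes a constructed archive built inline. The archive comes from a host that may be attacker-controlled, so member paths are checked for zip-slip and decompressed sizes are capped before any record is written.

```python
"""Added example: enumerate one collection archive into artefact records."""
import hashlib
import io
import posixpath
import zipfile
from dataclasses import dataclass

# Caps applied before trusting anything the archive says about itself.
MAX_MEMBER_BYTES = 256 * 1024 * 1024
MAX_TOTAL_BYTES = 2 * 1024 * 1024 * 1024

# Name-based classification is an assumption for this example, not the platform's scheme.
HIVE_NAMES = {"SYSTEM", "SOFTWARE", "SAM", "SECURITY", "NTUSER.DAT", "USRCLASS.DAT"}
TYPE_BY_SUFFIX = {".evtx": "event_log", ".evt": "event_log", ".pf": "prefetch", ".csv": "tool_output"}


@dataclass(frozen=True)
class ArtefactRecord:
    path: str
    artefact_type: str
    sha256: str
    size: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_safe_member_name(name: str) -> bool:
    """Reject names that would escape the extraction root (zip-slip):
    absolute paths, drive-letter prefixes and '..' components."""
    n = name.replace("\\", "/")
    if not n or n.startswith("/"):
        return False
    parts = n.split("/")
    if ":" in parts[0]:
        return False
    return ".." not in parts


def classify(name: str) -> str:
    base = posixpath.basename(name.replace("\\", "/"))
    if base.upper() in HIVE_NAMES:
        return "registry_hive"
    if base == "$MFT":
        return "mft"
    return TYPE_BY_SUFFIX.get(posixpath.splitext(base)[1].lower(), "other")


def enumerate_collection(archive_bytes: bytes):
    """Return (records, rejected). Members are hashed in bounded chunks rather
    than read whole, and a running total caps the archive's decompressed size."""
    records, rejected, total = [], [], 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not is_safe_member_name(info.filename):
                rejected.append((info.filename, "unsafe member path"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                rejected.append((info.filename, "declared size over cap"))
                continue
            digest, size = hashlib.sha256(), 0
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(64 * 1024), b""):
                    size += len(chunk)
                    total += len(chunk)
                    if size > MAX_MEMBER_BYTES or total > MAX_TOTAL_BYTES:
                        raise ValueError(f"{info.filename}: decompressed size exceeds cap")
                    digest.update(chunk)
            records.append(ArtefactRecord(info.filename, classify(info.filename), digest.hexdigest(), size))
    return records, rejected


def build_sample_archive() -> bytes:
    """Constructed stand-in for a DFIR-ORC ZIP; member contents are placeholder bytes, not real artefacts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WS01/Event Logs/Security.evtx", b"ElfFile\x00" + b"\x00" * 64)
        zf.writestr("WS01/Registry/SYSTEM", b"regf" + b"\x00" * 32)
        zf.writestr("WS01/Prefetch/POWERSHELL.EXE-1A2B3C4D.pf", b"MAM\x04" + b"\x00" * 16)
        zf.writestr("WS01/NTFSInfo/NTFSInfo_C.csv", b"File,ParentName,Size\r\n")
        zf.writestr("WS01/$MFT", b"FILE0" + b"\x00" * 27)
        zf.writestr("../../Windows/System32/evil.dll", b"MZ")  # zip-slip attempt planted on the host
    return buf.getvalue()


if __name__ == "__main__":
    recs, rej = enumerate_collection(build_sample_archive())
    for r in recs:
        print(f"{r.artefact_type:14} {r.size:6} {r.sha256[:16]} {r.path}")
    for name, why in rej:
        print("REJECTED", name, why)
```

The rejected list is kept rather than silently dropped: an archive member with a traversal path is itself a finding worth recording against the collection, and the content hash stored per record is what a later chain-of-custody check compares against.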

Use Cases

Enterprise Incident Response

During a ransomware investigation the IR team needs forensic artefacts from dozens of endpoints simultaneously. DFIR-ORC runs independently on each host, so collections proceed in parallel. The resulting archives are ingested into Argus in parallel and correlated across all affected hosts into a unified lateral movement timeline, dramatically compressing the analysis cycle.

Classified Network Forensics

DFIR-ORC's no-install collection is well-suited to classified Windows environments where permanent endpoint agents are not permitted. Archives are ingested into Argus at the appropriate classification level, ensuring that access is restricted to cleared personnel throughout the investigation.

Threat Hunting

Run targeted DFIR-ORC collections on hosts identified through network-based detections or threat intelligence indicator matches. Ingest the results for systematic artefact analysis without escalating to full incident response, enabling proactive hunting at scale.

Each ingested collection creates a timestamped and audited record linking evidence to an investigation case. The immutable audit trail and classification controls satisfy chain-of-custody requirements where forensic evidence provenance must be demonstrable in legal or regulatory proceedings.

Integration

DFIR-ORC collections are accessible via GraphQL. Queries allow retrieval of collection inventories, individual artefact records, and aggregate statistics scoped to your organisation. A mutation accepts a Base64-encoded archive payload along with the host identifier and optional case reference, triggering ingestion and returning a collection identifier and initial status.

All operations require OAuth 2.0 authentication and are scoped to your tenant. The platform integrates DFIR-ORC alongside disk analysis, malware detonation sandbox, case management, and evidence chain-of-custody capabilities, enabling end-to-end investigation workflows from initial triage through to evidence submission.

Webhook notifications can be configured to signal ingestion completion, allowing downstream automation to begin correlation or reporting steps as soon as a collection is processed.
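The ingestion exchange described above (Base64 archive plus host identifier and optional case reference in, collection identifier and initial status out), as an added example covering both sides. This is illustrative code, not an Argus client or server: the mutation name and input fields are assumptions because the page does not publish its GraphQL schema, the platform side is a stand-in function, and the archive is constructed inline. The receiving side shows the checks worth running before anything is unpacked: bearer token present, strict RFC 4648 decoding, digest match, and a recognised archive signature.

```python
"""Added example: package a collection archive for the ingestion mutation and
validate it the way the receiving side should."""
import base64
import binascii
import hashlib
import io
import zipfile

# Assumed schema for the example; not the platform's published API.
INGEST_MUTATION = """
mutation IngestCollection($input: DfirOrcIngestInput!) {
  ingestDfirOrcCollection(input: $input) { collectionId status }
}
"""
MAX_PAYLOAD_BYTES = 512 * 1024 * 1024  # assumed per-request limit
ARCHIVE_MAGIC = (b"PK\x03\x04", b"7z\xbc\xaf\x27\x1c", b"MSCF")  # ZIP, 7z, CAB signatures


def build_ingest_request(archive: bytes, host_id: str, case_ref=None) -> dict:
    """GraphQL request body: the archive travels as RFC 4648 Base64 together
    with its SHA-256 so the platform can detect corruption before unpacking."""
    if not archive or len(archive) > MAX_PAYLOAD_BYTES:
        raise ValueError("archive empty or over the payload limit")
    return {
        "query": INGEST_MUTATION,
        "variables": {"input": {
            "hostId": host_id,
            "caseRef": case_ref,
            "archiveBase64": base64.b64encode(archive).decode("ascii"),
            "archiveSha256": hashlib.sha256(archive).hexdigest(),
        }},
    }


def auth_headers(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}


def fake_platform(body: dict, headers: dict) -> dict:
    """Stand-in for the platform endpoint: the checks a receiver should run
    before it unpacks anything."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return {"errors": [{"message": "unauthenticated"}]}
    inp = body["variables"]["input"]
    try:
        raw = base64.b64decode(inp["archiveBase64"], validate=True)  # strict alphabet, no stray bytes
    except binascii.Error:
        return {"errors": [{"message": "archive is not valid Base64"}]}
    if hashlib.sha256(raw).hexdigest() != inp["archiveSha256"]:
        return {"errors": [{"message": "archive digest mismatch"}]}
    if not raw.startswith(ARCHIVE_MAGIC):
        return {"errors": [{"message": "unsupported archive format"}]}
    collection_id = "col_" + inp["archiveSha256"][:12]  # deterministic id for the example only
    return {"data": {"ingestDfirOrcCollection": {"collectionId": collection_id, "status": "pending"}}}


def submit_collection(archive: bytes, host_id: str, access_token: str, case_ref=None, transport=fake_platform) -> dict:
    """Client side. A real client would POST the JSON body with these headers to
    the GraphQL endpoint; `transport` is injected so the example runs offline."""
    body = build_ingest_request(archive, host_id, case_ref)
    resp = transport(body, auth_headers(access_token))
    if "errors" in resp:
        raise RuntimeError(resp["errors"][0]["message"])
    return resp["data"]["ingestDfirOrcCollection"]


def sample_archive() -> bytes:
    """Constructed one-member ZIP standing in for a DFIR-ORC collection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("GetThis.csv", "ComputerName,FullName\r\nWS01,C:\\Windows\\System32\\cmd.exe\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(submit_collection(sample_archive(), "WS01", "access-token", case_ref="IR-2026-001"))
```

Sending the digest alongside the payload costs nothing and lets the platform refuse a truncated or altered upload before it is written to the evidence store, which keeps the audit entry for the ingestion tied to exactly the bytes the collector produced.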

Open Standards

  • DFIR-ORC (ANSSI): The forensic collection tool itself is the open-source ANSSI DFIR-ORC framework; Argus consumes its native archive formats (ZIP, 7z, CAB) without modification.
  • Windows Event Log (EVTX/EVT): Artefact classification and parsing covers the Windows Event Log binary format, enabling structured querying of event log entries extracted by DFIR-ORC.
  • NTFS / MFT: Master File Table entries collected by DFIR-ORC are stored and queryable as structured file system artefacts, aligned with NTFS on-disk structures.
  • Base64 (RFC 4648): Archives are transported to the platform as Base64-encoded payloads, using the encoding defined in RFC 4648.
  • OAuth 2.0 / OpenID Connect: All API operations are protected by OAuth 2.0 bearer tokens with OIDC identity assertions for authenticated, organisation-scoped access.
  • W3C Verifiable Credentials Data Model v2.0: The connected Evidence domain issues W3C Verifiable Credentials for evidence items, providing cryptographically verifiable chain-of-custody records that can be independently verified by third parties.
  • RFC 3161 (Trusted Timestamping): Evidence records linked from DFIR-ORC collections can be sealed with RFC 3161 trusted timestamps, providing non-repudiable proof of the time at which evidence was ingested.
  • ISO/IEC 27037:2012 (Digital Evidence Identification and Collection): The collection and ingestion workflow aligns with ISO/IEC 27037 guidance on identifying, collecting, and preserving digital evidence in a forensically sound manner.

Security & Compliance

Every archive ingestion is recorded in the platform's immutable audit log with a defined source standard identifier, the authenticated user, the organisation scope, and a timestamp. Access to collection records and artefacts is enforced against the classification level of the collection; attempts by users without the required clearance are denied and logged. The no-agent collection model reduces the attack surface on the investigated hosts and leaves no persistent tooling behind after collection completes. Note that a collection archive is produced on a host that may already be attacker-controlled, so its member paths, declared sizes and contents are untrusted input at ingestion time.

Last Reviewed: 2026-03-18 / Last Updated: 2026-04-14
