[Forensics]

Digital Forensics: DFIR-ORC (ANSSI Forensic Collection)

DFIR-ORC (Digital Forensics and Incident Response - Offline Response Collector) is an open-source forensic collection and analysis framework developed by ANSSI (Agence nationale de la sécurité des systèmes d'information)

Module metadata

Source reference: content/modules/digital-forensics-dfir-orc.md

Last updated: 18 Mar 2026

Category: Forensics

Content checksum: 79c1d38b82918872

Tags: forensics

Rendered documentation: this page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

DFIR-ORC (Digital Forensics and Incident Response - Offline Response Collector) is an open-source forensic collection and analysis framework developed by ANSSI (Agence nationale de la sécurité des systèmes d'information). It runs on Windows endpoints without installation, collecting forensic artefacts -- registry hives, event logs, MFT, prefetch files, network state, running processes, and memory dumps -- into a structured archive for analysis. Argus integrates DFIR-ORC to ingest collection archives from incident response engagements, parse artefacts, and make them searchable within the investigation workflow alongside other case evidence.

Key Features

Archive Ingestion and Parsing

Submit a DFIR-ORC collection archive encoded as base64 via `ingestDfirOrcArchive`. The `parse_orc_archive_b64` adapter unpacks the archive, enumerates the collected artefacts (event log entries, registry keys, process lists, network connections, file system entries), and persists each artefact as a structured record linked to the collection run. A single collection from one host may contain thousands of discrete artefacts.

Collection Inventory

Query collections via `dfirOrcCollections`, filtered by status (`pending`, `processing`, `complete`, `failed`). Each collection record includes the host identifier, collection timestamp, artefact count, tool version, and case reference. The timeline of collections across multiple hosts in an incident gives the analyst a synchronized view of the event sequence.

Artefact-Level Querying

Drill into the artefacts for a specific collection via `dfirOrcArtifacts`. Artefact records include type (event log, registry entry, process, network connection, file), content hash, path, and parsed value. This enables targeted queries -- "show all PowerShell executions captured in collection X" -- rather than requiring analysts to work through raw archive files.
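The following is an added example, not code from the Argus project or from DFIR-ORC, covering both the ingestion path above and the artefact-level query. It builds a constructed collection archive in memory, base64-encodes it into an `ingestDfirOrcArchive` request, parses it back into one structured record per artefact (type, path, content hash, parsed value, collection link), and then answers "show all PowerShell executions captured in collection X" and pivots to the network connections those processes held. The mutation's argument names (`archiveB64`, `hostId`, `caseRef`, `sha256`), the use of zip as the archive format (DFIR-ORC can also emit 7z or cab), and the CSV file names and columns are all assumptions for illustration, not the real Argus or DFIR-ORC schemas.

```python
"""Added example, not code from the Argus project or from DFIR-ORC.

Simulates the ingest path end to end: build a constructed collection archive,
base64-encode it into an ingestDfirOrcArchive request, then parse it into
per-artefact records and answer "all PowerShell executions in collection X".
Assumptions: the mutation's argument names, the archive being a zip (DFIR-ORC
can also emit 7z or cab), and the CSV file names and columns.
"""
import base64
import csv
import hashlib
import io
import json
import zipfile

# Constructed sample output; file names and columns are illustrative only.
SAMPLE_FILES = {
    "Processes.csv": (
        "ComputerName,ProcessId,ParentProcessId,ImagePath,CommandLine\n"
        "WS01,4120,812,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"
        "\"powershell.exe -nop -w hidden -enc SQBFAFgA\"\n"
        "WS01,5004,812,C:\\Windows\\explorer.exe,explorer.exe\n"
    ),
    "NetworkConnections.csv": (
        "ComputerName,ProcessId,LocalAddress,RemoteAddress,State\n"
        "WS01,4120,10.0.0.12:49812,203.0.113.7:443,ESTABLISHED\n"
    ),
}
ARTEFACT_TYPES = {"Processes.csv": "process",
                  "NetworkConnections.csv": "network_connection"}
# Per-file cap: the archive comes from a possibly compromised host, so never
# decompress without a bound.
MAX_ARTEFACT_BYTES = 64 * 1024 * 1024


def build_archive(files):
    """Pack the sample files into an in-memory zip (stands in for the collector's output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_ingest_request(archive, host_id, case_ref):
    """GraphQL body for ingestDfirOrcArchive; variable names are assumed, check the schema.
    The client hashes the raw bytes so the server can verify the decoded archive is intact."""
    return {
        "query": (
            "mutation Ingest($archiveB64: String!, $hostId: String!, "
            "$caseRef: String!, $sha256: String!) { ingestDfirOrcArchive("
            "archiveB64: $archiveB64, hostId: $hostId, caseRef: $caseRef, "
            "sha256: $sha256) { id status artifactCount } }"
        ),
        "variables": {
            "archiveB64": base64.b64encode(archive).decode("ascii"),
            "hostId": host_id,
            "caseRef": case_ref,
            "sha256": hashlib.sha256(archive).hexdigest(),
        },
    }


def parse_orc_archive_b64(archive_b64, collection_id):
    """Decode, unpack and flatten the archive into one record per artefact row,
    each linked to the collection run and carrying a content hash."""
    raw = base64.b64decode(archive_b64, validate=True)  # reject non-base64 input early
    records = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            atype = ARTEFACT_TYPES.get(info.filename)
            if atype is None:
                continue  # unknown tool output: do not guess a schema
            if info.file_size > MAX_ARTEFACT_BYTES:
                raise ValueError(f"{info.filename} exceeds size cap (decompression bomb?)")
            rows = csv.DictReader(zf.read(info).decode("utf-8").splitlines())
            for row in rows:
                canonical = json.dumps(row, sort_keys=True).encode("utf-8")
                records.append({
                    "collection_id": collection_id,
                    "type": atype,
                    "path": info.filename,
                    "content_hash": hashlib.sha256(canonical).hexdigest(),
                    "value": row,
                })
    return records


def powershell_executions(records, collection_id):
    """The targeted query the text describes: PowerShell processes in one collection."""
    return [r for r in records
            if r["collection_id"] == collection_id and r["type"] == "process"
            and "powershell" in r["value"]["ImagePath"].lower()]


def connections_for(records, pids):
    """Pivot from suspicious processes to the network connections they held."""
    return [r for r in records
            if r["type"] == "network_connection" and r["value"]["ProcessId"] in pids]


if __name__ == "__main__":
    archive = build_archive(SAMPLE_FILES)
    request = build_ingest_request(archive, "WS01", "IR-2026-0042")
    recs = parse_orc_archive_b64(request["variables"]["archiveB64"], "col-1")
    suspicious = powershell_executions(recs, "col-1")
    print(f"{len(recs)} artefacts, {len(suspicious)} PowerShell process(es)")
    for conn in connections_for(recs, {p["value"]["ProcessId"] for p in suspicious}):
        print("pivot:", conn["value"]["RemoteAddress"], conn["value"]["State"])
```

Two checks in the parser are the ones worth keeping when adapting this to the real adapter: base64 is decoded with `validate=True` so a mangled upload fails before any unpacking, and each member is compared against a size cap before it is read, because an archive collected from a compromised endpoint is attacker-influenced input.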

Clearance-Level Filtering

Collection records carry `secrecy_level` tags. Forensic archives from classified-network endpoints must be handled at the appropriate classification level, restricting access to cleared IR personnel.

EDF Audit Trail

Each archive ingestion generates an interop ingest audit entry with source standard `DFIR_ORC`, satisfying EDF Golden Rule 15 data lineage requirements for forensic evidence chains.

Use Cases

  • Enterprise Incident Response: During a ransomware investigation, collect DFIR-ORC archives from multiple endpoints simultaneously, ingest them all into Argus, and use the case evidence linking domain to correlate artefacts across hosts into a unified lateral movement timeline.
  • Classified Network Forensics: DFIR-ORC's no-install collection capability is well-suited to classified Windows environments where installing endpoint agents is not permitted -- the collected archives are ingested into Argus at the appropriate classification level.
  • Threat Hunting: Run DFIR-ORC collections on hosts of interest identified through Suricata alerts or MISP indicator matches and ingest the results for systematic artefact analysis without escalating to full IR.
  • Chain of Custody: Each ingested collection creates a timestamped and audited record linking the evidence to the case, supporting legal proceedings where forensic evidence provenance must be demonstrable.

Integration

Available via GraphQL: `dfirOrcCollections`, `dfirOrcArtifacts`, `dfirOrcStats` (queries); `ingestDfirOrcArchive` (mutation). All operations require authentication and organisation scoping.

Works alongside the Autopsy Forensics domain (deeper disk analysis), CAPE Sandbox (malware detonation), Case domain (linking collections to cases), and Evidence domain (chain-of-custody management).

Last Reviewed: 2026-03-18