DFIR-ORC/dfir-orc
GitHub: DFIR-ORC/dfir-orc
A Windows forensic artefact collection tool maintained by ANSSI, used to collect and package digital evidence quickly and in a compliant manner.
Stars: 434 | Forks: 49
# DFIR ORC
[](./LICENSE.txt)
[](https://github.com/DFIR-ORC/dfir-orc)
[](https://documentation.ouvert.numerique.gouv.fr/les-parcours-de-documentation/ouvrir-un-projet-num%C3%A9rique/#niveau-ouverture)

## French National Cybersecurity Agency (ANSSI)
*This project is managed by [ANSSI](https://cyber.gouv.fr/). To find out more, you can visit the [page](https://cyber.gouv.fr/enjeux-technologiques/open-source/) (in French) dedicated to ANSSI’s open-source strategy. You can also click on the badges above to learn more about their meaning.*
## Documentation
https://dfir-orc.github.io
## Build Status
| Branch | Status |
|:-------------|:-------|
| main | [](https://github.com/DFIR-ORC/dfir-orc/actions/workflows/build.yml) |
| release/10.3 | [](https://github.com/DFIR-ORC/dfir-orc/actions/workflows/build.yml) |
## Quick Start
```
winget install Microsoft.Git
# Copy the .vsconfig file, or clone the repository, and install Visual Studio
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
winget install --id Microsoft.VisualStudio.2022.BuildTools --override "--passive --config .vsconfig"
Import-Module "C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\Microsoft.VisualStudio.DevShell.dll"
Enter-VsDevShell -VsInstallPath "C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools" -SkipAutomaticLocation
.\Build-Orc.ps1 # PowerShell >= 5.1
```
The script builds the x86-xp and x64-xp versions of DFIR-ORC and then packages them into a single `DFIR-ORC.exe`.
To also embed a configuration at build time using ToolEmbed:
```
.\Build-Orc.ps1 -ToolEmbed .\config
```
To build specific platforms or multiple configurations:
```
.\Build-Orc.ps1 -BuildConfig Debug,MinSizeRel -Platform x64-xp,x86-xp,x64,x86
```
## Build Reference
### Requirements
- **Visual Studio** 2022 to 2026, **English language pack only** (vcpkg limitation)
- Select workload: *Desktop development with C++*
- Import the provided [.vsconfig](.vsconfig) in Visual Studio Installer
- To build the tests, also add:
  - "Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest"
  - "Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest"
  - "Microsoft.VisualStudio.Component.VC.UnitTest"
- **PowerShell** 5.1+ (for `Build-Orc.ps1`)
A clean Windows 11 build environment can be provisioned using **Hyper-V Quick Create** (search for *Hyper-V Quick Create* in the Start menu). This creates a local VM from an evaluation image without requiring a separate download. Remaining dependencies can be installed inside the VM using 'Visual Studio Installer' by selecting 'Desktop development with C++'.
### Using the build script (`Build-Orc.ps1`)
To build without the script, see [Manual Build](#manual-build).
The script drives the full pipeline: configure > build > package with OrcCapsule > optionally embed a configuration with ToolEmbed.
```
.\Build-Orc.ps1 [[-Source] ]
[[-BuildConfig] [,...]]
[[-Platform] [,...]]
[[-BuildDir] ]
[[-ToolEmbed] ]
[-ConfigureOnly]
[-BuildOnly]
[-FastFind]
```
| Parameter | Default | Description |
|:-----------------|:---------------------|:------------|
| `-Source` | *(current dir)* | Root of the DFIR-ORC source tree |
| `-BuildConfig` | `MinSizeRel` | One or more CMake build configurations: `Debug`, `MinSizeRel`, `RelWithDebInfo` |
| `-Platform` | `x64-xp`, `x86-xp` | One or more target platforms; each must match a `dfir-orc-` CMake preset |
| `-BuildDir` | `.\build` | Root directory for all CMake artifacts and packaged output |
| `-ToolEmbed` | *(none)* | If set, runs a ToolEmbed step using this directory as configuration source |
| `-ConfigureOnly` | *(off)* | Run cmake configure for all presets then stop; skip build and packaging |
| `-BuildOnly` | *(off)* | Run configure and build, but skip the packaging step |
| `-FastFind` | *(off)* | Also build and package `FastFind.exe` in addition to `DFIR-ORC.exe`
Packaged executables are written to `\\DFIR-ORC.exe` (and `FastFind.exe` when `-FastFind` is set). When `-ToolEmbed` is used the configuration-embedded output is written to `\\DFIR-ORC-ready.exe`.
**Examples:**
```
# Default release build
.\Build-Orc.ps1
# Debug build with a custom build directory
.\Build-Orc.ps1 -BuildConfig Debug -BuildDir .\out\debug
# Build both configurations for all default platforms in one go
.\Build-Orc.ps1 -BuildConfig Debug,MinSizeRel
# Build for additional platforms (including the Seven/2008-R1 presets)
.\Build-Orc.ps1 -Platform x64-xp,x86-xp,x64,x86
# Release build with an embedded configuration
.\Build-Orc.ps1 -BuildConfig RelWithDebInfo -ToolEmbed .\config
# Also produce the FastFind package
.\Build-Orc.ps1 -FastFind
# Configure only (useful to pre-download the vcpkg dependencies)
.\Build-Orc.ps1 -ConfigureOnly
```
#### What the script does
1. Configures the `capsule-x86-xp` preset plus one `dfir-orc-` preset per value in `-Platform`, placing each binary tree under `\`.
2. Builds every configured preset for each value in `-BuildConfig`.
3. For each build configuration, runs **OrcCapsule** to bundle the per-platform `DFIR-ORC_.exe` artifacts into a single self-selecting `DFIR-ORC.exe`. When `-FastFind` is set the same bundling is done for `FastFind.exe`.
4. *(Optional)* Runs **ToolEmbed** (via the newly packaged capsule) to inject the XML configuration and tools from `-ToolEmbed`, producing `DFIR-ORC-ready.exe`.
### Manual Build
Use a *Developer Command Prompt for VS 2022* (avoid plain `cmd.exe`).
#### Build
```
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
# Configure
cmake --preset capsule-x86-xp
cmake --preset dfir-orc-x64-xp
cmake --preset dfir-orc-x86-xp
# Build (replace MinSizeRel with the target configuration)
cmake --build --preset capsule-x86-xp-MinSizeRel
cmake --build --preset dfir-orc-x64-xp-MinSizeRel
cmake --build --preset dfir-orc-x86-xp-MinSizeRel
# Package
.\build\capsule-x86-xp\MinSizeRel\OrcCapsule.exe capsule add `
.\build\dfir-orc-x86-xp\MinSizeRel\DFIR-ORC_x86.exe `
.\build\dfir-orc-x64-xp\MinSizeRel\DFIR-ORC_x64.exe `
--output .\build\DFIR-ORC.exe `
--force
```
#### Configuration
```
$CONFIG_DIR = "C:\path\to\your\orc-config"
.\build\DFIR-ORC.exe ToolEmbed /embed="$CONFIG_DIR\config" /out=DFIR-ORC.exe
```
#### [Deprecated] Configuration using the legacy build.cmd
```
$CONFIG_DIR = "C:\path\to\your\orc-config"
cp .\build\DFIR-ORC.exe "$CONFIG_DIR\tools\DFIR-ORC_x64.exe"
cd $CONFIG_DIR
.\build.cmd
```
Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. See https://dfir-orc.github.io for deployment and configuration details.
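Whether the capsule was produced by `Build-Orc.ps1` or by the manual OrcCapsule and ToolEmbed steps above, it is worth checking before deployment that every expected artifact exists and recording its hash, so the collector that ends up on an investigated host can later be matched to a known build. The following is an added example, not code from the DFIR-ORC repository. It assumes the per-platform binaries live under `<BuildDir>\dfir-orc-<platform>\<BuildConfig>\DFIR-ORC_<arch>.exe` with `<arch>` being the platform name minus any `-xp` suffix (this matches the manual build paths for x86-xp and x64-xp; for other presets it is an assumption), and it takes the packaged capsule path explicitly because the script and the manual build write it to different locations.

```powershell
# Added example (not part of the DFIR-ORC project): check that the build left the
# expected artifacts behind and write a SHA-256 manifest for them.
# Assumption: per-platform binaries are at
#   <BuildDir>\dfir-orc-<platform>\<BuildConfig>\DFIR-ORC_<arch>.exe
# where <arch> is the platform name without its "-xp" suffix.
function Test-OrcBuildOutput {
    [CmdletBinding()]
    param(
        [string]   $BuildDir    = ".\build",
        [string]   $BuildConfig = "MinSizeRel",
        [string[]] $Platform    = @("x64-xp", "x86-xp"),
        [string]   $Capsule     = ".\build\DFIR-ORC.exe",
        [string]   $ReadyCapsule,                        # optional: DFIR-ORC-ready.exe from ToolEmbed
        [string]   $Manifest    = ".\build\DFIR-ORC.sha256"
    )

    # Build the list of files the pipeline should have produced.
    $expected = @(foreach ($p in $Platform) {
        $arch = $p -replace '-xp$', ''
        Join-Path $BuildDir "dfir-orc-$p\$BuildConfig\DFIR-ORC_$arch.exe"
    })
    $expected += $Capsule
    if ($ReadyCapsule) { $expected += $ReadyCapsule }

    # Fail early if anything is missing; a partial package must not be deployed.
    $missing = @($expected | Where-Object { -not (Test-Path -LiteralPath $_ -PathType Leaf) })
    if ($missing.Count -gt 0) {
        foreach ($m in $missing) { Write-Warning "missing build artifact: $m" }
        return $false
    }

    # Record lowercase hex SHA-256 hashes in "hash  path" form so the deployed
    # collector can be matched to this exact build later.
    $lines = @(foreach ($f in $expected) {
        $h = Get-FileHash -LiteralPath $f -Algorithm SHA256
        "{0}  {1}" -f $h.Hash.ToLower(), (Resolve-Path -LiteralPath $f).Path
    })
    Set-Content -LiteralPath $Manifest -Value $lines -Encoding ascii
    Write-Host "wrote $($lines.Count) hashes to $Manifest"
    return $true
}

# Usage after .\Build-Orc.ps1 with defaults, or after the manual build above:
#   Test-OrcBuildOutput
# Usage after .\Build-Orc.ps1 -ToolEmbed .\config:
#   Test-OrcBuildOutput -ReadyCapsule .\build\DFIR-ORC-ready.exe
```

Run it from the repository root in the same shell used for the build; it returns `$true` only when every listed file exists, and the manifest it writes can be kept with the case documentation.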
### Offline Build
#### On the online machine
Set up the build environment by following the [Quick Start](#quick-start) section, but stop before running `.\Build-Orc.ps1`.
```
$ORC_MIRROR = "c:\users\foo\mirror"
$ENV:VCPKG_DOWNLOADS="$ORC_MIRROR\vcpkg-downloads"
# Populate the vcpkg downloads directory
New-Item -type directory $ORC_MIRROR
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
# Do not use 'vcpkg install --download-only ...': as documented, it is only best-effort
.\Build-Orc.ps1 -ConfigureOnly -Platform x86-xp,x64-xp,x86,x64
Copy-Item "external/vcpkg/vcpkg.exe" $ORC_MIRROR/
# Mirror the repositories
git clone --mirror https://github.com/dfir-orc/dfir-orc.git "$ORC_MIRROR/dfir-orc.git"
git clone --mirror https://github.com/microsoft/vcpkg.git "$ORC_MIRROR/vcpkg.git"
```
Transfer the `$ORC_MIRROR` directory to the offline machine.
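A mirror that is incomplete is only discovered once the offline machine runs `git submodule update --init` and cannot find the vcpkg commit that dfir-orc pins, so checking the mirror before it leaves the online machine saves a round trip. The following is an added example, not code from the DFIR-ORC repository. It assumes the vcpkg submodule is recorded at `external/vcpkg` in the dfir-orc repository (the page copies `vcpkg.exe` from that directory, but the submodule path itself is an assumption here) and that the branch to be built is `main`.

```powershell
# Added example (not part of the DFIR-ORC project): verify that the mirror
# directory is complete before it is transferred to the offline machine.
# Assumptions: the vcpkg submodule path is external/vcpkg and the branch is main.
function Test-OrcMirror {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MirrorDir,
        [string] $Branch        = "main",
        [string] $SubmodulePath = "external/vcpkg"
    )
    $ok        = $true
    $orcRepo   = Join-Path $MirrorDir "dfir-orc.git"
    $vcpkgRepo = Join-Path $MirrorDir "vcpkg.git"

    # Everything the offline procedure reads from the mirror must be present.
    $required = @($orcRepo, $vcpkgRepo,
                  (Join-Path $MirrorDir "vcpkg.exe"),
                  (Join-Path $MirrorDir "vcpkg-downloads"))
    foreach ($item in $required) {
        if (-not (Test-Path -LiteralPath $item)) { Write-Warning "missing: $item"; $ok = $false }
    }
    if (-not $ok) { return $false }

    # 'git clone --mirror' produces bare repositories; anything else was not mirrored.
    foreach ($repo in @($orcRepo, $vcpkgRepo)) {
        if ((git -C $repo rev-parse --is-bare-repository) -ne "true") {
            Write-Warning "not a bare repository: $repo"; $ok = $false
        }
    }

    # The vcpkg commit pinned by the dfir-orc submodule must exist in the vcpkg
    # mirror, otherwise 'git submodule update --init' fails on the offline machine.
    # ls-tree prints "<mode> commit <sha>\t<path>" for a submodule entry.
    $entry = git -C $orcRepo ls-tree $Branch -- $SubmodulePath
    if (-not $entry -or ($entry -split '\s+')[1] -ne 'commit') {
        Write-Warning "no submodule entry for $SubmodulePath on branch $Branch"
        return $false
    }
    $pinned = ($entry -split '\s+')[2]
    git -C $vcpkgRepo cat-file -e "$pinned^{commit}" 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "vcpkg mirror lacks the pinned submodule commit $pinned"
        $ok = $false
    } else {
        Write-Host "vcpkg submodule pin $pinned is present in the mirror"
    }
    return $ok
}

# Usage on the online machine, after the mirror has been populated:
#   Test-OrcMirror -MirrorDir "c:\users\foo\mirror"
```

The function returns `$false` on the first missing path and otherwise reports every problem it finds, so the mirror only needs to be re-populated once. The same check can be repeated on the offline machine after the transfer to confirm nothing was lost on the way.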
#### On the offline machine
Ensure Visual Studio 2022 with the *Desktop development with C++* workload and
PowerShell 5.1+ are installed before proceeding.
```
# Adjust to the location the mirror was transferred to
$ORC_MIRROR = "C:\Users\bar\mirror"
$ENV:VCPKG_DOWNLOADS="$ORC_MIRROR\vcpkg-downloads" # 'Tools' subdirectory is required
```
**Option A — internal git server**: push the mirrors first, then clone from the server:
```
git push --mirror https://internal.git/mirror/dfir-orc.git
git push --mirror https://internal.git/mirror/vcpkg.git
git clone https://internal.git/mirror/dfir-orc.git
cd dfir-orc
git -c url."https://internal.git/mirror/vcpkg.git".insteadOf="https://github.com/microsoft/vcpkg.git" `
submodule update --init
```
**Option B — local filesystem**:
```
git clone "$ORC_MIRROR/dfir-orc.git"
cd dfir-orc
git -c protocol.file.allow=always `
-c url."file:///$ORC_MIRROR/vcpkg.git".insteadOf="https://github.com/microsoft/vcpkg.git" `
submodule update --init
```
**Then build**:
```
Copy-Item $ORC_MIRROR/vcpkg.exe "external/vcpkg/"
.\Build-Orc.ps1
```
## License
The contents of this repository are available under the [LGPL 2.1+ license](LICENSE.txt).
The name DFIR ORC, the associated logo and the ANSSI logo belong to ANSSI, no use is permitted without express approval.
The contents of this repository are available under the LGPL 2.1+ license, as stated [here](LICENSE.txt).
The name DFIR ORC, the associated logo and the ANSSI logo belong to ANSSI; no use is permitted without express authorization.
## Acknowledgements
DFIR ORC is disclosing Microsoft source code with Microsoft's permission.