DFIR-OGRE is a command-line utility that extracts Windows forensic artefacts from DFIR-ORC archives into structured data that can be consumed by Splunk, ELK or other databases.
It provides a collection of plug-ins, each dedicated to parsing a specific class of Windows artefacts. The built-in plug-ins cover many of the artefacts found in a typical DFIR-ORC archive:
- Application specific – shortcut (.lnk) files, Java download index, etc.
- Browser artefacts – Chrome and Firefox extensions, download histories, and general browsing history.
- File system – NTFS information, USN journal entries, recycle-bin records, etc.
- Processes and applications – AmCache, scheduled tasks, ShellBags, Prefetch files, ORC processes, etc.
- System logs – Windows Event logs (EVTX), Windows Error Reporting files, SRUM usage databases, etc.
This software is currently in beta. While functional and actively developed, it may still undergo breaking changes, and some artefact parsers may not yet be fully stabilized. We welcome feedback, bug reports, and contributions using the issue tracker.
The full documentation is available on the website: https://anssi-fr.github.io/dfir-ogre-documentation/
| Item | Minimum version |
|---|---|
| Python | 3.10 or newer |
| git | any recent version |
| uv | ≥ 0.4 (installable with pip) |
```shell
# Choose a location
mkdir -p ~/dfir-ogre && cd ~/dfir-ogre
git clone git@github.com:ANSSI-FR/dfir-ogre-plugin-windows.git
git clone git@github.com:ANSSI-FR/dfir-ogre.git
# Create the virtual environment
uv venv
uv pip install ./dfir-ogre
# Activate the virtual environment
source .venv/bin/activate
```

The prompt should now show the venv name, e.g. `(dfir-ogre) $`, and the `dfir-ogre` command should be available:

```shell
dfir-ogre --help
```

Extract a DFIR-ORC archive from its Outcome.json file, using the ogre.yaml configuration:
```shell
dfir-ogre orc \
  --archive ORC_xxx_Outcome.json \
  --case sample_case \
  --configuration dfir-ogre/configuration/ogre.yaml
```

This project is managed by ANSSI. To find out more, you can visit the page (in French) dedicated to ANSSI's open-source strategy. You can also click on the badges above to learn more about their meaning.
