Awesome
DFIR ORC
Documentation
Build
| Branch | Status |
|---|---|
| main | |
| release/10.1 | |
| release/10.2 |
Requirements
- Visual Studio
- From 2017 to 2022
- English only (vcpkg limitation)
- Use this installer configuration or alternatively use vstools
- Check also "Desktop development with C++"
- Kitware's CMake >= 3.25 or Visual Studio integrated version
Build environment can be setup quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer.
Commands
Both 32-bit and 64-bit versions should be built for maximum compatiliby before deployment. See https://dfir-orc.github.io for more details about deployment and configuration.
In a prompt like Developer Command Prompt for VS 2019 (prefer to avoid using cmd.exe):
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
mkdir build-x86 build-x64
cd build-x86
cmake -G "Visual Studio 17 2022" -A Win32 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount
cd ../build-x64
cmake -G "Visual Studio 17 2022" -A x64 -T v141_xp ..
cmake --build . --config MinSizeRel -- -maxcpucount
-
The
-T v141_xpoption will allow compatibility with Windows XP SP2 and later, it can safely be removed if this is not required. -
The default
ORC_BUILD_VCPKG=ONoption will build vcpkg packages in 'external/vcpkg' subdirectory.
Important Always do a git submodule update after any git pull to update submodules aswell. Alternatively, always pull with git pull --recurse-submodules
Options
| CMake option | Default | Description |
|---|---|---|
| ORC_DOWNLOADS_ONLY | OFF | Only download vcpkg dependencies |
| ORC_BUILD_VCPKG | ON | Build vcpkg dependencies |
| ORC_BUILD_APACHE_ORC | OFF | Build Apache Orc module |
| ORC_BUILD_COMMAND | ON | Build OrcCommand library |
| ORC_BUILD_FASTFIND | OFF | Build FastFind binary |
| ORC_BUILD_ORC | ON | Build Orc binary |
| ORC_BUILD_PARQUET | OFF | Build Parquet module (x64) |
| ORC_BUILD_SSDEEP | OFF | Build with ssdeep support |
| ORC_BUILD_JSON | ON | Build with JSON enabled |
| ORC_USE_STATIC_CRT | ON | Use static runtime |
| ORC_VCPKG_ROOT | ${ORC}/external/vcpkg | VCPKG root directory |
| ORC_XMLLITE_PATH | XmlLite.dll path (xp sp2) | |
| VCPKG_TARGET_TRIPLET | Autodetect | VCPKG triplet to use |
| CMAKE_TOOLCHAIN_FILE | Autodetect | VCPKG's toolchain file |
[1] The xmllite.dll is native after patched Windows XP SP2
Note: Some combinations may be irrelevant.
License
The contents of this repository is available under LGPL2.1+ license. The name DFIR ORC and the associated logo belongs to ANSSI, no use is permitted without express approval.
Le contenu de ce dépôt est disponible sous licence LGPL2.1+, tel qu'indiqué ici. Le nom DFIR ORC et le logo associé appartiennent à l'ANSSI, aucun usage n'est permis sans autorisation expresse.
Acknowledgments
DFIR ORC is disclosing Microsoft source code with Microsoft's permission.