DFIR-OGRE

DFIR-OGRE is a command‑line utility that extracts Windows forensic artefacts from DFIR-ORC archives into structured data that can be consumed by Splunk, ELK or other databases.

It provides a collection of plug‑ins, each dedicated to parsing a specific class of Windows artefacts. The built‑in plug‑ins cover many of the artefacts found in a typical DFIR-ORC archive:

  • Browser artefacts – Chrome and Firefox extensions, download histories, and general browsing history.
  • File system – NTFS file system information, USN journal entries, LNK shortcut files, Recycle Bin contents, etc.
  • Persistence mechanisms – Autoruns, Services, Scheduled Tasks, etc.
  • Services and applications – Activity Cache, AmCache, Shell Bags, Prefetch Files, etc.
  • System logs – Windows Event logs (EVTX), Windows Error Reporting files, SRUM usage databases, etc.