
Built-in Plugins

DFIR-OGRE provides a collection of plugins, each dedicated to parsing a specific class of Windows artefacts. The built-in plugins cover most of the artefacts that appear in a typical DFIR-ORC archive.

Retrieving the plugins

Plugins can be retrieved by cloning the dfir-ogre-plugin-windows repository:

# Choose a location where you keep all the sources
mkdir -p ~/dfir-ogre && cd ~/dfir-ogre

git clone https://github.com/ANSSI-FR/dfir-ogre-plugin-windows.git

The plugins are located in the dfir-ogre-plugin-windows/configuration folder.

Plugin list

| Plugin | Description | Category |
|---|---|---|
| Acmru | Extracts Search Assistant entries from the NTUser hive | Application Specific |
| Activity Cache | Extracts rows from the Activity SQLite table that records Windows 10 Timeline events | Services and Applications |
| Amcache Driver | Extracts driver metadata stored in the AmCache hive | Services and Applications |
| Amcache Driver Xml | Lists drivers from various XML report files | Services and Applications |
| Amcache File | Retrieves cached executable file metadata from the Windows AmCache hive | Services and Applications |
| Amcache Ie Addon Xml | Lists Internet Explorer add-ons from different XML report files | Services and Applications |
| Amcache Installer Xml | Lists installed software from various XML files | Services and Applications |
| Amcache Program | Extracts metadata about installed programs from the Windows AmCache hive | Services and Applications |
| Amcache Program Xml | Parses installed programs from AEINV WER XML reports | Services and Applications |
| Amcache Program Xml XML | Parses installed programs from FullCompatReport reports | Services and Applications |
| Amcache Program Xml XML | Parses installed programs from AEINV_PREVIOUS reports | Services and Applications |
| Antifishing File | Extracts the Internet Explorer anti-phishing registry hive under the NTUser hive | Application Specific |
| App Compat Cache | Extracts entries from the AppCompatCache value stored in the Windows System hive | Services and Applications |
| Autoruns | Parses CSV files produced by the Windows Autoruns utility, extracting entries that define programs or scripts that start automatically | Persistence |
| Backup Exclude | Extracts entries that Windows marks as excluded from Volume Shadow Copy Service (VSS) and backup operations, from the System hive | File System |
| Bam Dam | Extracts Activity Moderator (BAM/DAM) records from the Windows System hive | Services and Applications |
| Browser Download History | Parses the download history database of a Chrome profile (typically `*/Default/History`) | Browser Artefacts |
| Browser Download History Lite | Extracts records from the places SQLite database that Firefox uses to store download metadata | Browser Artefacts |
| Browser History | Parses the browsing history database of a Chrome profile (typically `*/Default/History`) | Browser Artefacts |
| Browser History Lite | Extracts navigation records from a Firefox places SQLite database | Browser Artefacts |
| Chrome Extension | Extracts metadata from a Chrome-based browser extension's manifest | Browser Artefacts |
| Clsid | Enumerates every user-specific COM class identifier (CLSID) stored in the UsrClass hive | Windows Artefacts |
| Clsid Software | Extracts every CLSID registration stored in the machine-wide Software hive | Windows Artefacts |
| Evt | Parses Windows EventLog (EVT) files and emits one record per event | Logs |
| Fastfind File | Parses the filesystem results of the FastFind tool | Fast Find |
| Fastfind Obj | Parses the object results of the FastFind tool | Fast Find |
| Fastfind Reg | Parses the registry results of the FastFind tool | Fast Find |
| Firefox Extension | Extracts metadata from Firefox browser add-ons (version 26+) | Browser Artefacts |
| Getthis | Parses the GetThis files produced by ORC and retrieves information about the collected files | File System |
| Ie Webcache History | Extracts browsing history records from Internet Explorer 10+ WebCache databases (WebCacheV01 | Browser Artefacts |
| Java Idx | Extracts metadata about each downloaded artifact, including its URL, server IP, size, timestamps and signing status | Application Specific |
| Listdlls | Parses output from the Sysinternals ListDLLs tool, which lists the DLLs loaded by running processes on Windows | Services and Applications |
| Lnk | Extracts every piece of metadata stored in a Windows Shell Link file | Windows Artefacts |
| Mass Storage | Extracts information about every USB (or other) mass-storage device ever connected to a Windows system, using data from the System hive | File System |
| Merge File | Reads a text file and concatenates every line into a single output line | File System |
| Mui Cache | Extracts entries from the per-user MUI cache stored in the Registry hive | Services and Applications |
| Network Config | Extracts network settings from the Windows System hive | System Information |
| Ntfsinfo | Extracts the NTFS Master File Table (MFT) from an ORC-generated CSV file | File System |
| Objinfo | Parses files produced by the GetObjInfo utility, extracting Windows object information from the object manager namespace | Windows Artefacts |
| Pca App Launch | Parses PCA application launch data | Logs |
| Pca General Record | Extracts each line of a PCA log | Logs |
| Pending Rename | Extracts entries from the PendingFileRenameOperations value in the System hive | File System |
| Prefetch | Parses Windows Prefetch files to extract execution metadata | Services and Applications |
| Processes Orc | Extracts Windows process data from an ORC-generated CSV file | Services and Applications |
| Processes Orc Csv | Parses CSV files produced by ORC that enumerate running processes | Services and Applications |
| Recent App | Extracts information about applications and files recently accessed by a user from the NtUser hive | Services and Applications |
| Recycle Bin | Extracts metadata from Windows recycle-bin files | File System |
| Reg Autoruns | Extracts persistence-related registry data from the USER hive (HKCU) | Persistence |
| Reg Autoruns Software | Extracts persistence-related registry data from the SOFTWARE hive | Persistence |
| Reg Autoruns System | Extracts persistence-related registry data from the SYSTEM hive | Persistence |
| Reg Keys | Extracts detailed information from Windows Registry hive files | Windows Artefacts |
| Reg Systeminfo | Extracts various system information from the SYSTEM and SOFTWARE hives | System Information |
| Run Mru | Extracts entries from the RunMRU key in the NTUser hive, which stores commands typed in the Windows + R dialog | Services and Applications |
| Scheduled Tasks | Extracts metadata for Windows scheduled tasks stored in the Software hive | Persistence |
| Services Control Set | Extracts all service definitions from a Windows System hive, in the related control-set keys | Persistence |
| Shellbags | Extracts the contents of Shell Bag structures stored in the UsrClass hive | File System |
| Shim Db | Extracts information about the Windows Application Compatibility Shim database stored in the Software hive | Services and Applications |
| Srum App Timeline | SRUM table that tracks statistics about inputs (focus, keyboard, mouse, etc.) | Services and Applications |
| Srum Application Resources | SRUM table that tracks resource usage for every executable run on the system, whether it still exists on disk or not | Services and Applications |
| Srum Energy Estimation | Parses data from SRUM | Services and Applications |
| Srum Energy Usage | SRUM table that stores the per-process estimates of how much electrical energy Windows thinks each component has consumed over time | Windows Artefacts |
| Srum Energy Usage Long Term | SRUM table that tracks long-term, per-process estimates of how much electrical energy Windows thinks each component has consumed over time | Windows Artefacts |
| Srum Network Connectivity Usage | SRUM table that tracks network connection time statistics per interface | Network |
| Srum Network Data Usage | SRUM table that tracks how much network traffic each installed app consumes | Network |
| Srum Sdp Cpu | SRUM table for Windows Server 2022 that tracks CPU time | Services and Applications |
| Srum Sdp Network | SRUM table for Windows Server 2022 that tracks network activity | Network |
| Srum Sdp Physical Disk | SRUM table for Windows Server 2022 that tracks physical drive information | File System |
| Srum Sdp Volume | SRUM table for Windows Server 2022 that tracks storage volume information | File System |
| Srum Tagged Energy | Parses data from the SRUM tagged_energy table {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4} | Windows Artefacts |
| Srum Vfuprov | Parses data from the SRUM vfuprov table {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F} | Windows Artefacts |
| Srum Wpn Provider | SRUM table that tracks telemetry that Windows collects about the Windows Push Notification (WPN) service – i | Windows Artefacts |
| Subject Interface Package | Extracts Subject Interface Package (SIP) records from the Windows Software hive | Services and Applications |
| Systeminfo | Parses the Windows SystemInfo CSV file generated by the systeminfo command | System Information |
| Tcpvcon | Parses a TCPView "Tcpvcon | Network |
| User Assist | Extracts execution data stored in the NTUser hive | Services and Applications |
| User Profile | Extracts data about Windows user profiles from the Software hive | System Information |
| Usninfo | Parses the CSV export of the Windows USN Journal | File System |
| Volstats | Parses a Windows volume-statistics CSV file | File System |
| Vss Snapshot | Parses CSV files that list Volume Shadow Copy (VSS) snapshots | File System |
| Wer | Parses Windows Error Reporting (WER) files, extracting metadata about crashes, hangs, and other failure events reported by the operating system | Logs |
| Windows Events | Parses Windows EVTX logs | Logs |
| X509 Cert | Collects system-wide X509 certificates stored in the Windows Software hive | System Information |
| X509 Cert Certificates | Extracts X509 certificates stored in a user's NTUser hive | System Information |