Skip to content

DFIR-OGRE documentation

CTRL K

CTRL K

Getting Started
- Docker‑based Installation
- Manual Installation
Usage
Built-in Plugins
Plugin Creation

File System

Extracts entries that Windows marks as excluded from Volume Shadow Copy Service (VSS) and backup operations, from the System hive

Parse the GetThis files produced by Orc and retrieve information about the collected files

Extracts information about every USB (or other) mass‑storage device ever connected to a Windows system, using data from the System hive

Reads a text file and concatenates every line into a single output line

Extract NTFS’s Master File Table (MFT) from an ORC‑generated CSV file

Extracts entries from the PendingFileRenameOperations value in the System hive

Extracts metadata from Windows recycle‑bin files

Extracts the contents of Shell Bag structures stored in the UsrClass hive

Srum Sdp Physical Disk

Srum table for windows server 2022 that tracks physical drive information

Srum Sdp Volume

Srum table for windows server 2022 that tracks storage volumes information

Parses the CSV export of the Windows USN Journal

Parses a Windows volume‑statistics csv file

Parses CSV files that list Volume Shadow Copy (VSS) snapshots

© Copyright 2026, ANSSI. The contents of this documentation is available under the Open License version 2.0 published by Etalab.

Powered by Hextra