Skip to content

DFIR-OGRE documentation

CTRL K

CTRL K

Getting Started
- Docker‑based Installation
- Manual Installation
Usage
Built-in Plugins
Plugin Creation

Windows Artefacts

Enumerates every user‑specific COM class identifier (CLSID) stored in the UsrClass hive

Extracts every CLSID registration stored in the machine‑wide Software hive

Extracts every pieces of metadata that is stored in a Windows Shell Link file

Parses files produced by the GetObjInfo utility, extracting Windows object information from the object manager namespace

Extracts detailed information from Windows Registry hive files

Srum Energy Usage

Srum table that tracks stores the per‑process estimates of how much electrical energy Windows thinks each component has consumed over time

Srum Energy Usage Long Term

Srum table that tracks long term, per‑process estimates of how much electrical energy Windows thinks each component has consumed over time

Srum Tagged Energy

Parse data from Srum tagged_energy table {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4} ()

Parse data from Srum vfuprov table {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}

Srum Wpn Provider

Srum table that tracks telemetry that Windows collects about the Windows Push Notification (WPN) service – i

© Copyright 2026, ANSSI. The contents of this documentation is available under the Open License version 2.0 published by Etalab.

Powered by Hextra