This project is managed by ANSSI. To find out more, you can visit the page (in French) dedicated to ANSSI’s open-source strategy. You can also click on the badges above to learn more about their meaning.
| Branch | Status |
|---|---|
| main | |
| release/10.3 | |

```powershell
winget install Microsoft.Git
# Copy .vsconfig file or clone the repository and install Visual Studio
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
winget install --id Microsoft.VisualStudio.2022.BuildTools --override "--passive --config .vsconfig"
Import-Module "C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\Microsoft.VisualStudio.DevShell.dll"
Enter-VsDevShell -VsInstallPath "C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools" -SkipAutomaticLocation
.\Build-Orc.ps1 # PowerShell >=5.1
```

The script builds the x86-xp and x64-xp versions of DFIR-ORC and then packages them into DFIR-ORC.exe.
To also embed a configuration at build time using ToolEmbed:
```powershell
.\Build-Orc.ps1 -ToolEmbed .\config
```

To build specific platforms or multiple configurations:

```powershell
.\Build-Orc.ps1 -BuildConfig Debug,MinSizeRel -Platform x64-xp,x86-xp,x64,x86
```

- Visual Studio 2022 to 2026, English language pack only (vcpkg limitation)
- Select workload: Desktop development with C++
- Import the provided .vsconfig in Visual Studio Installer
- To build tests, add:
  - "Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest"
  - "Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest"
  - "Microsoft.VisualStudio.Component.VC.UnitTest"
- PowerShell 5.1+ (for Build-Orc.ps1)
A clean Windows 11 build environment can be provisioned using Hyper-V Quick Create (search for Hyper-V Quick Create in the Start menu). This creates a local VM from an evaluation image without requiring a separate download. Remaining dependencies can be installed inside the VM using 'Visual Studio Installer' by selecting 'Desktop development with C++'.
To build without the script, see Manual Build.
The script drives the full pipeline: configure > build > package with OrcCapsule > optionally embed a configuration with ToolEmbed.
```
.\Build-Orc.ps1 [[-Source] <path>]
                [[-BuildConfig] <Debug|MinSizeRel|RelWithDebInfo>[,...]]
                [[-Platform] <platform>[,...]]
                [[-BuildDir] <path>]
                [[-ToolEmbed] <config-dir>]
                [-ConfigureOnly]
                [-BuildOnly]
                [-FastFind]
```
| Parameter | Default | Description |
|---|---|---|
| `-Source` | (current dir) | Root of the DFIR-ORC source tree |
| `-BuildConfig` | `MinSizeRel` | One or more CMake build configurations: Debug, MinSizeRel, RelWithDebInfo |
| `-Platform` | `x64-xp, x86-xp` | One or more target platforms; each must match a `dfir-orc-<platform>` CMake preset |
| `-BuildDir` | `.\build` | Root directory for all CMake artifacts and packaged output |
| `-ToolEmbed` | (none) | If set, runs a ToolEmbed step using this directory as configuration source |
| `-ConfigureOnly` | (off) | Run cmake configure for all presets then stop; skip build and packaging |
| `-BuildOnly` | (off) | Run configure and build, but skip the packaging step |
| `-FastFind` | (off) | Also build and package FastFind.exe in addition to DFIR-ORC.exe |

Packaged executables are written to <BuildDir>\<config>\DFIR-ORC.exe (and FastFind.exe when -FastFind is set). When -ToolEmbed is used the configuration-embedded output is written to <BuildDir>\<config>\DFIR-ORC-ready.exe.
Examples:
```powershell
# Default release build
.\Build-Orc.ps1
# Debug build in a custom build directory
.\Build-Orc.ps1 -BuildConfig Debug -BuildDir .\out\debug
# Build two configurations in one pass for all default platforms
.\Build-Orc.ps1 -BuildConfig Debug,MinSizeRel
# Build for additional platforms (including post Seven/2008-R1 presets)
.\Build-Orc.ps1 -Platform x64-xp,x86-xp,x64,x86
# Release build with embedded configuration
.\Build-Orc.ps1 -BuildConfig RelWithDebInfo -ToolEmbed .\config
# Also produce a FastFind package alongside DFIR-ORC
.\Build-Orc.ps1 -FastFind
# Configure only (useful to pre-download vcpkg dependencies)
.\Build-Orc.ps1 -ConfigureOnly
```

- Configures the `capsule-x86-xp` preset plus one `dfir-orc-<platform>` preset per value in `-Platform`, placing each binary tree under `<BuildDir>\<preset-name>`.
- Builds every configured preset for each value in `-BuildConfig`.
- For each build configuration, runs OrcCapsule to bundle the per-platform `DFIR-ORC_<arch>.exe` artifacts into a single self-selecting `DFIR-ORC.exe`. When `-FastFind` is set the same bundling is done for `FastFind.exe`.
- (Optional) Runs ToolEmbed (via the newly packaged capsule) to inject the XML configuration and tools from `-ToolEmbed`, producing `DFIR-ORC-ready.exe`.

Use a Developer Command Prompt for VS 2022 (avoid plain cmd.exe).
```powershell
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
# Configure
cmake --preset capsule-x86-xp
cmake --preset dfir-orc-x64-xp
cmake --preset dfir-orc-x86-xp
# Build (replace MinSizeRel with your target configuration)
cmake --build --preset capsule-x86-xp-MinSizeRel
cmake --build --preset dfir-orc-x64-xp-MinSizeRel
cmake --build --preset dfir-orc-x86-xp-MinSizeRel
# Encapsulation
.\build\capsule-x86-xp\MinSizeRel\OrcCapsule.exe capsule add `
    .\build\dfir-orc-x86-xp\MinSizeRel\DFIR-ORC_x86.exe `
    .\build\dfir-orc-x64-xp\MinSizeRel\DFIR-ORC_x64.exe `
    --output .\build\DFIR-ORC.exe `
    --force
```

```powershell
$CONFIG_DIR = "C:\path\to\your\orc-config"
.\build\DFIR-ORC.exe ToolEmbed /embed="$CONFIG_DIR\config" /out=DFIR-ORC.exe
```

```powershell
$CONFIG_DIR = "C:\path\to\your\orc-config"
cp .\build\DFIR-ORC.exe "$CONFIG_DIR\tools\DFIR-ORC_x64.exe"
cd $CONFIG_DIR
.\build.cmd
```

Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. See https://dfir-orc.github.io for deployment and configuration details.

Set up the build environment by following the Quick Start section, but stop before running .\Build-Orc.ps1.
```powershell
$ORC_MIRROR = "c:\users\foo\mirror"
$ENV:VCPKG_DOWNLOADS="$ORC_MIRROR\vcpkg-downloads"
# Populate the vcpkg download directory
New-Item -type directory $ORC_MIRROR
git clone --recursive https://github.com/dfir-orc/dfir-orc.git
cd dfir-orc
# Don't use 'vcpkg install --download-only ...' which is as they state "best-effort"
.\Build-Orc.ps1 -ConfigureOnly -Platform x86-xp,x64-xp,x86,x64
Copy-Item "external/vcpkg/vcpkg.exe" $ORC_MIRROR/
# Mirror the repositories
git clone --mirror https://github.com/dfir-orc/dfir-orc.git "$ORC_MIRROR/dfir-orc.git"
git clone --mirror https://github.com/microsoft/vcpkg.git "$ORC_MIRROR/vcpkg.git"
```

Transfer the $ORC_MIRROR directory to the offline machine.
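A check worth running around the transfer step, as an added example that is not part of the DFIR-ORC repository: record a SHA-256 manifest of the mirror on the online machine and verify it on the offline machine before anything is cloned or built from it. The function names and the manifest location are assumptions; keep the manifest outside the mirror directory and carry it separately from the mirror.

```powershell
# Added example (not DFIR-ORC code). Function names and manifest location are assumptions.
# Keep the manifest outside the mirror directory so it is not hashed itself.

function Get-MirrorFile([string]$Root) {
    # Emit the relative and full path of every file under the mirror root
    $rootPath = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootPath -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName.Substring($rootPath.Length + 1); FullName = $_.FullName }
    }
}

function New-MirrorManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Manifest)
    # Hash everything first, then write the manifest in one go
    $entries = @(foreach ($f in Get-MirrorFile $Root) {
        [pscustomobject]@{
            Path   = $f.Path
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    })
    $entries | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Encoding UTF8
}

function Test-MirrorManifest {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Manifest)
    $expected = @{}   # hashtable keys are case-insensitive, like Windows paths
    Import-Csv -LiteralPath $Manifest | ForEach-Object { $expected[$_.Path] = $_.SHA256 }
    $problems = @()
    foreach ($f in Get-MirrorFile $Root) {
        if (-not $expected.ContainsKey($f.Path)) { $problems += "UNEXPECTED $($f.Path)"; continue }
        $actual = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if ($actual -ne $expected[$f.Path]) { $problems += "MODIFIED $($f.Path)" }
        $expected.Remove($f.Path)
    }
    # Whatever is left in the manifest was never seen on disk
    foreach ($rel in $expected.Keys) { $problems += "MISSING $rel" }
    $problems   # no output means the mirror matches the manifest
}

# Online machine, once the mirror is populated:
#   New-MirrorManifest -Root $ORC_MIRROR -Manifest "$ORC_MIRROR.sha256.csv"
# Offline machine, before cloning from the mirror:
#   $problems = Test-MirrorManifest -Root $ORC_MIRROR -Manifest "$ORC_MIRROR.sha256.csv"
#   if ($problems) { $problems; throw 'Mirror does not match its manifest' }
```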
Ensure Visual Studio 2022 with the Desktop development with C++ workload and PowerShell 5.1+ are installed before proceeding.
```powershell
# Adjust to where the mirror was transferred
$ORC_MIRROR = "C:\Users\bar\mirror"
$ENV:VCPKG_DOWNLOADS="$ORC_MIRROR\vcpkg-downloads" # 'Tools' subdirectory is required
```

Option A — internal git server: push the mirrors first, then clone from the server:

```powershell
git push --mirror https://internal.git/mirror/dfir-orc.git
git push --mirror https://internal.git/mirror/vcpkg.git
git clone https://internal.git/mirror/dfir-orc.git
cd dfir-orc
git -c url."https://internal.git/mirror/vcpkg.git".insteadOf="https://github.com/microsoft/vcpkg.git" `
    submodule update --init
```

Option B — local filesystem:

```powershell
git clone "$ORC_MIRROR/dfir-orc.git"
cd dfir-orc
git -c protocol.file.allow=always `
    -c url."file:///$ORC_MIRROR/vcpkg.git".insteadOf="https://github.com/microsoft/vcpkg.git" `
    submodule update --init
```

Then build:

```powershell
Copy-Item $ORC_MIRROR/vcpkg.exe "external/vcpkg/"
.\Build-Orc.ps1
```

The contents of this repository are available under the LGPL 2.1+ license.
The name DFIR ORC, the associated logo and the ANSSI logo belong to ANSSI; no use is permitted without express approval.
DFIR ORC is disclosing Microsoft source code with Microsoft's permission.

