The script create_dfir_orc_config.py converts artifact definitions from YAML format to DFIR ORC XML format. The script is specifically designed to process artifact definitions from the ForensicArtifacts repository, focusing only on Windows artifacts.
DFIR-ORC is a forensic artifact collector for Windows : https://github.com/DFIR-ORC/dfir-orc
Required Python libraries: requests, pyyaml
To automatically download the artifact definitions and convert them to DFIR ORC XML format:
python3 create_dfir_orc_config.py --autoThe converted files will be saved in the DFIR-ORC-Config directory.
To convert artifact definitions from a specified input directory to a specified output directory:
python3 create_dfir_orc_config.py path/to/input_dir path/to/output_dir- path/to/input_dir: The input directory containing YAML files (can contain subdirectories). Defaults to ForensicArtifacts_to_convert.
- path/to/output_dir: The output directory for the converted XML files. Defaults to DFIR-ORC-Config.
--auto: Automatically download and extract artifacts from the ForensicArtifacts repository.
- test the generated configurations
- ForensicArtifacts to KapeFiles
other repo getting more artifacts: https://github.com/mthcht/KapeFiles2DFIR-orc-config