Forensics artefact collection tool for systems running Microsoft Windows

Build Status LGPL licensed





  • Visual Studio >=2017 with this configuration or alternatively use vstools
  • Kitware's CMake >= 3.12 or Visual Studio 2017 integrated version
  • LLVM's Clang Format >= 8.0.0 or Visual Studio 2019 integrated version

NB: Visual Studio 2019 16.3 (and 16.4 preview 1) can now compile DFIR ORC.

The build environment can be set up quickly using Microsoft's developer virtual machines. Import this .vsconfig from Visual Studio Installer.


Both 32-bit and 64-bit versions should be built for maximum compatibility before deployment. See for more details about deployment and configuration.

git clone
cd dfir-orc
mkdir build-x86 build-x64

cd build-x86
cmake -G "Visual Studio 16 2019" -A Win32 -T v141_xp -DORC_BUILD_VCPKG=ON ..
cmake --build . --config MinSizeRel -- -maxcpucount

cd ../build-x64
cmake -G "Visual Studio 16 2019" -A x64 -T v141_xp -DORC_BUILD_VCPKG=ON ..
cmake --build . --config MinSizeRel -- -maxcpucount

  • The -T v141_xp option allows compatibility with Windows XP SP2 and later; it can safely be removed if this is not required.

  • The ORC_BUILD_VCPKG=ON option builds the vcpkg packages in the 'external/vcpkg' subdirectory.
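
Before deploying, it is worth confirming that each binary really is the architecture you think it is and that the XP toolset took effect. The following is an added example, not part of the DFIR ORC project: it reads the PE header of a built executable and reports its machine type and subsystem version. The function names are hypothetical, the sample headers are constructed for the demonstration, and the 5.01 (x86) / 5.02 (x64) subsystem versions expected from an `_xp` toolset are an assumption about MSVC linker behaviour rather than something stated on this page.

```python
import struct
import sys

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def pe_info(data: bytes):
    """Return (architecture, (major, minor) subsystem version) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if len(data) < pe_off + 24 + 52 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    opt = pe_off + 24                                     # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Major/MinorSubsystemVersion sit at offset 48 in both PE32 and PE32+.
    major, minor = struct.unpack_from("<HH", data, opt + 48)
    return MACHINES.get(machine, hex(machine)), (major, minor)

def xp_compatible(data: bytes) -> bool:
    """True if the loader on Windows XP (5.1) / XP x64 (5.2) would accept the image."""
    arch, version = pe_info(data)
    # Assumption: _xp toolsets link with 5.01 (x86) or 5.02 (x64); others use 6.00.
    limit = {"x86": (5, 1), "x64": (5, 2)}.get(arch)
    return limit is not None and version <= limit

def sample_header(machine: int, magic: int, major: int, minor: int) -> bytes:
    """Constructed minimal header for the demonstration (not a runnable binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    opt = struct.pack("<H", magic) + b"\0" * 46 + struct.pack("<HH", major, minor)
    return dos + coff + opt

if __name__ == "__main__":
    for path in sys.argv[1:]:                             # paths to built binaries
        with open(path, "rb") as handle:
            head = handle.read(4096)
        arch, version = pe_info(head)
        verdict = "XP-loadable" if xp_compatible(head) else "not XP-loadable"
        print(f"{path}: {arch}, subsystem {version[0]}.{version[1]:02d}, {verdict}")
```

Run it against the executables produced in build-x86 and build-x64; a binary built without -T v141_xp should be reported as not XP-loadable.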


Using the default options is recommended, with the exception of ORC_BUILD_VCPKG, which should be set to ON so that dependencies are built automatically using vcpkg.

CMake option            Default                  Description
ORC_BUILD_VCPKG         OFF                      Build vcpkg dependencies
ORC_BUILD_APACHE_ORC    OFF                      Build Apache Orc module
ORC_BUILD_CHAKRACORE    OFF                      Build with ChakraCore support
ORC_BUILD_FASTFIND      OFF                      Build FastFind binary
ORC_BUILD_ORC           ON                       Build Orc binary
ORC_BUILD_PARQUET       OFF                      Build Parquet module (x64)
ORC_BUILD_SQL           OFF                      Build SQL module [1]
ORC_BUILD_SSDEEP        OFF                      Build with ssdeep support
ORC_USE_STATIC_CRT      ON                       Use static runtime
ORC_VCPKG_ROOT          ${ORC}/external/vcpkg    VCPKG root directory

[1] ORC_BUILD_SQL=ON requires SQL Server Native Client

Note: Some combinations may be irrelevant.

Build vcpkg dependencies manually

See the top-level CMakeLists.txt for a complete list of the dependencies to install. Building with mainstream vcpkg may not work, as some packages have custom patches. VERSION.txt contains the reference commit from the official vcpkg repository.

cd external/vcpkg
vcpkg --vcpkg-root . install fmt:x64-windows-static ...


DFIR ORC is disclosing Microsoft source code with Microsoft's permission.
