DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parsing and collecting critical artifacts such as the MFT, registry hives, or event logs. It can also embed external tools and their configurations.
DFIR ORC collects data but does not analyze it: it is not meant to triage machines. It cannot spy on an attacker, as an EDR or HIDS/HIPS would. It instead provides a forensically relevant snapshot of machines running Microsoft Windows.
Over the years it has matured into stable, reliable software that collects unaltered data faithfully. Designed to scale to large installed bases, it can be fine-tuned to keep its impact on production environments low.
Source code and additional information may be found here: https://github.com/DFIR-ORC/dfir-orc