Home
OMENScan edited this page Oct 28, 2019
·
13 revisions
AChoir - v4.0a
Every Incident Responder eventually comes to the conclusion that they need to script their favorite Live Acquisition utilities. For some reason (or many reasons) many of those Live Acquisition scripts are often shared only among trusted parties.
I have seen these scripts written in numerous scripting languages - but oddly enough, all of these scripts tend to use many of the same freely available utilities - To do mostly the same things.
It often takes a Responder several years, along with lots of trial and error to settle on a set of utilities (and options) that both work, and that provide relevant information on useful forensic artifacts.
And even though Responders often use the same utilities and are scripting them in largely the same way, each Responder has to go through the same pain of building their own script in their (not so) favorite scripting language - figuring out how to quickly and consistently gather the artifacts of most value and limit the scripting footprint.
I believe that this process of re-inventing the wheel over and over again is just silly.
That’s why I wrote AChoir.
AChoir has several goals:
-
Identify the best free forensic utilities
-
Make it easy to get these utilities and…
-
Automate the building of Acquisition toolkits with them
-
Self Document
-
Build a Framework for Live Acquisition Scripts/Toolkits
-
Minimize the impact of the scripting function on artifacts
-
Move towards a repository model for Acquisition utilities
-
Make remote acquisition as easy as local acquisition
Achoir itself is architected with two primary functional concepts:
-
To download the Acquisition utilities and organize them into a Acquisition Toolkit
-
To Run those utilities (Toolkit) in an organized way.
An AChoir script can download, and unzip these utilities in order to create a Live Acquisition Toolkit. We have provided our version of a "Build" script, but you can make your own.
The idea is to make it easily repeatable to download and organize these utilities. That is: with just AChoir and a builder script, anyone can build an Acquisition Scripting Toolkit.
This has the additional benefit of documenting where everything came from.
The second functional concept of running the Acquisition Script to gather artifacts is obvious. But what AChoir tries to do is make that experience consistent and repeatable. Achoir creates unique directories for every Acquisition run, and has built in functions like hashing and Raw NTFS File Copy. In this way we are creating both a consistent framework and a scripting language that is targeted specifically at Live Acquisition.
I would say, you could almost everything Achoir does with any scripting language - If that is what you want to do. In fact, that is how AChoir started life. But Achoir’s goals are to make Live Acquisition scripting consistent and to eventually create a respository for Live Acquisition utilities to make the whole process easier for Responders.
We are also very sensitive to the "Observer Effect" problem when Acquiring artifacts, and Achoir will continue to be coded in a way to minimize disturbing the artifacts. This takes some work when writing your own Live Acquisition scripting programs.
The Achoir scripting language has two primary concepts:
-
Objects
-
Actions
Actions are the thing you want to do. Objects are the thing(s) you want to do the Actions against. Actions always start in column 1, they are three letters folowed by a colon(:).
Note:As of AChoir v0.99 Actions can be indented using tabs or spaces.Objects Can go anywhere and start with an ampersand(&) followed by three letters.
Here is a simple example:
Dir:\Test
Say:The Current Directory is: &DirIn this example, a lot of things are going on. First the &Dir object is being set by the DIR: action. In addition, if that directory does not exist it will be created. All directories are created RELATIVE to the directory Achoir was run from. doing this ensures consistency every time Achoir is run, and prevents one set of artifacts from stepping on another set.
The next statement (SAY:) then prints the text and &Dir object to both the screen, and a unique LogFile for each run.
Here is another Example:
ACQ:\Reg
NCP:"C:\Users\*\NTUSER.DAT" "&Acq"In this example our goal is to Copy all User NTUSER.DAT Registry files under the C:\USERS Directory. We want to do this using AChoir’s built-in NTFS Raw Copy Action. Using AChoir’s NTFS Raw Copy allows us to copy open and locked files, and bypasses the NTFS file system to avoid modifying any Time Stamps. We do this to make the footprint as small as possible to make the File Copy more "forensically sound" by preventing unwanted modifications to the file system (Accessed) TimeStamps.
First we set the Acquisition Sub-Directory (ACQ:) object (&Acq) to "\Reg" This is a path directly under the unique generated Acquisition Directory.
Next, the NCP: action copies any/all NTUSER.DAT files found in any NTFS subdirectory under C:\Users (Note: wildcards are also valid) into the &Acq directory.
Here is a list of all the Actions and Objects:
Actions:
========
SET:Cache=Local Used in Conjunction with SMB (MAP:) collections
Uses the Local (Target) machines drive to cache working files
This will impact Forensic Soundness - but it makes
Processing much faster since AChoir does not have to Cache
files over the network
SET:Cache=Movable (Default) - Used in Conjunction with SMB (MAP:) collections
Uses the Remote (SMB) drive to cache working files. This
Prevents files from being written to the target machine, but
Processing is slower since AChoir will have to Cache files
over the network
SET:MapErr=Continue If a MAP: fails to Map a drive
Continue. The Return code will be
Set to 1 (This is the default behavior)
SET:MapErr=Fail If a MAP: fails to Map a drive
Fail and Exit out of AChoir
SET:MapErr=Query If a MAP: fails to Map a drive
Query for the server to be re-entered
SET:SyslogL=<syslogging Level> Sets the Syslog Level.
Options are: none, min, max
The default is NONE (No Syslogging)
SET:SyslogP=<syslog Server Port> Sets the Syslog Server Port
SET:SyslogS=<syslog Server IP> Sets the Syslog Server
IP Address, and sets the Syslog Level to 1
Syslogging will immediately begin.
SET:NCP=NODCMP Sets the NCP: (NTFS Raw Copy) to NOT
DeCompress LZNT1 compressed files.
Instead, the RAW Compressed data will
be extracted (and must be manually
decompressed to use it).
SET:NCP=DECOMP DeCOMPRESS LZNT1 files. This is more
or forensically sound. Since LZNT1 compressed
SET:NCP=RAWONLY files are not usable in their RAW COMPRESSED
form, AChoir will attempt to decompress
the file using a built-in LZNT1 Decompressor.
Note: There will be TWO files: The original
COMPRESSED file (LZ) AND an UNcompressed version
with the original file name (or possibly an "(LX)"
extension (see below).
SET:NCP=OSCOPY Sets the NCP: (NTFS Raw Copy) to
copy a file using the OS API if
DeCOMPRESSION ERRORS are encountered. This is
a CHANGE from AChoir 1.9 behavior. This is not
as forensically sound (it may leave artifacts)
as the DECOMP/RAWONLY option.
Note1: This setting will ONLY call OS Copying
if the LZNT1 DeCompression has ERRORS.
Note2: THREE files can be created: The original
COMPRESSED file (LZ), a Decompressed version with
a "(LX)" appended, and a THIRD copy of the file
written through OSCopying with the original file
name.
SET:CopyPath=None Set the NCP: and CPY: Copy Path to None.
This will ignore the paths of the source files
and copy everything into the directory destination.
SET:CopyPath=Full Set the NCP: and CPY: Copy Path to Full.
This will append the source file's copy path
to the output directory. This allows the examiner
to quickly see exactly where the source file came from
SET:CopyPath=Part Set the NCP: Copy Path to Partial and CPY: Copy Path to Full.
This only works for NCP: Copy, and will copy ONLY the path
after any wildcards. This allows the examiner to see the
RELATIVE path the the source files were in
SET:CopyDepth=nn Set the Directory Depth for CPY: Default is 10 Subdirs.
Note: This is not used by NCP: - Only CPY:
SET:Trim=Yes When using &For or &Lst, Trim leading and trailing spaces (Default)
SET:Trim=No When using &For or &Lst, DO NOT Trim leading and trailing spaces
SET:DELIMS=<chars> These are the delimiters that the &FOR and &LST objects
will use to Parse out &FO0-&FO9 and &LS0-&LS9
<chars> can be up to 5 characters.
Example: SET:DELIMS=,\ (will set delimiters to , AND \)
SAY: Echo Text and Objects to the Screen and Logfile
CON:Hide Hide The Console Screen - For quiet Acquisition
DO NOT USE IF YOU HAVE SCREEN INPUT - For any
Input be sure to Show any Hidden Screen
CON:Show Show a Previously Hidden Console
Be Sure to Show any hidden screens before needed
Input.
CON:MSGLevel=<min>, <std>, <max>, <debug> Set console messages level.
Levels break down (generally) as follows:
min=Just display the command, progress and critical errors
but no output
std=Display the command, progress, critical errors,
and standard output
max=Display the command, progress, critical errors, warnings,
standard and extended output
debug=display everything, including internal debugging information
SLP:<Sec> Sleep for <Sec> Seconds
NTP:<FQDN> Set the FQDN of the NTP Server.
Note: This WILL NOT do an NTP request. It ONLY
sets the FQDN of the NTP Server to use.
ADM:Check Check if AChoir is running as an Administrator,
and warn if it is not
ADM:Force Check if AChoir is running as an Administrator,
and EXIT OUT if it is not
INP: Input from console. (INP:<Display This Text>)
Display text and get input into variable &Inp
IMPORTANT NOTE: Longer input is TRUNCATED to 250 chars
EQU:<string1> <string2> - Is <string1> equal to <string2>
if True run the statements until an END:
Note: Use "" to use strings with spaces in them
NEQ:<string1> <string2> - Is <string1> NOT Equal to <string2>
if True run the statements until an END:
Note: Use "" to use strings with spaces in them
N>>:<Number1> <Number2> - Is <Number1> Greater Than <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
N<<:<Number1> <Number2> - Is <Number1> Less Than <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
N==:<Number1> <Number2> - Is <Number1> Equal to <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
INI: SWITCH to another Script File (INI:F:\NewScript.Acq)
Note: This WILL NOT RETURN to the calling script.
INI:Console - Switch to Interactive Console Mode
CSE:SAY Display Optional Case Information ans write it to Log
CSE:GET Input Optional Case Information - ONLY allowed ONCE
per session to avoid ambiguity.
GET: Get a file using HTTP into &Fil
Note: &Fil (FIL:) MUST BE SET TO THE FULL PATH OF
THE NEW FILE!
EXE: Run a Program and wait for completion (P_WAIT)
EXA: Run a Program and DON'T wait for completion (P_NOWAIT)
EXB: Run a Program in the background (P_DETACH)
SYS: Execute a System Command using the OS Shell
CMD: Execute a System Command using AChoir's Command Shell
USR:<UserId>
UserId to use when mapping a drive (Optional)
USR:? Will query for the UserId for Drive Mapping
PWD:<Password>
Password to use when mapping a drive (Optional)
PWD:? Will query for the Password for Drive Mapping
MAP: Map to a remote drive share (\\<server>\<share>) and use
it as the Acquisition Directory
SHR: Create a Share (SHR:<x:\ShareDirectory> <ShareName>)
Used for Remote Acq to map back to Achoir Directory
SHD: Delete a local Share (SHD:<ShareName>)
ACQ: Tell Achoir to create a unique Acquisition directory
DIR: Set the &Dir object and create the directory if needed
FIL: Set the &Fil object (File)
DRV: Set the &Drv object (Drive - ie. X:)
VR0: - VR9:
Set the &VR0 - &VR9 variables
CN0: - CN9: <Number to Set> or ++ or --
Set the &CN0 - &CN9 variables
Increment/Decrement with CNx:++ and CNx:--
HSH:ACQ Hash everything in the &ACQ directory and subdirectories
HSH:Dir Hash everything in the &DIR directory and subdirectories
FOR: Set the &FOR object. This is a Looping object based on
Files - For instance "FOR:C:\Users\*.DAT" will define
All *.DAT Files under C:\Users. In this way a single
command can be run iteratively against all of these files.
DSK:<typ>Set the &DSK object. This is a Looping object based on
all attached/mounted disks that match the <typ>
<typ> can be: Fixed, Remote, Remove, CDRom, RamDisk
LST:<FileName>
Set the &LST object. This is a Looping object based on
Lines in the <FilName>. In this way a single command can
be run iteratively replacing the &For variable with each
entry in the <FileName>.
CPY: Copy Files (CPY:<FromFile> <ToFile>) - Supports Quotes
Supports Wildcard. Important Note: CPY: WILL RECURSE THROuGH
SUBDIRECTORIES ONLY IF A WILDCARD IS USED.
CPS: Copy Files (CPS:<FromFile> <ToFile>) by Signature
(Loaded by the Sig: command)
Supports Wildcard. Important Note: CPY: WILL RECURSE THROuGH
SUBDIRECTORIES ONLY IF A WILDCARD IS USED.
VCK:<x:> Check if the Volume <x:> is NTFS, FAT32, CDFS, Other, None
(Used for conditional execution if Vol is/not NTFS)
NCP: NTFS Raw File Copy - Supports Wildcards (* and ?)
NCP:<File(s) to Copy> <Destination Directory>
Note: COMPRESSED Files will ALSO be copied using the OS
API unless SET:NCP=RAWONLY is set.
Sig:Clear Clears out the AChoir Signature Table
Sig:<Typ=xxxx>
Loads a File Signature ino the Signature Table. The first
variable is the File Type, the second is the Hex Signature
(must be in the form of XX).
Signature Type can be up to 10 bytes (i.e JPG, JPEG, MOV, etc)
Signatures can be up to 32 Chars (16 bytes)
There cane be up to 100 Active Signatures loaded.
(Sig:Clear - Clears the table back to 0)
NCS: NTFS RAW Copy Files by Signature (Loaded by the Sig:
command - Supports Wildcards (* and ?)
ARN: Search Registry Run Key and copy the EXEs
(possible malware persistence)
ARN:<Offline Registry>
By adding an Explicit Path to a SOFTWARE Offline Registry
File, AChoir will try to find the Run Keys and copy the
EXEs. This is the DeadBox equivalent of ARN:
USB:Protect Sets the Windows USB WriteProtect Registry key to 1
(Enable USB Write Protection) - Newly attached USB
devices will be write protected by Windows
USB:Enable Sets the Windows USB WriteProtect Registry key to 0
(DISABLES USB Write Protection)
CKY: Check if a File exists. If it does, run until an "END:"
action
64B: Check if 64 Bit AChoir is Running - If so, run until an "END:"
action
32B: Check if 32 Bit AChoir is Running - If so, run until an "END:"
action
CKN: Check if a File does not exist. If it doesn't, run until
an "END:" action
RC=: If the Last MAP:, GET:, SYS: or EXE: command was this return code
run the statements until an END:
RC!: If the Last MAP:, GET:, SYS: or EXE: command was NOT this return code
run the statements until an END:
RC>: If the Last MAP:, GET:, SYS: or EXE: command return code was >
run the statements until an END:
RC<: If the Last MAP:, GET:, SYS: or EXE: command return code was <
run the statements until an END:
VER:<verkeyword>
Check the passeed OS Version <verkeyword> Keyword to see if that
OS version is running. If so, run the statements until END:
Note: the valid <verkeyword> keywords are:
WinXP, WinXP64, Vista, Win7, Win8, Win8.1, Win10
Win2000, Win2003, Win2008, Win2008R2, Win2012, Win2012R2,
Win2016, Server, Client
Note2: Use this function with Caution - For various reasons Windows
CAN report the wrong version. This is a limitation of the
Windows Platform and APIs
END: End Conditional Statement execution.
LBL:<LabelName>
Define a Label that can be Jumped to (JMP:<LabelName>)
JMP:<LabelName>
Jump to a defined Label (LBL:<LabelName>)
BYE: Exit AChoir (usually used in Console Mode or Conditional section
XIT:<Exit Command>
Run Command or Program on Exit
MAX:nnnnnnnnn
Maximum File Size (And Memory Allocation) For NTFS Raw Copy
- Default is 999999999 (1GB)Objects:
========
&Dir The Current Directory Object
&Inp Input from console (INP: Action)
&Tim The Local Time Set on the computer - Please Note: It may not be accurate.
&Ntp Query the NTP Server and display the Time. Used for Time Drift.
&Fil The Current File Object
&Acq The Current Acquisition Directory
&Acn The Current Acquisition Name
&For An array of File objects set by the FOR: action
&FO0-&FO9 The &FOR object parsed into 10 variables using
the Delims (See SET:DELIMS=)
&Lst An array of text objects set by the LST: action
&LS0-&LS9 The &LST object parsed into 10 variables using
the Delims (See SET:DELIMS=)
&DSK An Array of Disk objects set by the DSK: action
&Num The array number of each &For Object
&Win The Windows Root Directory
&CHK The FileName that was Checked for (non) existence by the
CKN: and CKY: actions
&RCD The Last Return Code set by a SYS: or EXE: action
&Drv A variable used to hold a Drive Letter (C:, D:, etc...)
&Map A variable used to hold the last Mapped Drive Letter (Z:, Y:, etc...)
&Tmp The Window %Temp% variable
&FNM Each &FOR File Name (Without Path)
&VR0 - &VR9 Variables set by the VR0: - VR9: Actions
&CN0 - &CN9 Counters set and incremented/decremented by the CN0: - CN9: Actions
&CNR AFTER using the &FOR or &LST variable the number of records counted is
stored here
&VCK Results of last Volume Check (VCK:<x:\>
&MEM System Memory
&DSA Disk Space Available
%<variable>% - AChoir can also expand the native DOS/Windows Environment Variables
Note: To use a native % (prevent expansion) in a script, use %% Here are the Command Line Options:
/HELP - Help
/BLD - Run the Build.ACQ Script (Build the AChoir Toolkit)
Note: This option WILL NOT Create an Acquisition Base Directory - BE AWARE!
/RUN - Run the AChoir.ACQ Script to do a Live Acquisition
This option WILL Create a Base Acquisition Directory
/MNU - Run the Menu.ACQ Script (AChoir Menu)
Note: This is a simple Menu Script for selecting an AChoir script to run.
/CON - Run In Interactive Mode (Same as /Ini:Console)
/CSE - Interactive/Console Query for Case Information
/GET:<URL> Get a file using HTTP, before doing the collection.
Note: The FileName will be set to the URL FileName (after last "/").
The File will be placed in the Root Directory of AChoir
ANY PRIOR VERSION OF THE FILE WILL BE DELETED
/INI:Console - Run In Interactive Mode (Console Input)
/INI:<File Name> - Run the <File Name> script instead of AChoir.ACQ
This Option WILL NOT Create a Base Acquisition Directory
Use the ACQ: action to create the Base Acquisition Directory if you want one.
/DRV:<x:> - Set the &DRV parameter
This option is designed to allow you to build dead-box scripts,
and specify a drive variable (the drive letter that has been mounted).
/USR:<UserId> - UserId to use when mapping a drive (Optional)
/USR:? Will query for the UserId for Drive Mapping
/PWD:<Password> - Password to use when mapping a drive (Optional)
/PWD:? Will query for the Password for Drive Mapping
/MAP:<\\Server\Share> - Map a network drive - THIS SETS THE ACQUISITION AND
CURRENT DIRECTORIES TO THE MAPPED DRIVE - This is mostly used for REMOTE
Acquisition
/VR0: - /VR9:
Set the &VR0 - &VR9 variables from the command line. These can be used
to pass variables to the AChoir Scripts.A note about Conditonal Logic
(CKY:, 64B:, 32B:, CKN:, RC=:, RC!:, RC>:, RC<:, END:, LBL:, JMP:, VER:)
Conditional Logic doesn't make much sense in Interactive Mode (/CON), but you may want to know
these various conditions. AChoir is coded to give the results of these comparisons in
Interactive Mode, and to take Conditional Action in regular Scripted Mode. In Interactive Mode
Achoir WILL NOT take conditional action.A note about Syslogging
By default Syslogging is turned OFF - This is in keeping with my desire to keep the AChoir
footprint minimal, and have as little impact on the target machine as possible. In some cases
however, the need run and track AChoir across many machines overides the above.
To turn Syslogging on, simply set the Syslog Server IP (SET:SyslogS=nnn.nnn.nnn.nnn). AChoir
is currently written to have three logging levels (none, min, max). Please note that the current
Syslogging capability is just a way to monitor the progress of AChoir, and it does not log
extensively like the local log. Continue to use the local log to get a full picture of everything
AChoir has done (including errors).A note about Case Information (/CSE, CSE:GET, CSE:SAY)
To avoid any accidental confusion about Case information (that may jeopardize non-repudiation),
I have coded AChoir to disallow changing Case information after it has been displayed. Some may
find this draconian, but it is important to avoid ambiguity when doing forensic analysis, so
I have chosen to disallow changing Case information even if the default settings are displayed.
Also Note: Case Information is entirely optional - You can use AChoir without entering any
Case Information, and this is the default (so AChoir can run fully unattended)A note about NTP (NTP: and &NTP)
Achoir can query an NTP server to display the Accurate Time. This is most useful when identifying
Time Drift when gathering artifacts. For Example:
NTP:windows.time.com
SAY:Local Time: &Tim - NTP Time: &Ntp
BY DEFAULT NONE of the default/provided scripts use NTP. This is for three reasons:
1. It's bad form to put NTP servers in any default config files.
2. It opens a UDP Port (123) and communicates with an NTP server, and that may be
considered contamination.
3. NTP is UDP and it may not work in situations where NAT is used and/or NTP is blocked
(Your Firewall may need to be configured to allow NTP)
AChoir's NTP client may be useful in many situations to identify Time Drift, but please take
into account the issues above before using this function.A note about EXE: EXA: and EXB:
Under normal circumstances I recommend using EXE: to execute programs, it is much easier to
control the script when things are run sequentially, but in cases where there may be several
machines running AChoir, or Execution Time is limited or important, one may want to run
several programs Concurrently or in the Background. The primary problem with this method
is that one cannot know when these Asynchoronously run programs will complete.
Use EXA: and EXB: judiciously, bearing in mind that NOT ONLY will they complete at different
times, but the AChoir Script ITSELF will continue to run as these programs also run in
parrallel. In fact, AChoir could even complete and exit while these programs are still
executing. This can have major implications for your AChoir scripts. A note about System32 File ReDirection:
When Non-Native programs (for instance 32 bit programs on 64 Bit Windows) are run, the
Operating System will redirect files located in the %SystemRoot%\System32 directory to
a different directory. This directory can be different based on circumstances, but its
alias is always %SystemRoot%\Sysnative. I am slowly building this into all the parts
of AChoir. This can be seen in the CPY: and NCP: Copy functions and the FOR: function.
Achoir will try to detect if it is not running Native, and will adjust some of it's
actions based on that. Whenever AChoir does this, it will note it on the screen and
in the Acquisition Log.
One may wonder - why not just use whatever Windows tells us. The answer to that is
simple: If we are running AChoir on an endpoint, we may be interested in BOTH the
32Bit artifacts AND the 64Bit artifacts. Since BOTH can be present, and BOTH may
be relevant to an investigation, AChoir will always try to get both artifacts if
it can.A note about /GET:
The /GET: Option will get a file using HTTP (HTTPS is not supported). This is a way
to get a file from a Web Server that will be used in the acquisition. This can be
used in a multitude of ways - but the most obvious is to host an AChoir Script on
a Web Server, download it and run it.
This would look like:
achoir /get:http://192.168.1.1/Test1.txt /ini:Test1.txtA note about FOR:
In order to allow both current directory searches and current+subdirectory searches
I have come up with the following nomenclature:
* If a BackSlash is present (for instance FOR:.\files.*) AChoir will search the current
directory and all subdirectories
* If a BackSlash IS NOT present (for instance FOR:Files.*) Achoir will ONLY SEARCH
the CURRENT directory.
I believe this is the easiest way to support both types ofsearches. A note about SET:TRIM=<yes> or <No>
Achoir is designed to work with Built in DOS utilities and commands. I have found that
Redirecting output to a file can OFTEN add eroneous spaces which then make parsing
difficult. To overcome that, I have added the ability to Trim or Not Trim &For and &Lst
file enumeration. Trimming is on by default, but if you don't want it, you can turn it off.A note about LZNT1 Decompression
Building a working LZNT1 decompressor has been a huge challenge. With the addition of
Yogesh Khatri's bug fixes, I believe it is now stable. Nonetheless, I am leaving in the
LZNT1 decompressor fallback:
1. If an NTFS file is compressed AChoir will identify it and copy the raw data file
preserving the compression. It will append an (LZ) extention to the file to identify it as
an LZNT1 compressed file.
2. AChoir will then try to decompress the raw data into ANOTHER file. It will try to use the
original file name (this makes identifying the files easier).
3. If that doesn't work properly it will append an (LX) extentions to the file (LZNT1 Xtracted)
and it will then use standard OS APIs to copy the file with original name
You can therefore have up to 3 copies of the same file:
* Raw compressed file (LZ)
* Uncompressed file created by AChoir LZNT1 decompressor (LX)
* Uncompressed file using standard OS Copy (decompress through the OS)
If you are concerned with Forensic soundness, you can TURN OFF the OS Copy routine using the
SET:NCP=RAWONLY option in AChoir. This may mean that you will not have a working/readable file,
and you will need to extract that file using another means.
I am continually working on the LZNT1 decompressor to make it more resilient to errors.Artifacts that AChoir itself generates:
Achoir itself will generate a few files. These are meant to increase non-repudiation and make the artifacts easier to use. Logfile (ACQ-IR-<name>-<date>-<time>.txt ---------------------------------------- Achoir will create a logfile for each acquisition in the /Logs directory. The log contains both the actions taken by AChoir and additional information such as the hash of each program that is run. DirHash.txt ----------- When requested in the AChoir Script (HSH:DIR), Achoir will hash all files starting at the directory AChoir is run from (AChoir's root directory) and store the MD5 hashes in this file. ACQHash.txt ----------- When requested in the AChoir Script (HSH:ACQ), Achoir will hash all acquired artifacts and store the MD5 hashes in this file. Index.htm --------- Achoir will generate an Index.htm file for every acquisition. This file can be opened with your favorite web browser to browse and open the acquired artifacts. This is an incredibly simple but useful feature. x-MFT.db --------- Achoir will generate an SQLite database when using NCP: Raw Copy. This database is a subset of the $MFT for that volume - used to make searching for wildcards faster. ForFiles --------- Achoir will create a temporary file in the Acquisition Cache Directory called "ForFiles" every time the FOR: Action is used. ForFiles contains the results and is used when the &FOR Looping object (variable) is used. ForDisks --------- Achoir will create a temporary file in the Acquisition Cache Directory called "ForDisks" every time the DSK: Action is used. ForDisks contains the results and is used when the &DSK Looping object (variable) is used. MCpFiles --------- Achoir will create a temporary file in the Acquisition Cache Directory called "MCpFiles" every time the CPY: Action is used for multiple files. AChoir first recurses through the file directory, saves what it finds in the MCpFiles file, and then copies all the files saved in the MCpFile. Acknowledgements: IMPORTANT NOTE: I could not have implemented the NTFS Raw Copy Function without the Excellent NTFS tutorial at: http://www.installsetupconfig.com/win32programming/windowsvolumeapis1index.html<br> Much of the code in the Achoir NTFS Raw Copy function is directly from this tutorial. And I want to publicly thank them for making this example code available. AChoir also heavily uses the LZNT1 decompression code from ReactOS at: https://doxygen.reactos.org/d0/dd2/sdk_2lib_2rtl_2compress_8c_source.html Last Thoughts: The AChoir language is pretty simple. And I will do my best to keep it that way. To best understand it, please take a look at the Build.ACQ and Achoir.ACQ scripts