
Remote Acquisition with AChoir

OMENScan edited this page Oct 3, 2015 · 3 revisions

Doing Remote Acquisition with AChoir

I designed AChoir specifically to make both Local and Remote Acquisition work the same way.

To do this, I relied on writing all artifacts to a Drive and Directory.

Doing a remote acquisition, then, is a simple matter of mapping a remote drive and running AChoir from that drive. This also has the effect of writing the artifacts back to that same mapped remote drive.

AChoir has built-in functions to map remote drives and reference them by variables in AChoir scripts, which makes this simple. Here is a simple example:

  • SAY: 1. Mapping Remote Drive...

  • MAP:

  • SAY: 2. Now Switching To Remote Script...

  • INI:&Map\Remoted.Acq

Or if we know that we want to MAP to Server1 with Share2 we could use:

  • SAY: 1. Mapping Remote Drive...

  • MAP:\\Server1\Share2

  • SAY: 2. Now Switching To Remote Script...

  • INI:&Map\Remoted.Acq

Both of these examples will work.

The AChoir installation already includes two scripts for remote acquisition: Remote.ACQ and Remoted.ACQ.

To do a remote Acquisition:

First, install AChoir on the remote file share that you will map to. This is where AChoir will get its remote utilities, and where it will store its artifacts. Next, copy the Remoted.ACQ script from the /Scripts directory to the root directory so AChoir can find it. If you like, you can reference the Remoted.ACQ script from the /Scripts directory, but moving it to the root directory makes things simpler.

Next, copy AChoir.exe and Remote.ACQ to a USB drive or to the local disk drive of the machine to be acquired. You can also edit the Remote.ACQ file to MAP: directly to the remote Machine\Share, but that is not necessary. AChoir will ask for the remote Machine\Share if one is not specified, and will continue to ask until it can successfully map a remote drive.

To make this even easier, you can rename Remote.ACQ to AChoir.ACQ, which will make it the default script, meaning that by just typing "AChoir", AChoir will run the remote acquisition script.
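The staging steps above, as an added PowerShell example that is not part of the AChoir project: it copies the install to the share, puts Remoted.ACQ in the share root, puts AChoir.exe and Remote.ACQ on the USB drive, and verifies the layout. The install directory, share path, USB drive letter, and the location of Remote.ACQ inside the install are assumptions.

```powershell
# Constructed helper, not part of AChoir: stages the files the steps above
# describe, then verifies the layout before anyone runs AChoir on a target.
param(
    # Assumed values: where AChoir was unpacked locally, the share to map to,
    # and the removable drive that will be carried to the machine to acquire.
    [string]$InstallDir  = 'C:\Tools\AChoir',
    [string]$RemoteShare = '\\Server1\Share2',
    [string]$UsbRoot     = 'E:\',
    # Rename Remote.ACQ to AChoir.ACQ so that typing "AChoir" runs it by default.
    [switch]$MakeDefault
)

$ErrorActionPreference = 'Stop'

# 1. The share holds the full install: AChoir fetches its utilities from here
#    and writes the acquired artifacts back to the same mapped drive.
Copy-Item -Path (Join-Path $InstallDir '*') -Destination $RemoteShare -Recurse -Force

# 2. Remoted.ACQ must sit in the root of the share, not only in \Scripts,
#    because the local script hands off to it with INI:&Map\Remoted.Acq.
Copy-Item -Path (Join-Path $RemoteShare 'Scripts\Remoted.ACQ') -Destination $RemoteShare -Force

# 3. Only the executable and the local-side script go on the USB drive.
#    Remote.ACQ is located by search (assumption: it ships inside the install).
$remoteAcq = Get-ChildItem -Path $InstallDir -Filter 'Remote.ACQ' -Recurse -File |
             Select-Object -First 1
if (-not $remoteAcq) { throw "Remote.ACQ not found under $InstallDir" }
Copy-Item -Path (Join-Path $InstallDir 'AChoir.exe') -Destination $UsbRoot -Force
$localScript = Join-Path $UsbRoot 'Remote.ACQ'
Copy-Item -Path $remoteAcq.FullName -Destination $localScript -Force
if ($MakeDefault) {
    Rename-Item -Path $localScript -NewName 'AChoir.ACQ' -Force
    $localScript = Join-Path $UsbRoot 'AChoir.ACQ'
}

# 4. Verify the layout before the drive leaves the responder's desk; a file
#    missing here would surface later as a failed MAP: or INI: on the target.
$required = @(
    (Join-Path $RemoteShare 'AChoir.exe'),
    (Join-Path $RemoteShare 'Remoted.ACQ'),
    (Join-Path $UsbRoot 'AChoir.exe'),
    $localScript
)
$missing = $required | Where-Object { -not (Test-Path -LiteralPath $_) }
if ($missing) { throw "Staging incomplete, missing: $($missing -join ', ')" }
Write-Output "Staged: share $RemoteShare ready, local script $localScript in place."
```

Run it with -MakeDefault when you want the USB copy to carry AChoir.ACQ instead of Remote.ACQ; otherwise the files land exactly as the steps above describe.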

Or use the command line:

AChoir can also do Remote Acquisition without a local Script file. To do this, use AChoir’s command line options: /USR:, /PWD:, and /MAP:.

Note: If you choose not to enter a Password (/PWD:) or UserId (/USR:) on the AChoir command line, Windows will prompt you for them. So /USR: and /PWD: are optional.

Using these options from the command line works differently than if they are in an AChoir Script file. I did this so that AChoir can be run completely with a single executable and no local Script file.

The main difference between putting MAP: in a script and running AChoir with the /MAP: command line option is that /MAP: will map a remote drive and make it both the Acquisition drive (&ACQ) AND the Current Directory (&DIR). This allows remote Acquisition to function exactly like Local Acquisition - It will Default to AChoir.ACQ on the remote drive, and those scripts will work exactly the same whether they are local or remote.

My goal is to allow for completely remote acquisition to a central server using something like Sysinternals PSExec. It should also allow for a remote Acquisition to map back to the Incident Responder’s machine, run the acquisition utilities from the Responder’s machine, and save artifacts to the Responder’s mapped hard drive.