Windows Live Artifacts Acquisition Scripting Framework
Every Incident Responder eventually comes to the conclusion that they need to script their favorite Live Acquisition utilities.
I have seen these scripts written in numerous scripting languages, but oddly enough, all of them tend to use many of the same freely available utilities to do mostly the same things.
It often takes an Incident Responder several years, along with lots of trial and error, to settle on a set of utilities (and options) that both work and provide relevant information on useful forensic artifacts.
And even though Responders often use the same utilities and script them in largely the same way, each Responder has to go through the same pain of building their own script in their (not so) favorite scripting language, figuring out how to quickly and consistently gather the artifacts of most value.
AChoir is a Framework/Scripting Tool to standardize and simplify that process.
# Versions (So Far):
- First Version (05/30/15)
- Add Variables: &Dir &Fil &Acq &Win
- Add Hashing
- Add FOR:, &FOR, &NUM Looping
- Add CKY:, CKN:, RC=:, RC!:, RC):, RC(:, END:, &CHK, &RCD
- Add Logging
- Add /BLD (Build.Acq), /DRV:, &Prc, 32B:, 64B:, BYE:
- Hash Program before running, Set Artifacts ROS
- Create Index.html for Artifact Browsing
- Mapping External Drives - Set to the ACQDir
- New &Map variable and INI: action
- INP: action and &Inp variable (Console Input)
- New &Tmp is the Windows %Temp% variable
- New CPY: Action to copy files
- New &FNM variable - Each &FOR File Name
- Let's call this 2.0 - Lots of Code improvements
- Fix GMT DST idiosyncrasy
- New ARN: Action - Parse the Run Key and copy the Autorun EXEs
- /MNU Command Line Option Runs Menu.ACQ
- Expand the ARN: routine to recognize WOW64 and System32/sysnative redirection
- More improvements to Run Key Extract
- Expand system variables %variable%
- More improvements in remote acquisition (Map)
- Add /MAP: /USR: and /PWD: command lines, and MAP: USR: and PWD: INI file Actions to enable Mapping for Remote Acquisition
- Add ADM:Check and ADM:Force to check OR enforce that AChoir be run from an ADMIN ID
- Converted to MSVC - Also replaced libCurl with MS WinHTTP APIs
- Improve CPY: - Prevent Overwriting Files
- Start and End Time Stamps and &Tim variable
- Changes to support 32 and 64 Bit versions!
- Turn On/Off USB Write Protect
- Internal Code Cleanup
- Add DRV: Action to Set &Drv
- Add Variables 0-9 (VR0: - VR9:) (&VR0 - &VR9)
- Fix Win7 "Application Data" Path Recursion Anomaly
- Remove DST Calculation - Add Checks to CPY:
- New DST Convergence Code
- Add LBL: and JMP: for Conditional Execution
- Add XIT: (Exit Command - Run on Exit)
- Offline Registry parse of AutoRun Keys for DeadBox analysis
- Change HTML display to only Root Folder
- Match DLL Delay Loading to &Dir Directory
- Fix root folder edge case
- Add CMD: - Like SYS: But uses a CMD.Exe shell In &Dir - Check Hash for AChoir ReactOS Shell
- Add LST: - Looping Object (&LST) that reads entries from a file. Also Add SID (file owner) copy on the CPY: command.
- Improve Privileges Message Display
- Fix Priv Bug & Add better Error Detection
- Add NTFS Raw Copy (NCP:)
  - NCP:(Wildcard File Search) (Destination Dir)
- Additional Recursion Error Checking
- NTFS Raw Reading now supports Attribute Lists (Multiple Cluster Runs/Fragmented Files)
- More NTFS Raw Read honing
- Add MAX: - Max File Size (& Mem Usage)
- Add RawCopy to ARN:
- Can now Read POSIX file names & Hard Links
- Large File (Greater Than 1GB) Support
- ADD HKCU Parsing for ARN:
- Edge case exit Bug Fix
- Sig:(Typ=xxxx) Load File Type, Hex Signature
- NCS: NTFS Copy by Signature
  - Used together to copy Files by Signature
- Refactored some SQLite Code to avoid random Heap Corruption issues
- FINALLY Fix Abend Bug in Large File Support
- Got rid of the other attempts to fix it
- NOTE: v0.95 will be slower than previous Versions. I opted for slower and safer code with a smaller memory footprint.
- Clean Up some of the code, improve output.
- Cosmetic changes to Index.htm
- Add Colors, Minor Bug Fixes
- CPS: Copy by Signature (Standard Win32 API)
  - Used with SIG: to copy Files by Signature
  - Not Recommended for Locked/System Files
- Tighten Application Data recursion to 2 lvls
- /Con or /ini:Console - Console as Input File
- Various improvements to Interactive Mode
- Replace conditional statements with messages
- add INI:Console to Scripting
- Improve switching between Script and Interactive Modes
- Cosmetic USB Message Changes
- HTTP Get Bug Fixes, Fix &Acq dblSlash
- Add Optional Case & Evidence Name/Number Input
- CSE:GET and CSE:SAY
- /CSE Argument to Get Case Information
- VCK:(x:) NTFS, FAT32, CDFS, Other, None
  - &VCK - Contains Results of VCK:
- EQU:(s1) (s2) - Are S1 and S2 Equal?
- NEQ:(s1) (s2) - Are S1 and S2 NOT Equal?
- Support Indenting (spaces or Tabs)
- DSK:(type) Set the &DSK looping variable to the disks of the given type
  - Types: Removable, Fixed, Remote, CDROM
  - &DSK - Looping Var, contains each Disk that matches
- Peppered Flush STDOUT buffers for better PSExec Display (Remote Acq)
- SHR:(Path) (Name) - Create a Local Share
- SHD:(Name) - Delete a Local Share
- Add /USR:? and /PWD:? - Query MAP USR and PWD
- Replaced getch() with getchar(). This is because PsExec does not work with getch().
  - PsExec also does not work with SetConsoleMode so there is no way to do hidden/masked password input.
- Implement NTP Client for Querying Time Drift
- Fix minor display bug when using &Tim
- New Actions to Hide and Reconnect the Console
- CON:Hide and CON:Show
- SLP:(Sec) Sleep for (Sec)Seconds
- Add /VR0: -/VR9: Command Line Parameters
- When BaseDir changes, change Windows CWD too
- New Redaction Routine for PWD: EXE: CMD:
- Add EXA: and EXB: (Async & Background EXe)
- Fix DSK: &DSK bug for Remote Collections
  - File not being properly closed caused a loop.
- Recognize Compressed Files, and allow them to be copied by the OS API to Decompress them.
  - The Flag for this behaviour is: SET:NCP=OSCOPY or SET:NCP=RAWONLY
- Added built-in Support for WOW64 file redirection of X86 binCopy of SYSTEM32 (sub)directories. This was needed for switching from rawcopy to bincopy - plus it's a good general feature anyway.
- Recognize Compressed Size
- More Compressed Files Support
- Add LZNT1 Decompress Routine
  - Flag behaviors have changed:
    - SET:NCP=NODCMP - No Decompression
    - SET:NCP=DECOMP/RAWONLY - LZNT1 Decompress
    - SET:NCP=OSCOPY - Do OS/API copy on Decompression Error
- Add App Compat Manifest - For 8.1 and above compatibility
- Add new Conditional Logic on Windows Version
  - VER:WinXP, WinXP64, Vista, Win7, Win8, Win8.1
  - Win2000, Win2003, Win2008, Win2008R2, Win2012, Win2012R2, Win2016
  - Add Ver: Client, and Server checks
- LZNT1 Bug fixes by Yogesh Katri
- Update Offreg, and fix Edge Case of Short FN without a Long FN in $MFT record.
- Partial Back out of LZNT1 mod that negatively impacted $MFT Resident File extraction
- Fix Duplicate File copy due to multiple MFT Records for a file (Hard Links)
- Additional Messages for Looping
- Add ability to preserve Paths in CPY: and NCP:
- Allow ACQ: and DIR: to create nested paths
- Fix FOR: without backslash (Current Dir only)
- Move Get: to its own routine to allow new /Get: option - This will function as a way to allow AChoir to load an INI file remotely
- Added &MEM (Total memory), &DSA (Disk Avail)
- Added N>>:, N<<:, and N==: For NUMBERS ONLY comparison. Note: All numbers are converted internally to long long (atoll)
  - These can be used together to see if we have enough disk space to capture memory, i.e. N>>:&DSA &MEM
- Expand Available Disk Checking into File Copy/Extract
- &DSA Should Really Point to the &ACQ Drive in case we use MAP:
- Added Experimental Syslog Output and new Settings:
  - SET:SYSLOGS=(Syslog Server IP)
  - SET:SYSLOGP=(Syslog Port)
  - SET:SYSLOGL=None, Min, Max
- Expand syslogging
- Add Set:MapErr=(Continue, Fail, Query)
- Add &CNR, &CN0-CN9, CN++, CN-- (Counters), and &Acn (Acquisition Name)
- Add Set:Trim=(Yes) or (No) (Default is Yes)
  - Trims &FOR and &LST since DOS File Redirects OFTEN add erroneous spaces
- Add SET:DELIMS= (Sets the Parsing Delimiters)
  - &LS0-&LS9 (Parses the first 10 Cols in &LST)
  - &FO0-&FO9 (Parses the first 10 Cols in &FOR)
- Add WildCard to CPY: (No Longer needs FOR: to do multiple file copy)
- Add SET:CopyDepth=nn - Set Maximum Directory Depth for CPY: (Does not work with NCP:) - This will help speed up copying by preventing unnecessary depth (Default is 10 SubDirs)
- Better mkdir Processing (Error Correction)
- Better Support for MAP: (Sets Target Dirs)
- Set:Cache=(local) or (Movable) - Speed enhancement to keep the Cache local to the target machine - Use with caution.
- Cut down on the Display Messages
- CON:MSGLevel=(min), (std), (max), (debug)
  - min = What it is doing
  - std = What it is doing and results (default)
  - max = What it is doing and expanded results
  - debug = Same as max for now
- No changes - Releasing v4.0 in honor of the Mr. Robot Season 4 premier 10/06/2019
- Add OPN: Opens a file for output, if a file is already OPN, it will be closed. Only one file can be OPN at a time.
- Add OUT: Action - Appends a string to the OPN: File
- Expand parsing to &LSA - &LSP and &FOA - &FOP
- Add Experimental Unicode File Processing
  - Only UTF-16 (Big & Little Endian)
- Make Log File consistent (set to ACQName)
- Added &HST Variable (Host Name)
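The LZNT1 Decompress Routine and the SET:NCP= flags in the version notes above concern NTFS-compressed files read by the NCP: raw copy, which a raw $MFT-based copier has to inflate itself when it bypasses the OS API. The following is an added example, not AChoir's own code: a minimal C decompressor for the LZNT1 chunk format (2-byte little-endian chunk header, flag byte per 8 tokens, variable offset/length split in back-reference tokens) that rejects truncated or malformed input instead of over-reading. The helper names and the constructed sample stream are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* LZNT1: 4096-byte chunks, each led by a 2-byte LE header (bit 15 = compressed,
 * bits 0-11 = data length - 1; a zero header ends the stream). Returns bytes
 * written to out, or (size_t)-1 on malformed or truncated input. */
size_t lznt1_decompress(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip + 2 <= in_len) {
        uint16_t hdr = (uint16_t)(in[ip] | (in[ip + 1] << 8)); ip += 2;
        if (hdr == 0) break;
        size_t chunk_end = ip + (hdr & 0x0FFF) + 1;
        if (chunk_end > in_len) return (size_t)-1;          /* truncated chunk */
        if (!(hdr & 0x8000)) {                               /* stored chunk: copy verbatim */
            if (op + (chunk_end - ip) > out_cap) return (size_t)-1;
            memcpy(out + op, in + ip, chunk_end - ip); op += chunk_end - ip; ip = chunk_end;
            continue;
        }
        size_t base = op;                                    /* where this chunk starts in out */
        while (ip < chunk_end) {
            uint8_t flags = in[ip++];                        /* one bit per following token */
            for (int bit = 0; bit < 8 && ip < chunk_end; bit++) {
                if (!(flags & (1u << bit))) {                /* clear bit: literal byte */
                    if (op >= out_cap) return (size_t)-1;
                    out[op++] = in[ip++]; continue;
                }
                if (ip + 2 > chunk_end || op == base) return (size_t)-1;
                uint16_t tok = (uint16_t)(in[ip] | (in[ip + 1] << 8));
                ip += 2;
                /* Offset/length split of the token widens the offset field as more of the chunk is produced. */
                int shift = 12; uint16_t lmask = 0x0FFF;
                for (size_t p = op - base - 1; p >= 0x10; p >>= 1) { shift--; lmask >>= 1; }
                size_t len = (tok & lmask) + 3, off = (tok >> shift) + 1;
                if (off > op - base || op + len > out_cap) return (size_t)-1;
                for (size_t i = 0; i < len; i++, op++) out[op] = out[op - off]; /* overlap is allowed */
            }
        }
    }
    return op;
}
/* Constructed sample (not from the page): "ABCABCABCABC" as 3 literals + one back-reference (off 3, len 9). */
static const uint8_t k_abc[] = { 0x05, 0xB0, 0x08, 'A', 'B', 'C', 0x06, 0x20 };
/* 1 if in decompresses exactly to expect, 0 if the bytes differ, -1 on decode error. */
int lznt1_check(const uint8_t *in, size_t in_len, const char *expect)
{
    uint8_t buf[4096]; size_t n = lznt1_decompress(in, in_len, buf, sizeof buf);
    if (n == (size_t)-1) return -1;
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
```

Feeding k_abc with a shorter in_len than its header promises returns -1 rather than reading past the buffer, which is the failure mode that matters when the input comes from an arbitrary $MFT data run.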
# Quick Start (tl;dr):
The quickest way to get started with AChoir is to download the Achoir-Inst.exe file, run it, and allow it to build the default AChoir Toolkit.
If you want to build the toolkit onto an external USB drive, simply install AChoir to your external USB drive and let the Install program run the build process from there. AChoir will install and build the toolkit onto the Drive and Directory it is installed to. This process also works if you want to install/run AChoir from a network share.