-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathWhatIsAChoir.txt
670 lines (560 loc) · 32 KB
/
WhatIsAChoir.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
AChoir - v4.5
AChoir
======
AChoir continues to mature. My goals are to make it a flexible scripting language designed
to gathering windows forensic artifacts locally or remotely, and to limit its footprint by
using techniques that limit what AChoir itself leaves behind as artifacts.
What is AChoir:
===============
Every Incident Responder eventually comes to the conclusion that they need to script their
favorite Live Acquisition utilities. For some reason (or many reasons) many of those Live
Acquisition scripts are often shared only among trusted parties.
I have seen these scripts written in numerous scripting languages - but oddly enough, all of
these scripts tend to use many of the same freely available utilities - To do mostly the
same things.
It often takes a Responder several years, along with lots of trial and error to settle on a
set of utilities (and options) that both work, and that provide relevant information on useful
forensic artifacts.
And even though Responders often use the same utilities and are scripting them in largely
the same way, each Responder has to go through the same pain of building their own script in
their (not so) favorite scripting language - figuring out how to quickly and consistently
gather the artifacts of most value and limit the scripting footprint.
I believe that this process of re-inventing the wheel over and over again is just silly.
That's why I wrote AChoir.
So How is AChoir different?
===========================
AChoir has several goals:
1. Identify the best free forensic utilities
2. Make it easy to get these utilities and...
3. Automate the building of Acquisition toolkits with them
4. Self Document
5. Build a Framework for Live Acquisition Scripts/Toolkits
6. Minimize the impact of the scripting function on artifacts
7. Move towards a repository model for Acquisition utilities
8. Make remote acquisition as easy as local acquisition
Achoir itself is architected with two primary functional concepts:
1. To download the Acquisition utilities and organize them into a Acquisition Toolkit
2. To Run those utilities (Toolkit) in an organized way.
An AChoir script can download, and unzip these utilities in order to create a Live
Acquisition Toolkit. We have provided our version of a "Build" script, but you can
make your own.
The idea is to make it easily repeatable to download and organize these utilities.
That is: with just AChoir and a builder script, anyone can build an Acquisition
Scripting Toolkit.
This has the additional benefit of documenting where everything came from.
The second functional concept of running the Acquisition Script to gather artifacts is
obvious. But what AChoir tries to do is make that experience consistent and repeatable.
Achoir creates unique directories for every Acquisition run, and has built in functions
like hashing and Raw NTFS File Copy. In this way we are creating both a consistent
framework and a scripting language that is targeted specifically at Live Acquisition.
So Isn't This Just another Scripting Language? I can do that already.
======================================================================
I would say, you could almost everything Achoir does with any scripting language - If that
is what you want to do. In fact, that is how AChoir started life. But Achoir's goals
are to make Live Acquisition scripting consistent and to eventually create a respository
for Live Acquisition utilities to make the whole process easier for Responders.
We are also very sensitive to the "Observer Effect" problem when Acquiring artifacts,
and Achoir will continue to be coded in a way to minimize disturbing the artifacts. This
takes some work when writing your own Live Acquisition scripting programs.
OK. I'm Sold. How does it work?
================================
The Achoir scripting language has two primary concepts:
1. Objects
2. Actions
Actions are the thing you want to do. Objects are the thing(s) you want to do the Actions
against. Actions always start in column 1, they are three letters folowed by a colon(:).
Note:As of AChoir v0.99 Actions can be indented using tabs or spaces.
Objects Can go anywhere and start with an ampersand(&) followed by three letters.
Here is a simple example:
Dir:\Test
Say:The Current Directory is: &Dir
In this example, a lot of things are going on. First the &Dir object is being set by the DIR:
action. In addition, if that directory does not exist it will be created. All directories are
created RELATIVE to the directory Achoir was run from. doing this ensures consistency every
time Achoir is run, and prevents one set of artifacts from stepping on another set.
The next statement (SAY:) then prints the text and &Dir object to both the screen, and a unique
LogFile for each run.
Here is another Example:
ACQ:\Reg
NCP:"C:\Users\*\NTUSER.DAT" "&Acq"
In this example our goal is to Copy all User NTUSER.DAT Registry files under the C:\USERS Directory.
We want to do this using AChoir's built-in NTFS Raw Copy Action. Using AChoir's NTFS Raw Copy
allows us to copy open and locked files, and bypasses the NTFS file system to avoid modifying any
Time Stamps. We do this to make the footprint as small as possible to make the File Copy more
"forensically sound" by preventing unwanted modifications to the file system (Accessed) TimeStamps.
First we set the Acquisition Sub-Directory (ACQ:) object (&Acq) to "\Reg" This is a path directly
under the unique generated Acquisition Directory.
Next, the NCP: action copies any/all NTUSER.DAT files found in any NTFS subdirectory under
C:\Users (Note: wildcards are also valid) into the &Acq directory.
Here is a list of all the Actions and Objects:
Actions:
========
SET:Cache=Local Used in Conjunction with SMB (MAP:) collections
Uses the Local (Target) machines drive to cache working files
This will impact Forensic Soundness - but it makes
Processing much faster since AChoir does not have to Cache
files over the network
SET:Cache=Movable (Default) - Used in Conjunction with SMB (MAP:) collections
Uses the Remote (SMB) drive to cache working files. This
Prevents files from being written to the target machine, but
Processing is slower since AChoir will have to Cache files
over the network
SET:MapErr=Continue If a MAP: fails to Map a drive
Continue. The Return code will be
Set to 1 (This is the default behavior)
SET:MapErr=Fail If a MAP: fails to Map a drive
Fail and Exit out of AChoir
SET:MapErr=Query If a MAP: fails to Map a drive
Query for the server to be re-entered
SET:SyslogL=<syslogging Level> Sets the Syslog Level.
Options are: none, min, max
The default is NONE (No Syslogging)
SET:SyslogP=<syslog Server Port> Sets the Syslog Server Port
SET:SyslogS=<syslog Server IP> Sets the Syslog Server
IP Address, and sets the Syslog Level to 1
Syslogging will immediately begin.
SET:NCP=NODCMP Sets the NCP: (NTFS Raw Copy) to NOT
DeCompress LZNT1 compressed files.
Instead, the RAW Compressed data will
be extracted (and must be manually
decompressed to use it).
SET:NCP=DECOMP DeCOMPRESS LZNT1 files. This is more
or forensically sound. Since LZNT1 compressed
SET:NCP=RAWONLY files are not usable in their RAW COMPRESSED
form, AChoir will attempt to decompress
the file using a built-in LZNT1 Decompressor.
Note: There will be TWO files: The original
COMPRESSED file (LZ) AND an UNcompressed version
with the original file name (or possibly an "(LX)"
extension (see below).
SET:NCP=OSCOPY Sets the NCP: (NTFS Raw Copy) to
copy a file using the OS API if
DeCOMPRESSION ERRORS are encountered. This is
a CHANGE from AChoir 1.9 behavior. This is not
as forensically sound (it may leave artifacts)
as the DECOMP/RAWONLY option.
Note1: This setting will ONLY call OS Copying
if the LZNT1 DeCompression has ERRORS.
Note2: THREE files can be created: The original
COMPRESSED file (LZ), a Decompressed version with
a "(LX)" appended, and a THIRD copy of the file
written through OSCopying with the original file
name.
SET:CopyPath=None Set the NCP: and CPY: Copy Path to None.
This will ignore the paths of the source files
and copy everything into the directory destination.
SET:CopyPath=Full Set the NCP: and CPY: Copy Path to Full.
This will append the source file's copy path
to the output directory. This allows the examiner
to quickly see exactly where the source file came from
SET:CopyPath=Part Set the NCP: Copy Path to Partial and CPY: Copy Path to Full.
This only works for NCP: Copy, and will copy ONLY the path
after any wildcards. This allows the examiner to see the
RELATIVE path the the source files were in
SET:CopyDepth=nn Set the Directory Depth for CPY: Default is 10 Subdirs.
Note: This is not used by NCP: - Only CPY:
SET:Trim=Yes When using &For or &Lst, Trim leading and trailing spaces (Default)
SET:Trim=No When using &For or &Lst, DO NOT Trim leading and trailing spaces
SET:DELIMS=<chars> These are the delimiters that the &FOR and &LST objects
will use to Parse out &FO0-&FO9 and &LS0-&LS9
<chars> can be up to 5 characters.
Example: SET:DELIMS=,\ (will set delimiters to , AND \)
SAY: Echo Text and Objects to the Screen and Logfile
CON:Hide Hide The Console Screen - For quiet Acquisition
DO NOT USE IF YOU HAVE SCREEN INPUT - For any
Input be sure to Show any Hidden Screen
CON:Show Show a Previously Hidden Console
Be Sure to Show any hidden screens before needed
Input.
CON:MSGLevel=<min>, <std>, <max>, <debug> Set console messages level.
Levels break down (generally) as follows:
min=Just display the command, progress and critical errors
but no output
std=Display the command, progress, critical errors,
and standard output
max=Display the command, progress, critical errors, warnings,
standard and extended output
debug=display everything, including internal debugging information
SLP:<Sec> Sleep for <Sec> Seconds
NTP:<FQDN> Set the FQDN of the NTP Server.
Note: This WILL NOT do an NTP request. It ONLY
sets the FQDN of the NTP Server to use.
ADM:Check Check if AChoir is running as an Administrator,
and warn if it is not
ADM:Force Check if AChoir is running as an Administrator,
and EXIT OUT if it is not
INP: Input from console. (INP:<Display This Text>)
Display text and get input into variable &Inp
IMPORTANT NOTE: Longer input is TRUNCATED to 250 chars
EQU:<string1> <string2> - Is <string1> equal to <string2>
if True run the statements until an END:
Note: Use "" to use strings with spaces in them
NEQ:<string1> <string2> - Is <string1> NOT Equal to <string2>
if True run the statements until an END:
Note: Use "" to use strings with spaces in them
N>>:<Number1> <Number2> - Is <Number1> Greater Than <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
N<<:<Number1> <Number2> - Is <Number1> Less Than <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
N==:<Number1> <Number2> - Is <Number1> Equal to <Number2>
if True run the statements until an END:
Note: THIS MUST BE A NUMBER
INI: SWITCH to another Script File (INI:F:\NewScript.Acq)
Note: This WILL NOT RETURN to the calling script.
INI:Console - Switch to Interactive Console Mode
CSE:SAY Display Optional Case Information ans write it to Log
CSE:GET Input Optional Case Information - ONLY allowed ONCE
per session to avoid ambiguity.
GET: Get a file using HTTP into &Fil
Note: &Fil (FIL:) MUST BE SET TO THE FULL PATH OF
THE NEW FILE!
EXE: Run a Program and wait for completion (P_WAIT)
EXA: Run a Program and DON'T wait for completion (P_NOWAIT)
EXB: Run a Program in the background (P_DETACH)
SYS: Execute a System Command using the OS Shell
CMD: Execute a System Command using AChoir's Command Shell
OPN:<FileName> - Open an Output File for Appending - Only one
File can be open at a time. OPN:(ing) a file
will close any previous one.
OUT:<String> - Append the string to the OPN: output file.
USR:<UserId>
UserId to use when mapping a drive (Optional)
USR:? Will query for the UserId for Drive Mapping
PWD:<Password>
Password to use when mapping a drive (Optional)
PWD:? Will query for the Password for Drive Mapping
MAP: Map to a remote drive share (\\<server>\<share>) and use
it as the Acquisition Directory
SHR: Create a Share (SHR:<x:\ShareDirectory> <ShareName>)
Used for Remote Acq to map back to Achoir Directory
SHD: Delete a local Share (SHD:<ShareName>)
ACQ: Tell Achoir to create a unique Acquisition directory
DIR: Set the &Dir object and create the directory if needed
FIL: Set the &Fil object (File)
DRV: Set the &Drv object (Drive - ie. X:)
VR0: - VR9:
Set the &VR0 - &VR9 variables
CN0: - CN9: <Number to Set> or ++ or --
Set the &CN0 - &CN9 variables
Increment/Decrement with CNx:++ and CNx:--
HSH:ACQ Hash everything in the &ACQ directory and subdirectories
HSH:Dir Hash everything in the &DIR directory and subdirectories
HSH:<FileName MD5 Hash The file and store it in &HSH
FOR: Set the &FOR object. This is a Looping object based on
Files - For instance "FOR:C:\Users\*.DAT" will define
All *.DAT Files under C:\Users. In this way a single
command can be run iteratively against all of these files.
DSK:<typ>Set the &DSK object. This is a Looping object based on
all attached/mounted disks that match the <typ>
<typ> can be: Fixed, Remote, Remove, CDRom, RamDisk
LST:<FileName>
Set the &LST object. This is a Looping object based on
Lines in the <FilName>. In this way a single command can
be run iteratively replacing the &For variable with each
entry in the <FileName>.
CPY: Copy Files (CPY:<FromFile> <ToFile>) - Supports Quotes
Supports Wildcard. Important Note: CPY: WILL RECURSE THROuGH
SUBDIRECTORIES ONLY IF A WILDCARD IS USED.
CPS: Copy Files (CPS:<FromFile> <ToFile>) by Signature
(Loaded by the Sig: command)
Supports Wildcard. Important Note: CPY: WILL RECURSE THROuGH
SUBDIRECTORIES ONLY IF A WILDCARD IS USED.
VCK:<x:> Check if the Volume <x:> is NTFS, FAT32, CDFS, Other, None
(Used for conditional execution if Vol is/not NTFS)
NCP: NTFS Raw File Copy - Supports Wildcards (* and ?)
NCP:<File(s) to Copy> <Destination Directory>
Note: COMPRESSED Files will ALSO be copied using the OS
API unless SET:NCP=RAWONLY is set.
Sig:Clear Clears out the AChoir Signature Table
Sig:<Typ=xxxx>
Loads a File Signature ino the Signature Table. The first
variable is the File Type, the second is the Hex Signature
(must be in the form of XX).
Signature Type can be up to 10 bytes (i.e JPG, JPEG, MOV, etc)
Signatures can be up to 32 Chars (16 bytes)
There cane be up to 100 Active Signatures loaded.
(Sig:Clear - Clears the table back to 0)
NCS: NTFS RAW Copy Files by Signature (Loaded by the Sig:
command - Supports Wildcards (* and ?)
ARN: Search Registry Run Key and copy the EXEs
(possible malware persistence)
ARN:<Offline Registry>
By adding an Explicit Path to a SOFTWARE Offline Registry
File, AChoir will try to find the Run Keys and copy the
EXEs. This is the DeadBox equivalent of ARN:
USB:Protect Sets the Windows USB WriteProtect Registry key to 1
(Enable USB Write Protection) - Newly attached USB
devices will be write protected by Windows
USB:Enable Sets the Windows USB WriteProtect Registry key to 0
(DISABLES USB Write Protection)
CKY: Check if a File exists. If it does, run until an "END:"
action
64B: Check if 64 Bit AChoir is Running - If so, run until an "END:"
action
32B: Check if 32 Bit AChoir is Running - If so, run until an "END:"
action
CKN: Check if a File does not exist. If it doesn't, run until
an "END:" action
RC=: If the Last MAP:, GET:, SYS: or EXE: command was this return code
run the statements until an END:
RC!: If the Last MAP:, GET:, SYS: or EXE: command was NOT this return code
run the statements until an END:
RC>: If the Last MAP:, GET:, SYS: or EXE: command return code was >
run the statements until an END:
RC<: If the Last MAP:, GET:, SYS: or EXE: command return code was <
run the statements until an END:
VER:<verkeyword>
Check the passeed OS Version <verkeyword> Keyword to see if that
OS version is running. If so, run the statements until END:
Note: the valid <verkeyword> keywords are:
WinXP, WinXP64, Vista, Win7, Win8, Win8.1, Win10
Win2000, Win2003, Win2008, Win2008R2, Win2012, Win2012R2,
Win2016, Server, Client
Note2: Use this function with Caution - For various reasons Windows
CAN report the wrong version. This is a limitation of the
Windows Platform and APIs
END: End Conditional Statement execution.
LBL:<LabelName>
Define a Label that can be Jumped to (JMP:<LabelName>)
JMP:<LabelName>
Jump to a defined Label (LBL:<LabelName>)
BYE: Exit AChoir (usually used in Console Mode or Conditional section
XIT:<Exit Command>
Run Command or Program on Exit
MAX:nnnnnnnnn
Maximum File Size (And Memory Allocation) For NTFS Raw Copy
- Default is 999999999 (1GB)
Objects:
========
&Dir The Current Directory Object
&Inp Input from console (INP: Action)
&Tim The Local Time Set on the computer - Please Note: It may not be accurate.
&Ntp Query the NTP Server and display the Time. Used for Time Drift.
&Fil The Current File Object
&Acq The Current Acquisition Directory
&Acn The Current Acquisition Name
&For An array of File objects set by the FOR: action
&FO0-&FOP The &FOR object parsed into 25 variables using
the Delims (See SET:DELIMS=)
&Lst An array of text objects set by the LST: action
&LS0-&LSP The &LST object parsed into 25 variables using
the Delims (See SET:DELIMS=)
&DSK An Array of Disk objects set by the DSK: action
&Num The array number of each &For Object
&Win The Windows Root Directory
&CHK The FileName that was Checked for (non) existence by the
CKN: and CKY: actions
&RCD The Last Return Code set by a SYS: or EXE: action
&Drv A variable used to hold a Drive Letter (C:, D:, etc...)
&Map A variable used to hold the last Mapped Drive Letter (Z:, Y:, etc...)
&Tmp The Window %Temp% variable
&FNM Each &FOR File Name (Without Path)
&VR0 - &VR9 Variables set by the VR0: - VR9: Actions
&CN0 - &CN9 Counters set and incremented/decremented by the CN0: - CN9: Actions
&CNR AFTER using the &FOR or &LST variable the number of records counted is stored here
&VCK Results of last Volume Check (VCK:<x:\>
&MEM System Memory
&DSA Disk Space Available
&HST Local Host Name (set to "localhost" on error)
&HSH MD5 of the last file Hashed with HSH:
%<variable>% - AChoir can also expand the native DOS/Windows Environment Variables
Note: To use a native % (prevent expansion) in a script, use %%
Here are the Command Line Options:
/HELP - Help
/BLD - Run the Build.ACQ Script (Build the AChoir Toolkit)
Note: This option WILL NOT Create an Acquisition Base Directory - BE AWARE!
/RUN - Run the AChoir.ACQ Script to do a Live Acquisition
This option WILL Create a Base Acquisition Directory
/MNU - Run the Menu.ACQ Script (AChoir Menu)
Note: This is a simple Menu Script for selecting an AChoir script to run.
/CON - Run In Interactive Mode (Same as /Ini:Console)
/CSE - Interactive/Console Query for Case Information
/GET:<URL> Get a file using HTTP, before doing the collection.
Note: The FileName will be set to the URL FileName (after last "/").
The File will be placed in the Root Directory of AChoir
ANY PRIOR VERSION OF THE FILE WILL BE DELETED
/INI:Console - Run In Interactive Mode (Console Input)
/INI:<File Name> - Run the <File Name> script instead of AChoir.ACQ
This Option WILL NOT Create a Base Acquisition Directory
Use the ACQ: action to create the Base Acquisition Directory if you want one.
/DRV:<x:> - Set the &DRV parameter
This option is designed to allow you to build dead-box scripts,
and specify a drive variable (the drive letter that has been mounted).
/USR:<UserId> - UserId to use when mapping a drive (Optional)
/USR:? Will query for the UserId for Drive Mapping
/PWD:<Password> - Password to use when mapping a drive (Optional)
/PWD:? Will query for the Password for Drive Mapping
/MAP:<\\Server\Share> - Map a network drive - THIS SETS THE ACQUISITION AND
CURRENT DIRECTORIES TO THE MAPPED DRIVE - This is mostly used for REMOTE
Acquisition
/VR0: - /VR9:
Set the &VR0 - &VR9 variables from the command line. These can be used
to pass variables to the AChoir Scripts.
A note about Conditonal Logic
(CKY:, 64B:, 32B:, CKN:, RC=:, RC!:, RC>:, RC<:, END:, LBL:, JMP:, VER:)
----------
Conditional Logic doesn't make much sense in Interactive Mode (/CON), but you may want to know
these various conditions. AChoir is coded to give the results of these comparisons in
Interactive Mode, and to take Conditional Action in regular Scripted Mode. In Interactive Mode
Achoir WILL NOT take conditional action.
A note about Syslogging
----------
By default Syslogging is turned OFF - This is in keeping with my desire to keep the AChoir
footprint minimal, and have as little impact on the target machine as possible. In some cases
however, the need run and track AChoir across many machines overides the above.
To turn Syslogging on, simply set the Syslog Server IP (SET:SyslogS=nnn.nnn.nnn.nnn). AChoir
is currently written to have three logging levels (none, min, max). Please note that the current
Syslogging capability is just a way to monitor the progress of AChoir, and it does not log
extensively like the local log. Continue to use the local log to get a full picture of everything
AChoir has done (including errors).
A note about Case Information (/CSE, CSE:GET, CSE:SAY)
----------
To avoid any accidental confusion about Case information (that may jeopardize non-repudiation),
I have coded AChoir to disallow changing Case information after it has been displayed. Some may
find this draconian, but it is important to avoid ambiguity when doing forensic analysis, so
I have chosen to disallow changing Case information even if the default settings are displayed.
Also Note: Case Information is entirely optional - You can use AChoir without entering any
Case Information, and this is the default (so AChoir can run fully unattended)
A note about NTP (NTP: and &NTP)
----------
Achoir can query an NTP server to display the Accurate Time. This is most useful when identifying
Time Drift when gathering artifacts. For Example:
NTP:windows.time.com
SAY:Local Time: &Tim - NTP Time: &Ntp
BY DEFAULT NONE of the default/provided scripts use NTP. This is for three reasons:
1. It's bad form to put NTP servers in any default config files.
2. It opens a UDP Port (123) and communicates with an NTP server, and that may be
considered contamination.
3. NTP is UDP and it may not work in situations where NAT is used and/or NTP is blocked
(Your Firewall may need to be configured to allow NTP)
AChoir's NTP client may be useful in many situations to identify Time Drift, but please take
into account the issues above before using this function.
A note about EXE: EXA: and EXB:
----------
Under normal circumstances I recommend using EXE: to execute programs, it is much easier to
control the script when things are run sequentially, but in cases where there may be several
machines running AChoir, or Execution Time is limited or important, one may want to run
several programs Concurrently or in the Background. The primary problem with this method
is that one cannot know when these Asynchoronously run programs will complete.
Use EXA: and EXB: judiciously, bearing in mind that NOT ONLY will they complete at different
times, but the AChoir Script ITSELF will continue to run as these programs also run in
parrallel. In fact, AChoir could even complete and exit while these programs are still
executing. This can have major implications for your AChoir scripts.
A note about System32 File ReDirection:
----------
When Non-Native programs (for instance 32 bit programs on 64 Bit Windows) are run, the
Operating System will redirect files located in the %SystemRoot%\System32 directory to
a different directory. This directory can be different based on circumstances, but its
alias is always %SystemRoot%\Sysnative. I am slowly building this into all the parts
of AChoir. This can be seen in the CPY: and NCP: Copy functions and the FOR: function.
Achoir will try to detect if it is not running Native, and will adjust some of it's
actions based on that. Whenever AChoir does this, it will note it on the screen and
in the Acquisition Log.
One may wonder - why not just use whatever Windows tells us. The answer to that is
simple: If we are running AChoir on an endpoint, we may be interested in BOTH the
32Bit artifacts AND the 64Bit artifacts. Since BOTH can be present, and BOTH may
be relevant to an investigation, AChoir will always try to get both artifacts if
it can.
A note about /GET:
------
The /GET: Option will get a file using HTTP (HTTPS is not supported). This is a way
to get a file from a Web Server that will be used in the acquisition. This can be
used in a multitude of ways - but the most obvious is to host an AChoir Script on
a Web Server, download it and run it.
This would look like:
achoir /get:http://192.168.1.1/Test1.txt /ini:Test1.txt
A note about FOR:
------
In order to allow both current directory searches and current+subdirectory searches
I have come up with the following nomenclature:
* If a BackSlash is present (for instance FOR:.\files.*) AChoir will search the current
directory and all subdirectories
* If a BackSlash IS NOT present (for instance FOR:Files.*) Achoir will ONLY SEARCH
the CURRENT directory.
I believe this is the easiest way to support both types ofsearches.
A note about SET:TRIM=<yes> or <No>
------
Achoir is designed to work with Built in DOS utilities and commands. I have found that
Redirecting output to a file can OFTEN add eroneous spaces which then make parsing
difficult. To overcome that, I have added the ability to Trim or Not Trim &For and &Lst
file enumeration. Trimming is on by default, but if you don't want it, you can turn it off.
A note about UniCode
------
Achoir is an ASCII based program. However, many of the utilities that AChoir uses, will write
UniCode text output files. In order for AChoir to be able read and parse that output, it needs
to understand some UniCode. To make that possible, AChoir can detect both Big Endian and Little
Endian UTF-16. AChoir Will internally convert the Unicode input to ASCII and write all it's
output to ASCII.
A note about LZNT1 Decompression
----------
Building a working LZNT1 decompressor has been a huge challenge. With the addition of
Yogesh Khatri's bug fixes, I believe it is now stable. Nonetheless, I am leaving in the
LZNT1 decompressor fallback:
1. If an NTFS file is compressed AChoir will identify it and copy the raw data file
preserving the compression. It will append an (LZ) extention to the file to identify it as
an LZNT1 compressed file.
2. AChoir will then try to decompress the raw data into ANOTHER file. It will try to use the
original file name (this makes identifying the files easier).
3. If that doesn't work properly it will append an (LX) extentions to the file (LZNT1 Xtracted)
and it will then use standard OS APIs to copy the file with original name
You can therefore have up to 3 copies of the same file:
* Raw compressed file (LZ)
* Uncompressed file created by AChoir LZNT1 decompressor (LX)
* Uncompressed file using standard OS Copy (decompress through the OS)
If you are concerned with Forensic soundness, you can TURN OFF the OS Copy routine using the SET:NCP=RAWONLY option in AChoir. This may mean that you will not have a working/readable file, and you will need to extract that file using another means.
I am continually working on the LZNT1 decompressor to make it more resilient to errors.
Artifacts that AChoir itself generates:
----------
Achoir itself will generate a few files. These are meant to increase non-repudiation
and make the artifacts easier to use.
Logfile (ACQ-IR-<name>-<date>-<time>.txt
----------------------------------------
Achoir will create a logfile for each acquisition in the /Logs directory.
The log contains both the actions taken by AChoir and additional information
such as the hash of each program that is run.
DirHash.txt
-----------
When requested in the AChoir Script (HSH:DIR), Achoir will hash all files starting
at the directory AChoir is run from (AChoir's root directory) and store the MD5 hashes
in this file.
ACQHash.txt
-----------
When requested in the AChoir Script (HSH:ACQ), Achoir will hash all acquired
artifacts and store the MD5 hashes in this file.
Index.htm
---------
Achoir will generate an Index.htm file for every acquisition. This file can
be opened with your favorite web browser to browse and open the acquired
artifacts. This is an incredibly simple but useful feature.
x-MFT.db
---------
Achoir will generate an SQLite database when using NCP: Raw Copy. This database is
a subset of the $MFT for that volume - used to make searching for wildcards faster.
ForFiles
---------
Achoir will create a temporary file in the Acquisition Cache Directory called "ForFiles"
every time the FOR: Action is used. ForFiles contains the results and is used when the
&FOR Looping object (variable) is used.
ForDisks
---------
Achoir will create a temporary file in the Acquisition Cache Directory called "ForDisks"
every time the DSK: Action is used. ForDisks contains the results and is used when the
&DSK Looping object (variable) is used.
MCpFiles
---------
Achoir will create a temporary file in the Acquisition Cache Directory called "MCpFiles"
every time the CPY: Action is used for multiple files. AChoir first recurses through the
file directory, saves what it finds in the MCpFiles file, and then copies all the files
saved in the MCpFile.
Acknowledgements:
IMPORTANT NOTE: I could not have implemented the NTFS Raw Copy Function without the Excellent NTFS tutorial at:
http://www.installsetupconfig.com/win32programming/windowsvolumeapis1index.html<br>
Much of the code in the Achoir NTFS Raw Copy function is directly from this tutorial. And I want to publicly thank
them for making this example code available.
AChoir also heavily uses the LZNT1 decompression code from ReactOS at:
https://doxygen.reactos.org/d0/dd2/sdk_2lib_2rtl_2compress_8c_source.html
Last Thoughts:
The AChoir language is pretty simple. And I will do my best to keep it that way. To best
understand it, please take a look at the Build.ACQ and Achoir.ACQ scripts