Share

AChoir is a scriptable open-source tool which enables collecting a host of forensic data on a target PC.

The details include basic system and hardware information, installed applications, drivers, user groups and accounts, network adapters, running processes (copies of the executables, not just the names), currently open network connections, browsing history, and raw data including dumps of RAM, NTFS data (MFT, UsnJrnl etc), event logs, Registry hives and more.

AChoir assembles most of this information with the help of other free or open-source tools, including AutoRuns to find your startup programs, and NirSoft's LastActivityView to build a timeline of the user's recent actions.

You don't need to have any of these tools in advance, AChoir doesn't break any license by bundling programs itself. Instead, when you first run AChoir-inst.exe, the program automatically downloads everything it needs. (The "Install" just collects all the files you need in a single folder tree. Make this a USB key and you've created a portable toolkit you can run anywhere.)

When you're ready, running AChoir.exe or AChoir64.exe in the installation folder will start the data collection process. This takes a while, and requires a lot of space, mostly due to the complete RAM dump. HTML reports and copies of the various data files are stored in a local folder.

This all ran smoothly when we tried it, but the key point of AChoir is that it's all controlled via custom scripts. Here's a very small part from the default file:

SAY: 10. Gathering Running Process List Information...
SAY:
SYS:Tasklist /v > &Acq\Tasklist.dat
SYS:Tasklist /M > &Acq\TaskAll.dat
SYS:\SYS\PSList.exe /accepteula -x > &Acq\PSList.dat

The "SAY" and "SYS" commands are displaying prompts or running actions, and everything else is essentially just a batch file. AChoir is using the built-in TaskList command to record details of running tasks, SysInternals' PsList to capture more, and redirecting the output of both to a report file.

This makes it extremely easy to reconfigure the program. Don't need the full memory dump? Delete those lines. Want to use some other NirSoft tool, instead? Find the command line switches you need and add it to the script.

* AChoir v0.55 - Add LST: - Looping Object (&LST) that reads entries from a file. Also Add SID (file owner) copy on the CPY: command.

Verdict ratingsratingsratingsratingsratings

AChoir isn't for beginners, but if you need to collect a lot of data on a PC then it's a solid and configurable way to start.