The Finest Hand-Selected Downloads
Individually reviewed & tested
Store News

AChoir 0.96a

Collect detailed forensic data on any PC

Rating:
(0)
Operating Systems:
Windows 10, Windows 7 (32 bit), Windows 7 (64 bit), Windows 8
License:
Open Source
Developer:
OMENScan
Software Cost:
Free
Category
Security
Date Updated:
15 April 2017
Downloads To Date:
660
Languages:
English
Download Size:
29.50 MB

AChoir is a scriptable open-source tool which enables collecting a host of forensic data on a target PC.

The details include basic system and hardware information, installed applications, drivers, user groups and accounts, network adapters, running processes (copies of the executables, not just the names), currently open network connections, browsing history, and raw data including dumps of RAM, NTFS data (MFT, UsnJrnl etc), event logs, Registry hives and more.

AChoir assembles most of this information with the help of other free or open-source tools, including AutoRuns to find your startup programs, and NirSoft's LastActivityView to build a timeline of the user's recent actions.

You don't need to have any of these tools in advance, AChoir doesn't break any license by bundling programs itself. Instead, when you first run AChoir-inst.exe, the program automatically downloads everything it needs. (The "Install" just collects all the files you need in a single folder tree. Make this a USB key and you've created a portable toolkit you can run anywhere.)

When you're ready, running AChoir.exe or AChoir64.exe in the installation folder will start the data collection process. This takes a while, and requires a lot of space, mostly due to the complete RAM dump. HTML reports and copies of the various data files are stored in a local folder.

This all ran smoothly when we tried it, but the key point of AChoir is that it's all controlled via custom scripts. Here's a very small part from the default file:

SAY: 10. Gathering Running Process List Information...
SAY:
SYS:Tasklist /v > &Acq\Tasklist.dat
SYS:Tasklist /M > &Acq\TaskAll.dat
SYS:\SYS\PSList.exe /accepteula -x > &Acq\PSList.dat

The "SAY" and "SYS" commands are displaying prompts or running actions, and everything else is essentially just a batch file. AChoir is using the built-in TaskList command to record details of running tasks, SysInternals' PsList to capture more, and redirecting the output of both to a report file.

This makes it extremely easy to reconfigure the program. Don't need the full memory dump? Delete those lines. Want to use some other NirSoft tool, instead? Find the command line switches you need and add it to the script.

* AChoir v0.55 - Add LST: - Looping Object (&LST) that reads entries from a file. Also Add SID (file owner) copy on the CPY: command.

Verdict:

AChoir isn't for beginners, but if you need to collect a lot of data on a PC then it's a solid and configurable way to start.

Your Comments & Opinion

Related Downloads Other Downloads From This Category

Find out exactly how a computer is being used with this powerful forensics tool

Trial Software

Troubleshoot program startup problems

Freeware

List every file ever created on your computer. (Almost)

Open Source

Find out more about how a PC is being used

Freeware

Find deleted images in Explorer's thumbnail cache

Freeware

Dump the contents of RAM to a file in a click

Freeware
36,587,888
Downloads
Secure & Tested Software
6,385
Reviews
Instant Download 24/7
307,126
Members
10+ Years of Service