AChoir.ACQ
*******************************************************
* Live Acquisition Script (2.0) *
* - Pulls Forensic artifacts & telemetry for analysis *
* - Created by D0n Quix0te/OMENScan (May 2015) *
* - Inspired by many other tools *
*******************************************************
SET:CopyPath=Part
64B:
SAY:
SAY: AChoir - 64 Bit Detected... Switching to 64 Bit Script...
SAY:
INI:AChoir64.ACQ
END:
SAY:
SAY: AChoir will pull artifacts and telemetry of forensic value for investigation.
SAY:
SAY: * * * Please MAKE SURE you are running this as an Administrator * * *
SAY: * * * Administrator rights are required for many of these utilities * * *
SAY:
PZZ: Press Any Key to Continue, or q to QUIT
SAY:
SAY: 1. Now Dumping Memory...
SAY:
SAY: WARNING: This will take a while, and will create a HUGE memory image file.
SAY: You've been warned ;-)
SAY:
SAY: Checking for available Disk Space (Min Required: &MEM)
SAY:
N<<:&Dsa &Mem
SAY: Not Enough disk space in &ACQ to Capture Memory: &MEM ...
SAY: Bypassing Memory Capture!
END:
N>>:&Dsa &Mem
ACQ:\MemDump
*EXE:\MEM\WinPmem320.exe --output &Acq\WinPmemDump.Raw --logfile &Acq\WinPmemDump.Log --volume_format raw -dd -t
EXE:\MEM\WinPmem40x64.exe &Acq\WinPmemDump.Raw
END:
SAY:
SAY: 2. Extracting Prefetch Directory...
SAY:
ACQ:\Prf
NCP:"&Win\prefetch\*" "&Acq"
SAY:
SAY: 3a. Copy Raw $MFT(s)...
SAY:
DSK:Fixed
ACQ:\RawData
NCP:"&Dsk:\$MFT" "&Acq"
SAY:
SAY: 3b. Copy Raw $LogFile...
SAY:
NCP:"&Dsk:\$LogFile" "&Acq"
SAY:
SAY: 3c. Now Extracting USNJrnl...
SAY:
EXE:\DSK\ExtractUSNJrnl.exe /DevicePath:c: /OutputPath:&Acq
SAY:
SAY: 3d. Now Parsing USNJrnl...
SAY:
CMD:fsutil usn enumdata 1 0 1 C: > &Acq\USNJrnl.dat
CMD:fsutil usn readjournal C: csv >> &Acq\USNJrnl.dat
SAY:
SAY: 4a. Gathering System Information...
SAY:
ACQ:\
CMD:\SYS\PSInfo.exe /accepteula -s > &Acq\Info.dat
SAY:
SAY: 4b. Gathering System Audit Information...
SAY:
EXE:\SYS\WinAudit.exe /r=gsoPxuTUeERNtnzDaIbMpmidcSArCOHG /f=&Acq\WinAudit.htm /l=&Acq\WinAudLog.txt
SAY:
SAY: 4c. Gathering Group Policy Information...
SAY:
CMD:GPResult /R /Z > &Acq\GPResult.txt
SAY:
SAY: 5. Raw Copy Registry Hives...
SAY:
ACQ:\Reg
NCP:"&Win\System32\Config\SECURITY" "&Acq"
NCP:"&Win\System32\Config\SOFTWARE" "&Acq"
NCP:"&Win\System32\Config\SAM" "&Acq"
NCP:"&Win\System32\Config\SYSTEM" "&Acq"
NCP:"&Win\AppCompat\Programs\Amcache.hve" "&Acq"
SAY:
SAY: 6. Copying (System32) EventViewer Logs...
SAY:
ACQ:\Evt
ACQ:\Evt\Sys32
NCP:"&Win\System32\winevt\Logs\*" "&Acq"
SAY:
SAY: 6a. Copying (Sysnative) EventViewer Logs...
SAY:
ACQ:\Evt\Nativ
NCP:"&Win\sysnative\winevt\Logs\*" "&Acq"
SAY:
SAY: 7. Parsing (System32) Etc Directory, and SRUM...
SAY:
ACQ:\SYS
ACQ:\SYS\Sys32
NCP:"&Win\System32\Drivers\Etc\*" "&Acq"
NCP:"&Win\System32\sru\SRUDB.dat" "&Acq"
SAY:
SAY: 7a. Parsing (Sysnative) Etc Directory, and SRUM...
SAY:
ACQ:\SYS\Nativ
NCP:"&Win\sysnative\Drivers\Etc\*" "&Acq"
NCP:"&Win\sysnative\sru\SRUDB.dat" "&Acq"
SAY:
SAY: 8. Parsing Environment Variables...
SAY:
ACQ:\SYS
CMD:Set > &Acq\EnVar.dat
SAY:
SAY: 9. Parsing The Patch List...
SAY:
CMD:WMIC qfe list > &Acq\QFEList.dat
SAY:
SAY: 10. Gathering Running Process List Information...
SAY:
CMD:Tasklist /v > &Acq\Tasklist.dat
CMD:Tasklist /M > &Acq\TaskAll.dat
CMD:\SYS\PSList.exe /accepteula -x > &Acq\PSList.dat
SAY:
SAY: 11. Gathering Connection Information...
SAY:
***:Replaced NETSTAT with CPORTS (Gives Full Path of Process)
***:NetStat -abno > &Acq\NetStat.dat
EXE:\SYS\cports.exe /scomma &Acq\CPorts.csv
SAY:
SAY: 12. Gathering IP Config Information...
SAY:
CMD:IPConfig /all > &Acq\IPConfig.dat
CMD:IPConfig /DisplayDNS > &Acq\IPCfgDNS.dat
SAY:
SAY: 13. Gathering ARP Information...
SAY:
CMD:Arp -a > &Acq\ArpInfo.dat
SAY:
SAY: 14. Gathering NetBIOS Information...
SAY:
CKY:&Win\System32\NBTStat.exe
CMD:&Win\System32\NBTStat.exe -scn > &Acq\NetBios.dat
END:
CKY:&Win\sysnative\NBTStat.exe
CMD:&Win\sysnative\NBTStat.exe -scn >> &Acq\NetBios.dat
END:
SAY:
SAY: 15. Gathering Open Files/Process Information...
SAY:
ACQ:\SYS
CMD:\SYS\Handle.exe /accepteula > &Acq\OpenFiles.dat
SAY:
SAY: 16. Gathering Scheduled Task Information...
SAY:
CMD:At > &Acq\SchedTasks.dat
CMD:Schtasks /query /fo LIST /v >> &Acq\SchedTasks.dat
SAY:
SAY: 17. Gathering System Logon Information...
SAY:
CMD:\SYS\PSLoggedon.exe /accepteula > &Acq\Logon.dat
SAY:
SAY: 18. Gathering Services Information...
SAY:
CMD:Net Start > &Acq\Services.dat
CMD:sc query type= service state= all > &Acq\Services-2.dat
CMD:Tasklist /SVC > &Acq\Services-3.dat
SAY:
SAY: 19. Gathering Last Activity Information...
SAY:
EXE:\SYS\LastActivityView.exe /scomma &Acq\LastActivity.csv
SAY:
SAY: 20. Gathering User Assist Information...
SAY:
EXE:\SYS\UserAssistView.exe /scomma &Acq\UserAssist.csv
SAY:
SAY: 21. Gathering AutoRun Information...
SAY:
ACQ:\Arn
ARN:
SAY:
CMD:\SYS\Autorunsc.exe /accepteula -a * -c -h > &Acq\AutoRun.dat
SAY:
SAY: 22a. Gathering Current (Open) User Registry...
SAY:
ACQ:\Reg
CMD:Reg Save HKCU &Acq\NTUSER.DAT
SAY:
SAY: 22b. Gathering All User Registries...
SAY:
NCP:"C:\Users\*\NTUSER.DAT" "&Acq"
SAY:
SAY: 23. Now Extracting Browser History...
SAY:
ACQ:\Brw
EXE:\SYS\BrowsingHistoryView.exe /scomma &Acq\BrowseHist.csv
EXE:\SYS\BrowsingHistoryView.exe /shtml &Acq\BrowseHist.htm
SAY:
SAY: 24. Gathering $Recycle.Bin entries...
SAY:
DSK:Fixed
ACQ:\RBin
NCP:"&Dsk:\$Recycle.Bin\*" "&Acq"
SAY:
SAY: Acquisition Complete...
SAY:
SAY: Now Hashing Artifacts...
HSH:ACQ
SAY:
PZZ: All Done! Press Any Key to Finish.
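The directives above (SAY, ACQ, NCP, CMD, EXE, DSK, CKY/END, 64B, N<</N>>, SET, INI, HSH) are AChoir's scripting language, and the only way to see what a script will do on a given host is normally to run it. The Python dry-run planner below is an added example written for this page, not AChoir's own code. It resolves the &Acq/&Win/&Dsk/&Dsa/&Mem variables, honours the conditional blocks, and emits the ordered list of copy and command actions the script would perform on a described host, so a collector can be reviewed on an analysis workstation before it is deployed on a live system. The directive semantics it encodes, the reading of &Dsa and &Mem as free disk space and RAM in MB, the treatment of DSK:Fixed as "repeat any &Dsk line per fixed drive", and the Host description are assumptions inferred from this script, not AChoir documentation; the embedded script is a constructed excerpt of AChoir.ACQ and INI is recorded rather than followed.

```python
"""Dry-run planner for AChoir-style .ACQ scripts.

Added example for this page, not AChoir's own code.  Directive semantics
below are assumptions inferred from AChoir.ACQ:
  SAY: print   ACQ: select subdir (&Acq)   NCP: raw copy   CMD/EXE: run
  DSK: iterate fixed drives via &Dsk       CKY: if file exists ... END:
  64B: if 64-bit ... END:   N<<: if a<b ... END:   N>>: if a>b ... END:
  SET: assign variable   INI: include script   HSH: hash tree   '*' comment
&Dsa / &Mem are assumed to be free disk space and RAM in MB.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

COND_OPENERS = {"64B", "CKY", "N<<", "N>>"}


@dataclass
class Host:
    """Constructed description of the target machine for the dry run."""
    is_64bit: bool = True
    windir: str = r"C:\Windows"
    fixed_disks: List[str] = field(default_factory=lambda: ["C"])
    disk_free_mb: int = 100_000      # value behind &Dsa (assumption)
    ram_mb: int = 16_384             # value behind &Mem (assumption)
    existing_files: List[str] = field(default_factory=list)  # for CKY:


@dataclass
class Action:
    kind: str   # directive that will run: NCP, CMD, EXE, INI, HSH, ...
    text: str   # argument with every &Var resolved
    step: str   # most recent numbered "SAY: n." heading, for reporting


def _resolve(arg: str, vars_: Dict[str, str]) -> str:
    """Expand &Acq, &Win, &Dsk ... (variable names are case-insensitive)."""
    return re.sub(r"&(\w+)",
                  lambda m: vars_.get(m.group(1).lower(), m.group(0)), arg)


def _condition_holds(op: str, arg: str, host: Host) -> bool:
    if op == "64B":
        return host.is_64bit
    if op == "CKY":
        return arg.lower() in {f.lower() for f in host.existing_files}
    a, b = (int(x) for x in arg.split()[:2])   # N<< / N>> compare two numbers
    return a < b if op == "N<<" else a > b


def plan(script: str, host: Host, acq_root: str = r"D:\ACQ") -> List[Action]:
    """Return the ordered actions the script would perform on `host`."""
    vars_ = {"acq": acq_root, "win": host.windir,
             "dsa": str(host.disk_free_mb), "mem": str(host.ram_mb)}
    actions: List[Action] = []
    step, skip_depth = "header", 0    # skip_depth > 0 inside a false block
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or ":" not in line:
            continue
        op, _, arg = line.partition(":")
        op, arg = op.strip().upper(), arg.strip()
        if skip_depth:                # track nesting so an inner END: does
            if op in COND_OPENERS:    # not close the outer false block
                skip_depth += 1
            elif op == "END":
                skip_depth -= 1
            continue
        if op == "END" or op == "PZZ" or op == "DSK":
            continue                  # DSK: drive list comes from Host
        if op in COND_OPENERS:
            if not _condition_holds(op, _resolve(arg, vars_), host):
                skip_depth = 1
            continue
        if op == "SAY":
            m = re.match(r"(\d+[a-z]?)\.", arg)
            if m:
                step = m.group(1)
            continue
        if op == "SET":
            name, _, value = arg.partition("=")
            vars_[name.strip().lower()] = value.strip()
            continue
        if op == "ACQ":               # ACQ:\ is the root, ACQ:\Reg a subdir
            vars_["acq"] = acq_root + ("" if arg == "\\" else arg)
            continue
        # Everything else is a concrete acquisition action; a line that
        # mentions &Dsk is repeated once per fixed drive (DSK:Fixed).
        if "&dsk" in arg.lower():
            for drive in host.fixed_disks:
                actions.append(Action(op, _resolve(arg, {**vars_, "dsk": drive}), step))
        else:
            actions.append(Action(op, _resolve(arg, vars_), step))
    return actions


def kinds(actions: List[Action]) -> List[str]:
    return [a.kind for a in actions]


# Constructed excerpt of AChoir.ACQ used as sample input.
SAMPLE_ACQ = r"""
* Live Acquisition Script (excerpt)
SET:CopyPath=Part
64B:
INI:AChoir64.ACQ
END:
SAY: 1. Now Dumping Memory...
N<<:&Dsa &Mem
SAY: Bypassing Memory Capture!
END:
N>>:&Dsa &Mem
ACQ:\MemDump
EXE:\MEM\WinPmem40x64.exe &Acq\WinPmemDump.Raw
END:
SAY: 3a. Copy Raw $MFT(s)...
DSK:Fixed
ACQ:\RawData
NCP:"&Dsk:\$MFT" "&Acq"
SAY: 14. Gathering NetBIOS Information...
CKY:&Win\System32\NBTStat.exe
CMD:&Win\System32\NBTStat.exe -scn > &Acq\NetBios.dat
END:
HSH:ACQ
"""

if __name__ == "__main__":
    host = Host(fixed_disks=["C", "D"],
                existing_files=[r"C:\Windows\System32\NBTStat.exe"])
    for a in plan(SAMPLE_ACQ, host):
        print(f"[step {a.step:>3}] {a.kind}: {a.text}")
```

Run it against the full AChoir.ACQ with a Host that mirrors the target (RAM size, free space on the collection volume, which Sysinternals/NirSoft binaries are present) and the output is the exact set of commands and raw copies the collector will issue, which is what a reviewer wants to sign off before the script touches evidence.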
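HSH:ACQ hashes the collected tree at the end of the run, but chain of custody also needs a record that can be re-verified once the evidence has left the host. The following Python is an added example for this page, not AChoir's code: it builds a SHA-256 manifest of an acquisition directory, streaming each file in 1 MiB chunks so a multi-gigabyte WinPmem image is never loaded into memory, and verifies the tree against that manifest later, reporting modified, missing and unexpected files. The manifest filename, its JSON layout and the stand-in artifact contents in demo() are constructed.

```python
"""Build and verify a SHA-256 manifest of an AChoir acquisition tree.

Added example for this page, not AChoir's own code.  The manifest name,
its JSON layout and the sample artifacts in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST = "AChoir.Manifest.json"   # constructed name
CHUNK = 1 << 20                      # 1 MiB: a memory image is many GB


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so memory use stays constant."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _artifacts(root: Path) -> Dict[str, Path]:
    """Every regular file under root except the manifest, by relative POSIX path."""
    return {p.relative_to(root).as_posix(): p
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name != MANIFEST}


def build_manifest(root: Path) -> Dict[str, str]:
    manifest = {rel: sha256_file(p) for rel, p in _artifacts(root).items()}
    (root / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_manifest(root: Path) -> Dict[str, List[str]]:
    """Compare the tree against the manifest written at acquisition time."""
    expected = json.loads((root / MANIFEST).read_text())
    present = _artifacts(root)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(present) - set(expected))
    return report


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Hash a constructed acquisition, verify it clean, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Reg").mkdir()
        (root / "RawData").mkdir()
        (root / "Reg" / "SAM").write_bytes(b"regf" + b"\x00" * 4096)   # stand-in hive
        (root / "RawData" / "$MFT").write_bytes(b"FILE0" * 2048)      # stand-in MFT
        (root / "Info.dat").write_text("PsInfo output (constructed)\n")
        build_manifest(root)
        clean = verify_manifest(root)
        # Simulate what can happen between host and lab: a hive edited,
        # a file lost in transfer, a file added after hashing.
        (root / "Reg" / "SAM").write_bytes(b"regf" + b"\x00" * 4095 + b"\x01")
        (root / "Info.dat").unlink()
        (root / "Tasklist.dat").write_text("added after hashing\n")
        return {"clean": clean, "tampered": verify_manifest(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Write the manifest to the collection volume immediately after the HSH: step and copy it out of band (or sign it) so that a later verify_manifest run on the lab copy can be trusted independently of the evidence files themselves.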