Create your own PC forensics toolkit with AChoir


Need to know what someone’s been doing on a PC? Running some of NirSoft's forensic freeware on a USB key could help you collect enough data to figure it out.

LastActivityView lists recent computer actions, OpenSaveFilesView reports on recently opened and saved files, ExecutedProgramsList details the programs they’ve launched, WifiHistoryView shows recent network connections, and the list goes on.

The problem? Each of these tools covers one area only. To collect a full set of data you must manually launch each one in turn, set it up, then save and combine your reports, which is not exactly convenient.

AChoir is an open-source scriptable framework which can download the tools you need, run them in an organised way, extract raw data from the target system and produce detailed HTML reports, all fully automated.

It’s more straightforward than it sounds, and the package comes with sensibly-chosen, ready-to-use scripts, so you can try it right away.

Unzip the download, run AChoir-inst.exe to build the toolkit, and save it to your chosen location (this could be a USB key for easy use anywhere).

AChoir makes use of tools from NirSoft, Sysinternals and other developers, but they’re not bundled with the package. Instead the installer downloads them as required, ensuring you'll always get the latest edition.

Once you're ready, running AChoir.exe or AChoir64.exe in the installation folder launches the default script, collecting basic system and hardware information, installed applications, drivers, user groups and accounts, network adapters, running processes (copies of the executables, not just the names), currently open network connections, browsing history, and raw data including dumps of RAM, NTFS data (MFT, UsnJrnl etc), event logs, Registry hives and more.

HTML reports, raw data files and other information are saved to a subfolder as the scan progresses, and can be reviewed or analysed later.
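The two paragraphs above describe what the default script collects and where it lands. As an added illustration (not AChoir's own code or script language), this PowerShell snippet reproduces one of those steps on its own: it records the running processes, keeps a copy of each executable rather than just its name, and writes a CSV plus an HTML report into a per-run subfolder. The output folder name, the SHA256 choice and the report layout are my own.

```powershell
# Added example, not part of AChoir: a minimal triage step that mirrors one
# thing the default AChoir script does (processes plus copies of their
# executables). Folder names and report layout are this example's choices.
param(
    [string]$OutRoot = (Join-Path (Get-Location) 'Collect')
)

# One timestamped subfolder per run, so repeated collections never overwrite.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot $stamp
$exeDir = Join-Path $outDir 'Executables'
New-Item -ItemType Directory -Path $exeDir -Force | Out-Null

$rows = foreach ($p in Get-Process) {
    # System and protected processes expose no path or start time; record them anyway.
    $path  = $p.Path
    $start = try { $p.StartTime } catch { $null }
    $hash  = $null
    $copy  = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        try {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Name the copy by hash so identical binaries are stored once and
            # each copy is tied to the hash recorded in the report.
            $copy = Join-Path $exeDir ($hash + [IO.Path]::GetExtension($path))
            if (-not (Test-Path -LiteralPath $copy)) {
                Copy-Item -LiteralPath $path -Destination $copy -ErrorAction Stop
            }
        } catch {
            # Keep the failure in the report instead of silently dropping the row.
            $copy = "ERROR: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        StartTime = $start
        Path      = $path
        SHA256    = $hash
        Copy      = $copy
    }
}

# Machine-readable data plus a human-readable HTML report in the run folder.
$rows | Export-Csv -LiteralPath (Join-Path $outDir 'Processes.csv') -NoTypeInformation
$rows | ConvertTo-Html -Title "Running processes $stamp" `
    -PreContent "<h1>Running processes ($env:COMPUTERNAME, $stamp)</h1>" |
    Set-Content -LiteralPath (Join-Path $outDir 'Processes.html')
```

Run it from an elevated prompt on the collection USB key so the copies and reports stay off the target system's own drive; rows without a path are the processes the current account cannot inspect.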

None of this is exactly sophisticated, and if you already automate these tools via your own scripts then AChoir won’t help you much.

Still, the default script does collect a lot of data, and it’s easy to customise and tweak.

AChoir is an open source application for Windows 7 and later.


© 1998-2024 BetaNews, Inc. All Rights Reserved.