AChoirX: ReWrite of AChoir in Go for Cross Platform

Primary Language: Go. License: GNU General Public License v2.0 (GPL-2.0)

AChoirX

AChoirX is a port of AChoir in Go(lang) for Cross Platform forensic collection, processing, and analysis.

The goal of AChoirX is to create a simple scripting language for Targeted Collection (Live Response) on Windows, Linux, OSX (MacOS), and Android. AChoirX (like AChoir) will also support scripting of extraction, parsing, and analysis of mounted forensic images.

The AChoirX installation contains a single AChoir collection script, which runs on all three primary versions of AChoirX (Windows, Linux, MacOS). This shows the power of the idea: a single consistent method to gather artifacts and telemetry from all three platforms using a single script. AChoirX does not abstract these artifacts - it collects the actual platform-specific raw artifacts in a consistent manner using the same utility on all three platforms. Please Note: While AChoirX also runs on Android, Android is not yet supported in the default script.

AChoir scripts can be modified in nearly endless ways to meet the collection needs of different types of investigations. AChoirX can also run in interactive console mode, or across TCP using the built-in Multi-Handler. AChoirX also natively supports common upload methods such as SFTP or S3. Since AChoirX runs on Windows, Linux, MacOS, and Android, all of these functions, including the Multi-Handler (client and server modes) and the upload methods, work regardless of platform.

Non-Disclaimer

This repository represents a Project and not a Product.

This software is furnished "as-is". We provide no warranty whatsoever, whether express, implied, or statutory, including, but not limited to, any warranty of merchantability or fitness for a particular reason or purpose, or any warranty that the software will be error-free.

In no respect shall the author or distributors of AChoirX incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or any way connected to the use of this software, whether or not based upon warranty, contract, tort, or otherwise; whether or not injury was sustained by persons or property or otherwise; and whether or not loss was sustained from, or arose out of, the results of, the software, or any services that may be provided by the software.

You agree to install and use this software solely at your own risk.

AChoirX is an Open Source Project and carries no formal support expressed or implied.

Change Log:

10/16/2020 - Alpha 23. Windows, Linux, OSX supported. The default script runs on all three platforms and gathers platform specific Artifacts and Telemetry. Has built in S3 Bucket uploading (using the AWS SDK).

10/17/2020 - Alpha 24. Hash Running Program for non-repudiation. Add &Myp (My Program) and &Myh (My Hash)

10/25/2020 - Alpha 25. Add /GXR: - Gets a Zip File, Extracts it, and runs the script.

10/30/2020 - Alpha 26. Copy Running Program to \Progs for non-repudiation

11/07/2020 - Beta 27. Upgraded Status to Beta. Change CPY: Target File Atime and MTime to match Source. Change FileExists to accept File or Directory & Improve Error handling. Add Quoted Parsing to EXE: and SYS: processing.

11/10/2020 - Beta 28. Add &USR and &PWD - To enable UserID and Password on Command Line

11/13/2020 - Beta 29. Implement Encryption (/DEC:, ENC:, DEC:).

11/18/2020 - Beta 30. Minor Fixes. Added PlasoX.ACQ Script for cross platform Plaso (Targeted TimeLine) processing

11/26/2020 - Beta 31. Add Admin/Root Checks - Move subroutine to Platform Specific Files. Add &Adm Variable = Yes or No (Running as Admin/Root)

11/27/2020 - Beta 32. Add &Mem Variable (Total System Memory)

11/29/2020 - Beta 33. Add support for unzipping an embedded []byte stream. Embed Platform specific Default Scripts (Win, Lin, OSX)

12/20/2020 - Beta 34. Add Embedder to ToolChain. Include WinPmem (Memory Dumper) in Embedded Zip. Add TSK Fcat into (Raw NTFS Copy) into Embedded Zip

12/20/2020 - Beta 35. Fix &CNR Counter

12/27/2020 - Beta 36. Change Conditional Logic to only count a single occurrence of &FOR and &LST comparisons. This prevents the need for multiple END: statements. Multiple comparisons only get a single hit if ANY match is found. THIS IS IMPORTANT!! Wherever &FOR and &LST are used in CONDITIONAL LOGIC - A SINGLE HIT WILL BE TRUE. To Test for INDIVIDUAL cases use a specific check and NOT a Check Against a list (&LST, &FOR). Expand &FOR and &LST Support to more Actions. Add HSH: Will put the File hash in the &HSH Variable (Only supports a single File for now). Trim quotes for CKN: and CKY:

12/28/2020 - Beta 37 - Implement CopyPath= for Single File Copy

01/01/2021 - Beta 38 - Implement END:Reset to clear any Dangling ENDs. Use Judiciously.

02/14/2021 - Beta 39 - Implement native SFTP Upload

02/21/2021 - Beta 40(RC1) - Refactor code for efficiencies, Fix Command Line Variables. Improve Comparisons for Missing Parameters (EQU:, NEQ:, N==:, N<<:, N>>:). Set LastRC for SFS:, SFU:, S3S:, and S3U:. Upgrade Status to Release Candidate 1

02/27/2021 - Beta 41(RC1) - Set LastRC for /GET:, GET:, and /GXR:

03/02/2021 - Beta 42(RC1) - Check if a port is open on a remote machine - TCP:RemoteHost:Port or UDP:RemoteHost:Port. IMPORTANT NOTE: UDP is connectionless and unreliable - I have included this functionality, but it cannot be trusted. Use with Caution and Caveat.
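The caveat in the Beta 42 entry is worth seeing in code. Below is an added example in Go (not AChoirX's own implementation) of a TCP check and a UDP check in the spirit of TCP:RemoteHost:Port and UDP:RemoteHost:Port. The point it makes: for UDP, a successful dial proves nothing, because no packet is sent until you write, and even then only an application-level reply or an ICMP port-unreachable gives evidence. Function names, the one-byte probe payload, and the split between dialOK and gotReply are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// TCPOpen reports whether host:port accepted a TCP connection within
// timeout. A completed three-way handshake is positive evidence that
// something is listening.
func TCPOpen(host string, port int, timeout time.Duration) bool {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// UDPProbe is the UDP counterpart. dialOK is true whenever a socket could be
// set up, which for UDP happens without a single packet leaving the host, so
// it says nothing about the remote port. gotReply is true only if the remote
// side answered the one-byte probe within timeout. A closed port either
// times out or surfaces an ICMP port-unreachable as a read error, and a
// filtered port is indistinguishable from an open service that stays silent.
func UDPProbe(host string, port int, timeout time.Duration) (dialOK, gotReply bool) {
	c, err := net.DialTimeout("udp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err != nil {
		return false, false
	}
	defer c.Close()
	if err := c.SetDeadline(time.Now().Add(timeout)); err != nil {
		return true, false
	}
	if _, err := c.Write([]byte{0}); err != nil {
		return true, false
	}
	buf := make([]byte, 1)
	_, err = c.Read(buf)
	return true, err == nil
}

func main() {
	host := "127.0.0.1"
	fmt.Printf("TCP %s:22 open=%v\n", host, TCPOpen(host, 22, 2*time.Second))
	dialOK, reply := UDPProbe(host, 53, 2*time.Second)
	fmt.Printf("UDP %s:53 dialOK=%v reply=%v (dialOK alone proves nothing)\n", host, dialOK, reply)
}
```

Treat a UDP result as "got a reply" or "no evidence", never as "closed": a firewall that drops the probe and a listening service that ignores a zero byte look identical from the client.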

03/05/2021 - Beta 43(RC1) - Close Ini File at the end of processing. Add LogHndl.Sync() after SAY: to control/force Log file Flushing better. Improve Unzip messages.

03/18/2021 - Beta 50(RC1) - Convert to Go1.16 (REQUIRED TO COMPILE THIS VERSION). Convert from AChoirX custom embedder to native GoLang Embed. Convert from GOPATH to Module. Improve UnZip Routine.

03/19/2021 - Beta 51(RC1) - Implement Syslog RFC3164 Format

03/19/2021 - Beta 52(RC1) - Add Syslog Type (SET:SyslogT=) of UDP or TCP. Improve Syslog Message format
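As an added illustration of the Beta 51/52 entries (and of the "remove CRLFs" fix noted later under v10.00.98), here is a small Go example that formats an RFC 3164 record and sends it over UDP or TCP. It is not AChoirX's code; the facility/severity constants, the exact field layout, and the choice of a space as the CR/LF replacement are this example's assumptions. Stripping line breaks matters for more than tidiness: over newline-framed TCP a raw LF splits the record, so an attacker who controls part of a logged string (a file name, a user name) could inject forged entries into the collector.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// Syslog facility and severity values from RFC 3164 section 4.1.1.
const (
	FacilityLocal0 = 16
	SeverityInfo   = 6
)

// RFC3164Message renders one record as "<PRI>TIMESTAMP HOSTNAME TAG: MSG".
// PRI is facility*8+severity and TIMESTAMP is "Mmm dd hh:mm:ss" with a
// space-padded day. Any CR or LF inside msg is replaced by a single space
// so the message can never become more than one record.
func RFC3164Message(facility, severity int, ts time.Time, host, tag, msg string) string {
	clean := strings.NewReplacer("\r\n", " ", "\r", " ", "\n", " ").Replace(msg)
	pri := facility*8 + severity
	return fmt.Sprintf("<%d>%s %s %s: %s", pri, ts.Format("Jan _2 15:04:05"), host, tag, clean)
}

// SendSyslog delivers one formatted record over "udp" or "tcp". UDP sends a
// single datagram per record with no terminator; TCP appends "\n", the
// record delimiter most RFC 3164 style relays expect.
func SendSyslog(network, addr, record string, timeout time.Duration) error {
	switch network {
	case "udp", "tcp":
	default:
		return fmt.Errorf("unsupported syslog transport %q", network)
	}
	c, err := net.DialTimeout(network, addr, timeout)
	if err != nil {
		return err
	}
	defer c.Close()
	if err := c.SetWriteDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	if network == "tcp" {
		record += "\n"
	}
	_, err = c.Write([]byte(record))
	return err
}

func main() {
	host, _ := os.Hostname()
	// Constructed message containing an embedded CRLF to show the scrubbing.
	rec := RFC3164Message(FacilityLocal0, SeverityInfo, time.Now().UTC(), host,
		"AChoirX", "Collection started\r\n<134>forged line")
	fmt.Println(rec)
	if err := SendSyslog("udp", "127.0.0.1:514", rec, 2*time.Second); err != nil {
		fmt.Println("send failed:", err)
	}
}
```

Note that a UDP send to a host with no listener reports success, so a collector outage is invisible from the client side; if the log stream matters for the investigation, prefer TCP or confirm receipt on the server.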

03/24/2021 - Beta 53(RC1) - Improve Embedded Extraction Logic. Extract if AChoir.ACQ is not there. Allow other .ACQ files to be extracted and Run. Error Detection when Files Disappear during processing

05/01/2021 - Beta 54(RC2) - Add File and Directory Delete Functions. DEL: (Accepts WildCards) - Only Files in Subdirectories (Off of The AChoirX Root). CLN: - Only Subdirectories (Off of The AChoirX Root). This is to prevent accidental Deletion of files not related to the acquisition or toolkit
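The restriction in the Beta 54 entry (DEL: and CLN: only act below the AChoirX root) is a path-confinement check, and getting it right is harder than a string-prefix compare. The following added Go example, which is not AChoirX's own code, shows one safe way to do it: the target is resolved with filepath.Rel so "..", another drive, and a sibling directory whose name merely begins with the root's name are all rejected, only regular files are removed, and symlinks are never followed. The "strictly inside root" rule and the glob-based wildcard handling are this example's assumptions and may differ from AChoirX's exact semantics.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot marks a target that does not resolve inside the root.
var ErrOutsideRoot = errors.New("target resolves outside the AChoirX root")

// ResolveUnderRoot resolves target (absolute, or relative to root) and
// returns its cleaned absolute path only if it lies strictly inside root.
// filepath.Rel, not a prefix test, decides: "..", a different volume, and
// /opt/achoirx2 when root is /opt/achoirx are all rejected.
func ResolveUnderRoot(root, target string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absTarget := target
	if !filepath.IsAbs(absTarget) {
		absTarget = filepath.Join(absRoot, absTarget)
	}
	absTarget = filepath.Clean(absTarget)
	rel, err := filepath.Rel(absRoot, absTarget)
	if err != nil {
		return "", ErrOutsideRoot
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return absTarget, nil
}

// DeleteUnderRoot expands a wildcard pattern (relative patterns are taken
// from root) and removes only regular files that resolve inside root.
// Paths outside root, directories and symlinks are reported in skipped and
// left alone; because Lstat is used, a link planted in the toolkit directory
// cannot redirect the delete at evidence or at the host.
func DeleteUnderRoot(root, pattern string) (deleted, skipped []string, err error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, nil, err
	}
	if !filepath.IsAbs(pattern) {
		pattern = filepath.Join(absRoot, pattern)
	}
	matches, err := filepath.Glob(pattern)
	if err != nil {
		return nil, nil, err
	}
	for _, m := range matches {
		p, rerr := ResolveUnderRoot(absRoot, m)
		if rerr != nil {
			skipped = append(skipped, m+" ("+rerr.Error()+")")
			continue
		}
		fi, lerr := os.Lstat(p)
		if lerr != nil {
			skipped = append(skipped, m+" ("+lerr.Error()+")")
			continue
		}
		if !fi.Mode().IsRegular() {
			skipped = append(skipped, m+" (not a regular file)")
			continue
		}
		if derr := os.Remove(p); derr != nil {
			skipped = append(skipped, m+" ("+derr.Error()+")")
			continue
		}
		deleted = append(deleted, p)
	}
	return deleted, skipped, nil
}

func main() {
	root, _ := os.Getwd()
	deleted, skipped, err := DeleteUnderRoot(root, filepath.Join("Cache", "*.tmp"))
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Println("deleted:", deleted)
	fmt.Println("skipped:", skipped)
}
```

The skipped list is deliberately returned rather than silently dropped: on a compromised host, a delete that "did nothing" because a symlink was planted in the toolkit directory is itself an indicator worth logging.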

05/20/2021 - Beta 55(RC2) - Attempting to fix occasional Hang on Threads in the Wait Chain. The problem only happens on many small files. It may be related to deferring the Close. Added Counters to troubleshoot the issue. Make Console Message and Log Levels the same.

05/21/2021 - Beta 56(RC2) - Separate the Debugging Counters to Isolate Better. Add Debug command Line Option - /DBG:, , ,

05/28/2021 - Beta 57(RC2) - Add Context and Timeout to AWS S3 upload for Upload hangs. Add Rudimentary Zip Routine - Must Use &FOR and cannot add to Zip.

05/30/2021 - Beta 58(RC2) - Expand and Improve Zip Routine: Allow Multiple Additions, Change Output Zip File Naming routines, and Add WildCards.

08/15/2021 - Beta 59(RC2) - Small bug fix for determining current Disk Available (&DSA) if the Drive is not C: (Windows Only)

09/12/2021 - Beta 90(RC3) - Small bug fix for Delims. Add REX: Load Regular Expression Table. Add HST: Load Hash Table. Add Regular Expression Searching to CPS: (Copy by Signature). Add Hash Searching to CPS: (Copy by Signature)

09/19/2021 - Beta 91(RC3) - Add /B64: - Allows a Base64 Encoded string to create an Ini File - work like the PowerShell -enc Parameter

11/25/2021 - Beta 92(RC3) - Add Upload Retry Count (Default is 3)
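The Beta 57 entry (context and timeout on the S3 upload to cure hangs) and the Beta 92 entry (an upload retry count, default 3) describe one pattern: bound each attempt, retry a bounded number of times, and surface the last error. Here is an added Go example of that pattern; it is not AChoirX's code, and the uploader is a constructed stand-in rather than a real S3 or SFTP client. Any client that accepts a context.Context, as the AWS SDK for Go does, plugs into the UploadFunc signature assumed here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// UploadFunc performs one upload attempt and must return once ctx is done.
type UploadFunc func(ctx context.Context) error

// UploadWithRetry bounds every attempt with perTry and makes at most retries
// attempts, waiting backoff between them. A stalled transfer is abandoned
// when its deadline expires instead of blocking the collection, and the last
// error carries the attempt number so the log shows what happened. If the
// caller's own context ends, no further attempts are made.
func UploadWithRetry(parent context.Context, up UploadFunc, retries int, perTry, backoff time.Duration) error {
	if retries < 1 {
		retries = 1
	}
	var last error
	for attempt := 1; attempt <= retries; attempt++ {
		ctx, cancel := context.WithTimeout(parent, perTry)
		err := up(ctx)
		cancel()
		if err == nil {
			return nil
		}
		last = fmt.Errorf("upload attempt %d/%d: %w", attempt, retries, err)
		if parent.Err() != nil {
			return last
		}
		if attempt < retries {
			select {
			case <-parent.Done():
				return last
			case <-time.After(backoff):
			}
		}
	}
	return last
}

// flakyUploader is a constructed stand-in that fails the first n attempts.
func flakyUploader(failures int) UploadFunc {
	calls := 0
	return func(ctx context.Context) error {
		calls++
		if calls <= failures {
			return errors.New("connection reset")
		}
		return nil
	}
}

// hungUploader never finishes on its own, like a socket that stops
// receiving ACKs; only the per-attempt deadline gets it to return.
func hungUploader(ctx context.Context) error {
	<-ctx.Done()
	return ctx.Err()
}

func main() {
	err := UploadWithRetry(context.Background(), flakyUploader(2), 3, 5*time.Second, 100*time.Millisecond)
	fmt.Println("flaky uploader:", err)
	err = UploadWithRetry(context.Background(), hungUploader, 3, 200*time.Millisecond, 0)
	fmt.Println("hung uploader:", err)
}
```

Keep perTry proportional to the object size and link speed; a deadline short enough to cut off a healthy multi-gigabyte transfer turns the retry loop into three wasted uploads.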

12/27/2021 - Beta 93(RC3) - Escape percent signs

05/15/2022 - Beta 94(RC3) - Add Echo command

09/22/2022 - Beta 95(RC3) - Add CPU Limit Throttling

10/21/2022 - AChoirX v10.00.96 - Improve CPU Limit Throttling

10/24/2022 - AChoirX v10.00.97 - Add Native Registry Extraction

02/12/2023 - AChoirX v10.00.98 - Check for Collisions - Multiple collections at the same time, Improve Syslog (remove CRLFs)

03/10/2023 - AChoirX v10.00.99 - Minor improvement to CPS: (it ignores case now)

AChoirX v10.01.00 - Release 1.0, Add /Nam: to Specify Directory Name

04/02/2023 - AChoirX v10.01.01 - Release 1.01. Add FLT: = Filter &LST and &FOR based on a Filter File, Add SET:Filter= to control how the filter functions, None = Remove the Filter, Incl or Excl = Filter is used to Include or Exclude entries, Full or Part = Filter is full or partial match, (Example: SET:Filter=Incl,Part = Filter data that has Partial Matches)

04/15/2023 - AChoirX v10.01.02 - Release 1.02. Fix Zip Bug when no directory is specified

04/16/2023 - AChoirX v10.01.03 - Release 1.03. More improvements in Zip - Fix Subdirectory Indexing

06/18/2023 - AChoirX v10.01.10 - Release 1.10. Add remote Multi-Handler (Server & Client Modes)

06/24/2023 - AChoirX v10.01.11 - Release 1.11. Improvements in remote Multi-Handler

06/30/2023 - AChoirX v10.01.12 - Release 1.12. Change Behavior: If Console or CLI was invoked. Drop back into Interactive Mode after INI: Processing

07/02/2023 - AChoirX v10.01.13 - Release 1.13. Get input from Stdin or TCP Server

07/04/2023 - AChoirX v10.01.14 - Release 1.14. Con:Last - Display last 10 Console Messages

07/06/2023 - AChoirX v10.01.15 - Release 1.15. Improvements in Con:Last

07/08/2023 - AChoirX v10.01.16 - Release 1.16. Default CLI Console output Redirect to TCP

07/15/2023 - AChoirX v10.01.17 - Release 1.17. SFTP improvements (cross platform). Add /XTR and XTR: - extracts the embedded toolkit

07/23/2023 - AChoirX v10.01.18 - Release 1.18. Cosmetic changes, Improvements in the embedded Default Scripts

12/23/2023 - AChoirX v10.01.19 - Release 1.19. Change behavior of --exestdout and --exestderr to Append Mode, Linux collection script improvements

12/24/2023 - AChoirX v10.01.20 - Release 1.20. Improve SRV/CLI display if there are errors

01/01/2024 - AChoirX v10.01.20a - Release 1.20a. Standardize Win, Lin, and OSX default embedded scripts across all executables.

01/01/2024 - AChoirX v10.01.20b - Release 1.20b. Update all upload scripts to support OSX.

01/07/2024 - AChoirX v10.01.20c - Release 1.20c. Add MacOS Support for ARM 64.

02/03/2024 - AChoirX v10.01.21 - Release 1.21. Occasionally the TCP STDOut file is not deleted (Add clear file to compensate)

03/18/2024 - AChoirX v10.01.21a - Release 1.21a. Include Beta Android Version. For more info: http://www.musectech.com/2024/03/achoirx-and-android-another-rabbit-hole.html

04/06/2024 - AChoirX v10.01.22 - Release 1.22 Don't allow Files to be zipped into themselves

04/20/2024 - AChoirX v10.01.23 - Release 1.23 Improvements in Registry Key Extraction

04/22/2024 - AChoirX v10.01.24 - Release 1.24 Fix CopyPath=Full Bug

05/19/2024 - AChoirX v10.01.50 - Release 1.50 No code changes per se. Refactoring of the litany of Scripts - Consolidating wherever it makes sense.

06/03/2024 - AChoirX v10.01.51 - Release 1.51 Change behavior of &LST when it is used with FOR: (i.e. to do FOR: on a list of directories). When in Looping mode, Append &FOR file names into ForFiles instead of overwriting them

06/20/2024 - AChoirX v10.01.52 - Release 1.52 - Change behavior of &LST and &FOR on parsing error - &LST and &FOR will work even on parse error. Add Set:ParseQuote=Strict or Lazy

06/20/2024 - AChoirX v10.01.53 - Release 1.53 - Change REG: output file name to replace any invalid chars with "-"

06/20/2024 - AChoirX v10.01.54 - Release 1.54 - Add LST: and FOR: Counters

08/17/2024 - AChoirX v10.01.55 - Release 1.55 - Add INC: (Include an INI - Allowing Nested INI Files)

09/03/2024 - AChoirX v10.01.56 - Release 1.56 - Add OPTIONAL output file name to REG: to allow all extractions to go to the same CSV - Close Registry Key Properly so it can be unloaded

09/29/2024 - AChoirX v10.01.57 - Release 1.57 - Add NCP: NTFS Raw Copy - Only implemented in Windows - Not Applicable to Linux, MacOS, or Android - Most of the code for this was copied from: https://github.com/kmahyyg/go-rawcopy

10/11/2024 - AChoirX v10.01.58 - Release 1.58 - Change Time Display to UTC. Fix edge case when Regexp expands "$" like with $MFT or $Logfile, etc...

11/10/2024 - AChoirX v10.01.58a - Release 1.58a - Componentize, Combine, and Consolidate Scripts

11/30/2024 - AChoirX v10.01.59 - Release 1.59 - Change XIT: to run non-Blocked (EXA:) - This change in behavior is designed to allow AChCleanr to run after AChoirX exits. Add &MyE - For This Program's Executable name. Add experimental AChCleanr - Which dissolves most of AChoirX after it runs. The forensic collection data will remain, but most other components will be erased. This is to prevent a Bad Actor from using AChoirX left behind on the drive as a LOLBin.