AChoir version 1.0 (AChoir.exe, AChoir64.exe, A-AChoir.exe, A-AChoir64.exe)
11 views
Skip to first unread message
OmenScan
Jul 1, 2017, 9:52:27 PM7/1/17
to Forensic Utilities Artifacts
Hashes:
AChoir.exe MD5 - 1e6dfa17fbf1fbda7b2f966506fdf208
AChoir.exe Sha1 - cef961cba256ee75e2423feee994bca52ab64f11
AChoir64.exe MD5 - a29facf2775fc37957127320d396284d
AChoir64.exe Sha1 - 9729653fd72a56092e0da7c39b766c166e80171e
A-AChoir.exe MD5 - 4e4dd59cf3a6890271be0164db09edb3
A-AChoir.exe Sha1 - 93ad3790cc2e355a714f1ccd27f87f131a42b8ca
A-AChoir64.exe MD5 - 41f57736eb5e06342047ec29f728e170
A-AChoir64.exe Sha1 - a94d16e47347819e7bca62987f74c16e87bf108b
AChoir.exe MD5 - 1e6dfa17fbf1fbda7b2f966506fdf208
AChoir.exe Sha1 - cef961cba256ee75e2423feee994bca52ab64f11
AChoir64.exe MD5 - a29facf2775fc37957127320d396284d
AChoir64.exe Sha1 - 9729653fd72a56092e0da7c39b766c166e80171e
A-AChoir.exe MD5 - 4e4dd59cf3a6890271be0164db09edb3
A-AChoir.exe Sha1 - 93ad3790cc2e355a714f1ccd27f87f131a42b8ca
A-AChoir64.exe MD5 - 41f57736eb5e06342047ec29f728e170
A-AChoir64.exe Sha1 - a94d16e47347819e7bca62987f74c16e87bf108b
OmenScan
Jul 1, 2017, 10:08:22 PM7/1/17
to Forensic Utilities Artifacts
File Artifacts:
Depending on the Action, AChoir may create file artifacts in acquisition directory. If AChoir is run from an attached USB drive, these artifacts should not affect non-repudiation (ie. they will not modify the System Drive)
1. Logfile (ACQ-IR-<name>-<date>-<time>.txt
AChoir will create a logfile for each acquisition in the /Logs directory. The log contains both the actions taken by AChoir and additional information such as the hash of each program that is run.
2. DirHash.txt
Created by: HSH:DIR
When requested in the AChoir Script (HSH:DIR), Achoir will hash all files starting at the directory AChoir is run from (AChoir's root directory) and store the MD5 hashes in this file.
3. ACQHash.txt
Created By: HSH:ACQ
When requested in the AChoir Script (HSH:ACQ), Achoir will hash all acquired artifacts and store the MD5 hashes in this file.
4. Index.htm
Achoir will generate an Index.htm file for every acquisition. This file can be opened with your favorite web browser to browse and open the acquired artifacts.
5. x-MFT.db
Created by: NCS and NCP
Achoir will generate an SQLite database when using NCP: Raw Copy. This database is a subset of the $MFT for that volume - used to make searching for wildcards faster.
6. ForFiles
Created by: FOR:
Achoir will create a temporary file in the Acquisition Cache Directory called "ForFiles" every time the FOR: Action is used. ForFiles contains the results and is used when the &FOR Looping object (variable) is used.
7. ForDisks
Created By: DSK:
Achoir will create a temporary file in the Acquisition Cache Directory called "ForDisks" every time the DSK: Action is used. ForDisks contains the results and is used when the &DSK Looping object (variable) is used.
Depending on the Action, AChoir may create file artifacts in acquisition directory. If AChoir is run from an attached USB drive, these artifacts should not affect non-repudiation (ie. they will not modify the System Drive)
1. Logfile (ACQ-IR-<name>-<date>-<time>.txt
AChoir will create a logfile for each acquisition in the /Logs directory. The log contains both the actions taken by AChoir and additional information such as the hash of each program that is run.
2. DirHash.txt
Created by: HSH:DIR
When requested in the AChoir Script (HSH:DIR), Achoir will hash all files starting at the directory AChoir is run from (AChoir's root directory) and store the MD5 hashes in this file.
3. ACQHash.txt
Created By: HSH:ACQ
When requested in the AChoir Script (HSH:ACQ), Achoir will hash all acquired artifacts and store the MD5 hashes in this file.
4. Index.htm
Achoir will generate an Index.htm file for every acquisition. This file can be opened with your favorite web browser to browse and open the acquired artifacts.
5. x-MFT.db
Created by: NCS and NCP
Achoir will generate an SQLite database when using NCP: Raw Copy. This database is a subset of the $MFT for that volume - used to make searching for wildcards faster.
6. ForFiles
Created by: FOR:
Achoir will create a temporary file in the Acquisition Cache Directory called "ForFiles" every time the FOR: Action is used. ForFiles contains the results and is used when the &FOR Looping object (variable) is used.
7. ForDisks
Created By: DSK:
Achoir will create a temporary file in the Acquisition Cache Directory called "ForDisks" every time the DSK: Action is used. ForDisks contains the results and is used when the &DSK Looping object (variable) is used.
Reply all
Reply to author
Forward
0 new messages