Create your own PC forensics toolkit for free

By on
Create your own PC forensics toolkit for free

Need to know what someone’s been doing on a PC? AChoir automates the process of running forensics utilities.

Are you a computer technician or even the unofficial tech support person in your office? You'll know that getting to the bottom of what's been done on a Windows system can be a challenge. 

Running some of NirSoft’s forensic freeware on a USB key could help you collect enough data to figure out what's been going on. For example, NirSoft’s LastActivityView lists recent computer actions, OpenSaveFilesView reports on recently opened and saved files, ExecutedProgramsList details the programs they’ve launched, WifiHistoryView shows recent network connections, and the list goes on.

The problem? Each of these tools covers one area only. To collect a full set of data you must manually launch each one in turn, set it up, then save and combine your reports– not exactly convenient.

AChoir is an open-source scriptable framework which can download the tools you need, run them in an organised way, extract raw data from the target system and produce detailed HTML reports, all fully automated.

It’s certainly not for beginners, but it's fairly straightforward and a real time-saver if you're an IT technician or an advanced Windows user. The package comes with sensibly-chosen, ready-to-use scripts, so you can try it right away.

Unzip the download and run AChoir-inst.exe to build the toolkit, and save it to your chosen file (this could be a USB key for easy use anywhere).

AChoir makes use of tools from NirSoft, Sysinternals and other developers, but they’re not bundled with the package. Instead the installer downloads them as required, ensuring you’ll always get the latest edition.

Once you’re ready, running AChoir.exe or AChoir64.exe in the installation folder launches the default script, collecting basic system and hardware information, installed applications, drivers, user groups and accounts, network adapters, running processes (copies of the executables, not just the names), currently open network connections, browsing history, and raw data including dumps of RAM, NTFS data, event logs, Registry hives and more.

HTML reports, raw data files and other information are saved to a subfolder as the scan progresses, and can be reviewed or analysed later.

Still, the default script does collect a lot of data, and it’s relatively easy to customise and tweak (if you're familiar with scripting).

AChoir is an open source application for Windows 7 and later.

This article originally appeared at

Copyright Software Crew

Most Read Articles


What would you like to see more of on BiT?
How To's
Photo Galleries
View poll archive

Log In

  |  Forgot your password?