- Created by Eric Zimmerman
- 1) Collects files (aka Target Collection) and 2) processes collected files (aka Module Execution) with modular input from community
- Can sync with Github community
- Uses targets (--tsource, --tdest) and modules (--target); both are written in YAML
- Does this in 15 minutes or less.
- Adds file masks (per module) to a queue.
- 1) Finds and copies files from a source location
- Will then build a list of files
- If a file is locked/protected/in-use, KAPE will come back to it on a second run. These are added to a secondary queue.
- 2) The output from the programs is then saved in directories named after a category (ex: EvidenceOfExecution (includes prefetch, shimcache, userassist, etc.), BrowserHistory)
- During the secondary queue execution, KAPE uses raw disk reads to bypass the locks (enter memory forensics).
- Metadata is collected into log files as well
- Any target or module in the !Disabled directory will not be available in (G)KAPE
- Targets are collections of file and directory specifications

- After the list of files is built, targets are run
- Targets have a .tkape extension (see more below)
- Can target anything, including files collected via target capabilities (since targets run first)
- Can even run the output of live executables; Ex: Dump netstat.exe to file
- Modules have a .mkape extension (see more below)
- Create new ones so that each targets specific artifacts that can be grouped together
- Category field is super important
- FileMask field will match extensions only
- Can also compound Targets by simply setting their Path field to another, more "fine-grained" target
- A module's job is to run programs against files, often generating output in the form of CSV or text that can then be reviewed by an examiner.
- NOTE: Modules can only run ONE command; as such, you need a module for every executable you want to run against collected data.
- The FileMask field here is useful for targeting specific files, like $MFT.
- Must include a Processor field; at least one, but can have more
- If there are more, each one is a slight variation of the command; e.g. different export formats, recurse 3 or 4 times, etc.
- Can either be an Executable or a CommandLine
- Executable: Required. Only the name of the executable (with extension) is needed, NOT its path
- The chosen executable should be placed in [KAPE directory]\Modules\bin
- Symbolic links can be used, but they have to be created with the /h switch
- CommandLine: Required. Do NOT try to use redirection.
- ExportFormat: Required. Ex: ExportFormat: csv
- ExportFile: Optional. Ex: ExportFile: devices.txt
- Append: Optional. For example, this is useful for processing several ntuser.dat hives and getting all the output in a single file, vs one file per ntuser.dat hive.
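As an added illustration of the target and module fields described above (an example written for these notes, not a file shipped with KAPE), here is a minimal .tkape that collects prefetch files under the EvidenceOfExecution category and a matching .mkape that runs a single executable against the collected copy. The Id values are placeholders, PECmd.exe is assumed to sit in [KAPE directory]\Modules\bin, and %sourceDirectory% / %destinationDirectory% are KAPE's variables for the collected-files folder and the module output folder.

```yaml
# Prefetch.tkape  (added example, not a file shipped with KAPE)
# Id values below are placeholders; each real file needs its own GUID.
Description: Prefetch files
Author: example
Version: 1.0
Id: 00000000-0000-0000-0000-000000000001
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: EvidenceOfExecution      # names the output directory
        Path: C:\Windows\Prefetch\
        FileMask: '*.pf'                   # FileMask matches on the extension
        Comment: "Copied first; modules run against the copy afterwards"
---
# PECmd.mkape  (added example)
# One executable per module; a second Processor entry would only vary the command.
Description: 'PECmd: parse collected prefetch files'
Category: EvidenceOfExecution
Author: example
Version: 1.0
Id: 00000000-0000-0000-0000-000000000002
ExportFormat: csv
Processors:
    -
        Executable: PECmd.exe          # name only, no path; resolved from Modules\bin
        CommandLine: -d %sourceDirectory% --csv %destinationDirectory%   # no redirection
        ExportFormat: csv
```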
- Metrics related to KAPE activity are displayed in the title bar of the console window.
- Long file names are supported. However, when using containers they can only handle 255 characters.
- Update KAPE's targets and modules with kape --sync
- Update KAPE itself with the Get-KAPEUpdate.ps1 script
- Can automate with Batch Mode
- Can be done over SFTP
- Can change "All at once" processing to Linear via the --ul switch.
- Other Tips & Tricks
- Use environment variables in KAPE: echo "--mdest c:\temp\out%COMPUTERNAME%"
- KAPE should best be run as SYSTEM.
- KAPE supports a proxy

