KAPE

KAPE is Kroll Artifact Parser and Extractor.

KAPE is used to collect forensic artifacts from a live system or mounted image (via Targets) and to process them with external tools (via Modules); what is collected and what is run against it is chosen through the target and module options.

KAPE working logic

A Target specifies what is collected, for instance a registry hive, a binary, application logs or a browser cache. Targets only copy files (preserving paths and timestamps); they do not parse anything. The collected data can be written to a local directory, packaged into a zip or VHD/VHDX container, or sent to a network share (UNC path) or an SFTP server.

KAPE "Targets" directory
Command to list the Targets available in KAPE

Modules run other programs (for example Eric Zimmerman's tools) against either the data collected by Targets or any other directory given as the module source, and write the parsed output in a chosen format such as csv or html.

Evidence Collection

  1. Acquire all the registry hives and store them in C:\temp\RegistryOnly.

kape.exe --tsource C: --target RegistryHives --tdest "C:\temp\RegistryOnly"

RegistryHives is a compound target (it lives under Targets\Compound). A compound target references other targets rather than collecting anything itself, so one name pulls in both the system hives (SYSTEM, SOFTWARE, SAM, SECURITY) and the per-user hives (NTUSER.DAT, UsrClass.dat).

2. When malware executes it leaves evidence of execution (Prefetch, Amcache and similar artifacts). Use KAPE to acquire all evidence of execution from the victim's system and store it in a VHDX file named CASE2.

kape.exe --tsource C: --target EvidenceOfExecution --vss --vhdx CASE2 --tflush --tdest "c:\temp"

--tsource -> the drive being collected from
--target -> the target(s) to run; here the EvidenceOfExecution compound target
--vss -> also process Volume Shadow Copies, which hold earlier versions of artifacts that have since been deleted or overwritten on the live volume
--vhdx -> package the output into a VHDX container with the given base name (the container is written under --tdest)
--tflush -> delete the previous contents of --tdest first, so only this run's files end up in the output

3. Acquire the file system evidence together with the event logs in one acquisition, and store the evidence in a VHDX file named CASE3 (multiple Targets).

kape.exe --tsource C: --target FileSystem,EventLogs --vss --vhdx CASE3 --tflush --tdest "c:\temp\CASE3"

Multiple targets are given as a comma-separated list with no spaces. The container name and destination must match the case name asked for (CASE3); using a different name here is an easy mistake when reusing a previous command line.

4. Acquire all evidence from the system, i.e. run every Target.

In prior versions the target "!ALL" allowed this; here I used the GUI and selected all in the Target selection.

DIY

1. Collect all cloud storage client artifacts from C: and save the output to C:\Evidence\DIY1.

.\kape.exe --tsource C: --tdest C:\Evidence\DIY1 --tflush --target CloudStorage_All --gui

2. Collect Evidence of Execution from a system, save the output as a zip file under Z:\Evidence\DIY2, and make sure the computer name is used as the name of the zip.

.\kape.exe --tsource C: --tdest C:\Evidence\DIY2 --tflush --target EvidenceOfExecution --zip %m --gui

--zip %m -> package the output as a zip; the %m variable expands to the machine name, so the archive is named after the computer it was collected from.

3. Collect all the Windows browser evidence from C: and from all Volume Shadow Copies, and store it under Z:\Evidence\DIY3. This time store the collected evidence on a network destination. Note: for this example you need to use a UNC path.

.\kape.exe --tsource C: --tdest \\192.168.233.131\z\Evidence\DIY3 --tflush --target WebBrowsers --vss --zip %m --gui

A UNC path starts with two backslashes (\\host\share\...); a single leading backslash is a local root-relative path and will not reach the remote share. Because --tflush deletes the existing contents of --tdest, double-check the share path before running.

4. Collect all Prefetch files from the C: drive and save the output under Z:\Evidence\DIY5.

.\kape.exe --tsource C: --tdest C:\Evidence\DIY5 --tflush --target Prefetch --gui

5. Run a module to process the results from task 4. The module source is the directory written by the target run, and PECmd walks it recursively, so the preserved path structure under DIY5 is handled:

.\kape.exe --msource C:\Evidence\DIY5 --mdest C:\Evidence\DIY5_Module --mflush --module PECmd --mef html --gui

--msource -> directory to process (here the target output from task 4)
--mdest -> where the parsed output goes
--mflush -> clear --mdest first
--module -> the module(s) to run; PECmd parses Prefetch files
--mef -> module export format (csv is the default; html is used here)
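The two phases above (Evidence Collection cases 2 and 3, and DIY steps 2 to 5) are usually scripted rather than typed by hand so that the same flags, pre-flight checks and output hashing happen every time. The PowerShell wrapper below is an added example and is not code from the original notes or from KAPE; the only KAPE flags it uses are the ones shown on this page (--tsource, --tdest, --target, --tflush, --vss, --vhdx, --zip, --msource, --mdest, --mflush, --module, --mef). The install path C:\Tools\KAPE, the case paths, the manifest file name and the function names are this script's own assumptions.

```powershell
# Added example, not part of the original notes or of KAPE itself.
# Wraps a KAPE Target collection and a Module run with the checks a handler wants:
# elevation, target/module definitions present, a sane --tflush destination,
# exit-code check, and a SHA-256 manifest of everything written to the destination.
$ErrorActionPreference = 'Stop'
$KapeRoot = 'C:\Tools\KAPE'                 # assumed install location (kape.exe, Targets\, Modules\)
$Kape     = Join-Path $KapeRoot 'kape.exe'

function Assert-Elevated {
    # Locked hives, $MFT and VSS need admin; fail early rather than collect a partial image.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell session.'
    }
}

function Test-KapeDefinition([ValidateSet('Targets','Modules')][string]$Kind, [string]$Name) {
    # Target definitions are .tkape files under Targets\, modules are .mkape under Modules\.
    $ext = if ($Kind -eq 'Targets') { '.tkape' } else { '.mkape' }
    $hit = Get-ChildItem -Path (Join-Path $KapeRoot $Kind) -Recurse -Filter "$Name$ext" -ErrorAction SilentlyContinue
    return [bool]$hit
}

function Assert-SafeFlushDestination([string]$Dest, [string]$Source) {
    # --tflush / --mflush delete the destination's contents: refuse drive roots and the source volume.
    $full = [IO.Path]::GetFullPath($Dest)
    $root = [IO.Path]::GetPathRoot($full)
    if ($full.TrimEnd('\') -eq $root.TrimEnd('\')) { throw "Refusing to flush a drive root: $full" }
    if ($full.TrimEnd('\') -eq $Source.TrimEnd('\')) { throw "Destination equals source: $full" }
}

function Invoke-KapeTargets {
    param([string]$Source, [string]$Dest, [string[]]$Targets, [switch]$Vss, [string]$Vhdx, [string]$Zip)
    foreach ($t in $Targets) { if (-not (Test-KapeDefinition Targets $t)) { throw "Unknown target: $t" } }
    Assert-SafeFlushDestination $Dest $Source
    $args = @('--tsource', $Source, '--tdest', $Dest, '--tflush', '--target', ($Targets -join ','))
    if ($Vss)  { $args += '--vss' }
    if ($Vhdx) { $args += @('--vhdx', $Vhdx) }   # container base name, e.g. CASE2
    if ($Zip)  { $args += @('--zip', $Zip) }     # e.g. '%m' = machine name
    & $Kape @args
    if ($LASTEXITCODE -ne 0) { throw "KAPE target phase failed, exit code $LASTEXITCODE" }
}

function Invoke-KapeModules {
    param([string]$MSource, [string]$MDest, [string[]]$Modules, [string]$Format = 'csv')
    foreach ($m in $Modules) { if (-not (Test-KapeDefinition Modules $m)) { throw "Unknown module: $m" } }
    Assert-SafeFlushDestination $MDest $MSource
    & $Kape --msource $MSource --mdest $MDest --mflush --module ($Modules -join ',') --mef $Format
    if ($LASTEXITCODE -ne 0) { throw "KAPE module phase failed, exit code $LASTEXITCODE" }
}

function Write-EvidenceManifest([string]$Dest) {
    # Script's own manifest (not a KAPE file): SHA-256 of every file in the destination,
    # including any VHDX/zip container and KAPE's own logs, for chain-of-custody notes.
    $manifest = Join-Path $Dest 'manifest.sha256.csv'
    Get-ChildItem -Path $Dest -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path $manifest -NoTypeInformation
    return $manifest
}

Assert-Elevated

# Case 2 from the notes: evidence of execution plus VSS into a VHDX named CASE2.
Invoke-KapeTargets -Source 'C:' -Dest 'C:\Evidence\CASE2' -Targets 'EvidenceOfExecution' -Vss -Vhdx 'CASE2'
Write-EvidenceManifest 'C:\Evidence\CASE2'

# DIY 4 and 5 from the notes: loose Prefetch collection, then PECmd over that directory.
# A container (VHDX/zip) is not a directory tree; to run modules on one, mount or extract it first
# and pass the mounted root as -MSource.
Invoke-KapeTargets -Source 'C:' -Dest 'C:\Evidence\DIY5' -Targets 'Prefetch'
Invoke-KapeModules -MSource 'C:\Evidence\DIY5' -MDest 'C:\Evidence\DIY5_Module' -Modules 'PECmd' -Format 'html'
Write-EvidenceManifest 'C:\Evidence\DIY5_Module'
```

The flush guard matters in practice: a mistyped --tdest such as a share root or the source drive, combined with --tflush, destroys data before anything is collected. Hashing the destination after the run, rather than only the container, also covers KAPE's own console and copy logs, which are what you will be asked to produce alongside the evidence.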
