KAPE (Kroll Artifact Parser and Extractor) collects forensic artifacts from a live system or mounted image and optionally processes them in the same run. Everything it does is driven by two kinds of configuration: Targets (what to collect) and Modules (what to run against the collected data).
KAPE working logic
A Target specifies what our forensic collection should grab: for instance a registry hive, a binary, application logs or a browser cache file. Collected data can be written to a local directory, packed into a zip/VHD/VHDX container, or sent to a remote handler (KAPE supports SFTP and cloud storage destinations).
KAPE "Targets" directory
Command to list the Targets available in KAPE (kape.exe --tlist; --mlist does the same for Modules)
Modules let KAPE run external programs (parsers such as the Eric Zimmerman tools, converters, etc.) against the data gathered by Targets, or against any other source you point them at, so collection and processing can happen in a single pass.
Evidence Collection
1. Acquire all the registry files and store them in the path C:\temp\RegistryOnly.
kape.exe --tsource C: --target RegistryHives --tdest "c:\temp\RegistryOnly"
Targets\Compound holds compound targets. A compound target lists no files itself; it references other .tkape targets, so a single name such as RegistryHives pulls in every individual registry-hive target in one run.
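The shape of such a compound target, as an added example that is not a file from this page or from the KapeFiles repository. The target names, file name and the Id value are illustrative assumptions; a real target uses a freshly generated GUID for Id, and the referenced .tkape files must exist under Targets\ for KAPE to resolve them.

```yaml
# Added example: Targets\Compound\MyRegistry.tkape (hypothetical file name)
# A compound target references other targets by their .tkape file name
# instead of listing file paths and masks itself.
Description: Collect system and user registry hives in one pass
Author: Example author (hypothetical)
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000   # placeholder; generate a real GUID
RecreateDirectories: true
Targets:
    -
        Name: RegistryHivesSystem
        Category: Registry
        Path: RegistryHivesSystem.tkape   # existing target, resolved by KAPE
    -
        Name: RegistryHivesUser
        Category: Registry
        Path: RegistryHivesUser.tkape     # existing target, resolved by KAPE
```

Because the file only names other targets, the same compound is reusable across cases: pass it with --target exactly like a built-in one, and check it shows up in --tlist before relying on it.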
2. When malware is executed it leaves various execution evidence behind. Use KAPE to acquire all evidence of execution from the victim's system and store it in a VHDX file named CASE2.
kape.exe --tsource C: --target EvidenceOfExecution --vss --vhdx CASE2 --tflush --tdest "c:\temp"
--tsource -> the drive being acquired
--target -> the Target to run; EvidenceOfExecution is a compound target for program-execution artifacts (Prefetch, Amcache and similar)
--vss -> also mount and search every available Volume Shadow Copy on the source, so earlier versions of files (including ones the malware later modified or deleted) are collected
--vhdx -> pack the collected files into a VHDX file; CASE2 is the base name, KAPE prepends a timestamp
--tflush -> delete the previous contents of tdest before collecting so that only this run's files end up in the output (it wipes everything under tdest, so point tdest at a dedicated directory)
3. Acquire file system evidence together with the event logs in a single acquisition and store the result in a VHDX file named CASE3 (multiple Targets in one run).
DIY exercises:
2. Collect Evidence of Execution from a system, save the output as a zip file under Z:\Evidence\DIY2, and make sure the computer name is used as the zip file's name.
3. Collect all Windows browser evidence from C: and from all of its volume shadow copies and store it under Z:\Evidence\DIY3. This time write the collected evidence directly to a network destination. Note: for this example you will need a UNC path.
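The command lines for case 3 and the two DIY exercises above, as an added example that is not part of the original notes. The output directories and the share \\FORENSICS\Evidence are assumptions; confirm the target names (FileSystem, EventLogs, EvidenceOfExecution, WebBrowsers) against --tlist on your own KAPE build, and run from an elevated prompt in the KAPE directory so the tool can read locked system files and mount shadow copies.

```powershell
# Added example (not from the page). Paths and the \\FORENSICS\Evidence share are assumptions.

# Check which targets/modules this KAPE build ships before choosing one
.\kape.exe --tlist
.\kape.exe --mlist

# Case 3: two targets in one run (comma separated, no spaces) packed into a VHDX
# named CASE3; KAPE prepends a timestamp to the base name.
.\kape.exe --tsource C: --target FileSystem,EventLogs --tdest "C:\temp\CASE3" --tflush --vhdx CASE3

# DIY 2: evidence of execution zipped into Z:\Evidence\DIY2; %m expands to the machine name
.\kape.exe --tsource C: --target EvidenceOfExecution --tdest "Z:\Evidence\DIY2" --zip %m

# DIY 3: browser artifacts from C: and all of its shadow copies, written straight to a UNC path
.\kape.exe --tsource C: --target WebBrowsers --vss --tdest "\\FORENSICS\Evidence\DIY3"
```

After each run, check the timestamped ConsoleLog, CopyLog and SkipLog files KAPE leaves in tdest: the CopyLog lists every file that was collected with its hash, and the SkipLog tells you which expected artifacts were not found, which is the fastest way to spot a target that did not match anything on the source.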