Wed, Feb 2, 2022

KAPE Quarterly Update - Q4 2021

KAPE had a number of key updates during the final quarter of 2021. Here is a recap of all the important enhancements and news from October through December 2021:

Key Q4 2021 KAPE Updates
  • Continue update of KAPE and EZ Tools binaries with KAPE-EZToolsAncillaryUpdater.ps1
  • KAPE Module reorganization
  • Nominate KAPE in the Forensic 4:cast Awards
  • Version Changelog 1.1.0.1
  • Fix issue with SFTP verification when using --scd and the directory already existed
  • Update Targets and Modules
  • nuget and control updates
  • Version Changelog 1.1.0.0
  • Fix Editor and Save As in gkape
  • nuget/control updates
  • Tweak how KAPE is accessing files in the root of VSCs
  • Change sync to accept a GitHub repo (optional) to pull Targets and Modules from. Without specifying a URL, the official repo is used. The URL is expected to have the same format as the official repo should an alternate URL be used.
  • Sync will also include .template and .guide files in the Targets and Modules directory
  • Fix issue with Disable flush warnings related to mdest existing
  • When transferring files, add timestamp to end of directory in format yyyyMMddHHmmss. Example: KAPE_data_push{comment}_yyyyMMddHHmmss, where comment is optionally supplied
  • When using Azure SAS, add details to the test file being uploaded (timestamp, computer name, OS info, comment) vs. simply “test upload” for the contents
  • Added --scd switch to specify the default path to upload files to. If the directory does not exist, it will be created. Do NOT use leading slash! Example: --scd foo/bar/wizzo
  • Update included Targets/Modules and Module binaries

See end of the article for additional updates.

Continue Update of KAPE and EZ Tools Binaries with KAPE-EZToolsAncillaryUpdater.ps1

Kroll’s Andrew Rathbun created a PowerShell script to automate the updating of the KAPE binary and EZ Tools binaries found in .\KAPE\Modules\bin, and he created the ancillary files those tools rely on to generate output. KAPE utilizes Targets (.tkape) and Modules (.mkape), RECmd utilizes Batch (.reb) files, and SQLECmd (.smap) and EvtxECmd (.map) utilize Maps. Each of these files is stored in separate repos on GitHub. Keeping all these components of your KAPE instance updated is now made easier using Andrew’s PowerShell script, KAPE-EZToolsAncillaryUpdater.ps1.

The KAPE Target/Compound Target Guide and Template files were created earlier in 2021. Recently, we added a KAPE Module/Compound Module Guide and Template for the community’s benefit. With guides for both Targets and Modules in place, anyone can follow and create their own Targets and Modules either for internal purposes or to contribute to the public KapeFiles repository.

KAPE Module Reorganization

In late 2020, the Targets were reorganized and standardized, including but not limited to, file-naming conventions, content structure of .tkape files and reorganization of the files and folders within the Targets folder. Modules received this same treatment in November 2021. Modules were renamed to a standardized format similar to how SQLECmd Maps are named. Following is the template and a few examples:

  • Template
  • .\KAPE\Modules\Apps\ToolName_Description.mkape
  • Examples
  • .\KAPE\Modules\Apps\NirSoft\BrowsingHistoryView_BrowsingHistory.mkape
  • .\KAPE\Modules\Apps\GitHub\Volatility\Volatility_pslist.mkape
  • .\KAPE\Modules\EZTools\RECmd\RECmd_Kroll.mkape

The Apps folder in Modules had significant changes during this reorganization. Tools that originated from GitHub were given their own subdirectory (.\Apps\GitHub), and any other tools where there were three or more by either the same developer, suite or process now has a dedicated folder created for them. For example, all NirSoft tools are now in .\Apps\NirSoft. All Sysinternals Modules are stored with one another in .\Apps\Sysinternals. Lastly, there are currently three SOF-ELK Modules (with more to come in due time), so they reside in .\Apps\SOFELK.

Any Modules that relate to processes or tools that ship with Windows were moved to the Windows folder. This includes Modules written using PowerShell since that ships natively with Windows. Additionally, all Modules related to EZ Tools reside in their own dedicated EZTools folder. If there are two or more Modules related to a given tool, they have been combined in their own dedicated folder named after that EZ Tool.

Ultimately, this reorganization and standardization of the file-naming convention allows for KAPE’s Target and Modules to continue to scale while maintaining order and structure as growth continues. If you had local Compound Modules that were calling on other Modules, it may be wise to ensure the filenames in your local Modules (!Local folder) are calling on the correct file names of your intended Modules.

Nominate KAPE in the Forensic 4:cast Awards!

Nominations are now open for the 2022 Forensic 4:cast Awards that cover all of the 2021 calendar year. If KAPE served you well in 2021, please consider nominating KAPE here.

Here is an overview of the changes to KAPE from October 1, 2021 to December 31, 2021.

Targets Added/Updated

 

Modules Added/Updated

  • Most Modules were moved, renamed or updated in some fashion in November 2021. Be sure to keep your copy of KAPE synced and updated.
 

KAPE-Related GitHub Repositories

Our experts recommend “watching” the GitHub repositories for KAPE-related updates. Be sure to check the “All Activity” option in the Notifications section (Figure 1).

Key KAPE updates

Figure 1 - Notification options

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a Senior Associate in Kroll's Cyber Risk practice.



Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.


Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.


KAPE Resources

The latest KAPE tutorials, webcasts and guides created by Kroll instructors.

Incident Response and Litigation Support

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.