KAPE Quarterly Update Q4 2021

KAPE had a number of key updates during the final quarter of 2021. Here is a recap of all the important enhancements and news from October through December 2021:

Key Q4 2021 KAPE Updates

Continue update of KAPE and EZ Tools binaries with KAPE-EZToolsAncillaryUpdater.ps1
KAPE Module reorganization
Nominate KAPE in the Forensic 4:cast Awards
Version Changelog 1.1.0.1

Fix issue with SFTP verification when using --scd and the directory already existed
Update Targets and Modules
nuget and control updates

Version Changelog 1.1.0.0

Fix Editor and Save As in gkape
nuget/control updates
Tweak how KAPE is accessing files in the root of VSCs
Change sync to accept a GitHub repo (optional) to pull Targets and Modules from. Without specifying a URL, the official repo is used. The URL is expected to have the same format as the official repo should an alternate URL be used.
Sync will also include .template and .guide files in the Targets and Modules directory
Fix issue with Disable flush warnings related to mdest existing
When transferring files, add timestamp to end of directory in format yyyyMMddHHmmss. Example: KAPE_data_push{comment}_yyyyMMddHHmmss, where comment is optionally supplied
When using Azure SAS, add details to the test file being uploaded (timestamp, computer name, OS info, comment) vs. simply “test upload” for the contents
Added --scd switch to specify the default path to upload files to. If the directory does not exist, it will be created. Do NOT use leading slash! Example: --scd foo/bar/wizzo
Update included Targets/Modules and Module binaries

See end of the article for additional updates.

Continue Update of KAPE and EZ Tools Binaries with KAPE-EZToolsAncillaryUpdater.ps1

Kroll’s Andrew Rathbun created a PowerShell script to automate the updating of the KAPE binary and EZ Tools binaries found in .\KAPE\Modules\bin, and he created the ancillary files those tools rely on to generate output. KAPE utilizes Targets (.tkape) and Modules (.mkape), RECmd utilizes Batch (.reb) files, and SQLECmd (.smap) and EvtxECmd (.map) utilize Maps. Each of these files is stored in separate repos on GitHub. Keeping all these components of your KAPE instance updated is now made easier using Andrew’s PowerShell script, KAPE-EZToolsAncillaryUpdater.ps1.

The KAPE Target/Compound Target Guide and Template files were created earlier in 2021. Recently, we added a KAPE Module/Compound Module Guide and Template for the community’s benefit. With guides for both Targets and Modules in place, anyone can follow and create their own Targets and Modules either for internal purposes or to contribute to the public KapeFiles repository.

KAPE Module Reorganization

In late 2020, the Targets were reorganized and standardized, including but not limited to, file-naming conventions, content structure of .tkape files and reorganization of the files and folders within the Targets folder. Modules received this same treatment in November 2021. Modules were renamed to a standardized format similar to how SQLECmd Maps are named. Following is the template and a few examples:

Template

.\KAPE\Modules\Apps\ToolName_Description.mkape

Examples

.\KAPE\Modules\Apps\NirSoft\BrowsingHistoryView_BrowsingHistory.mkape
.\KAPE\Modules\Apps\GitHub\Volatility\Volatility_pslist.mkape
.\KAPE\Modules\EZTools\RECmd\RECmd_Kroll.mkape

The Apps folder in Modules had significant changes during this reorganization. Tools that originated from GitHub were given their own subdirectory (.\Apps\GitHub), and any other tools where there were three or more by either the same developer, suite or process now has a dedicated folder created for them. For example, all NirSoft tools are now in .\Apps\NirSoft. All Sysinternals Modules are stored with one another in .\Apps\Sysinternals. Lastly, there are currently three SOF-ELK Modules (with more to come in due time), so they reside in .\Apps\SOFELK.

Any Modules that relate to processes or tools that ship with Windows were moved to the Windows folder. This includes Modules written using PowerShell since that ships natively with Windows. Additionally, all Modules related to EZ Tools reside in their own dedicated EZTools folder. If there are two or more Modules related to a given tool, they have been combined in their own dedicated folder named after that EZ Tool.

Ultimately, this reorganization and standardization of the file-naming convention allows for KAPE’s Target and Modules to continue to scale while maintaining order and structure as growth continues. If you had local Compound Modules that were calling on other Modules, it may be wise to ensure the filenames in your local Modules (!Local folder) are calling on the correct file names of your intended Modules.

Nominate KAPE in the Forensic 4:cast Awards!

Nominations are now open for the 2022 Forensic 4:cast Awards that cover all of the 2021 calendar year. If KAPE served you well in 2021, please consider nominating KAPE here.

Here is an overview of the changes to KAPE from October 1, 2021 to December 31, 2021.

Targets Added/Updated

Modules Added/Updated

Most Modules were moved, renamed or updated in some fashion in November 2021. Be sure to keep your copy of KAPE synced and updated.

KAPE-Related GitHub Repositories

Our experts recommend “watching” the GitHub repositories for KAPE-related updates. Be sure to check the “All Activity” option in the Notifications section (Figure 1).

Key KAPE updates

Figure 1 - Notification options

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a Senior Associate in Kroll's Cyber Risk practice.