This 30-minute webcast covers:
- How to leverage KAPE to collect triage data
- How to normalize data across multiple artifacts
- How to build a mini timeline using KAPE
- How to analyze a mini timeline
Tools used in the session:
Notable Passages From Mari DeGrazia During the Presentation
On Approach
“When I start thinking about the key questions to my case, I can usually really focus in on a handful of artifacts that are relevant and important to my investigation. With this approach, with the mini timeline with KAPE, we're thinking, we're going to do that sniper approach instead of like the shotgun approach. We're not going to try and get all of the things; we're going to try and get things that are relevant to our case so that we can get answers quickly.”
On Triage Data
“What are those artifacts? The main one, and the main three that we're going to be dealing with today, as it relates, is the file system, right? We're talking about files that have been created on the system, files that have been deleted on the system. This is what we call the MFT in forensics—the master file table. That's going to give us our modified, accessed, created, born dates. It can even give us visibility into things like a zone identifier, if something was downloaded from the internet, and the MFT can also contain references to deleted files. Just within a file that might be 500 megs in size, we get a ton of information. So, if we think about taking a full disk image in terabytes and terabytes of data, really there's the MFT, a 500 meg small file, with lots and lots of information. The registry tracks so much of what a user does on the system. We talk about things like recent documents that have been opened up by a user and applications that have been executed on the system. We can even tie that to a particular user, things like the UsrClass, the ntuser.dat hive, the SAM, SYSTEM, and SECURITY hives. So, the registry gives us a wealth of information into the system as well.”
On KAPE Basics
“When we talk about KAPE, the way that KAPE works is, we have something called targets and modules kind of at the core of it. The targets tell you what information it is that you want to collect from the system, which I just went over right here in the slides. So, we need to tell KAPE what to collect, and we do that with what's called target files. Next, we want to process that data, and to process that data, we use something called modules. And modules will say, okay, now that I have this MFT, how are you going to parse out that data?
KAPE can be run against either a mounted image, so if you've already had a collection and you already have an image, you can mount that up using something like Arsenal Image Mounter, or you can run KAPE externally from a USB drive. One limitation, if you will, of KAPE, is that it is designed for a Windows system to run with the .NET framework. So, if we're talking about something like a live system or running it on a mounted image, that would be from the Windows platform. So, we have lots of options when we use KAPE.”
On Collection
“One of the really cool things about KAPE, and I'm going to be talking about them in a minute here, are these targets and the modules. These are open source. These are written by the community. So, if you're working a case or you've been working cases and you're like, you know what? I really find that SRUM has been very valuable to see data exfiltration. I need a target for that. You can use this little Sync with GitHub button and pull down all the targets and modules that have been written by the community, or you can write one yourself. And I think there are over 100 different targets and modules that have been written either by Eric Zimmerman or the community. To that end, I wrote my own target that collects this information that I've talked about. A lot of times in forensics, we have to use so many different tools to look at our data. We have tools like X-Ways where you can open up an image, run your keyword searches, filter, sort, find interesting files. And if you're working a case, ultimately at some point in time, you're going to have to share your findings with somebody, right? Whether it's your manager who then passes on the information or it's a client, and you have to write a report. So, there's this concept of data messaging that happens.”
On Why There Are Timelines
“I can see this malware watched in the UserAssist in my registry key, but I want to know how did that person connect into the system to do that? Did they log in locally? Did they come in through RDP? You might jump over and you have to go look at your event logs. So, you have to filter it by the date. But now on a timeline, as soon as you see that UserAssist happened, you can just scroll up and down your timeline to see what happened, which lets you build out these really cool connections because now you're going to start noticing things that you may not have known to go look for. So for example, if malware executes on the system, you might see an installed service and then you might see an install service, then you might see a run key, and then you might see it actually modify the registry where it alters the firewall. What happens is, instead of kind of being responsible for going out and doing and looking at all these different things, because it's in this timeline, it's all there for you.”