Mon, Jun 8, 2020
KAPE has been nominated for a Forensic:4Cast award for non-commercial software of the year! Please take 18.5 seconds to vote for KAPE
KAPE 0.9.2.0 is now live. If you get any strange errors when updating or using --sync, use the --debug option to see which file is causing the issue. For most, simply deleting the offending file will fix things. Worst case, just delete your local KAPE install and redownload.
This version of KAPE cleans up a lot of things related to target files. Specifically, the IsDirectory property has been removed, meaning Path is always expected to be a directory now.
Here is an example of the old format:
Vs the same Target in the new format:
If FileMask is omitted, it is assumed to be *, which will match everything under Path.
For 0.9.2.0, I reviewed every existing target and did the following:
By convention, the Path property should end with a \ to maintain consistency, but this is not mandatory (I do feel it makes it easier to understand what is going on).
This new version also has much improved FileMask capabilities. In fact, you can now use full-blown Regular Expressions as well as more traditional file masks, like *.jpg or Foo*bar.txt.
This means that for all existing targets nothing needs to be changed. If you want to do regex matching against the entire filename, prefix the FileMask with regex:, like this:
FileMask: regex:(2019|DSC|Log).+\.(jpg|txt)
This allows for almost unlimited flexibility when looking for files, especially when wanting to walk an entire file system looking for certain extensions. By adding a single entry in regex format, a single pass of the file system will happen, versus one pass per file mask. How much time you gain here is a matter of several other factors, but it’s nice to have the option!
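As an added illustration (not KAPE's own code), the script below reimplements the FileMask rules described above in Python: an omitted mask behaves as *, a regex: prefix is matched against the whole filename, and anything else is a traditional wildcard mask; one regex entry is resolved in a single walk of the tree. The target dicts only borrow the tkape key names Path, FileMask and Recursive, and case-insensitive matching is an assumption made here for illustration.

```python
import fnmatch
import os
import re
import tempfile
from pathlib import Path


def mask_to_regex(file_mask):
    """Turn a tkape-style FileMask into a compiled regex for whole-filename matching."""
    if not file_mask:                          # omitted -> "*", match everything under Path
        file_mask = "*"
    if file_mask.lower().startswith("regex:"):
        pattern = file_mask[len("regex:"):]    # author-supplied regex, used as written
    else:
        pattern = fnmatch.translate(file_mask)  # *.jpg, Foo*bar.txt, ... -> regex
    # Case-insensitive matching is an assumption of this illustration (NTFS-style names).
    return re.compile(pattern, re.IGNORECASE)


def collect(target):
    """Single pass over target['Path']; returns sorted relative paths of matching files."""
    matcher = mask_to_regex(target.get("FileMask"))
    hits = []
    for root, _dirs, files in os.walk(target["Path"]):
        for name in files:
            if matcher.fullmatch(name):
                rel = os.path.relpath(os.path.join(root, name), target["Path"])
                hits.append(rel.replace(os.sep, "/"))   # normalise separators for display
        if not target.get("Recursive", True):  # non-recursive: stop after the top level
            break
    return sorted(hits)


def demo():
    """Build a constructed sample tree and run four constructed targets against it."""
    base = tempfile.mkdtemp()
    for rel in ["2019_trip.jpg", "DSC0001.jpg", "Log_2020.txt",
                "notes.txt", "sub/Log2.txt", "sub/x.jpg"]:
        full = Path(base, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.touch()
    return {
        "everything": collect({"Path": base}),                       # FileMask omitted
        "jpg_only": collect({"Path": base, "FileMask": "*.jpg"}),    # classic mask
        "regex": collect({"Path": base,
                          "FileMask": r"regex:(2019|DSC|Log).+\.(jpg|txt)"}),
        "top_level_txt": collect({"Path": base, "FileMask": "*.txt", "Recursive": False}),
    }


if __name__ == "__main__":
    for name, files in demo().items():
        print(f"{name}: {files}")
```

Note that the page's regex requires at least one character between the prefix and the extension, so a file named exactly Log.txt would not match it.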
Finally, for compound targets, you can now reference a directory under the Targets folder, should you wish to dynamically include all target files under that directory. Example:
This tells KAPE to look for any tkape files under the Targets\Antivirus folder and include them in the compound target. This has been possible for a long time via the command line, using the name of the directory in the --targets option, but this makes it possible to specify them in target files.
KAPE now has the ability to wait a predetermined amount of time for a module, versus letting a runaway module go on indefinitely.
To meet this requirement, an optional WaitTimeout value was added to the module header, like this:
This value is specified as the number of minutes to wait. In the above example, AppWithTimeout will sleep for five minutes, but KAPE will only wait around for one minute for it to finish. When KAPE is run with this module, the following happens:
If no timeout is specified, KAPE will wait forever for a module to finish.
For More On KAPE:
Our team is also available to answer questions at [email protected] or on twitter @KrollWire.