KAPE Quarterly Update

KAPE had a number of updates during the first quarter of 2022. Here is a recap of all the important enhancements and news from January through March 2022.

Key Q1 2022 KAPE Updates

KAPE-EZToolsAncillaryUpdater.ps1 updated to version 3.1
New Modules using PowerShell to enhance KAPE’s capabilities
Brave added to WebBrowsers.tkape Compound Target
New special purpose Modules added by the community
Nominate KAPE in the Forensic 4:cast Awards!
Q1 2022 KapeFiles changes
Changelog Version 1.2.0.0
- SFTP tweaks for partially existing directory structure
- Nuget package updates
- Updated EZTools binaries
- Sync'ed Targets and Modules

KAPE-EZToolsAncillaryUpdater.ps1 Updated to Version 3.1

Kroll’s Andrew Rathbun created a PowerShell script to automate the updating of the KAPE binary, EZ Tools binaries found in .\KAPE\Modules\bin and the ancillary files those tools rely upon to generate output. This was covered in the last KAPE Quarterly update.

In February 2022, Kroll’s Eric Zimmerman overhauled the way the Get-ZimmermanTools.ps1 script operated. Eric ported his tools from .NET 4 to .NET and thus allowed for end users to download either version or both. As a result, KAPE-EZToolsAncillaryUpdater.ps1 needed to be updated to accommodate this change. Additionally, the community contributed a -silent switch from a request by Mark Hallman.

Be sure to watch the KAPE-EZToolsAncillaryUpdater.ps1 GitHub repository to be notified of future improvements.

New Modules Using PowerShell to Enhance KAPE’s Capabilities

Andrew created multiple PowerShell scripts and associated KAPE Modules to further extend KAPE’s functionality and convenience for the end user.

When using the KapeTriage Target and !EZParser Module simultaneously, the ConsoleHost_history.txt file often can be forgotten as it only resides in the directory specified as the Target Destination. Analysis typically occurs with the CSV output that is found in the directory specified as the Module Destination. To ensure this invaluable artifact isn’t forgotten, Andrew created a PowerShell script and associated KAPE Module to move each user’s ConsoleHost_history.txt file where all the other Module output resides.

Additionally, Andrew created a PowerShell script and associated KAPE Module for leveraging MFTECmd’s recently added ability to parse the $J and $MFT files simultaneously. This allows for the Parent Path column in MFTECmd’s $J CSV output to be populated. For Incident Response (IR) cases, this allows examiners to better filter on known malicious folder paths. For law enforcement cases, this allows examiner to better filter on folder paths of interest. For both use cases, this will allow examiners to filter on previously existing folder paths and currently existing folder paths of interest easily when trying to identify historical file activity on a given NTFS partition.

Brave added to WebBrowsers.tkape Compound Target

Cassie Doemel recently conducted research into the Brave browser and added a new Target for the artifacts associated with that browser. The Target can be found here and the WebBrowsers Compound Target here. Given that Brave is a Chromium browser, SQLECmd has plenty of Maps to parse the SQLite databases commonly found with Chromium browsers.

New Special Purpose Modules Added by the Community

Multiple Thor-Lite Modules have been created and updated in Q1 2022. Thor-Lite is a fantastic tool ideal for IR investigations that’ll help drive better results based on various detection rulesets. A Module to automate the process of updating Thor-Lite’s binary and detection rulesets was created and now can be leveraged by KAPE users. A special thank you to those who contributed to these Modules.

Along with Thor-Lite, Chainsaw is a useful tool for providing analysts with complementary output to Eric Zimmerman’s EvtxECmd. EvtxECmd can be used to parse event logs, and Chainsaw will analyze that output for any quick win indicators of compromise based on Sigma rules. In order to lessen the hassle of keeping Sigma rules updated within your instance of Chainsaw when using KAPE, Andrew created a PowerShell script to automate the process. You can find the script here and the KAPE Module here.

Brian Maloney recently created a new tool dedicated to parsing OneDrive artifacts called OneDriveExplorer. Brian has graciously provided a KAPE Module for his tool that can be found here. Brian also created a KAPE Module for another of his tool called SEPparser, which parses Symantec Endpoint Protection logs, VBNs and the ccSubSDK database. Brian recommends using the Symantec_AV_Logs Target in conjunction with the SEPparser Module.

Jordan Klepser recently created a tool called DHParser. Jordan also created a KAPE Module and Target for this tool. Last, but not least, given the recent log4j vulnerability, a community member provided a KAPE Module for a tool called CVE-2021-44228-Scanner. KAPE users can now leverage this tool by using this Module, thanks to the work of Georg Lauenstein.

Nominate KAPE in the Forensic 4:cast Awards!

Nominations are now open for the 2022 Forensic 4:cast Awards! The 2022 Forensic 4:cast Awards cover all of the 2021 calendar year. If KAPE was a useful tool for you and served you well, please nominate KAPE for DFIR Non-Commercial Tool of the year here.

Q1 2022 KapeFiles Changes

Here is an overview of the changes to the KapeFiles GitHub repository from January 1, 2022 to March 31, 2022.

KAPE-Related GitHub Repositories

Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:

KAPE Quarterly Update – Q1 2022

Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE? Check out the PowerShell script created by Andrew here to ensure your copy of KAPE is being updated!

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a Vice President in Kroll's Cyber Risk practice.