Thu, May 18, 2023
KAPE Quarterly Update – Q1 2023
KAPE had several updates during Q1 2023. Here is a recap of all the important enhancements and news from January through March 2023:
Key Q1 2023 KAPE Updates
- Hayabusa Modules updated
- Multiple new LiveResponse Modules leveraging PowerShell
- New MFTECmd Module - $I30
- Q1 2023 KapeFiles Changes
Hayabusa Modules Updated
Hayabusa is a free threat hunting tool developed by Yamato Security and is consistently updated with fixes and new features. As a result, the Hayabusa KAPE Modules have been revised, as new features have been added/modified. If you’re doing event log analysis in your everyday KAPE workflow, try out the new Hayabusa Modules, which can be found here.
KAPE users need to supply the Hayabusa binary into the .\KAPE\Modules\bin subfolder. As indicated in Line 10 of the Hayabusa_EventStatistics Module, KAPE looks for a binary named hayabusa.exe within a folder named Hayabusa. Therefore, the proper setup would look something similar to this before being able to successfully run the Modules:
.\KAPE\Modules\bin\hayabusa\hayabusa.exe
Multiple new LiveResponse Modules leveraging PowerShell
Vito Alfano recently contributed to multiple new PowerShell Modules that can be used in a live response scenario. The new PowerShell Modules can be located in the Modules\Windows subfolder.
New MFTECmd Module - $I30
MFTECmd has had the ability to parse $I30 files since March 2022, according to the Zimmerman Tools changelog. However, only until recently was the ability to automate this functionality added to KAPE, due to Phill Moore. Check out the Module here.
Q1 2023 KapeFiles Changes
Here is an overview of the changes to the KapeFiles GitHub repository from January 1, 2023 to March 31, 2023.
KAPE-Related GitHub Repositories
Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:
- KAPE Targets and Modules
- Registry Explorer/RECmd Plugins
- RECmd Batch Files
- SQLECmd Maps
- EvtxECmd Maps
Keep KAPE Updated
Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE? Check out the PowerShell script created by Kroll’s Andrew Rathbun here to ensure your copy of KAPE is being updated.
KAPE Resources
There are a number of KAPE resources for additional KAPE support, including the KAPE manual, training and certification opportunities, or you can contact our experts directly at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.
Cyber Risk
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Kroll Artifact Parser And Extractor (KAPE)
Find, collect and process forensically useful artifacts in minutes.
24x7 Incident Response
Enlist experienced responders to handle the entire security incident lifecycle.
Data Recovery and Forensic Analysis
Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Computer Forensics
Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.
KAPE Resources
The latest KAPE tutorials, webcasts and guides created by Kroll instructors.
KAPE Training
Learn how to jumpstart your forensic investigations and find meaningful data fast with a live KAPE training session led by a Kroll instructor.