KAPE has seen a number of key updates during the second quarter of this year. Our team of experts has put together the below guide of all the important changes between April and July 2021.
Key Q2 2021 KAPE Updates
- New KAPE Module/Compound Module Guides and Templates have been created
- KAPE Directory Traversal Targets have been *placed in the !Disabled folder for template creation
- KapeResearch Modules were developed during last quarter’s update, but they’ve grown and will continue to grow. This quarter, we’ve added KapeResearch Modules for the Amcache and UsrClass.dat files.
- Kroll Batch File: RECmd was updated from 1.1 to 1.10. There are newly parsed artifacts with a significantly smaller CSV output due to improvement and refinements to this batch file.
- Version ChangeLog 184.108.40.206
- Allows for --sync to run without admin privileges
- Added additional S3 switches for using session tokens and supplying a key prefix
- NuGet updates
- gkape can now save _kape.cli once configured. gkape will also prompt to load the FIRST command line from _kape.cli when starting. This is useful for preconfiguring KAPE for less technical people to use remotely
- Version ChangeLog 220.127.116.11
- Fixed issue with TLS version related to testing URL
- Version ChangeLog 18.104.22.168
- Add %s variable, which resolves to the system drive letter (i.e., C or D, vs. C:\ or D:\, etc.)
- S3 Presigned URL tweaks (maximum five GB size limit per AWS)
- Allow for up to TLS 1.2 connections
- Control and NuGet updates
- Updated EZTools binaries
See end of the article for additional updates.
KAPE Module/Compound Module Guides and Templates Created
The KAPE Target/Compound Target Guide and Template files were created earlier this year. Recently, we have added a KAPE Module/Compound Module Guide and Template for the community’s benefit. With guides for both Targets and Modules in place, anyone can follow along and start creating their own Targets and Modules either for internal purposes or to contribute to the public KapeFiles repository.
Directory Traversal Targets - !Disabled
Directory Traversal Targets are located in the .\KAPE\!Disabled folder and will not show up within kape.exe or gkape.exe until they are moved out of those folders. They were placed there so they can serve as a good template for the creation of Targets for files not covered by those Targets. Also, searching for and grabbing a certain file extension recursively goes against the triage mindset, but we understand there are use cases when this may be required.
Update of Select Targets and Modules
$J.tkape has been updated to include the ability to pull the $J from a VHDX that contains an offline copy of the $J. Previously, the Target was only suited for pulling from a live machine as the Target was looking for an alternate data stream (ADS), whereas when the $J is in its offline form, it’s no longer an ADS.
FileExplorerReplacements.tkape was expanded upon to include new third-party applications that serve as alternatives to Windows File Explorer. These applications have been known to be used by threat actors during periods of unauthorized access. TotalCommander.tkape provides artifacts for one of the more popular Windows File Explorer replacements utilized by threat actors. Testing was done on FTP-related artifacts with Total Commander and added to the Total Commander Target.
The community has continued to contribute to the KapeFiles repository, which is greatly appreciated. The functionality of KAPE continues to grow with your support.
Kroll Batch File – RECmd
Leveling up from version 1.1 to 1.10, from 2,733 lines to 3,167 lines, and an average output size from 30MB to 6MB in our tests, the Kroll Batch file has become leaner and more actionable for DFIR examiners. New categories were added, including but not limited to threat hunting, where relevant new artifacts are constantly being added. Smaller output (file size) yet more output (actionable evidence) has provided the RECmd KAPE Module a huge boost in effectiveness within the past few months. This Batch file is open to community feedback on the RECmd GitHub repository.
New KapeResearch Modules
KapeResearch Modules were created to help KAPE users conduct their own research by allowing an easy button for dumping full registry hives to JSON from the ROOT Key of the respective hive. Amcache and UsrClass.dat hives proved to be difficult, as they did not have ROOT for the name of the ROOT value. Rather, they had a GUID or some other value besides ROOT. A simple modification to the existing KapeResearch Modules allowed for those unique values to be accounted for, which allowed for a successful JSON dump of the Amcache and UsrClass.dat hives using KAPE.
For anyone looking to learn more about digital forensics, develop a better workflow or become more comfortable with the command line and CSVs rather than GUIs, our experts strongly recommend running KAPE on their own system. Start with either !BasicCollection or KapeTriage for Targets and use !EZParser on for Modules. Examine the output in Timeline Explorer, another tool created by Eric Zimmerman, and learn what and how your systems record artifacts. If you have any questions about KAPE, please email [email protected].
Here is an overview of the changes to KAPE from April 1, 2021, to June 30, 2021.
Module/Compound Module Guides and Templates Added
KAPE-Related GitHub Repositories
Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:
If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.
This article was written by Andrew Rathbun, a Senior Associate in Kroll's Cyber Risk practice.