KAPE Quarterly Update - Q2 2022

KAPE had several updates during Q2 2022. Below, please find a recap of all the important enhancements and news from April through June 2022.

Key Q2 2022 KAPE Updates

• KAPE-EZToolsAncillaryUpdater.ps1 updated to version 3.4
• MFTECmd Module for Dumping Resident Files
• Contributing Guide added to KapeFiles repository
• READMEs added to Targets and Modules folders
• Q2 2022 KapeFiles Changes

KAPE-EZToolsAncillaryUpdater.ps1 updated to version 3.4

Kroll’s Andrew Rathbun created a PowerShell script to automate the updating of the KAPE binary, EZ Tools binaries found in .\KAPE\Modules\bin and the ancillary files those tools rely upon to generate output. This was first covered in the KAPE Q4 2021 Quarterly Update. 

Michael Moran has provided multiple valuable updates to this script, including the most recent update, which provides an update check feature to see if the version of the script being ran by the end user is the most current version. 

Be sure to watch the KAPE-EZToolsAncillaryUpdater.ps1 GitHub repository to be notified of future improvements by Andrew or members of the community.

MFTECmd Module for Dumping Resident Files

On June 22, 2022, Eric Zimmerman added a new feature to MFTECmd that provides the ability for resident files within an $MFT file to be dumped into a Resident folder. In testing on multiple $MFT files, it has been found that anywhere from 30-80 mb of files are dumped by MFTECmd. Given this use case may not be applicable for everyone using MFTECmd through KAPE, a separate Module was created for this specific MFTECmd function. This new Module joins multiple other special purpose MFTECmd Modules which provides a variety of options for KAPE users. 

Contributing Guide added to KapeFiles Repository

At the root of the KapeFiles GitHub repository, Andrew created a short guide on how to contribute to KAPE. This guide provides links to the KAPE Target and Module Guides and Templates. Additionally, a short GIF providing guidance on how to properly complete a Pull Request using the checkboxes has been included in the repo. 

If anyone in the community needs further assistance contributing to KAPE, please do not hesitate to email [email protected] for help from one of our experts.

READMEs added to Targets and Modules Folders

Continuing the trend of administrative changes in the KapeFiles repository this quarter, Andrew added READMEs to the root of both Targets and Modules folders. These README files aim to provide a description of the intended purpose of each of the subfolders within the Targets and Modules folders. More READMEs will be added in the coming months to provide further descriptions of the contents of the subfolders within the Targets and Modules folders. 

Q2 2022 KapeFiles Changes

Here is an overview of the changes to the KapeFiles GitHub repository from April 1, 2022 to June 30, 2022.

KAPE-Related GitHub Repositories

Our experts recommend watching the following GitHub repositories for KAPE-related updates:

• KAPE Targets and Modules
• Registry Explorer/RECmd Plugins
• RECmd Batch Files 
• SQLECmd Maps
• EvtxECmd Maps
• All of Eric Zimmerman’s GitHub repositories

Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE? Check out the PowerShell script created by Kroll’s Andrew Rathbun here to ensure your copy of KAPE is being updated! 

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a Vice President in Kroll's Cyber Risk practice.