In addition to handling the updated Get-ZimmermanTools.ps1 script better, the script has received multiple improvements to its readability, maintainability and core functionality. For more context on these changes, see the release notes for 4.0 and 4.1 (the current version) here.
As of this writing, version 4.1 of this script should be used alongside your local KAPE instance. If you have any issues, please submit those here.
Windows Index Search Database
A new Module was made for SIDR, a new tool that parses the Windows Index Search Database. Traditionally, this artifact has been stored in the ESE database format, like SRUM and SUM; on recent Windows builds it is now a SQLite database instead. Thankfully, SIDR parses both the ESE and SQLite formats. Using KAPE, the Windows Index Search Database can be acquired with the Windows Index Search Target and then processed with the SIDR Module.
New Antivirus/RemoteAdmin Log Targets
KAPE users have contributed a few new Targets related to Antivirus and RemoteAdmin tools. As always, the Antivirus and RemoteAdmin Compound Targets collect the files specified in every Target they reference, so any Target added to a Compound Target is picked up automatically. Cylance has been added as a new Antivirus Target and, as such, to the Antivirus Compound Target. RustDesk and DWAgent have been added as new RemoteAdmin Targets and, as such, to the RemoteAdmin Compound Target.
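As an added example (not code from the original post or from the KAPE project), here is how the acquire-then-process flow for the Windows Index Search Database and the Antivirus/RemoteAdmin Compound Targets fit together on the command line. It assumes kape.exe lives in C:\KAPE, a case folder of C:\Cases\HOST01, and that the Target and Module are named WindowsIndexSearch and SIDR on disk (file names inferred from the names used in this post; check your local Targets\ and Modules\ folders). The layout of the compound .tkape file read in the last step is also an assumption.

```powershell
# Added example, not code from the original post or from the KAPE project.
# Collects the Windows Index Search Database plus the Antivirus and RemoteAdmin
# Compound Targets in one pass, then runs the SIDR Module over the collected copy.
# Assumptions: kape.exe is in C:\KAPE; the Target and Module files are named
# WindowsIndexSearch.tkape and SIDR.mkape (inferred from the names the post uses);
# output goes to C:\Cases\HOST01.

$Kape  = 'C:\KAPE\kape.exe'
$Case  = 'C:\Cases\HOST01'
$TDest = Join-Path $Case 'Targets'
$MDest = Join-Path $Case 'Modules'

# 1. Acquisition. The Target list is one quoted string on purpose: an unquoted
#    a,b,c is turned into three separate arguments by PowerShell when calling a
#    native executable, and KAPE would not receive the full list.
#    Antivirus and RemoteAdmin are Compound Targets, so the new Cylance,
#    RustDesk and DWAgent Targets are collected along with every other Target
#    those compounds reference.
$collect = @(
    '--tsource', 'C:',
    '--tdest',   $TDest,
    '--target',  'WindowsIndexSearch,Antivirus,RemoteAdmin',
    '--tflush'
)
& $Kape @collect

# 2. Processing. --msource points at the Target output, not the live system,
#    so SIDR reads the copied database (Windows.edb on ESE-era builds,
#    Windows.db where Windows moved the index to SQLite) rather than the
#    locked file under C:\ProgramData\Microsoft\Search.
$process = @(
    '--msource', $TDest,
    '--mdest',   $MDest,
    '--module',  'SIDR',
    '--mflush'
)
& $Kape @process

# 3. Quick check that the Module actually produced output.
Get-ChildItem -Path $MDest -Recurse -Filter '*.csv' | Select-Object FullName, Length

# 4. Optional: list which Targets a Compound Target expands to by reading the
#    Path: entries in its .tkape file (the compound file layout is assumed here).
$compound = 'C:\KAPE\Targets\Compound\Antivirus.tkape'
if (Test-Path $compound) {
    Select-String -Path $compound -Pattern '^\s*Path:\s*(\S+\.tkape)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}
```

Running the Module against the Target output rather than against the live drive is the usual KAPE pattern: it keeps the parse reproducible from the evidence copy and avoids the in-use index file on a running host. The last step is a cheap way to confirm that a freshly contributed Target (for example Cylance) really is referenced by the Compound Target before relying on it in a collection.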
Q2 2023 KapeFiles Changes
KAPE-Related GitHub Repositories
Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:
- KAPE Targets and Modules
- Registry Explorer/RECmd Plugins
- RECmd Batch Files
- SQLECmd Maps
- EvtxECmd Maps
Keep KAPE Updated
Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE updated? Check out the PowerShell script created by Kroll's Andrew Rathbun here to ensure your copy of KAPE stays up to date.
Additional KAPE support resources include the KAPE manual and training and certification opportunities, or you can contact our experts directly at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.