
KAPE has seen a number of key updates during the third quarter of 2021. The guide below, assembled by our team of experts, highlights all the important changes that occurred from July through September 2021.
See end of the article for additional updates.
Kanban boards were created for multiple GitHub repositories. As a result, Kroll’s ongoing KAPE tasks have been moved into the public realm on these Kanban boards, allowing anyone to see what’s ahead on the roadmap. These boards are also open to public contribution. For further information, reach out to [email protected].
Below are direct links to the respective GitHub project boards:
Phill Moore sparked this idea. Be sure to follow his passion project, This Week in 4n6.
During a recent revision of the Kroll Batch File for RECmd, unfamiliar Registry hives were uncovered, so the Kroll team developed a RegistryHivesOther Compound Target to cover the following Registry hives:
The forensic significance of these hives is currently unknown, so they are NOT included in the RegistryHives Compound Target. A note indicating as such has been included in the Compound Target for greater visibility.
KapeResearch Modules were created for the aforementioned Registry hives covered by the RegistryHivesOther Compound Target. This allows anyone who wants to research these hives to do so with a recursive dump from the ROOT (or topmost) key of each Registry hive.
Combining the KapeTriage Compound Target with the !EZParser Compound Module is a common workflow among KAPE users. If an artifact listed within the KapeTriage Compound Target is collected, every EZ Tool listed within the !EZParser Compound Module is run against it and provides output. Over time, Kroll has noticed that two tools in particular, SrumECmd and SumECmd, did not provide output in this workflow, because ESE databases acquired from a live system must be repaired before they can be parsed. This is a manual process that is highlighted here.
As a result, end-users may have mistaken an empty output folder for those Modules as absence of the artifact when that was not actually the case. Therefore, ExportFile has been added to each of those Modules so that the tool's console output is written to a text file regardless of whether the tool parses the artifact successfully. This gives the end-user greater visibility into a) whether the artifact exists, b) whether it was parsed successfully, and if not, c) what they can do to ensure it does get parsed. Feedback on this addition to these Modules has been universally positive. The SRUM and SUM databases are invaluable artifacts for investigating data exfiltration and lateral movement, respectively, in incident response.
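The ambiguity described above (an empty module folder that could mean "artifact absent", "tool never ran" or "tool ran but the ESE parse failed") is exactly what a console log on disk resolves. The following is an added example, not code from the article, from Kroll or from the KAPE/KapeFiles project: it walks a module output directory and classifies each module folder by what it contains. The folder layout, file suffixes and the constructed console messages are assumptions made for the example, not KAPE's documented behaviour.

```python
"""
Triage helper for a KAPE module output directory (added example, not KAPE code).

Assumed layout (constructed for this example, not KAPE's documented layout):
  * each module writes into <module_out>/<ModuleName>/
  * parsed results are non-empty *.csv or *.json files
  * the console log exported by the module's ExportFile setting is a *.txt file
  * a failed parse is recognised by "error" or "exception" in that log
"""
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from pathlib import Path

PARSED_SUFFIXES = {".csv", ".json"}
CONSOLE_SUFFIX = ".txt"
FAILURE_MARKERS = ("error", "exception")


@dataclass(frozen=True)
class ModuleVerdict:
    module: str
    status: str  # parsed | parse_failed | ran_no_results | no_output
    detail: str


def classify_module_dir(module_dir: Path) -> ModuleVerdict:
    """Decide what an individual module folder tells us about the artifact."""
    files = [p for p in module_dir.iterdir() if p.is_file()]
    parsed = [p for p in files
              if p.suffix.lower() in PARSED_SUFFIXES and p.stat().st_size > 0]
    console = [p for p in files if p.suffix.lower() == CONSOLE_SUFFIX]

    if parsed:
        return ModuleVerdict(module_dir.name, "parsed", f"{len(parsed)} result file(s)")

    if console:
        # The tool ran (it left a console log); find out whether it complained.
        text = "\n".join(p.read_text(errors="replace") for p in console)
        for line in text.splitlines():
            if any(marker in line.lower() for marker in FAILURE_MARKERS):
                return ModuleVerdict(module_dir.name, "parse_failed", line.strip())
        return ModuleVerdict(module_dir.name, "ran_no_results",
                             "console log present, no results and no error reported")

    # No files at all: the tool never ran, or the artifact was not collected.
    return ModuleVerdict(module_dir.name, "no_output",
                         "folder empty: tool did not run or artifact not collected")


def triage_module_output(root: Path) -> dict[str, ModuleVerdict]:
    """Classify every module subfolder under the KAPE module output root."""
    return {d.name: classify_module_dir(d) for d in sorted(root.iterdir()) if d.is_dir()}


def build_sample_output(root: Path) -> None:
    """Create a constructed sample tree; the file contents are invented for the example."""
    (root / "SrumECmd").mkdir()
    (root / "SrumECmd" / "SrumECmd_console.txt").write_text(
        "Processing SRUDB.dat (constructed sample log)\n"
        "Error: database is in a dirty state and must be repaired before parsing\n"
    )
    (root / "AmcacheParser").mkdir()
    (root / "AmcacheParser" / "Amcache_UnassociatedFileEntries.csv").write_text(
        "SHA1,FullPath\n0123abcd,C:\\Users\\sample\\tool.exe\n"
    )
    (root / "SumECmd").mkdir()  # empty: ambiguous without an exported console log
    (root / "EvtxECmd").mkdir()
    (root / "EvtxECmd" / "EvtxECmd_console.txt").write_text("Processed 0 files\n")


def run_demo() -> dict[str, str]:
    """Build the sample tree in a temp dir and return module -> status."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_output(root)
        return {name: v.status for name, v in triage_module_output(root).items()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_output(root)
        for name, verdict in triage_module_output(root).items():
            print(f"{name:15} {verdict.status:16} {verdict.detail}")
```

The point of the four statuses is the gap between "no_output" and "parse_failed": without the exported console log, SrumECmd and SumECmd both look like the empty SumECmd folder above, and an analyst cannot tell whether SRUM or SUM data was never on the host or simply still needs the manual repair step.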
The community has continued to contribute to the KapeFiles repository, which is greatly appreciated! The functionality of KAPE continues to grow with your support!
For anyone looking to learn more about digital forensics, to develop a better workflow, or to become more comfortable with the command line and CSVs rather than GUIs, our experts strongly recommend running KAPE on their own system. Start with either !BasicCollection or KapeTriage for Targets and use !EZParser for Modules. Examine the output in Timeline Explorer, another tool created by Eric, and learn what artifacts your systems record and how. If you have any questions about KAPE, please email [email protected].
Here is an overview of the changes to the KapeFiles GitHub repository from July 1, 2021, to September 30, 2021.
Targets Added/Updated
Modules Added/Updated
Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:
If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.
This article was written by Andrew Rathbun, a Senior Associate in Kroll's Cyber Risk practice.