Mon, Oct 17, 2022

KAPE Quarterly Update – Q3 2022

KAPE had several updates during Q3 2022. Below, please find a recap of all the important enhancements and news from July through September 2022.

Key Q3 2022 KAPE Updates

  • Official EZ Tools Manuals have been released
  • Modules created/updated for multiple open-source tools
  • Q3 2022 KapeFiles Changes
 

Official EZ Tools Manuals Have Been Released

Eric Zimmerman and Andrew Rathbun have been working on creating manuals for the EZ Tools suite. Given that they are some of the most widely used and taught tools in the DFIR community, it only seemed fitting for official manuals to be created. On October 1, 2022, we released EZ Tools Manuals on Leanpub. Any issues with the book can be reported here.

We will continually update the manuals, so “check” the “New version available” box to be notified for new releases.

KAPE Quarterly Update – Q3 2022

Modules Have Been Created/Updated for Multiple Open-Source Tools

Another module for an EZ Tool has been added to KAPE. iisGeoLocate now has a Module that can be used against IIS Logs. Combined with the IISLogFiles Target, KAPE can acquire IIS Logs and parse them with iisGeoLocate. Please note that iisGeoLocate is not added to !EZParser at this time as the IISLogFiles Target isn’t a part of KapeTriage.

In addition, a Module was created for Reg_hunter, which is a Registry threat hunting tool. There are multiple Modules within KAPE to leverage the power of this tool.

Modules for Hayabusa have been updated, renamed and moved into their own dedicated folder. Hayabusa is similar to Chainsaw in that it leverages Sigma rules as well as its own Hayabusa Rules, which can be found here.

Chainsaw 2.0 has also been released. The Chainsaw Module has been updated to reflect the new syntax in Chainsaw 2.0 and newer.

Lastly, a Module was created for WMI-Parser. Combined with the WBEM Target, examiners can obtain OBJECTS.DATA and parse it with WMI-Parser with hopes to locate threat actor persistence.

Q3 2022 KapeFiles Changes

Here is an overview of the changes to the KapeFiles GitHub repository from July 1, 2022 to September 30, 2022.

KAPE-Related GitHub Repositories

Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:

KAPE-Related GitHub Repositories

 

Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE? Check out the PowerShell script created by Kroll’s Andrew Rathbun here to ensure your copy of KAPE is being updated.

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a vice president in Kroll's Cyber Risk practice.

KAPE Quarterly Update – Q3 2022 /en/insights/publications/cyber/kape-quarterly-update-q3-2022 /-/media/kroll-images/insights/feature-images/kape-quarterly-update-q3-2022.png 2022-10-17T00:00:00.0000000 publication {E39587AD-8F0B-4FE2-865F-969BC5501096}{09213578-A7CA-4DD8-AE97-7476022C89D6}{3A077BFC-C74A-40AF-A14C-13BCF6E3873E}{CE2347F0-D222-4014-BA97-6A415CC633DF}{2F9D4938-E5F0-4F9C-9A20-C4A5DCF79130}{7A48DD95-1A63-4784-842F-A2BE81EAFE13}{29BBBAB0-0450-4652-AEAB-6D335E426996}{3A4E87DE-180A-4689-A293-20A6E94886A6} {2DEEE4D2-8278-4C50-B3FF-1563BB257804}

Stay Ahead with Kroll

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

24x7 Incident Response

Enlist experienced responders to handle the entire security incident lifecycle.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Incident Response Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

KAPE Resources

The latest KAPE tutorials, webcasts and guides created by Kroll instructors.

KAPE Training

Learn how to jumpstart your forensic investigations and find meaningful data fast with a live KAPE training session led by a Kroll instructor.

Events

Webcast


KAPE Intensive Training and Certification

Online Event Apr 12 - Dec 08, 2022 | Online Event

Webcast


Q4 2022 Threat Landscape Virtual Briefing: Tech. and Manufacturing Targeted As Ransomware Peaks for 2022

Online Event Feb 15 - Feb 16, 2023 | Online Event

Event


A Kroll Data Breach Masterclass: 6 Key Mistakes Organizations Must Avoid

In-Person Feb 02, 2023 | in-person