KAPE Quarterly Update – Q4 2022

KAPE  had several updates during Q4 2022. Here is a recap of all the important enhancements and news from October through December 2022:

Key Q4 2022 KAPE Updates

• KAPE Change Log
• New Module Variables for Command Lines: %d%, %guid% and %sourceDirectoryBase%
• New Modules Have Been Created for Multiple NirSoft Tools
• New Target for New Windows 11 Pro (22H2) Artifact
• Q4 2022 KapeFiles Changes

KAPE Change Log

Version 1.3.0.2

• Change from nlog to Serilog (much nicer console output)
• New module variables for command lines: %d%, %guid% and %sourceDirectoryBase%
• General tweaks and fixes
• Nuget package updates
• Updated EZTools binaries
• Sync'ed Targets and Modules

New Module Variables for Command Lines: %d%, %guid% and %sourceDirectoryBase%

KAPE 1.3.0.2 has added new Module variables. This will allow for Modules to be made for tools without unique output filenames to have their filenames made unique using either the current date/time in UTC (%d%), a random GUID (%guid%) or the source directory base (%sourceDirectoryBase%), i.e., C, VSS1, VSS2, etc.

New Modules Have Been Created for Multiple NirSoft Tools

Modules have been created for the following NirSoft tools, thanks to Pedro Sanchez Cordero:

• VideoCacheView
• WebBrowserDownloads
• WebBrowserPassView
• AlternateStreamView
• LastActivityView

As always with any third-party binary that are not EZ Tools, binaries must be placed in .\KAPE\Modules\bin in accordance with the respective Module for that tool.

New Target for New Windows 11 Pro (22H2) Artifact

A new Windows 11 Pro (22H2) artifact was recently discovered by a member of the Digital Forensics Discord Server. Lucas Gonzalez, and further researched by Kroll’s Andrew Rathbun. A blog post on AboutDFIR detailing this research can be found here. KAPE also has a Target to pull this new artifact, as seen here.

Q4 2022 KapeFiles Changes

Here is an overview of the changes to the KapeFiles GitHub repository from October 1, 2022 to December 31, 2022.

KAPE-Related GitHub Repositories

Our experts recommend “watching” the following GitHub repositories for KAPE-related updates:

• KAPE Targets and Modules
• Registry Explorer/RECmd Plugins
• RECmd Batch Files
• SQLECmd Maps
• EvtxECmd Maps

Keep KAPE Updated

Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE? Check out the PowerShell script created by Kroll’s Andrew Rathbun here to ensure your copy of KAPE is being updated.

KAPE Resources

There are a number of KAPE resources for additional KAPE support, including the KAPE manual,training and certification opportunities, or you can contact our experts directly at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.