Mon, Jun 8, 2020

KAPE Released: New Target and Module Definition Changes

KAPE Version Update

KAPE has been nominated for a Forensic:4Cast award for non-commercial software of the year! Please take 18.5 seconds to vote for KAPE

KAPE is now live. If you get any strange errors when updating or using --sync, use the --debug option to see which file is causing the issue. For most, simply deleting the offending file will fix things. Worst case, just delete your local KAPE install and redownload.

  • REMOVE IsDirectory from Target definitions. Any existing targets not part of the official repo will need to be adjusted.
  • In Target definitions, Path is now ALWAYS assumed to be a directory. This means it should NOT contain wildcards like *.pf. These should be moved to the FileMask property. All official targets have been updated to reflect this. FileMask is still optional. If it is not specified, * is assumed, which will match all files in Path.
  • In Target definitions, Recursive is optional. If missing, it is assumed to be false. Existing targets that set Recursive: false have been cleaned up (the property was deleted).
  • Existing targets have been swept for empty comments which were deleted.
  • Path properties in Targets have been cleaned up. (Paths should end with \ by convention. This is not required, but makes it more obvious as to what the path contains).
  • You can now reference subdirectories under Targets in Target definitions. Example: To pull in all targets under Targets\Antivirus, use Path: Antivirus\*
  • Regex is allowed in Target FileMask spec. Example: FileMask: regex:(2019|DSC|Log).+\.(jpg|txt) tells KAPE to use the regex to match against *complete* filenames. KAPE will add \A to the beginning of the regex and \z to the end, to ensure the entire filename is matched.
  • Because of the change above, you can now do more with non-regex FileMasks. Example: FileMask: 'Foo*.VHD'. Prior to this change, only *.VHD was possible.
  • WaitTimeout has been added to module definition as an optional property. When present and greater than 0, this signifies the number of minutes KAPE should wait for a module to finish. If this is exceeded, KAPE will stop waiting and move on.
  • Nuget packages were updated.
  • Targets were updated.

Target Definition Changes

This version of KAPE cleans up a lot of things related to target files. Specifically, the IsDirectory property has been removed, meaning Path is always expected to be a directory now.

Here is an example of the old format:

[Image: example Target definition in the old format]

Vs the same Target in the new format:

[Image: the same Target definition in the new format]

If FileMask is omitted, it is assumed to be *, which will match everything under Path.

For this release, I reviewed every existing target and did the following:

  • Removed IsDirectory
  • Updated Path to be only a directory if it contained a file mask
  • Moved the file mask to the FileMask property
  • Removed Recursive: false from all targets (since it’s the default)
  • Deleted empty comments

By convention, the Path property should end with a \ to maintain consistency, but this is not mandatory (I do feel it makes it easier to understand what is going on).
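The clean-up steps listed above, as an added example that is not KAPE's own code: a Target entry is modelled as a plain dict whose keys are the properties named in this post (Path, IsDirectory, FileMask, Recursive, Comment), the sample entries are constructed for illustration, and the function returns review notes for the one case it cannot decide on its own, a Path that names a single file without a wildcard.

```python
# Added example, not part of KAPE: migrates one old-format Target entry
# (modelled as a dict) to the new format and flags what needs a human look.
import re
from copy import deepcopy

WILDCARD = re.compile(r"[*?]")


def migrate_target_entry(entry: dict) -> tuple[dict, list[str]]:
    """Return (migrated entry, review notes) for one Target entry."""
    new = deepcopy(entry)
    notes = []
    name = new.get("Name", "<unnamed>")

    # Step 1: IsDirectory is removed; remember what it said for the checks below.
    was_directory = bool(new.pop("IsDirectory", False))

    # Steps 2 and 3: a wildcard in the last path component is a file mask.
    # Move it to FileMask and keep only the directory part in Path.
    path = new.get("Path", "")
    directory, sep, last = path.rpartition("\\")
    if sep and WILDCARD.search(last):
        new["Path"] = directory + "\\"
        if new.get("FileMask", last) != last:
            notes.append(f"{name}: Path mask {last!r} conflicts with FileMask {new['FileMask']!r}")
        else:
            new["FileMask"] = last
    elif not was_directory and not path.endswith("\\"):
        # A Path naming a single file carries no wildcard, and this code cannot
        # tell a file from a directory without touching disk, so flag it.
        notes.append(f"{name}: Path {path!r} may name a file; move the file name to FileMask")
    elif not path.endswith("\\"):
        # Convention from the post: directory paths end with a backslash.
        new["Path"] = path + "\\"

    # Step 4: Recursive: false is the default, so the property is dropped.
    if new.get("Recursive") is False:
        del new["Recursive"]

    # Step 5: empty comments are deleted.
    if "Comment" in new and not str(new["Comment"]).strip():
        del new["Comment"]

    return new, notes


def migrate_all(entries: list[dict]) -> tuple[list[dict], list[str]]:
    """Migrate a list of entries, collecting every review note."""
    migrated, all_notes = [], []
    for entry in entries:
        new, notes = migrate_target_entry(entry)
        migrated.append(new)
        all_notes.extend(notes)
    return migrated, all_notes


# Constructed sample entries in the old format (not taken from the KAPE repo).
OLD_ENTRIES = [
    {"Name": "Prefetch", "Category": "Prefetch",
     "Path": "C:\\Windows\\Prefetch\\*.pf", "IsDirectory": False,
     "Recursive": False, "Comment": ""},
    {"Name": "Example logs", "Path": "C:\\Example\\Logs", "IsDirectory": True,
     "Recursive": True, "Comment": "keep me"},
    {"Name": "Single file", "Path": "C:\\Example\\one.dat", "IsDirectory": False},
]

if __name__ == "__main__":
    migrated, notes = migrate_all(OLD_ENTRIES)
    for old, new in zip(OLD_ENTRIES, migrated):
        print(old, "->", new)
    for note in notes:
        print("REVIEW:", note)
```

The Prefetch entry comes out as Path: C:\Windows\Prefetch\ plus FileMask: *.pf with Recursive and the empty Comment gone; the directory entry only gains its trailing backslash; the single-file entry is left untouched and reported, because the wildcard rule from the post is the only signal the migration has.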

This new version also has much improved FileMask capabilities. In fact, you can now use full blown Regular Expressions as well as more traditional file masks, like *.jpg or Foo*bar.txt.

This means that for all existing targets nothing needs to be changed. If you want to do regex matching against the entire filename, prefix the FileMask with regex:, like this:

FileMask: regex:(2019|DSC|Log).+\.(jpg|txt)

This allows for almost unlimited flexibility when looking for files, especially when wanting to walk an entire file system looking for certain extensions. By adding a single entry in regex format, a single pass of the file system will happen, versus one pass per file mask. How much time you gain here is a matter of several other factors, but it’s nice to have the option!
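The FileMask behaviour described above (the regex: prefix, the \A and \z anchoring against the complete filename, traditional wildcard masks such as Foo*.VHD, and the one-pass versus one-pass-per-mask point), as an added example that is not KAPE's code. Two assumptions are mine: matching is case-insensitive, mirroring Windows filenames, and because Python's re engine has no \z, its equivalent \Z is used for the end anchor. The filenames are constructed.

```python
# Added example, not part of KAPE: FileMask matching over a list of filenames.
import re
from fnmatch import translate

REGEX_PREFIX = "regex:"


def compile_file_mask(file_mask: str) -> re.Pattern:
    """Turn a FileMask value into a pattern that must match the whole filename.

    regex: masks are wrapped in start/end anchors the way the post describes
    (\\A ... \\z in .NET; Python spells the end anchor \\Z). Anything else is a
    traditional wildcard mask such as *.jpg or Foo*.VHD. Case-insensitive
    matching is an assumption of this example.
    """
    if file_mask.lower().startswith(REGEX_PREFIX):
        pattern = r"\A" + file_mask[len(REGEX_PREFIX):] + r"\Z"
    else:
        # fnmatch.translate already appends \Z; \A anchors the start.
        pattern = r"\A" + translate(file_mask)
    return re.compile(pattern, re.IGNORECASE)


def matching_files(file_names: list[str], file_mask: str) -> list[str]:
    """Return, in input order, the names the mask accepts."""
    rx = compile_file_mask(file_mask)
    return [name for name in file_names if rx.match(name)]


def collect(file_names: list[str], file_masks: list[str]) -> tuple[list[str], int]:
    """Walk the listing once per mask and report how many passes that cost.

    Several plain masks mean several passes; one regex: mask that covers the
    same extensions means a single pass with the same hits.
    """
    hits, passes = set(), 0
    for mask in file_masks:
        passes += 1
        hits.update(matching_files(file_names, mask))
    return sorted(hits), passes


# Constructed directory listing for the demonstration.
SAMPLE_FILES = [
    "DSC_0001.jpg", "Log2020.txt", "2019-trip.JPG", "DSC.jpg",
    "Log.txt.bak", "FooBar.VHD", "Bar.VHD", "Foo.vhd",
]

if __name__ == "__main__":
    for mask in (r"regex:(2019|DSC|Log).+\.(jpg|txt)", "Foo*.VHD", "*.VHD"):
        print(f"{mask:40} -> {matching_files(SAMPLE_FILES, mask)}")
    print(collect(SAMPLE_FILES, ["*.jpg", "*.txt"]))
    print(collect(SAMPLE_FILES, [r"regex:.+\.(jpg|txt)"]))
```

Log.txt.bak is the case the anchoring exists for: an unanchored search would accept it on the embedded .txt, while the whole-filename match rejects it. DSC.jpg is rejected by the post's regex because .+ requires at least one character between the prefix and the extension.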

Finally, for compound targets, you can now reference a directory under the Targets folder, should you wish to dynamically include all target files under that directory. Example:

[Image: compound target definition referencing Path: Antivirus\*]

This tells KAPE to look for any tkape files under the Targets\Antivirus folder and include them in the compound target. This has been possible for a long time via the command line, using the name of the directory in the --targets option, but this makes it possible to specify them in target files.

Module Definition Changes

KAPE now has the ability to wait a predetermined amount of time for a module, versus letting a runaway module go on indefinitely.

To meet this requirement, an optional WaitTimeout value was added to the module header, like this:

[Image: module definition with WaitTimeout set in the header]

This value is specified as the number of minutes to wait. In the above example, AppWithTimeout will sleep for five minutes, but KAPE will only wait around for one minute for it to finish. When KAPE is run with this module, the following happens:

[Image: KAPE output when running AppWithTimeout with WaitTimeout set]

If no timeout is specified, KAPE will wait forever for a module to finish.
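The WaitTimeout semantics just described (absent or 0 means wait forever; greater than 0 is the number of minutes to wait before moving on), as an added example that is not KAPE's code. The module executables are stand-ins built from the Python interpreter, and terminating the child once the wait expires is this example's choice; the post only says KAPE stops waiting.

```python
# Added example, not part of KAPE: run a module's executable with an optional
# WaitTimeout and report whether it finished or timed out.
import subprocess
import sys
import time


def run_module(name: str, argv: list[str], wait_timeout_minutes: float = 0) -> dict:
    """Run one module and honour WaitTimeout.

    wait_timeout_minutes <= 0 mirrors a missing WaitTimeout: wait forever.
    A positive value is converted to seconds for subprocess.run, which kills
    the child when the limit is exceeded (this example's choice).
    """
    timeout = wait_timeout_minutes * 60 if wait_timeout_minutes > 0 else None
    started = time.monotonic()
    try:
        proc = subprocess.run(argv, timeout=timeout, capture_output=True)
        status, code = "finished", proc.returncode
    except subprocess.TimeoutExpired:
        status, code = "timed out", None
    return {
        "module": name,
        "status": status,
        "exit_code": code,
        "elapsed_s": round(time.monotonic() - started, 1),
    }


# Constructed stand-ins for module executables: one that outlives its
# WaitTimeout and one that returns immediately.
SLEEPER = [sys.executable, "-c", "import time; time.sleep(300)"]
QUICK = [sys.executable, "-c", "print('done')"]

if __name__ == "__main__":
    # Same shape as the post: the module sleeps five minutes, KAPE waits one.
    print(run_module("AppWithTimeout", SLEEPER, wait_timeout_minutes=1))
    print(run_module("QuickModule", QUICK))
```

Fractional minutes are accepted here purely so the behaviour can be exercised in seconds; whether KAPE itself accepts a fractional WaitTimeout is not something the post states.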

For More On KAPE:

  • Download the latest version 
  • Sign up for one of the upcoming KAPE Intensive Training and Certification sessions
  • View the latest documentation on GitHub  

Our team is also available to answer questions at [email protected] or on twitter @KrollWire.
