Tue, Sep 22, 2020

Child Exploitation Investigation � Express Analysis with KAPE

Has your workload increased or decreased in recent years? With an ever-growing backlog of cases, efficiently locating and processing data is becoming just as important a skill as interviewing and other traditional skills investigators rely on. With Kroll Artifact Parser and Extractor (KAPE) collection and triage capabilities, full disk forensics is becoming a thing of the past. In this session, KAPE creator Eric Zimmerman showcases how key Windows artifacts can be collected from a live or forensic image, parsed and reviewed in a few minutes using KAPE. Additionally, Eric demonstrates how to make custom targets to collect child exploitation material such as .jpgs, .pngs, .mp4s, etc. These examples can then be extended to meet the requirements of even the most complex cases.

Watch the Webcast Replay

Webcast Replay: Child Exploitation Investigation – Express Analysis with KAPE

This 30-minute webcast covers:

  • How to leverage KAPE to collect data most relevant to child exploitation cases
  • How to extract actionable intelligence from artifacts found on offenders’ systems
  • How to prioritize machines for analysis when dealing with multiple systems

Tools used in the session:

Speaker: Eric Zimmerman, Senior Director, Cyber Risk, Kroll

Notable Passages from Eric Zimmerman During the Presentation

In most investigations, we want to focus in on a few key things, what documents have been opened? Pictures, movies, PDFs, Word documents, websites. We want to focus on what directories have been opened. Because that's maybe where their contraband is being kept, or where they're accessing files from, where they're downloading things to. And so there's of course, going to be certain key artifacts that we can focus in on in order for you to be able to make use of the data in the most efficient way possible.

On KAPE vs. osTriage 

osTriage is somewhat similar to KAPE, but if you want to think of KAPE like osTriage version four, that might be an interesting way for you to think about it. Now the thing that you need to keep in mind, the distinction between osTriage and KAPE is that osTriage is a very specific tool for frontline investigators, that is going to try and present a wide range of data in a very similar look and feel. If you've used osTriage, you have the grids, and it's the tabs and everything's in a grid and you look at all the stuff in one place. KAPE is going to be a little bit different than that. KAPE is going to expect you to know what you want to collect and what you want to process.

On KAPE’s Capabilities 

KAPE doesn't do anything by itself. KAPE is driven by targets which collect files and modules which run programs. And what makes KAPE so capable is that you do not need to rely on me to make KAPE do what you want. With very little work, you can extend KAPE to make it work exactly the way you want to collect exactly the files that you want, no more and no less. KAPE expects you, the user to have a deeper understanding of what you want to collect, as opposed to show me all the stuff and I want to know about hashes of interest and keywords, and it's yellow and it's red.

On Triaging

Now another thing that's always really interesting in almost every type of case is what has a user been running? What programs have they been running on their system? Evidence of execution. So one of the artifacts that will tell us about evidence of execution is prefetch. And so now, if I get rid of that filter, it tells me that the targets I'm going to collect are link files and jump lists and prefetch, right here. Notice that the execute button is ready to go.

KAPE is going to do a lot of work for us to make sure that the customizations that we build are going to work for us before we need them. In other words, when we make them and we test them, we're going to get feedback right away whether or not something works, or it doesn't. Now part of that would be after we click Execute here, let's see what happens and then I'll walk through actually what happened here. Now it's already searched, the search is over. I am done with my triage.

That's the features and functionality that you are going to be able to have in the field to get answers to your questions, essentially, in real time. Look at how little time it took for me to iterate the entire 60 gig drive, .091 seconds, it knew about all 185 files to find. Then it copied them all and de-duplicated three. Now it's going to calculate the SHA-1 of every file that it sees. And by default, it is only going to copy out a single instance of each file based on the SHA-1. Why? If you had 38 files that are the same, I don't want to give you 38 files that you have to look at, you only need it once. Now you can certainly turn that off. But by default, you're good. This is it. It took three seconds to do that triage.

On Collecting Documents

If pictures and videos are named with the extension, still, you're still going to get them. Now if they're renaming all their pictures to dot foo, or dot docx, and they're really JPEGs, well, no. You're not going to be able to extract those out unless you look for Word documents. However the link files and the jump list are going to tell you what's been opened. I don't know that I've ever had a case, and I've worked plenty of cases where somebody has been renaming all of their files to get rid of keywords, series information, even renaming files based on their extension, super rare in my experience. You'd still be able to get it based on the file name, recent documents that have been opened and that should be pivot you there.

On KAPE With Other Tools

Do you know how much faster Axiom and other tools are going to process this data when you pre-filter this stuff that you're going to look at anyway, with KAPE? Orders of magnitude. There is no option for an L01, that is proprietary. It'll never happen. You can do a Zip. Zip's done. So that's not an issue at all. If I go back to here, you could do Zip, VHD or VHDX, no problem. I would recommend that you do VHDX because everything should support that without any issues.

On Collecting Evidence 

This Zip file with my VHDX in it? That is your original evidence at this point. That should be something that you never touch. In other words, don't extract out this VHDX and then delete the Zip file. The Zip file is always what you collected. 

I want to know about what files and folders were accessed. I want to know about what programs were executed. Well look, there's your jump lists and your link files. So if I bring these into Timeline Explorer, in less than 10 seconds, I know every single file that was open. There's everything that I've opened on this computer. In automatic destinations. There's all of the link files that I opened. Now what would you do here? Here's where you could start searching for all of the various keywords that you normally would associate with child exploitation cases.

On KAPE in Chain of Custody 

How can KAPE output be presented in court to assure chain of custody? It is no different than any other forensic program you've ever used. How would you do it if you used X-Ways? Or Encase? Or osTriage? You collect this, it's on a thumb drive, you put that into your case, in my case as an FBI agent, I would have written a 302, it would end in a 1A. It would go into evidence, whatever that is. You're good to go.

On Event Logs

So what am I doing right now? I'm collecting event logs. But guess what? On a running system, event logs are locked. You can't just go copy them, but I just did. Because I'm using raw disk access. So if a file is locked registry, hives anything, boom, you got it.

On Modules

I am not going to distribute the executables for a Module, you are going to have to go get that executable and put it in the right place. Why? So that you could make sure that only what you want to run is going to be possible to run. If I did it, or I allowed other people to put these into the default distribution, you can imagine how fun it would be if somebody did a Module for escalate, that just starts deleting the entire C drive, you would not be happy with me. And so there has been work that's gone into making sure that everybody is as safe as possible when it comes to using this as well.

On Collecting Cloud Data 

Now one thing you need to be aware of if you're collecting cloud data, does your search warrant allow for it? Are you legally authorized if you touch a file that's in the OneDrive folder and OneDrive starts downloading it from the cloud, are you okay? You should be because your warrant should specifically say that if that happens, it happens.

For more information on KAPE training and certification sessions, click here. If you’re interested in using KAPE commercially, purchase an enterprise license here.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.


Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.