Table of Contents
- Page 1 – Introduction, Screenshots, Updating EZ Tools in KAPE
- Page 2 – How to Use KAPE, Usage Scenarios
- Page 3 – Examining KAPE Output
- Page 4 – Miscellaneous
- Page 5 – Conclusion, KAPE-Related Blog Posts/Videos, Change Log
KAPE is a modular triage tool that can be catered to meet your specific forensic artifact collection and parsing needs from live and mounted systems. In short, it can target specific artifacts using the Targets feature and then parse the artifacts to provide meaningful, actionable output using the Modules feature. In plain English, it grabs files of interest and facilitates the output of human readable artifacts for the examiner to analyze in a very quick manner.
As of December 2020, a sample of output from KAPE can be retrieved from a GitHub repository of I put together for the purpose of these EZ Tools guides. The GitHub repository can be found here.
This guide was created with those new to KAPE in mind, regardless of background (LE, Private, Student, etc). It should be noted the primary purpose of this guide is aimed to help break the intimidation barrier with trying out a new tool such as KAPE. There are certainly more advanced ways to leverage KAPE but they will not be covered in this guide. Maybe in a future guide!
If by the end of this guide you don’t think to yourself “hey, I can totally use this in my day to day work”, then please let me know why that’s not the case.
Download link: Introducing KAPE – Kroll Artifact Parser and Extractor
License: KAPE EULA – Summary: free to all Law Enforcement, personal learning purposes, and permitted for non-commercial use by students and educational institutions, solely for purposes directly related to learning, training, research, or development functions performed by an educational institution.
Command Line (kape.exe)
Yes, there is a dark mode. Use it! Tools -> Skins to customize gkape to your liking.
Updating EZ Tools in KAPE
When you update Eric’s tools, you usually do it with a PowerShell script called “Get-ZimmermanTools.ps1”. Here’s an example of what that looks like:
However, usually that’s only updating the tools that reside in their own folder and have no bearing on the instance of his tools that reside in KAPE’s Modules\bin folder. It is very important to make sure you keep the EZ Tools in the KAPE\Modules\bin folder updated as you’re using the tool. You can do this by simply copying and overwriting the executable files for Eric’s tools in the Modules/bin folder.
For instance, if you update Eric’s tools, you’ll see the following gets downloaded when you initially download or update the existing binaries.
However, if you look in your KAPE folder in the Modules\bin directory, not all those tools will be present. That’s because the tools that are missing are either the GUI versions of his tools, which KAPE does not call with its Modules (more on that later), or they are tools that simply aren’t used by a KAPE Module currently (i.e. bstrings, etc).
Needless to say, if you update your binaries in the first screenshot, it doesn’t mean the binaries in the KAPE\Module\bin folder are updated. You need to do this manually. A simple copy and paste will do the trick. You can do this with the binaries and the maps for tools like EvtxECmd.
Additionally, just because you sync the maps for EvtxECMd in one folder doesn’t mean they are synced in the other. If you end up using KAPE a lot rather than the individual tools themselves, make sure you stay vigilant to update and sync the maps from GitHub for EvtxECmd as well as Targets and Modules from GitHub.
For EvtxECmd, a simple
evtxecmd.exe --sync command works to get the latest maps. The same can be said for KAPE with a simple
kape.exe --sync command.