How to Use KAPE
KAPE, or any forensic tool for that matter, is nothing without evidence to throw at it. This guide mostly refers to running KAPE against forensic images because they are universally available: anyone can image their own media, computer, etc., or even run KAPE against their own live system. Frankly, anything holding artifacts that are listed on the Target side of KAPE is fair game for acquisition. It doesn’t need to be an Operating System drive every time. However, for an examiner, that’ll be the most common use case. Note that KAPE has many use cases; the ones covered in this guide are not exhaustive, but are the ones deemed most applicable for getting an examiner who is inexperienced with KAPE up to speed and effective as quickly as possible.
With that being said, gather your image(s) and mount them via Arsenal Image Mounter, it’s free! Do not use FTK Imager for mounting your images as your images will be mounted as a network share rather than a physical disk like with Arsenal Image Mounter. The benefit to being mounted as a physical disk is that it allows you access to Volume Shadow Copies. Both are the same price so you might as well use the tool that does the job better!
Once your evidence has a drive letter attached to it, point the Target Source in gkape to the OS partition which is where all Windows OS-related artifacts will reside. Here’s an example of a basic collection that I do on a daily basis.
Targets serve as instructions to KAPE on where to grab certain files. Targets exist for many Windows artifacts, third-party apps, etc. A Target simply tells KAPE where, within the Target Source, a given program stores its files. Those files will then be copied out from your evidence image into the specified Target Destination folder.
Think of using the Target side as a fancy way to copy out the targeted files to a destination folder. Why would you want to do this, you ask? You can use EZ’s Tools to analyze those files to drill down to the specific artifacts for validation purposes as well as for self-learning purposes.
To illustrate this, check out an example of a Target that I wrote for VoidTools’ Everything:
ProTip: Thanks to Eric Zimmerman for this one. When using the command line version of KAPE, if you want to run an entire folder’s worth of targets (i.e. Apps, Windows, Antivirus, etc.), instead of specifying the individual targets one at a time after --target, simply put the folder name after --target. So, if you wanted to run all the targets that fall under the Apps folder, your command would look like this: kape.exe --tsource C: --tdest "C:\temp" --tflush --target Apps
To put it simply, Modules are parsers for the targeted files KAPE copies out to your Target Destination folder. The parsed output, however, goes into a Module Destination folder that you specify. One really cool aspect of Modules is that anyone can write a Module for a third-party parser to be executed against the targeted files. Beyond writing the command for that Module, though, you need to make sure the binary (.exe) is in the Bin subfolder within the Modules folder. KAPE does not provide the binaries for these Modules, with the sole exception of the EZ Tool suite, which is also created by Eric Zimmerman.
To illustrate this, check out an example of a Module that I wrote for VoidTools’ Everything:
This Target and Module used together would copy out the Everything.DB and convert it into something human readable all in one action.
Setting Target and Module Destinations
You need to specify where you want KAPE to store the Target files and the Module output. The simplest way to go about this, in my opinion, is to create a dedicated folder for your KAPE collection. Within this folder, create two subfolders: tout and mout, tout for Target output and mout for Module output. That way, tout will always have the files you’re telling KAPE to copy out from the evidence and mout will have the parsed output from those targeted files.
Building Out Your Command
One of the best features of gkape is the ability to use the GUI to establish a working command that you can use at scale, if necessary, or to have at the ready when you’re using the command line version (kape.exe). The command will be built out live on the bottom of the GUI as you select the elements of the task that you want KAPE to perform. Check out the demonstration below!
As of October 2020, KAPE’s Targets were reorganized a bit. As with other EZ Tools, you can use the column header grouping feature to better see how the Targets are laid out.
New with 0.9.5.0, you can Select All, Select None, and Invert Selection for your targets. Watch how the command line reacts to my actions.
For more documentation on gkape, click here.
Collect, Collect and Process, or Process?
There are a few ways to use KAPE. The basic questions you have to ask yourself are:
- Do you want KAPE to copy the files you’re targeting to a specified folder and do nothing else?
  - If so, make sure to use a Target and specify a Target Destination where you want those files to be copied to, i.e. a folder named tout
- Do you want KAPE to copy the files you’re targeting to a specified folder AND run modules against those files you copied?
  - If so, make sure to use a Target and specify a Target Destination where you want those files to be copied to, i.e. a folder named tout, AND
  - Make sure you use a Module and specify a Module Destination where you want the parsed output to be placed, i.e. a folder named mout.
- Do you want KAPE to simply run a Module(s) against files in place?
  - If so, make sure you use a Module and specify the Module Source (where are the files residing?) and a Module Destination (where the parsed output is to be placed).
  - An example of this would be simply running the !EZParser module against an image (C drive)
Here’s an example of all three scenarios above in order. Pay attention to the boxes that are highlighted in red as those are the mandatory fields for each scenario.
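The same three scenarios as kape.exe command lines, wrapped in a PowerShell script that also creates the tout and mout folders described earlier. This is an added example, not part of the original guide; the kape.exe path, the case folder, the E: drive letter for the mounted image and the choice of --mef csv for CSV output are assumptions.

```powershell
# Added example: run kape.exe in one of the three scenarios from this section.
# Assumed values (not from the guide): kape.exe path, case folder, drive letter E:.
param(
    [ValidateSet('Collect', 'CollectAndProcess', 'Process')]
    [string]$Mode = 'CollectAndProcess',
    [string]$Kape = 'C:\Tools\KAPE\kape.exe',    # assumed install path
    [string]$Source = 'E:',                       # assumed letter of the mounted image
    [string]$CaseDir = 'D:\Cases\Example01'       # assumed case folder
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Kape))       { throw "kape.exe not found at $Kape" }
if (-not (Test-Path -LiteralPath "$Source\"))  { throw "Source $Source is not mounted" }

# One dedicated folder per collection: tout = Target output, mout = Module output.
$tout = Join-Path $CaseDir 'tout'
$mout = Join-Path $CaseDir 'mout'
New-Item -ItemType Directory -Force -Path $tout, $mout | Out-Null

# Quote names starting with "!" so PowerShell passes them through as plain strings.
$collect = @('--tsource', $Source, '--tdest', $tout, '--target', '!BasicCollection')
$parse   = @('--mdest', $mout, '--module', '!EZParser', '--mef', 'csv')

switch ($Mode) {
    # 1. Copy the targeted files and do nothing else: Target + Target Destination.
    'Collect'           { $kapeArgs = $collect }
    # 2. Copy, then parse the copies: add a Module + Module Destination.
    #    No --msource is given; the Modules run against the Target Destination.
    'CollectAndProcess' { $kapeArgs = $collect + $parse }
    # 3. Parse files in place: Module Source + Module Destination, no Target.
    'Process'           { $kapeArgs = @('--msource', $Source) + $parse }
}

# Show the exact command before running it, as gkape does at the bottom of its window.
Write-Host "Running: $Kape $($kapeArgs -join ' ')"
& $Kape @kapeArgs
```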
KAPE can be used in many scenarios, but here are two common ones that’ll apply to most everyday examiners.
The Ultimate Practice Scenario
Practice makes perfect, right? Before you use KAPE on evidence, use it on your own system! No one knows your system better than yourself so the artifacts you see should make sense to you. This will also help you understand the artifacts better if you’ve not had any formal training yet on Windows Artifacts. If you’ve not had training, fear not! There’s a section coming up where I’ll provide some self-study resources for these artifacts so you can approach analysis from a more informed position.
Prior to running KAPE on your own system, you should download and install VoidTools’ Everything tool. Throw it on your second monitor and sort by Last Modified. On your other monitor, start opening up documents and watch as the LNK files populate in real-time. Interact with your system and watch what changes are made in correlation to the actions you’re performing on your system. This is purely for educational purposes so you understand how much is happening on your system as you interact with it. Here’s an example of what I saw when I opened Slack, Snipping Tool, and Edit Pad Pro in that specific order.
Once you’ve done this, run KAPE on your OS Drive (Target Source = OS Drive, !BasicCollection Target, !EZParser Module, CSV output) and see how the artifacts look in a CSV format. Once you get familiar with that, apply this concept to the digital evidence that you analyze in your professional life.
If you don’t have a professional life in DFIR yet, practice on your own digital media! Or, even better, create new images for people to test on and we can host the image(s) in Tool Testing. In turn, you’ll help the community as well as help to establish a name for yourself! Let us know if you do that, please!
The Real World Scenario
When using KAPE against mounted evidence, a live system, etc., you’ll want to make sure you target the artifacts relevant to your investigation. This is made easy with certain Targets that come with KAPE that bundle multiple Targets together into one to provide a nice triage analysis package.
The following Targets provide a nice “easy button” for getting everything you’ll need to start your analysis:
- This is probably the most applicable to the everyday examiner. Anything not covered in this Target file can be manually added on the Target side prior to executing KAPE.
- This is similar to !BasicCollection, but the Target is written out more verbosely rather than pointing to other tkape files. Compare the way this one is written with !BasicCollection so you can see the difference.
- This is geared more towards an IR investigation but can still provide plenty of useful data.
Alternatively, you can customize your recipe on the Target side to cater to your specific needs. The above Targets just make life easy for those who want to grab all the above artifacts without having to individually select each Target for each respective artifact.
If you’re running an image through a commercial tool and it’s going to take hours or overnight, KAPE can provide you actionable results within minutes that can provide you with leads to explore further once the commercial tool is done chewing through the image. Point KAPE towards the Operating System partition of an image as most Targets will look for artifacts in the Users folder, AppData, or the Windows\System32\ folder and beyond. If you point a Target to a non-Operating System drive, more than likely those locations won’t exist and therefore you won’t have much to analyze!
Below are some use cases for KAPE for the everyday law enforcement examiner:
- Check UserAssist for executed programs
- Check Amcache and ShimCache for executed programs (timestamp not reliable, cross reference with UserAssist)
- Check LNK files for opened files
- Check JumpLists (Automatic Destinations) for opened files
- Check $MFT for File Creation dates of illicit images, videos, etc
- Check $MFT and USN Journal for file knowledge
- Check $I and $R files in the Recycle Bin for evidence of file deletion
- Check Volume Shadow Copies for evidence of files that may not exist on the image you have in front of you
Also, you can point a commercial tool towards your KAPE Target output and view it in the tool’s GUI as that will likely take less time than chewing through an entire E01 image. However, sometimes unallocated space is important in an LE investigation so be cognizant that KAPE will not deal with unallocated space in any way.
IR examiners likely have a system in place to run KAPE remotely and acquire whichever Targets are needed for their examination. Often, IR examiners work off triage packages for 95% of their analysis and simply request an E01 of endpoints that require further analysis beyond the artifacts KAPE provides. This is a more efficient approach than asking for E01s of every system in the network. Remember, some networks can have thousands or tens of thousands of endpoints. A 1-2GB KapeTriage package is a lot easier to digest than full E01s for each affected system.
Research and Testing
KAPE can be used to learn more about how Windows works in many ways. Want to research a relatively undocumented artifact? Write a Target for the artifact if one doesn’t already exist. Next, write a Module, if able, for the artifact. If you’re not able to, collaborate with someone who can help you write a Module for it. If you can’t do that, then write a blog post about your findings in hopes the community will build off your research to better understand that artifact. KAPE won’t research anything for you, but it can facilitate that research while also hopefully providing new Targets and Modules that the community can use in the course of their investigations.