Table of Contents
- Page 1 – Introduction, Screenshots, Updating EZ Tools in KAPE
- Page 2 – How to Use KAPE, Usage Scenarios
- Page 3 – Examining KAPE Output
- Page 4 – Miscellaneous
- Page 5 – Conclusion, KAPE-Related Blog Posts/Videos, Change Log
Examining KAPE Output (CSV)
CSV is, in my opinion, the easiest format to analyze, simply because you can harness the power of Excel’s filtering capabilities. If you don’t have Excel, you can use LibreOffice’s Calc or Eric Zimmerman’s Timeline Explorer/EZViewer as alternatives.
UPDATE: Timeline Explorer guide is now live here! Check out this guide for the best tool to pair with KAPE for your analysis!
First Things First
There are a few things I always do when I open a CSV file in Excel:
- Enable Filtering
- Freeze Top Row
- Locate Timestamp Column and Change Number Format (yyyy-mm-dd hh:mm:ss)
This will make your life a lot easier when you’re looking to drill down to specific artifacts and remove some of the irrelevant noise. Also, being able to sort on the timestamp column to see the order of events will be crucial to compiling a timeline of events that occurred on that system.
Using Column Filters
Below is an example of filtering the KAPE EvtxECmd output on the EventID column for RDP events (21, 22, 23, 24, 25).
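The same filter can be scripted when there are too many CSV files to open by hand. The following Python script is an added example, not part of the original guide and not code from KAPE or EvtxECmd: it applies the "First Things First" steps (sort on the timestamp, render it as yyyy-mm-dd hh:mm:ss) and then keeps only the RDP session event IDs named on this page. The CSV sample is constructed, and its column names are an assumed subset of EvtxECmd's real CSV header; one deliberately garbled line shows that a single bad record is skipped rather than aborting the pass.

```python
import csv
import io
from datetime import datetime

# Constructed sample of EvtxECmd-style CSV output. Column names are modelled on
# EvtxECmd's CSV header (assumption: a subset of its real columns); every value
# below is made up for this example, including the deliberately garbled line.
SAMPLE_EVTX_CSV = """TimeCreated,EventId,Channel,Computer,UserName,RemoteHost,MapDescription
2021-03-04 09:15:02.1234567,4624,Security,WS01,,,Successful logon
2021-03-04 09:17:45.0000000,21,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,CORP\\alice,10.0.0.5,Session logon succeeded
2021-03-04 09:17:40.5000000,1149,Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational,WS01,alice,10.0.0.5,User authentication succeeded
2021-03-04 11:02:10.0000000,24,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,CORP\\alice,10.0.0.5,Session disconnected
not-a-timestamp,21,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,,,garbled line
2021-03-04 11:03:00.0000000,7045,System,WS01,,,Service installed
2021-03-04 11:09:31.0000000,25,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,CORP\\alice,10.0.0.5,Session reconnected
"""

# The RDP session event IDs this guide recommends filtering on.
RDP_EVENT_IDS = {21, 22, 23, 24, 25, 1149}


def parse_timestamp(value):
    """Parse EvtxECmd's TimeCreated text. EvtxECmd writes seven fractional
    digits; datetime accepts at most six, so the fraction is truncated."""
    value = value.strip()
    if "." in value:
        whole, frac = value.split(".", 1)
        return datetime.strptime(f"{whole}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def rdp_timeline(csv_text, event_ids=RDP_EVENT_IDS):
    """Filter EvtxECmd CSV text to RDP events and order them chronologically.

    Returns (rows, skipped): rows is a list of dicts sorted by TimeCreated with
    the timestamp rendered as yyyy-mm-dd hh:mm:ss (the Excel number format the
    guide recommends); skipped counts lines whose EventId or TimeCreated could
    not be parsed, so one bad record does not abort the whole pass.
    """
    keyed = []
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["EventId"])
            if event_id not in event_ids:
                continue
            ts = parse_timestamp(row["TimeCreated"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        keyed.append((ts, {
            "time": ts.strftime("%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "channel": row.get("Channel", ""),
            "user": row.get("UserName", ""),
            "remote_host": row.get("RemoteHost", ""),
            "description": row.get("MapDescription", ""),
        }))
    # Sort on the parsed datetime so sub-second precision still decides order.
    keyed.sort(key=lambda pair: pair[0])
    return [record for _, record in keyed], skipped


if __name__ == "__main__":
    rows, skipped = rdp_timeline(SAMPLE_EVTX_CSV)
    for r in rows:
        print(f"{r['time']}  {r['event_id']:>5}  {r['user']:<12} {r['remote_host']:<10} {r['description']}")
    print(f"{len(rows)} RDP events, {skipped} unparseable line(s) skipped")
```

Note that the 1149 event (09:17:40) sorts ahead of the 21 event (09:17:45) even though it appears later in the file, which is exactly why sorting on the timestamp column before reading a timeline matters.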
Below is an example of how you can filter the MFT output for files created in the Program Files folders.
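The Program Files filter, as an added Python example that is not part of the original guide and not code from KAPE or MFTECmd. The CSV sample is constructed, its column names are an assumed subset of MFTECmd's real header, and ParentPath uses the `.\` root prefix MFTECmd writes. The script keeps live, non-directory records under either Program Files folder and goes one step beyond the Excel filter above: the "created since" window is checked against both the $STANDARD_INFORMATION and $FILE_NAME creation times, and each hit is flagged when $SI creation predates $FN creation.

```python
import csv
import io

# Constructed sample in the shape of MFTECmd's CSV output. Column names are
# modelled on MFTECmd's header (assumption: a subset of its real columns) and
# ParentPath uses the ".\" root prefix MFTECmd writes; all values are made up.
SAMPLE_MFT_CSV = """EntryNumber,InUse,ParentPath,FileName,Extension,FileSize,IsDirectory,Created0x10,Created0x30
101,True,.\\Program Files\\Common Files,helper.dll,.dll,20480,False,2021-03-04 11:02:30.0000000,2021-03-04 11:02:30.0000000
102,True,.\\Program Files (x86)\\Vendor,setup.exe,.exe,512000,False,2019-07-01 08:00:00.0000000,2019-07-01 08:00:00.0000000
103,True,.\\Program Files\\Vendor,,,0,True,2021-03-04 11:02:29.0000000,2021-03-04 11:02:29.0000000
104,True,.\\Users\\alice\\Downloads,tool.exe,.exe,51200,False,2021-03-04 10:58:00.0000000,2021-03-04 10:58:00.0000000
105,False,.\\Program Files\\Vendor,old.dll,.dll,1024,False,2020-01-01 00:00:00.0000000,2020-01-01 00:00:00.0000000
106,True,.\\Program Files\\Vendor,svc.exe,.exe,40960,False,2018-05-05 05:05:05.0000000,2021-03-04 11:02:31.0000000
"""

PROGRAM_FILES_PREFIXES = (".\\program files\\", ".\\program files (x86)\\")


def _under_program_files(parent_path):
    """True for paths inside Program Files or Program Files (x86), including
    the folder itself, compared case-insensitively."""
    p = parent_path.strip().lower().rstrip("\\") + "\\"
    return p.startswith(PROGRAM_FILES_PREFIXES)


def created_in_program_files(csv_text, since=None):
    """Return live, non-directory MFT records under Program Files, optionally
    limited to those created on or after `since` (a 'yyyy-mm-dd' prefix).

    The creation window is checked against both Created0x10 ($STANDARD_INFORMATION)
    and Created0x30 ($FILE_NAME), and each hit carries an si_before_fn flag when
    the $SI creation time is earlier than the $FN one. MFTECmd writes timestamps
    in a fixed 'yyyy-MM-dd HH:mm:ss.fffffff' layout, so plain string comparison
    orders them correctly.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("InUse", "").strip().lower() != "true":
            continue  # deleted entries remain in the $MFT; not wanted here
        if row.get("IsDirectory", "").strip().lower() == "true":
            continue
        if not _under_program_files(row.get("ParentPath", "")):
            continue
        si_created = row.get("Created0x10", "")
        fn_created = row.get("Created0x30", "")
        if since and si_created < since and fn_created < since:
            continue
        hits.append({
            "entry": int(row["EntryNumber"]),
            "path": row["ParentPath"] + "\\" + row["FileName"],
            "size": int(row["FileSize"] or 0),
            "si_created": si_created,
            "fn_created": fn_created,
            "si_before_fn": si_created < fn_created,
        })
    hits.sort(key=lambda h: max(h["si_created"], h["fn_created"]))
    return hits


if __name__ == "__main__":
    for h in created_in_program_files(SAMPLE_MFT_CSV, since="2021-03-04"):
        flag = "  <-- $SI created before $FN" if h["si_before_fn"] else ""
        print(f"{h['si_created'][:19]}  {h['fn_created'][:19]}  {h['path']}{flag}")
```

In the constructed sample, entry 106 has a $SI creation date in 2018 but a $FN creation date on the day of interest; a filter on Created0x10 alone would drop it, which is why the window is applied to both columns.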
Understanding the Artifacts
The !EZParser Module will create subfolders for the various artifacts’ CSV output. These will include:
EventLogs
FileDeletion
FileFolderAccess
FileSystem
ProgramExecution
Registry
Within each of these folders will be CSV (by default) output files that you’ll use to examine the artifacts on the system. If you want to learn more about each of these artifacts, check out the following resources! AboutDFIR will be covering more of these tools in the future, so this table will be updated as they are covered.
- FileSystem
  - $MFT
- FileFolderAccess
  - LNK Files and JumpLists
  - Shellbags (NTUser.dat and UsrClass.dat files)
- ProgramExecution
  - AppCompatCache/AmCache/RecentFileCache
- Registry
  - 13Cubed – Introduction to Windows Forensics
  - DFIR Summit 2016: Plumbing the Depths – Windows Registry Internals
  - Episode 76: Investigating the Windows Registry using Registry Explorer – Part 1
  - Episode 77: Investigating the Windows Registry using Registry Explorer – Part 2
  - Episode 78: What is the Windows Registry transaction log?
  - Exploring Registry Explorer
  - Fast, Scalable Results with EZ Tools and the New Command line poster
  - Forensic Lunch Test Kitchen 1/18/19 Windows 7 New RECMD
  - Transaction logs and Registry Explorer
- FileDeletion
- EventLogs
  - RDP Events
    - 13Cubed – RDP Event Log Forensics
    - Pro-Tip: filter on 21, 22, 23, 24, 25, and 1149 in the EventID column of the EventLogs CSV output
    - Windows RDP-Related Event Logs: Identification, Tracking, and Investigation
  - EvtxECmd
    - 13Cubed – Introduction to EvtxECmd
    - Pro-Tip: EvtxECmd is run automatically as part of the !EZParser Module
As always, Tools & Artifacts – Windows is at your disposal for Windows-based artifacts, both system and third-party. The SANS Windows Forensic Analysis (FOR500) and Hunt Evil (FOR508) posters are great resources, as well.