Table of Contents
- Page 1 – Introduction, Screenshots, Updating EZ Tools in KAPE
- Page 2 – How to Use KAPE, Usage Scenarios
- Page 3 – Examining KAPE Output
- Page 4 – Miscellaneous
- Page 5 – Conclusion, KAPE-Related Blog Posts/Videos, Change Log
Miscellaneous
This section is for other cool things you can do with KAPE to make your life easier or to benefit the DFIR community as a whole! This section will likely expand as new ideas come to mind.
Creating Targets and Modules
Targets and Modules are written not only by Eric Zimmerman but the DFIR community at large through the KapeFiles GitHub repository. Targets are easy enough to create. It’s best to follow the official documentation, model your Targets/Modules after ones already created, and test on your own before you do a Pull Request on GitHub.
Testing Targets and Modules is easy. As long as they show up when you run --tlist or --mlist, then you know you did it right. Here's an example of both.
--tlist verification
--mlist verification
Additionally, you can use the following syntax to make the above examples easier:
- kape.exe --mlist EventLogs
- This will display the same as the second GIF above, but there is no need for the .\
- This can, of course, be used with any of the other folders listed in the KAPE directory
- kape.exe --mlist EventLogs --mdetail
- This will display Module processor details. It is basically the same as double-clicking on the Module in gkape, but the output goes to the command line.
If you want to make a Target and are looking for a guide or template, look no further! Here's a KAPE Target Guide you can follow. If you don't need all the instructions the KAPE Target Guide provides, then use the KAPE Target Template.
Using Third-Party KAPE Modules
Some Modules require a third-party app that KAPE doesn't ship. To use these correctly, open the Module (.mkape) file in a text editor or double-click the Module in gkape to view its contents. There will be a BinaryURL value that points you to where to download the executable for the third-party program; drop that executable into the Modules\bin folder. The GIF below highlights this as well as the filtering feature.
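To find out ahead of time which third-party executables a Modules folder expects, here is an added Python example (not part of the original post and not KAPE's own code) that reads the BinaryUrl and Executable values out of each .mkape file and reports those not present under Modules\bin; the module text, paths and URL it uses are constructed samples.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample .mkape text (not a real KapeFiles module). The page calls the
# field "BinaryURL" while the files spell it BinaryUrl, so keys match case-insensitively.
SAMPLE_MKAPE = """\
Description: Example module that needs a third-party tool (constructed sample)
BinaryUrl: https://example.invalid/ExampleTool.zip
Processors:
    -
        Executable: ExampleTool.exe
        CommandLine: -f %sourceDirectory% -o %destinationDirectory%
"""

KEY_RE = re.compile(r"^\s*(BinaryUrl|Executable)\s*:\s*(.+?)\s*$", re.IGNORECASE)

def parse_mkape(text):
    """Return (binary_url, [executables]) from the text of one .mkape file."""
    url, executables = None, []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1).lower() == "binaryurl":
            url = m.group(2)
        elif m:
            executables.append(m.group(2))
    return url, executables

def find_missing_binaries(modules_dir):
    """Map each .mkape (path relative to Modules) to (BinaryUrl, executables missing
    from Modules\\bin). Tools resolved from PATH, e.g. powershell.exe, are also flagged."""
    modules_dir = Path(modules_dir)
    bin_dir = modules_dir / "bin"
    present = {p.name.lower() for p in bin_dir.rglob("*")} if bin_dir.is_dir() else set()
    report = {}
    for mkape in modules_dir.rglob("*.mkape"):
        url, executables = parse_mkape(mkape.read_text(encoding="utf-8", errors="replace"))
        # Executable may be written as a sub-path under bin, so compare on the file name only
        missing = [e for e in executables if PureWindowsPath(e).name.lower() not in present]
        if missing:
            report[mkape.relative_to(modules_dir).as_posix()] = (url, missing)
    return report

def demo():
    """Scan a throwaway Modules tree holding the sample module and an empty bin folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Modules"
        (root / "bin").mkdir(parents=True)
        (root / "Example").mkdir()
        (root / "Example" / "ExampleTool.mkape").write_text(SAMPLE_MKAPE, encoding="utf-8")
        return find_missing_binaries(root)
```

Point `find_missing_binaries` at your real Modules folder to get the same report for every module you have synced from GitHub.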
Updating KAPE
KAPE itself will need to be updated from time to time as well as ensuring you have the most up to date Targets and Modules from GitHub. First, let’s cover
To ensure you have the most up to date Targets and Modules in KAPE, be sure to sync with GitHub through either gkape or the command line.
Sync with GitHub using gkape
Sync with GitHub using kape – command: kape.exe --sync
If you want to keep up to date with new updates to the Kape GitHub repository, then create a GitHub account and Watch the KapeFiles repository.
Why Use Debug or Trace?
Debug and Trace messages exist for troubleshooting purposes and are completely optional. I personally prefer them because when the EvtxECmd Module is chewing through a 4GB Security.evtx log or MFTECmd is chewing through an MFT that’s 4GB in size I know that KAPE is still working.
Here's a quick demonstration of KAPE run without debug or trace, with debug, and with debug and trace enabled.
No Debug or Trace
Debug enabled
Debug and Trace enabled
Regardless of the options you choose, what you see above will be logged in the ConsoleLog.txt in your Module Destination output folder for your future reference.