AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Miscellaneous

This section is for other cool things you can do with KAPE to make your life easier or to benefit the DFIR community as a whole! This section will likely expand as new ideas come to mind.

Creating Targets and Modules

Targets and Modules are written not only by Eric Zimmerman but also by the DFIR community at large, through the KapeFiles GitHub repository. Targets are easy enough to create. It's best to follow the official documentation, model your Targets/Modules after ones already created, and test them yourself before you open a Pull Request on GitHub.

Testing Targets and Modules is easy. As long as they show up when you run --tlist or --mlist, you know you did it right. Here's an example of both.

[GIF: --tlist verification]

[GIF: --mlist verification]

Additionally, you can use the following syntax to make the above examples easier:

  • kape.exe --mlist EventLogs
    • This displays the same output as the second GIF above, but without needing the .\ path prefix
    • This can, of course, be used with any of the other folders listed in the KAPE directory
  • kape.exe --mlist EventLogs --mdetail
    • This displays the Module processor details. It is essentially the same as double-clicking the Module in gkape, but the output goes to the command line.

If you want to make a Target and are looking for a guide or template, look no further! Here's a KAPE Target Guide you can follow. If you don't need all the instructions the KAPE Target Guide provides, use the KAPE Target Template instead.

Using Third-Party KAPE Modules

Some Modules will require using a third-party app that KAPE doesn’t provide. To use these correctly, view the Module (.mkape) file in a text editor or double-click on the module in gkape to view the contents of the Module. There will be a BinaryURL value that will point you to where to download the executable for the third-party program. The GIF below will highlight this as well as the filtering feature.
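As an added example (not from AboutDFIR or the KAPE project), the PowerShell script below walks a Modules folder, reads each Module's BinaryUrl and the Executable each Processor calls, and lists executables that are neither in Modules\bin nor resolvable on PATH, together with the URL to fetch them from. It assumes the standard KAPE layout under $KapeRoot and the BinaryUrl/Executable keys as they appear in .mkape files.

```powershell
# Added example: report third-party executables that KAPE Modules expect but
# that are not yet in Modules\bin. Line-based parsing on purpose, so no YAML
# module is needed. Assumes <KapeRoot>\Modules\**\*.mkape and <KapeRoot>\Modules\bin.
param(
    [string]$KapeRoot = (Get-Location).Path   # assumed: folder containing kape.exe
)

$modulesDir = Join-Path $KapeRoot 'Modules'
$binDir     = Join-Path $modulesDir 'bin'
$missing    = @()

foreach ($file in Get-ChildItem -Path $modulesDir -Filter '*.mkape' -Recurse -File) {
    $binaryUrl   = '(no BinaryUrl listed in module)'
    $executables = @()
    foreach ($line in Get-Content -Path $file.FullName) {
        # -match is case-insensitive, so BinaryUrl and BinaryURL both match
        if ($line -match '^\s*BinaryUrl:\s*(\S+)') {
            $binaryUrl = $Matches[1]
        } elseif ($line -match '^\s*Executable:\s*(.+?)\s*$') {
            $executables += $Matches[1]        # e.g. EvtxECmd\EvtxECmd.exe or powershell.exe
        }
    }
    foreach ($exe in ($executables | Select-Object -Unique)) {
        $inBin  = Test-Path -Path (Join-Path $binDir $exe) -PathType Leaf
        # Built-in tools such as powershell.exe or cmd.exe resolve from PATH, not Modules\bin
        $onPath = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        if (-not $inBin -and -not $onPath) {
            $missing += [pscustomobject]@{
                Module     = $file.Name
                Executable = $exe
                BinaryUrl  = $binaryUrl
            }
        }
    }
}

if ($missing.Count -eq 0) {
    Write-Host "All Module executables are present in $binDir or on PATH"
} else {
    # One row per missing executable; the BinaryUrl column tells you where to download it
    $missing | Sort-Object Executable, Module -Unique | Format-Table -AutoSize
}
```

Run it from the KAPE folder (or pass -KapeRoot) after pulling new Modules with --sync to see which third-party tools still need to be dropped into Modules\bin.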

Updating KAPE

KAPE itself needs to be updated from time to time, and you also need to ensure you have the most up-to-date Targets and Modules from GitHub. First, let's cover

To ensure you have the most up-to-date Targets and Modules in KAPE, be sure to sync with GitHub through either gkape or the command line.

[GIF: Sync with GitHub using gkape]

[GIF: Sync with GitHub using kape, command: kape.exe --sync]

If you want to keep up with new updates to the KAPE GitHub repository, create a GitHub account and Watch the KapeFiles repository.

Why Use Debug or Trace?

Debug and Trace messages exist for troubleshooting purposes and are completely optional. I personally prefer them because, when the EvtxECmd Module is chewing through a 4GB Security.evtx log or MFTECmd is chewing through an MFT that's 4GB in size, I know that KAPE is still working.

Here's a quick demonstration of KAPE run without debug or trace, with debug, and with debug and trace enabled.

[GIF: No Debug or Trace]

[GIF: Debug enabled]

[GIF: Debug and Trace enabled]

Regardless of the options you choose, what you see above is logged to ConsoleLog.txt in your Module Destination output folder for future reference.