For those who didn't see, last week Eric Zimmerman, the creator of a number of fine forensics tools, released a new tool called KAPE, the Kroll Artifact Parser and Extractor. It gives examiners the ability to quickly collect files and folders into a storage location (a folder, VHD or VHDX) and then parse them with various utilities.
Target (.tkape) and Module (.mkape) files can be defined quickly, so you can target exactly the files you want to collect and then parse them with dedicated tools.
Eric hosts a community Targets and Modules repository on his GitHub, and gkape (the GUI) can sync with it directly.
Whilst playing with the tool I have created a few little things that might help other examiners better utilise the tool.
This matters less now that Eric has updated the GUI to open .tkape and .mkape files for viewing and editing on double-click, but it is still worth knowing about.
If you want to quickly and easily view the contents of a .tkape or .mkape file you can do one of two things. The first is to change the default program for those extensions to Notepad. The second is to run the following reg commands so that Explorer treats them as text and shows their contents in the Preview pane. They write to HKLM, so run them from an elevated prompt; if you only want the change for your own account, use HKCU\Software\Classes instead, which needs no elevation:
reg add HKLM\Software\Classes\.tkape /v PerceivedType /d text
reg add HKLM\Software\Classes\.mkape /v PerceivedType /d text
After you have finished running KAPE, there are two ps1 scripts that I think might be useful going forward.
The first is run over the collection output folder and creates a session file for Registry Explorer that opens all of the collected registry hives at once, rather than loading them individually. I would recommend deleting the rows for hives you don't need from the session file before opening it, as Registry Explorer loads every hive listed and the opening time grows with each one.
- Copy "registryExplorerSession.ps1" into the "Targets" output folder (the --tdest folder) and run it, then open the resulting session in Registry Explorer.
The second is run from the parsing output folder and creates a session file that loads all of the CSV and XLSX files into Timeline Explorer.
- Copy "tle_session.ps1" into the "Modules" output folder (the --mdest folder) and run it, then open the resulting session in Timeline Explorer.
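As an added illustration of what these scripts have to work with (this is not the author's registryExplorerSession.ps1 and does not write a Registry Explorer session file), the PowerShell below walks a KAPE Targets output folder, picks out the collected registry hives and their transaction logs, and reconstructs where each one came from on the source drive. It assumes KAPE's --tdest layout, in which the collected copy of C:\Windows\System32\config\SYSTEM lands at <tdest>\C\Windows\System32\config\SYSTEM; the hive names in $Include are the ones you would normally care about and can be trimmed to shorten the list before anything is loaded into Registry Explorer.

```powershell
# Added example, not the author's script: inventory the registry hives in a
# KAPE Targets output folder. Assumes the <tdest>\<drive letter>\<original path>
# layout that KAPE uses when collecting to a folder.
param(
    [string]$TargetsFolder = '.',
    # Trim this list to reduce what you later load into Registry Explorer.
    [string[]]$Include = @('SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'DEFAULT',
                           'NTUSER.DAT', 'UsrClass.dat', 'Amcache.hve')
)

$root = (Resolve-Path -Path $TargetsFolder).Path

function Get-KapeHive {
    param([string]$Root, [string[]]$Names)

    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            # Relative path inside tdest, e.g. C\Windows\System32\config\SYSTEM
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            $drive, $rest = $rel -split '\\', 2

            # Transaction logs (SYSTEM.LOG1, NTUSER.DAT.LOG2, ...) sit next to
            # the hive; Registry Explorer can replay them, so note if they exist.
            $logs = Get-ChildItem -Path $_.DirectoryName -File `
                        -Filter "$($_.Name).LOG*" -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Hive         = $_.Name
                OriginalPath = "${drive}:\$rest"   # where it lived on the source
                CollectedAt  = $_.FullName
                SizeKB       = [math]::Round($_.Length / 1KB)
                TxLogs       = @($logs).Count
                Modified     = $_.LastWriteTimeUtc  # KAPE preserves timestamps
            }
        } | Sort-Object OriginalPath
}

$hives = Get-KapeHive -Root $root -Names $Include
$hives | Format-Table -AutoSize

# Keep a record beside the collection; pipe to Export-Csv or filter further
# (e.g. only NTUSER.DAT hives) before building any session from it.
$hives | Export-Csv -Path (Join-Path $root 'collected_hives.csv') -NoTypeInformation
```

Run it from inside the Targets output folder (or pass -TargetsFolder). Filtering on the objects it returns, rather than on file names in Explorer, is the easy way to decide which hives are worth the load time before you build a session.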
These can be modified as required and I probably need to put them somewhere better, but for now, they’re on my GitHub
I would like to create a PS1 that will keep KAPE and the binaries it runs in modules up to date, but I haven’t yet done that.
An undocumented feature is that if you use an environment variable such as %computername% on the command line, KAPE will expand it. This is great if you are collecting from machines on a network and want to save everything into a VHDX named with the date (the %d token, which KAPE replaces with a timestamp) and the computer name (%computername%).
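The following PowerShell is an added example, not code from the original post or from KAPE itself. It drives kape.exe to collect into a VHDX whose file name carries the run timestamp (%d) and the host name (%computername%, the expansion described above), then mounts that VHDX read-only and runs a module against it. The kape.exe location, the output folders, and the 'RegistryHives' target and 'RECmd' module names are placeholders taken from the community repository; check them against your own Targets\ and Modules\ folders before use.

```powershell
# Added example (not the author's or KAPE's own code): collect to a VHDX named
# with %d and %computername%, then parse the mounted container with a module.
# Assumed placeholders: paths below, and the target/module names.
param(
    [string]$KapePath = 'C:\Tools\KAPE\kape.exe',
    [string]$Source   = 'C:',
    [string]$Dest     = 'D:\Collections',
    [string]$Parsed   = 'D:\Parsed',
    [string]$Target   = 'RegistryHives',
    [string]$Module   = 'RECmd'
)

if (-not (Test-Path -Path $KapePath)) { throw "kape.exe not found at $KapePath" }
$null = New-Item -ItemType Directory -Path $Dest, $Parsed -Force

# PowerShell does not expand %name% tokens the way cmd.exe does, so the literal
# string reaches kape.exe and KAPE performs the expansion itself. --vhdx takes
# a base name; KAPE adds the extension.
$vhdxBase = 'kape_%d_%computername%'

& $KapePath --tsource $Source --tdest $Dest --target $Target --vhdx $vhdxBase
if ($LASTEXITCODE -ne 0) { throw "KAPE collection failed (exit code $LASTEXITCODE)" }

# KAPE chose the final file name, so pick up the newest VHDX in $Dest.
$vhdx = Get-ChildItem -Path $Dest -Filter '*.vhdx' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $vhdx) { throw "No VHDX was produced in $Dest" }
Write-Host "Collected to $($vhdx.FullName)"

# Mount read-only so parsing cannot alter the evidence container, locate the
# volume letter, run the module against it, and always detach afterwards.
Mount-DiskImage -ImagePath $vhdx.FullName -Access ReadOnly | Out-Null
try {
    $letter = Get-DiskImage -ImagePath $vhdx.FullName | Get-Disk | Get-Partition |
              Get-Volume | Where-Object DriveLetter |
              Select-Object -First 1 -ExpandProperty DriveLetter
    if (-not $letter) { throw 'Mounted VHDX has no drive letter' }

    & $KapePath --msource "${letter}:\" --mdest $Parsed --module $Module
    if ($LASTEXITCODE -ne 0) { throw "KAPE module run failed (exit code $LASTEXITCODE)" }
}
finally {
    Dismount-DiskImage -ImagePath $vhdx.FullName | Out-Null
}
```

Run it from an elevated PowerShell session, since both the collection and the disk-image mount require it. Mounting the container read-only is the detail worth keeping: the VHDX is the thing you will hash and hand on, and the module run should never be able to touch it.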
I’ve found this tool to be really useful for testing out stuff, and capturing data to parse from images quickly. Even better if you can get everything working in one go with a combo of targets and modules.
Plus Eric is very receptive to improvements.
Do you have any tricks or improvements that you’d like to make?