KAPE

Kroll Artifact Parser and Extractor

KAPE Process

1. Source - live system, mounted image, or F-Response
2. KAPE - target options
3. Destinations - files from the source are copied here
4. KAPE - module options
5. Module output - programs run against the destination files

Target Options

Targets - Artifacts that need to be collected from a system or image

Example of a target file:

```yaml
Description: Prefetch files
Author: Example author
Version: 1.0
Id: Example ID
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Prefetch
        Path: C:\Windows\prefetch\
        FileMask: '*.pf'
    -
        Name: Prefetch
        Category: Prefetch
        Path: C:\Windows.old\Windows\prefetch\
        FileMask: '*.pf'

# Documentation
# ExampleLinksHere
```

This .tkape file tells KAPE to collect files matching the file mask *.pf from the paths C:\Windows\prefetch\ and C:\Windows.old\Windows\prefetch\.


Compound targets - Targets that are composed of multiple other targets. A compound target lets us collect several targets with a single command.

Example of a compound target file:

```yaml
Description: Prefetch files
Author: Example author
Version: 1.0
Id: Example ID
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Prefetch
        Path: Prefetch.tkape
    -
        Name: RecentFileCache
        Category: ApplicationCompatibility
        Path: RecentFileCache.tkape
    -
        Name: Syscache
        Category: Syscache
        Path: Syscache.tkape

# Documentation
# N/A
```

The above compound target collects evidence of execution from the Prefetch, RecentFileCache, and Syscache targets. Each entry's Path points at another .tkape file rather than at a filesystem location, and KAPE resolves those references to the leaf targets inside them.
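To make the two file shapes above concrete, here is an added example (my code, not part of the page or of KAPE) that parses the small key/value plus `Targets:` list subset used in the examples, then flattens a compound target by following every `Path` that ends in `.tkape` until only filesystem paths remain. The sample files are constructed in the script and modelled on the page's examples; the RecentFileCache and Syscache contents, the default of `*` when a target has no `FileMask`, and the cycle check are my assumptions, not something the page states.

```python
"""Parse the .tkape subset shown on the page and flatten compound targets.

Added example, not KAPE's own code. Only the key/value and 'Targets:' list
shape from the page is handled: indentation is ignored and other YAML
features are unsupported.
"""
from __future__ import annotations

# Constructed sample files modelled on the page's examples (hypothetical content).
SAMPLE_FILES = {
    "Prefetch.tkape": r"""
Description: Prefetch files
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Prefetch
        Path: C:\Windows\prefetch\
        FileMask: '*.pf'
    -
        Name: Prefetch
        Category: Prefetch
        Path: C:\Windows.old\Windows\prefetch\
        FileMask: '*.pf'

# Documentation
# ExampleLinksHere
""",
    "RecentFileCache.tkape": r"""
Description: RecentFileCache (constructed sample)
RecreateDirectories: true
Targets:
    -
        Name: RecentFileCache
        Category: ApplicationCompatibility
        Path: C:\Windows\AppCompat\Programs\
        FileMask: RecentFileCache.bcf
""",
    "Syscache.tkape": r"""
Description: Syscache (constructed sample)
RecreateDirectories: true
Targets:
    -
        Name: Syscache
        Category: Syscache
        Path: C:\System Volume Information\
        FileMask: Syscache.hve
""",
    "EvidenceOfExecution.tkape": r"""
Description: Evidence of execution (compound, constructed sample)
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Prefetch
        Path: Prefetch.tkape
    -
        Name: RecentFileCache
        Category: ApplicationCompatibility
        Path: RecentFileCache.tkape
    -
        Name: Syscache
        Category: Syscache
        Path: Syscache.tkape
""",
}


def parse_tkape(text: str) -> dict:
    """Return {'header': {...}, 'Targets': [{...}, ...]} for the page's subset."""
    header: dict = {}
    targets: list[dict] = []
    current: dict | None = None          # the list item currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks and '# Documentation' comments
            continue
        if line == "Targets:":
            continue
        if line == "-":                         # start of a new list item
            current = {}
            targets.append(current)
            continue
        key, sep, value = line.partition(":")   # first colon only: values hold 'C:\...'
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        value = value.strip().strip("'\"")
        (current if current is not None else header)[key.strip()] = value
    # Assumption: a missing RecreateDirectories behaves like 'true'.
    header["RecreateDirectories"] = header.get("RecreateDirectories", "true").lower() == "true"
    return {"header": header, "Targets": targets}


def resolve_target(name: str, files: dict[str, str], _seen: frozenset = frozenset()) -> list[dict]:
    """Flatten a (possibly compound) target into leaf entries with real filesystem paths."""
    if name in _seen:
        raise ValueError(f"compound target cycle at {name}")
    if name not in files:
        raise FileNotFoundError(f"referenced target file not found: {name}")
    doc = parse_tkape(files[name])
    leaves = []
    for entry in doc["Targets"]:
        path = entry["Path"]
        if path.lower().endswith(".tkape"):              # compound entry: follow the reference
            leaves.extend(resolve_target(path, files, _seen | {name}))
        else:
            leaves.append({
                "Name": entry["Name"],
                "Category": entry["Category"],
                "Path": path,
                "FileMask": entry.get("FileMask", "*"),  # assumption: no mask means every file
                "RecreateDirectories": doc["header"]["RecreateDirectories"],
            })
    return leaves


if __name__ == "__main__":
    for leaf in resolve_target("EvidenceOfExecution.tkape", SAMPLE_FILES):
        print(f'{leaf["Category"]:<25} {leaf["Path"]}{leaf["FileMask"]}')
```

The cycle check matters in practice: a compound target that (directly or through another file) references itself would otherwise recurse forever, and a reference to a file that is not present in the Targets directory is surfaced as a clear error instead of a silent gap in the collection.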


Target files use the ".tkape" extension.
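Step 3 of the process above (files from the source are copied to the destination) is what a leaf target actually drives. The following added example (my code, not KAPE's) simulates that step for the page's Prefetch target: a directory stands in for a mounted image, every file in each target's `Path` is matched against `FileMask`, and when `RecreateDirectories` is true the original directory structure is mirrored under the destination. The source tree is constructed in the script; mapping the drive letter to a top-level folder, case-insensitive mask matching without recursing into subdirectories, and skipping a `Path` that does not exist (the `C:\Windows.old` entry on a machine that was never upgraded) are my assumptions about KAPE's behaviour, not statements from the page.

```python
"""Simulate KAPE's collection step for leaf targets.

Added example, not KAPE's own code. Assumptions: the drive letter becomes the
top-level folder under the destination, FileMask is matched case-insensitively
against the file names directly inside Path (no recursion), and a Path that is
absent on the source is skipped rather than treated as an error.
"""
import fnmatch
import shutil
import tempfile
from pathlib import Path

# Constructed leaf targets mirroring the page's Prefetch example.
SAMPLE_TARGETS = [
    {"Name": "Prefetch", "Category": "Prefetch",
     "Path": "C:\\Windows\\prefetch\\", "FileMask": "*.pf", "RecreateDirectories": True},
    {"Name": "Prefetch", "Category": "Prefetch",
     "Path": "C:\\Windows.old\\Windows\\prefetch\\", "FileMask": "*.pf", "RecreateDirectories": True},
]


def source_location(target_path: str, source_root: Path) -> tuple[str, Path]:
    """Map 'C:\\Windows\\prefetch\\' onto source_root/Windows/prefetch; return the drive letter too."""
    drive, _, rest = target_path.partition(":")
    parts = [p for p in rest.replace("\\", "/").split("/") if p]
    return drive.upper(), source_root.joinpath(*parts)


def collect(targets: list[dict], source_root, dest_root) -> tuple[list[str], list[str]]:
    """Copy matching files; return (copied paths relative to dest_root, skipped target paths)."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    copied, skipped = [], []
    for target in targets:
        drive, src_dir = source_location(target["Path"], source_root)
        if not src_dir.is_dir():
            skipped.append(target["Path"])          # e.g. no Windows.old on this machine
            continue
        mask = target.get("FileMask", "*").lower()
        for entry in src_dir.iterdir():
            if not entry.is_file() or not fnmatch.fnmatchcase(entry.name.lower(), mask):
                continue
            if target.get("RecreateDirectories", True):
                rel = Path(drive) / entry.relative_to(source_root)   # C/Windows/prefetch/<file>
            else:
                rel = Path(entry.name)
            dst = dest_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(entry, dst)   # copy2 preserves timestamps, which matter for a timeline
            copied.append(rel.as_posix())
    return sorted(copied), skipped


def make_sample_source(root: Path) -> Path:
    """Build a constructed source tree: two prefetch files plus one non-matching file."""
    prefetch = root / "Windows" / "prefetch"
    prefetch.mkdir(parents=True)
    (prefetch / "CMD.EXE-1234ABCD.pf").write_text("constructed prefetch content")
    (prefetch / "NOTEPAD.EXE-5678EF01.PF").write_text("constructed prefetch content")
    (prefetch / "readme.txt").write_text("not a prefetch file")
    return root


if __name__ == "__main__":
    src = make_sample_source(Path(tempfile.mkdtemp()))
    dst = Path(tempfile.mkdtemp())
    copied, skipped = collect(SAMPLE_TARGETS, src, dst)
    print("copied:", copied)
    print("skipped (path not present on source):", skipped)
```

Note that `readme.txt` is left behind and the upper-case `.PF` file is still collected; the skipped list is worth keeping in a collection log, because an empty destination folder and a source path that never existed look the same after the fact.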


!Disabled

This directory holds targets that you want to keep in the KAPE instance but do not want to appear in the active Targets list.


!Local

This directory holds targets that are not synced with the KAPE GitHub repository.

Module Options

Modules - Run specific tools against the provided set of files: each module runs one or more commands and stores their output (generally as CSV or TXT).

Example of a module file:

```yaml
Description: IPConfig
Category: LiveResponse
Author: Mike Cary
Version: 1.0
Id: Example ID
ExportFormat: txt
Processors:
    -
        Executable: C:\Windows\System32\ipconfig.exe
        CommandLine: /all
        ExportFormat: txt
        ExportFile: ipconfig.txt

# Documentation
# ExampleLinkshere
```


The bin directory

The bin directory contains executables that we want to run on the system but that are not normally present on most systems. Many of these binaries are required by KAPE modules.


Module files use the ".mkape" extension.

GKAPE (KAPE GUI)

GKAPE is a GUI for KAPE. You can run the GUI by opening gkape.exe.

Image (not reproduced here) courtesy of the KAPE room on TryHackMe.


GKAPE essentially generates a KAPE command line, which is run after clicking "Execute!" in the GUI.

The KAPE CLI is not covered here, but you can see the available options by opening an elevated command prompt, navigating to the directory containing kape.exe, and running it from the command line.