KAPE had a number of key updates during the final quarter of 2021. Here is a recap of all the important enhancements and news from October through December 2021:
See end of the article for additional updates.
Kroll’s Andrew Rathbun created a PowerShell script that automates updating both the KAPE binary and the EZ Tools binaries found in .\KAPE\Modules\bin, along with the ancillary files those tools rely on to generate output. KAPE uses Targets (.tkape) and Modules (.mkape), RECmd uses Batch (.reb) files, and SQLECmd (.smap) and EvtxECmd (.map) use Maps. Each of these file types lives in its own repository on GitHub. Keeping all of these components of your KAPE instance current is now easier with Andrew’s script, KAPE-EZToolsAncillaryUpdater.ps1.
The KAPE Target/Compound Target Guide and Template files were created earlier in 2021. Recently, we added a KAPE Module/Compound Module Guide and Template for the community’s benefit. With guides for both Targets and Modules in place, anyone can follow and create their own Targets and Modules either for internal purposes or to contribute to the public KapeFiles repository.
In late 2020, the Targets were reorganized and standardized, including but not limited to, file-naming conventions, content structure of .tkape files and reorganization of the files and folders within the Targets folder. Modules received this same treatment in November 2021. Modules were renamed to a standardized format similar to how SQLECmd Maps are named. Following is the template and a few examples:
The Apps folder in Modules changed significantly during this reorganization. Tools that originated on GitHub were given their own subdirectory (.\Apps\GitHub), and any developer, suite or process with three or more Modules now has a dedicated folder. For example, all NirSoft Modules are now in .\Apps\NirSoft, and all Sysinternals Modules are stored together in .\Apps\Sysinternals. Lastly, there are currently three SOF-ELK Modules (with more to come in due time), so they reside in .\Apps\SOFELK.
Any Modules that relate to processes or tools that ship with Windows were moved to the Windows folder. This includes Modules written using PowerShell since that ships natively with Windows. Additionally, all Modules related to EZ Tools reside in their own dedicated EZTools folder. If there are two or more Modules related to a given tool, they have been combined in their own dedicated folder named after that EZ Tool.
Ultimately, this reorganization and standardized file-naming convention allow KAPE’s Targets and Modules to keep scaling while maintaining order and structure. If you maintain local Compound Modules that call other Modules, check that the references in your local Modules (!Local folder) still match the new file names of the Modules you intend them to run.
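The check recommended above, as an added PowerShell example that is not part of the original article or the KapeFiles project. It assumes that compound Modules reference their child Modules with an `Executable: <Name>.mkape` line under `Processors` (the layout the public compound Modules use; adjust the regular expression if yours differ) and that it is run from the KAPE root directory, or with `-ModulesRoot` pointing at your Modules folder.

```powershell
# Added example, not from the original article or the KapeFiles project.
# Lists every Module referenced by a compound Module in .\Modules\!Local
# that no longer resolves to an existing .mkape file anywhere under .\Modules,
# which is what happens when a referenced Module was renamed in the
# November 2021 reorganization but the local compound Module was not updated.
param(
    [string]$ModulesRoot = (Join-Path (Get-Location) 'Modules')
)

$localDir = Join-Path $ModulesRoot '!Local'
if (-not (Test-Path -Path $localDir)) {
    Write-Warning "No !Local folder under ${ModulesRoot}; nothing to check."
    return
}

# Index every .mkape under Modules by file name (case-insensitive) so a
# reference resolves no matter which subfolder the Module now lives in.
$index = @{}
Get-ChildItem -Path $ModulesRoot -Filter '*.mkape' -Recurse -File |
    ForEach-Object { $index[$_.Name.ToLowerInvariant()] = $_.FullName }

$broken = @()
foreach ($compound in Get-ChildItem -Path $localDir -Filter '*.mkape' -File) {
    $lineNo = 0
    foreach ($line in Get-Content -Path $compound.FullName) {
        $lineNo++
        # Assumption: a child Module is referenced as "Executable: <Name>.mkape".
        # Lines that name a real executable (e.g. an .exe) are not Module references.
        if ($line -match '^\s*Executable:\s*(?<ref>[^\s#]+\.mkape)\s*$') {
            $ref = $Matches['ref']
            if (-not $index.ContainsKey($ref.ToLowerInvariant())) {
                $broken += [pscustomobject]@{
                    CompoundModule = $compound.Name
                    Line           = $lineNo
                    MissingModule  = $ref
                }
            }
        }
    }
}

if ($broken.Count -eq 0) {
    Write-Host "All compound Module references in $localDir resolve to an existing .mkape."
} else {
    Write-Warning "$($broken.Count) reference(s) do not resolve to any .mkape under ${ModulesRoot}:"
    $broken | Format-Table -AutoSize
}
```

Run it as `.\Check-LocalCompoundModules.ps1` from the KAPE root (or pass `-ModulesRoot C:\KAPE\Modules`). Each row in the output names the local compound Module, the line number, and the referenced file name that no longer exists, so you can rename the reference to the Module’s new standardized file name.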
Nominations are now open for the 2022 Forensic 4:cast Awards that cover all of the 2021 calendar year. If KAPE served you well in 2021, please consider nominating KAPE here.
Here is an overview of the changes to KAPE from October 1, 2021 to December 31, 2021.
Targets Added/Updated
Modules Added/Updated
Our experts recommend “watching” the GitHub repositories for KAPE-related updates. Be sure to check the “All Activity” option in the Notifications section (Figure 1).
Figure 1 - Notification options
If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.
This article was written by Andrew Rathbun, a Senior Associate in Kroll's Cyber Risk practice.