Home

Awesome

KAPE Workshop DFRWS 2019

This Readme page is a one stop shop for all the slides, scripts, notes, link, etc from my 2019 DFRWS KAPE Workshop. If something is missing, or you just are looking for some additional information, create an issue through this GitHub repo and I will do my best to help. My contact info is in the slide deck and at the bottom of this document.

At a minimum, before you come to the workshop, download ZimmermanTools and KAPE. Please feel free to install and get familiar with them both.

The slide deck for the Workshop will be posted immediately after wrapping up the workshop.

This page will change several times between now and conference. Bookmark this page and check it a few times before you arrive at the workshop.

I hear that there are a large number of people registered for the workshop, which it awesome but it also means that I could be spread a little thin. Getting the tools installed on you machine or VM will be a big help. Instructions to do that install follow.

Looking forward to seeing you all Sunday afternoon.

-Mark

Installation for the Workshop

First, here is the Official KAPE Documentation by Eric Zimmerman

Second, the update and install scripts are run PowerShell, that's just how it is. But really, it is a good thing. Come on over to the Dark Side. Once installed and updated you can switch back to cmd if you must. There is also a Windows GUI for KAPE which we will demo in the workshop.

It will be so helpful if each of you could download and install KAPE and ZimmermanTools before you get to the Workshop. I anticipate the the WiFi that will be available in the meeting rooms, of which there will be more than ours, will be terrible. So there is a possibility that you will not be able to download in the classroom. At that point USB drives will be at a premium. ;-0

Step 1 - Download Get-ZimmermanTools.zip from here

Unzip the file , determine where you want to "install the tools", create that folder structure if it does not exist and run the command below. The tools and KAPE can be run from any device ... Hard Drive, USB Removable drive, etc. It is totally portable.

Example: The PowerShell command below

PS c:\Tools\ZimmermanTools> .\Get-ZimmermanTools.ps1 

This example downloads/extracts and saves details about programs to c:\Tools\ZimmermanTools directory. Change the destination drive and folder to meet you needs.

Step 2 - Download KAPE from Kroll's Website found here

Unzip the files to a folder of your choice. This part does not require Powershell but updating the application in the future will. Here is a suggested structure for KAPE and Zimmerman tools locations. You can put them anywhere you want, even on a thumb drive or external hard drive.

Example Folder Structure

[Download Workshop Slide Deck](media/DFRWS 2019 - KAPE.pdf)

On-Line YAML Validator Sites

https://codebeautify.org/yaml-validator https://jsonformatter.org/yaml-validator

Links to KAPE related Articles

Official KAPE Documentation by Eric Zimmerman

Introducing KAPE!

Introduction to KAPE

Exploring KAPE’s Graphical User Interface

Automating SFTP Creation for KAPE’s Sake!

KAPE TRICKS

RECmd_Batch_MC.reb - Mike Cary's RECmd BAtch Example

Links to Arsenal Image Mounter

Download Arsenal Image Mounter

Short video on mountin images with AIM

Links to KAPE related Scripts / Code

Mike Gray's Get-KapeModuleBinaries - Downloads binaries used by KAPE Modules


Commands in the Slides

These are the command show in the slides, you can cut and paste them into to your terminal window or your editor. Is you have trouble with a particular command referencing these may help you resolve it.

Targets

Collect Lnk files and Jumplists from drive C. Save the output to G:\kape_out\tdest.

kape --tsource C: --target LnkFilesAndJumpLists --tdest G:\kape_out\tdest

Collect Evidence of Execution. Clean up you destination folder before writing new data to it. Save the output to a vhdx and provide the computer name as the base name for the vhdx.

kape --tsource C: --target EvidenceOfExecution --tflush --tdest G:\kape_out\tdest --vhdx $env:ComputerName

Collect all the registry hives from C and all the volume shadow copies (vss). Cleanup your target destination before writing new data. Your destination is on a network and is referenced by a UNC path. Use an environment var to build the name of the vhdx.

kape --tsource C --target RegistryHives --vss --tflush --tdest \\<your-share>\kape_out\tdest --vhdx $env:ComputerName

Example showing several functions: Multiple targets separated by commas. Collecting volume shadowcopies and depuping. Lastly saving the collected data via SFTP to another server. You will need to have you own ssh server and credentials to use this feature.

kape --tflush --tsource C: --target RegistryHives, LnkFilesAndJumpLists,EvidenceOfExecution --tdest C:\kape_out\tdest --tdd --scs 172.16.21.243 --scp 22 --scu kape-user --scpw "forensics" --vhdx $env:ComputerName

kape --tflush --tsource C: --target RegistryHives, LnkFilesAndJumpLists,EvidenceOfExecution --tdest C:\kape_out\tdest –vss --tdd
--scs 104.248.94.196 --scp 22 --scu kape-ssh --scpw "KAP3g0at" --vhdx $env:ComputerName 

Modules

Run two KAPE modules, LECmd and JLEcmd on the output from the previous run LnkFilesAndJumpLists target.

kape -–msource G:\kape_out\tdest -–module LECmd,JLEcmd --mdest G:\kape_out\mdest  

Run two KAPE modules, PECmd and AmcacheParser on the output from the previous run EvidenceOfExecution target.

kape --msource E:\kape_out\tdest -–module PECmd,AmcacheParser --mflush --mdest G:\kape_out\mdest

Run RegistryHives Target and RECmd Module to generate a comprehensive set of registry reports. RECmd Module calls RECmd.exe using registry explorer batch file.

kape --tsource C --target RegistryHives --tflush --tdest G:\kape_out\tdest --vhdx $env:ComputerName --msource G:\kape_out\tdest --module RECmd --mdest G:\kape_out\mdest

Hands on Labs

Target and module names, on the command line do not include the extension (.tkape or .mkape)

Theses lab questions will be added before the work starts

Using the command line version of KAPE, collect

Lab-01

Use command line or GUI version of KAPE (or maybe even try both) collect all the Registry Hives on your own system. Flush your tdest folder before collecting any data. Write the files out to a drive of your choice but in a top level folder named kape_out\lab-01\tdest.

​ How many files were copied out? How man were deduced? How long did it take?

Example target dest: --tdest C:\kape_out\LAB-01\tdest We will being looking at the output of this command later in the workshop.

LAB-01 Solution

kape --tsource C --target RegistryHives --vss --tflush --tdest C:\kape_out\lab-01\tdest

LAB-01-GKAPE

Lab-02

From the command line, collect LNK file (shortcuts) & all registry files, including the volume shadow copies. Wrap them up in a vhdx with a base name of LAB-02. Save them to kape_out\lab-02\tdest. I you get stuck look at the GitHub page, there are several resoures there that will help you. Or, build the command in GKAPE and then cut & paste the command into the command line. Looking for the target name(s) to use, look in your kape\targets folder.

.\kape.exe --tsource C: --tdest G:\kape_out\LAB-02\tdest --tflush --target LnkFilesAndJumpLists,RegistryHives --vss --vhdx LAB-02 --gui

Lab-03

Run the compound target named !BasicCollection of your own system. This target is a good example of the typical artificats you might want to collect from a Windows system in a triage situation. There are many targets that will be called by this compound target. Save the data to a vhdx with a base name of the the computer name in a folder named kape_out\LAB-03\tdest

kape --tflush --tsource C: --target !BasicCollection --tdest C:\kape_out\LAB-03\tdest --vss --vhdx $env.ComputerName

Lab-04

Using Notepad or any editor of you choice, review the Console_Log.txt that resulted from Lab-01 - Lab-03. They should all look different becaue different targets were run. Spend just a few minutes on each one as you are really just trying to a get a quick feel for the kind of infomation that can be found here.

Lab-05

Launch TimeLine Explorer (TLE). It is found in the ZImmerTools/Timeline Explorer folder. You should have installed ZImmerman Tools at the same time that you installed KAPE. If you did not install TLE and you have Excel or another spreadsheet, you can use that to review the csv's

Using TLE load the CopyLog.csv file for one of your target runs. Use TLE to filter the data. Use TLE to sort by date. Just experiment a little, look at the info in the CopyLog.csv and how powerful TLE is.

Lab-06

Unzip and mount the VHDX file created in Lab-02 or Lab-03. Mounting is just a matter of double clicking on the unzipped VHDX. What drive letter was it assigned? Can you navigate through the folder structure? Can you see that the folder structure was preserved?

Lab-07

Run the RECmd module to process all the registry files that were collected in LAB-01. RECmd calls a Registry Explorer batch file to does some really impressive processing. I want you to know that this kind of power is possible with KAPE and for now, just o run how run it. Creating this kind of module and the associated Registry Explorer batch file is beyond the scope of this workshop. But, if you study the examples and read the Registry Explorer docs, you can create your own.

Review all the csv's this modules produces. Load some of them up in Timeline Explorer and look at the data.

kape --msource F:\kape_out\LAB-01\tdest --module RECmd --mdest F:\kape_out\LAB-04\mdest

Lab-08

Lab-09

Module processing. Look at the elements in the target !Basic Processing (run in Lab-03) and run some modules to process it. Just wanting you to find 2 - 3 modules that would process the artifacts collected by this target. Hint: Evidence of Execution is a compound target, meaing the it expands and there are more target inside that name.

Construct a tape module command to process the output from Lab-03. Remember that Lab-03 saved it's data to a vhdx so you will need to mount it before you can run your list of modules against it.

kape --msource K:\C  --module EvtxECmd,Prefetch,PECmd,JLECmd,LECmd,MFTECmd_$MFT,WxTCmd --mdest G:\kape_out\Lab-09\mdest --mflush

The value for --msource looks different that we have seen becuase the module source is the mounted VHDX.

Contact Information

Mark Hallman

Email: mark.hallman@gmail.com
Skype: mhallman Twitter: @mhallman