Digital Forensics:KAPE

Digital Forensics:An introduction to Kroll Artifact Parser and Extractor (KAPE) 

Kroll Artifact Parser And Extractor (KAPE)

Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic teams collect and process forensically useful artifacts within minutes.

Photo cradit:kroll.com

• We will use the forensics tool KAPE to collect and process files from a device.
• KAPE does not need to be installed. It is portable and can be used from network locations or USB drives. 

Prerequisite steps:

• Download KAPE and unzip.
• Create a new ZIP file named ‘kape.zip’ by compressing only two items: ‘kape.exe’ and the ‘Target’ directory.
  

Q1.

• From amongst kape.exe and gkape.exe, which binary is used to run GUI version of KAPE?
• Ans:gkape.exe

Now that we have learned about the different components of KAPE let's take it for a test drive. In the attached host, double-click to open the gkape.exe file. You will see the following Window:

• Use the search bar to search for the targets needed based on reading what is being asked in the challenge questions.
• You can also use the “KapeTriage” compound Target which collects most of the files needed for a DFIR investigation.

In particular, the KapeTriage Compound Target was created to selectively collect the most important artifacts from a computer in minutes, rather than creating a full disk image, with forensically reliable, quick win results.

Photo credit:kapetriage-mindmap-for-dfir-practitioners (Kroll)

• Select the “Use Module options” option.
• Set the “Module destination” as the path to an empty folder created on the desktop
• Select the !EZParser module

We have selected the KapeTriage compound Target and !EZParser Compound Module. The command line below shows the CLI command that will be run. The Execute! button in the bottom right corner will execute the command. 

We can press any key to terminate the command window.

• Open EZViewer.
• File > Open.
• Open this csv file in EZViewer:

Q2.

• What is the name of the file that was deleted on 30/05/2024?
• See the “DeleteOn” column:

Explanation:

• In EZViewer go to File > Open.
• Open this csv file in EZViewer:
• EZparser\FileDeletion

The RecycleBin_InfoFiles Target collects metadata files that reside within a user’s Recycle Bin. Parsing these files will provide information about which files were deleted by a given user. These files do NOT contain the original files that were deleted. 

Q3.

• How many times did this program py.exe run?
• 10
• What is the full path to the program executable?
• \WINDOWS\PY.EXE 
• Interesting Directories Accessed?
• \ZIP-PASSWORD-BRUTEFORCER-MASTER\ZIP-PASSWORD-BRUTEFORCER.PY
• See the “ExecutableName” column:

Explanation:

• In EZViewer go to File > Open.
• Open this csv file in EZViewer:
• EZparser\ProgramExecution

EvidenceOfExecution

The EvidenceOfExecution Target will collect files related to various program execution artifacts, including Prefetch and Amcache that reside within Windows.

Q4.

• When was the last time the USB drive was removed?
• See the “LastRemove” column:

Explanation:

• In EZViewer go to File > Open.
• Open this csv file in EZViewer:
• EZparser\Registry

RegistryHives

The RegistryHives Target collects the Registry Hives specified within the following Targets: RegistryHivesSystem.tkape and RegistryHivesUser.tkape. This means the following Registry Hives will be collected: SAM, SOFTWARE, SYSTEM, SECURITY, NTUSER.dat, DEFAULT, UsrClass.dat.

Credit Video : Kroll Artifact Parser and Extractor (KAPE) Official Demo

ทีมา :   Kape

หมายเหตุ:เนื้อหาในเว็บไซต์นี้มีขึ้นเพื่อวัตถุประสงค์ในการให้ข้อมูล  เผยแพร่ความรู้และให้โอกาสในการค้นคว้าหาข้อมูลเพื่อการศึกษา   บุคคลที่สนใจโดยทั่วไป รวมถึงนักเรียน นิสิต นักศึกษา  ในการเรียนรู้เท่านั้น

* หากมีข้อมูลข้อผิดพลาดประการใด ขออภัยมา ณ ที่นี้ด้วย  รบกวนแจ้ง Admin เพื่อแก้ไขต่อไป
ขอบคุณครับ

#WINDOWSFORENSIC #COMPUTERFORENSICS #DFIR #FORENSICS #DIGITALFORENSICS #COMPUTERFORENSIC #INVESTIGATION #CYBERCRIME #FRAUD