Digital Forensics: An introduction to Kroll Artifact Parser and Extractor (KAPE)
Kroll Artifact Parser And Extractor (KAPE)
Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic teams collect and process forensically useful artifacts within minutes.
Photo credit: kroll.com
- We will use the forensics tool KAPE to collect and process files from a device.
- KAPE does not need to be installed. It is portable and can be used from network locations or USB drives.
Prerequisite steps:
Q1.
- Of the two binaries kape.exe and gkape.exe, which one runs the GUI version of KAPE?
- Ans: gkape.exe
- Use the search bar to search for the targets needed based on reading what is being asked in the challenge questions.
- You can also use the “KapeTriage” compound Target which collects most of the files needed for a DFIR investigation.
Photo credit: kapetriage-mindmap-for-dfir-practitioners (Kroll)
- Select the “Use Module options” option.
- Set the “Module destination” to the path of an empty folder created on the desktop.
- Select the !EZParser compound Module.
We have selected the KapeTriage compound Target and the !EZParser compound Module. The command line below shows the CLI command that will be run; the Execute! button in the bottom right corner runs it.
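The command gkape.exe generates is just kape.exe with switches that mirror the GUI choices: --tsource/--tdest for the Target (collection) phase, --module/--mdest for the Module (processing) phase. The helper below, an added example that is not part of the original post or of KAPE itself, assembles that argument list and verifies that the Module destination really is an empty folder before you press Execute!. The drive letter, folder paths and placeholder file name are assumptions for the example.

```python
import tempfile
from pathlib import Path


def build_kape_command(tsource, tdest, targets, modules=None, mdest=None, gui=True):
    """Assemble the kape.exe argument list that mirrors the gkape.exe selections.

    --tsource/--tdest drive the Target (collection) phase, --module/--mdest the
    Module (processing) phase.  With --msource omitted KAPE processes the Target
    destination, so one invocation does both collection and parsing.
    """
    cmd = ["kape.exe", "--tsource", tsource, "--tdest", tdest,
           "--target", ",".join(targets)]
    if modules:
        if mdest is None:
            raise ValueError("a module destination (--mdest) is required when modules are selected")
        cmd += ["--module", ",".join(modules), "--mdest", mdest]
    if gui:
        cmd.append("--gui")  # the trailing switch gkape appends to the command it generates
    return cmd


def is_empty_directory(path):
    """True when path exists, is a directory and contains nothing: what the Module destination should be."""
    p = Path(path)
    return p.is_dir() and not any(p.iterdir())


def module_destination_check_demo():
    """Exercise is_empty_directory on a fresh temp folder, then after a file lands in it."""
    with tempfile.TemporaryDirectory() as d:
        before = is_empty_directory(d)
        Path(d, "placeholder.txt").write_text("no longer empty")  # constructed, assumed file name
        after = is_empty_directory(d)
    return before, after


if __name__ == "__main__":
    # Assumed paths for the example; they are not taken from the post.
    cmd = build_kape_command("C:", r"C:\temp\tout", ["KapeTriage"], ["!EZParser"], r"C:\temp\mout")
    print(" ".join(cmd))
    print(module_destination_check_demo())
```

Running the script prints the single-line command you can paste into an elevated prompt on the machine being triaged; the emptiness check is there because EZParser output dropped into a folder that already holds earlier results is easy to mix up during an investigation.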
Q2.
- What is the name of the file that was deleted on 30/05/2024?
- See the “DeleteOn” column:
Explanation:
- In EZViewer go to File > Open.
- Open this csv file in EZViewer:
- EZparser\FileDeletion
The RecycleBin_InfoFiles Target collects metadata files that reside within a user’s Recycle Bin. Parsing these files will provide information about which files were deleted by a given user. These files do NOT contain the original files that were deleted.
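Each deleted file leaves a $I metadata record next to its $R content file in the Recycle Bin, and the $I record is what carries the original path, size and deletion time. The parser below is an added example, not code from the post or from Kroll's tooling; it reads both the Vista to 8.1 layout (version 1) and the Windows 10 and later layout (version 2), converts the FILETIME to UTC, and answers the "deleted on DD/MM/YYYY" question directly. The sample record, its path and its timestamp are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I metadata file.

    Layout (little-endian):
      0x00  8 bytes  version: 1 (Vista to 8.1) or 2 (Windows 10 and later)
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time as FILETIME
      0x18  v1: 520 bytes of UTF-16LE original path, null padded
            v2: 4-byte path length in UTF-16 code units (terminator included), then the path
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (n,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * n]
        if len(raw) < 2 * n:
            raise ValueError("truncated path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "original_path": path, "size": size,
            "deleted_utc": filetime_to_datetime(ft)}


def was_deleted_on(record: dict, day_ddmmyyyy: str) -> bool:
    """Match the DD/MM/YYYY form used in the challenge question (UTC date)."""
    return record["deleted_utc"].strftime("%d/%m/%Y") == day_ddmmyyyy


def build_dollar_i_v2(path: str, size: int, deleted: datetime) -> bytes:
    """Constructed sample builder (not a real artifact) used to exercise the parser."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<QQQ", 2, size, datetime_to_filetime(deleted))
            + struct.pack("<I", len(path) + 1) + encoded)


# Constructed sample: a version 2 record for a file deleted on 30/05/2024 10:15 UTC.
SAMPLE_I_FILE = build_dollar_i_v2(r"C:\Users\analyst\Desktop\secret.txt", 1234,
                                  datetime(2024, 5, 30, 10, 15, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I_FILE)
    print(rec)
    print("deleted on 30/05/2024:", was_deleted_on(rec, "30/05/2024"))
```

The timestamp is kept in UTC on purpose: EZViewer shows the DeleteOn column in UTC as well, so comparing against a local-time date can put a late-evening deletion on the wrong day.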
Q3.
- How many times did this program py.exe run?
- 10
- What is the full path to the program executable?
- \WINDOWS\PY.EXE
- Interesting Directories Accessed?
- \ZIP-PASSWORD-BRUTEFORCER-MASTER\ZIP-PASSWORD-BRUTEFORCER.PY
- See the “ExecutableName” column:
Explanation:
- In EZViewer go to File > Open.
- Open this csv file in EZViewer:
- EZparser\ProgramExecution
The EvidenceOfExecution Target will collect files related to various program execution artifacts, including Prefetch and Amcache that reside within Windows.
Q4.
- When was the last time the USB drive was removed?
- See the “LastRemove” column:
Explanation:
- In EZViewer go to File > Open.
- Open this csv file in EZViewer:
- EZparser\Registry
The RegistryHives Target collects the Registry Hives specified within the following Targets: RegistryHivesSystem.tkape and RegistryHivesUser.tkape. This means the following Registry Hives will be collected: SAM, SOFTWARE, SYSTEM, SECURITY, NTUSER.dat, DEFAULT, UsrClass.dat.
Video credit: Kroll Artifact Parser and Extractor (KAPE) Official Demo
Source: Kape
Read more: Timeline Explorer
Note: The content on this website is provided for informational purposes, to share knowledge and to give the general public, including school and university students, an opportunity to research and study, and for learning only.