KAPE - Kroll Artifact Parser and Extractor
KAPE is a tool used in the preservation stage of DFIR. As with most (if not all) tools used during DFIR, nothing is installed on the ‘victim’ device. Instead, KAPE is run from a live disk or against a mounted disk image. You can find the files here. You do need to sign up to download the software, but a free email address is enough.
KAPE exists as both a CLI and a GUI version, but under the hood the GUI just launches the CLI for you. How nice of it. We’ll go through both here. The CLI is launched from kape.exe, while the GUI is gkape.exe.
KAPE has two use cases (they aren’t exclusive).
The first and primary use is capturing artifacts from a disk (live or imaged). The disk image is referred to as the ‘source’. For the artifact capture we define ‘Targets’ for collection. There are also compound targets, which are just a list of other targets to capture (e.g. the SANS standard). Either way, targets are defined as .tkape files and stored on the ‘live’ disk.
The second use case is to consolidate the outputs from the target collection to create report files. These are known as ‘Modules’. For example, there is a module to create a .csv of the processes running on the system. Again, the module files are kept on the live disk, but they are stored as .mkape files.
Using the GUI
I like starting with the easiest option, because why not. In the GUI we can see ‘Targets’ on the left and ‘Modules’ on the right. We have to select at least one to start the process. We should also check the ‘source’ to make sure it’s where we want to collect data from, and the destination to make sure we store the data somewhere helpful. The destination also has additional options:
‘Flush’ clears the destination folder
‘%d’ adds the date to the file names
‘%m’ adds machine information to the file names
VSCs are volume shadow copies; you can choose whether to collect from and consolidate these as well.
You can also transfer the data to a remote location such as SFTP.
Using the Terminal
As you have seen above, the GUI just launches the terminal anyway, so why not skip the middleman. From the KAPE directory we run kape.exe with the arguments below:
--tsource: the source to collect from, e.g. C:\
--tdest: the target destination, e.g. D:\targets
--tflush: clears the target destination directory
--target: the targets to collect, e.g. SANS
--mflush: clears the module directory
--module: the modules to run, e.g. EZparser
Batch Mode
It’s called batch mode, but really it’s an ‘autorun’ task. This is helpful if you want to perform planned tasks, or delegate to less technical people (or computers). To create a batch file, copy the terminal command to a text file (without the ./kape.exe) and save it as a _kape.cli file. Leave the file in the root directory of the KAPE folder. Whenever the KAPE exe is run, it will execute the batch files it finds. You’ll probably want these to copy the data to a network location.
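As an added example (not from the original post), the following PowerShell builds a _kape.cli batch file from the arguments discussed above and then launches kape.exe so it runs in batch mode. It assumes KAPE sits on a live-response drive at E:\KAPE, that \\FILESERVER\cases is a placeholder network share, that the session is already elevated, and that --mdest (not listed above) is the module output path that KAPE requires whenever --module is used.

```powershell
# Added example: write a _kape.cli batch file and run KAPE in batch mode.
# Assumptions: KAPE at E:\KAPE, placeholder share \\FILESERVER\cases, elevated session.
$KapeRoot  = 'E:\KAPE'
$CaseShare = '\\FILESERVER\cases'

# %m (machine name) and %d (date) expand at run time, so every host and run
# lands in its own folder instead of overwriting an earlier collection.
$TargetDest = "$CaseShare\%m_%d\targets"
$ModuleDest = "$CaseShare\%m_%d\modules"

# One line in _kape.cli = one complete kape.exe argument set, executable name omitted.
# --mdest is assumed here: KAPE needs a module destination whenever --module is given.
$BatchLine = "--tsource C: --tdest $TargetDest --tflush --target SANS " +
             "--mdest $ModuleDest --mflush --module EZparser"

# The batch file must live in the KAPE root directory to be picked up.
Set-Content -Path (Join-Path $KapeRoot '_kape.cli') -Value $BatchLine -Encoding ASCII

# Launching kape.exe with no arguments makes it execute each line of _kape.cli.
Push-Location $KapeRoot
& .\kape.exe
Pop-Location
```

Review the generated _kape.cli before handing the drive to someone else, since every line in it runs unattended the moment kape.exe starts.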
Useful Components
This is just a list of components I’ve found helpful in my journey. Your mileage may vary.
Targets:
SANS: a collection of registry extractions
Modules:
EZparser: creates a collection of .csv files from the target