We covered KAPE as a computer forensics tool to extract forensics artifacts and process them for forensics investigation.
Kroll Artifact Parser and Extractor (KAPE) parses and extracts Windows forensics artifacts. It is a tool that can significantly reduce the time needed to respond to an incident by providing forensic artifacts from a live system or a storage device much earlier than the imaging process completes.
KAPE serves two primary purposes, 1) collect files and 2) process the collected files as per the provided options. For achieving these purposes, KAPE uses the concept of targets and modules. Targets can be defined as the forensic artifacts that need to be collected. Modules are programs that process the collected artifacts and extract information from them. We will learn about them in the upcoming tasks.
Subscribe to my channel membership to get exclusive access to Cyber Security notes including dedicated notes for KAPE Forensics.
Targetwill we use if we want to collect multiple artifacts with a single command?
What is the name of the directory where binary files are stored, which may not be present on a typical system, but are required for a particular KAPE Module?
In the second to last screenshot above, what module have we selected for processing?
What option has to be checked to append date and time information to triage folder name?
What option needs to be checked to add machine information to the triage folder name?
kape.exein an elevated shell. Take a look at the different switches and variables. What variable adds the collection timestamp to the target destination?
What variable adds the machine information to the target destination?
Which switch can be used to show debug information during processing?
Which switch is used to list all targets available?
Which flag, when used with batch mode, will delete the _kape.cli, targets and modules files after the execution is complete?
7zip, Google Chrome and Mozilla Firefox were installed from a Network drive location on the Virtual Machine. What was the drive letter and path of the directory from where these software were installed?
What is the execution date and time of CHROMESETUP.EXE in MM/DD/YYYY HH:MM?
What search query was run on the system?
When was the network named Network 3 First connected to?
KAPE was copied from a removable drive. Can you find out what was the drive letter of the drive where KAPE was copied from?