Introduction

We covered KAPE, a computer forensics tool used to extract forensic artifacts and process them for a forensic investigation.

Kroll Artifact Parser and Extractor (KAPE) parses and extracts Windows forensic artifacts. It can significantly reduce the time needed to respond to an incident, because it provides forensic artifacts from a live system or a storage device long before a full disk image would be complete.

KAPE serves two primary purposes: 1) collecting files and 2) processing the collected files according to the options provided. To achieve these purposes, KAPE uses the concepts of targets and modules. Targets define the forensic artifacts that need to be collected. Modules are programs that process the collected artifacts and extract information from them. We will learn about both in the upcoming tasks.
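As an added example that is not part of the original room or of Kroll's own tooling, the following PowerShell wrapper runs both phases described above in a single kape.exe invocation: collect with a compound target, then hand the collection to a compound module for processing. The install path, the triage root and the names `!BasicCollection` and `!EZParser` are assumptions; the switch names are those kape.exe prints in its own help.

```powershell
# Added example (not from the room or from Kroll): one-shot KAPE triage run.
# Assumed paths; adjust to where kape.exe lives and where evidence should land.
$KapeDir    = 'C:\Tools\KAPE'
$Kape       = Join-Path $KapeDir 'kape.exe'
$TriageRoot = 'D:\Triage'

# Raw volume access requires an elevated shell; fail early rather than mid-collection.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated shell.'
}
if (-not (Test-Path $Kape)) { throw "kape.exe not found at $Kape" }

# Name the case folder after the host and the collection time so runs from different
# machines never overwrite each other. KAPE's own %m and %d variables do the same
# thing inside --tdest; computing the name here lets us reuse it for both phases.
$Stamp = Get-Date -Format 'yyyyMMddHHmmss'
$Case  = Join-Path $TriageRoot ("{0}_{1}" -f $env:COMPUTERNAME, $Stamp)
$Tdest = Join-Path $Case 'collect'   # raw artifacts copied by the target
$Mdest = Join-Path $Case 'parsed'    # module output (CSV etc.)

# Phase 1 (target) and phase 2 (module) in one run: when both --target and --module are
# given, KAPE processes what it just collected into --tdest. --tflush/--mflush empty the
# destinations first; --debug prints per-file detail useful when a target matches nothing.
& $Kape --tsource C: --tdest $Tdest --target '!BasicCollection' --tflush `
        --mdest $Mdest --module '!EZParser' --mflush --debug
if ($LASTEXITCODE -ne 0) { throw "KAPE exited with code $LASTEXITCODE" }

# Sanity check: an empty module output folder usually means the target collected nothing.
$Parsed = Get-ChildItem -Path $Mdest -Recurse -File -ErrorAction SilentlyContinue
if (-not $Parsed) { Write-Warning "No module output under $Mdest; review the console log." }
else { Write-Host ("{0} parsed files written under {1}" -f $Parsed.Count, $Mdest) }
```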


Challenge Answers

Which binary is used to run the GUI version of KAPE?

What is the file extension for KAPE Targets?

What type of Target will we use if we want to collect multiple artifacts with a single command?

What is the file extension of the Module files?

What is the name of the directory where binary files are stored, which may not be present on a typical system, but are required for a particular KAPE Module?

In the second to last screenshot above, what target have we selected for collection?

In the second to last screenshot above, what module have we selected for processing?

What option has to be checked to append date and time information to the triage folder name?

What option needs to be checked to add machine information to the triage folder name?

Run the command kape.exe in an elevated shell. Take a look at the different switches and variables. What variable adds the collection timestamp to the target destination?

What variable adds the machine information to the target destination?

Which switch can be used to show debug information during processing?

Which switch is used to list all targets available?

Which flag, when used with batch mode, will delete the _kape.cli, targets and modules files after the execution is complete?

Two USB Mass Storage devices were attached to this Virtual Machine. One had a Serial Number 0123456789ABCDE. What is the Serial Number of the other USB Device?

7zip, Google Chrome and Mozilla Firefox were installed from a Network drive location on the Virtual Machine. What was the drive letter and path of the directory from which this software was installed?

What is the execution date and time of CHROMESETUP.EXE in MM/DD/YYYY HH:MM?

What search query was run on the system?

When was the network named Network 3 first connected to?

KAPE was copied from a removable drive. Can you find out the drive letter of the drive that KAPE was copied from?
