A curated list of KAPE-related resources

Awesome-KAPE

In line with other Awesome GitHub repos, Awesome-KAPE serves as a curated list of KAPE-related resources, including but not limited to blog posts, videos, and links to relevant GitHub repos.

Official KAPE Links

Tool-Related GitHub Repos

KAPE

Official GitHub repositories:

  • KapeFiles - This repository contains all the Targets and Modules utilized by KAPE to collect and process forensic artifacts
  • KapeDocs - This repository serves as the backend for KAPE's Official Documentation, linked here

Community KAPE-related GitHub repositories:

EZ Tools

The command line versions of Eric Zimmerman's Tools ship with KAPE, so they are very relevant to KAPE's overall functionality. The following EZ Tools have KAPE Modules written for them and these repos should be monitored for activity given that they will directly influence KAPE output.

EZ Tools Manuals

Eric Zimmerman and Andrew Rathbun co-authored EZ Tools Manuals on Leanpub. You can find the book here!

Official GitHub repositories:

Updating KAPE and EZ Tools

Resources

Blog Posts/Guides

Mind Maps

SANS Poster

YouTube Videos

Unofficial Version History

2019-02-16 0.8.1.0
- Add support for UNC paths for --tsource and --tdest
- Better detection when out of storage space on destination
- Add check when --mdest and --tdest are the same and disallow it
- Warn when --msource != --tdest
- Clarify EULA section 1.3 as it relates to usage

2019-03-05 0.8.2.0
- Change ConsoleLog from being file based to memory based. ConsoleLog is saved to --tdest and/or --mdest as necessary
- Remove --dcl option since ConsoleLog is in memory now
- Added --sync switch to automatically update Targets and Modules from the KapeFiles GitHub repository
- Add --overwrite along with --sync to overwrite any local targets and modules
- In the ConsoleLog, remove extra line feeds and only show first letter of log level
- gkape updated to allow for editing and creating new targets and modules, including validation
- Added ability to specify multiple targets and modules on the command line (--target filesystem,eventlogs for example)
- Add Progress information to Title bar of Console or PowerShell window
- Gkape interface overhauled
- Added PowerShell script for automatic updates of the main KAPE package
- Add --mvars switch which allows passing in key:value pairs to modules
- Polish and tweaks

2019-03-15 0.8.3.0
- Added %kapeDirectory% variable that is replaced with the full path to where kape.exe was executed from. Useful for having a reference point for config files to pass to modules, etc.
- Added SFTP support. Server name, port, and username are required. See help screen for more details and switches. SFTP password, when present, will be redacted from the ConsoleLog
- Added zip to container options. Works like VHD(x) containers, except things just get zipped up
- When targeting $J, only copy the non-sparse part of the file. This makes for a much smaller (and faster!) collection
- Added _kape.cli support. _kape.cli should contain one or more KAPE command lines (one per line). When KAPE sees this file on start up, it executes one copy of KAPE per line in the file, then renames _kape.cli by adding a timestamp to the front of the file. See https://twitter.com/EricRZimmerman/status/1104212779299426304 for more details and example usage
- Remove --toe option
- In modules, for ExportFile property, %fileName% will get replaced using the name of the file being processed. Example: ExportFile: TeraCopy-history_%fileName%.csv

2019-04-24 0.8.3.2
- Truncate CopyLog filename when more than one target is used to avoid overly long file name creation
- Fix for rare issue when expanding wildcards in targets
- When using --sync, any targets or modules in !Disabled folders will be removed from the Targets or Modules directory so they stay disabled
- Added warning in gkape when either of the flush options are enabled. Also added a means to disable the warning in gkape
- Preserve last access timestamps even if last access updates are enabled
- Tweak path detection so that things like --tdest ..\destination work, which allows for using relative paths on the command line (i.e. when you do not know the drive letter ahead of time)
- Control and software updates
- When using --mlist and --mdetail, KAPE will list any missing binaries along with the URL to download the missing files
- Updated to the most recent targets and modules

2019-05-01 0.8.3.3
- Updated nuget packages
- Fix issue copying files from VSS based on a change introduced in 0.8.3.2
- Handle long file paths gracefully when using container options. When a long file name is encountered, the file will be copied to a new name and the original full path/name is preserved in a text file in the <Root>\LongFileNames directory. The CopyLog will still indicate original source and new destination

2019-05-01 0.8.3.4
- Fix for collecting from UNC paths

2019-05-03 0.8.3.5
- Fix for long file name issue when passing in multiple targets on the command line that caused the generated file names to become too long for containers

2019-05-16 0.8.4.0
- Faster VSC discovery (4x faster!) and better timestamp resolution for VSC creation
- Improve VSC access to allow for copying out NTFS system files ($MFT, $J, etc.) from VSCs
- Tweak to when a directory shows up under --tdest (right before it's needed vs earlier in previous releases)
- Reference files pulled from VSCs using VSS# vs a path under ___vssMount for consistency
- Updated/new targets and modules
- Updated EZ Tools binaries
- General refactoring and cleanup

2019-06-04 0.8.4.2
- Added --cu switch. When using batch mode (_kape.cli), allows for deleting config files when the batch run completes
- Added detection of CPU architecture (x86 vs x64) and a way to run x86 specific binaries for modules. See the "Modules" documentation for full details. In short, x64 support is assumed. If x86 is needed, name the binary the same as what is in the module, but end the name with _x86. Example: If you had Executable: foo.exe in a module, having a file named foo_x86.exe next to foo.exe, foo_x86.exe would be the actual program executed. Use --debug to see the selection process take place
- Added documentation URL to KAPE help screen and clickable hyperlink in lower left of gkape
- Tweak output of --tlist/--mlist to include slightly less detail so there is not as much scrollback needed. --tdetail and --mdetail include the removed information if needed
- Add directory KAPE runs from to console log
- Fix for using relative paths with --mdest

2019-06-25 0.8.5.0
- Detect invalid paths (\\server\C$: or c:\temp\c: for example)
- Updated nuget and controls
- Only show informational messages when they make sense (i.e. copy stats if files were found, etc.)
- Handle case where --tdest is a directory like H:\C and treating that path as root vs assuming root is H:
- LOWER minimum .net dependency to .net 4.5 for kape.exe and 4.5.2 for gkape.exe
- Updated EZ Tools binaries
- Added details about files being skipped to CopyLog.txt (example: Skipping l:\Windows\System32\config\RegBack\SAM with SHA-1 DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 as a file with same hash has already been copied)

2019-07-01 0.8.5.1
- Add %m to gkape interface
- Handle spaces in Target and Module names in gkape. It is recommended to not have spaces in names, but gkape now properly adds quotes around target and module switches if any of the selected items contains spaces
- Remove dependency for deduplication on whether 'Process VSCs' is checked in gkape
- Nuget and control updates
- Updated EZ Tools binaries

2019-07-22 0.8.5.2
- Redirect and capture standard error stream in console apps when --debug is used. Prior to this, only the standard out stream was showing up in the console log
- Add dedicated log tracking skipped files (deduplicated and excluded). It is a CSV ending with 'skiplog.csv'. Thanks to Troy Larson for the idea!
- Add SHA-1 exclusion via --hex. Takes a text file containing one SHA-1 per line. Any file with the same SHA-1 as an entry in the file is skipped (and logged in 'skiplog.csv')

2019-07-29 0.8.5.3
- gkape tweak for new SHA-1 option moving around
- Fix issue with --zip container option when writing to UNC path
- Allow blank SFTP password
- Digitally sign Get-KAPEUpdate.ps1 script

2019-08-09 0.8.6.2
- When using transfer options, transfer module output to destination when --zm true is used. This pushes the output from modules as a zip file to the destination server. You can still optionally transfer target collection too
- For batch mode, add --ul switch. This stands for "Use linear" and when set on an entry (it should be the first one ideally), KAPE will run each instance from _kape.cli one at a time, vs spawning all at once. Useful for fine grained control over batch mode
- In gkape, remember selected targets and modules when viewing config via double click. This makes it possible to examine configurations and not have to reselect everything previously selected
- Change --mvars separator to ^ since comma was often used in variable definitions. Also tweaked how variables containing : are treated (they just work now vs. being truncated)
- When KAPE updates a module's output file to avoid overwriting an existing file, report the name of the new output file to the Console so it's possible to know which input file corresponds to which output file
- Fix rare issue with module processing when standard out and standard error get written to concurrently
- Change redirecting StandardError to output file in modules to writing it to the Console. This prevents programs that mix normal output on StdErr from messing up output files
- Added 'Append' property (optional) to Module's processor section. If true, data is appended to the value for ExportFile. If append is false, a new, unique filename is generated to prevent files from being overwritten
- Standardize all timestamps used in log files, file names, etc. to correspond to the same timestamp (when KAPE was executed) vs when files get created. This makes it easier to group related things together
- Added AWS S3 transfer support via --s3* switches
- Added Azure Storage transfer (SAS Uri) via --asu switch
- Updated gkape for newest features

2019-08-15 0.8.6.3
- Fix in gkape for mvars building (update separator to ^ vs old value of ,)
- Replace %m (Machine name) and %d (timestamp) in --zip, --vhx, and --vhdx switches. You can even do both at once to get a timestamped file with machine name
- Other minor tweaks and nuget updates

2019-08-26 0.8.7.0
- Refactored --sync command to allow for and respect subdirectories in Targets and Modules. --sync will reorganize things based on the KapeFiles repo. Configs not in the KapeFiles repo end up under the !Local directory
- Overhauled Targets and Modules organization. Compound targets and modules DO NOT need to be updated to new locations. KAPE will locate the base configs as needed on the fly
- With the new config organization, KAPE can now pull all configs under a directory specified in --target or --module. In this way, directories act like a compound config
- --tlist and --mlist now expect a path to look for configs. Use . to start. All configs in the provided path are displayed as well as subdirectories
- Added Folder column in gkape in Targets and Modules grids. Grouping by this column makes it easy to see what is in various folders
- Tweaks to transfer setting validation to ensure destination is writable
- Removed --sow switch
- When in SFTP server mode, display the KAPE switches needed to connect to the SFTP server for each defined user. This makes it as easy as copy/paste to tell KAPE to push to the SFTP server
- Add --sftpu switch, which defaults to TRUE, that determines whether to display SFTP server user passwords when in SFTP server mode
- Added FollowReparsePoint and FollowSymbolicLinks to Target definition. These are optional and should be used on an as needed basis. The default for both is false if they are not present. This is the behavior KAPE has always had up to this point. Setting to true will follow the reparse point or symlink which some programs use (Box, OneDrive, etc.)
- Other minor tweaks and nuget updates

2019-09-07 0.8.7.1
- Detect if any FTK processes are running, warn, and exit unless the new --ifw switch is also set. This warns people to not use FTK Imager to mount images, which can lead to problems
- Added check for new version of KAPE at end of run if Internet connectivity exists. If a new version is present, the new version number available is shown along with a message about how to update
- Fix issue with empty directory paths being too long for containers in some cases
- Other tweaks for various edge cases

2019-09-18 0.8.7.2
- Swapped out SFTP client with more robust implementation
- Added logging of file upload and download initiation to SFTP mode. Now both the start and completion of the upload are shown
- Added logging of file deletion to SFTP mode
- gkape GUI tweaks
- When syncing, a unique GUID is added to any config names that end up in !Local so the file names are unique. This prevents the warning about duplicate config names
- Other --sync tweaks

2019-09-26 0.8.7.3
- SFTP transfer tweaks (use large buffers to send data, add transfer speed to Title bar)
- Updated zipping component (~35% faster zipping!)
- Updated SFTP config format (be sure to read the docs and check out the example)

2019-10-23 0.8.8.0
- Remove target information from container names and log files
- Delete SkipLog file if it is empty at end of run
- Fix issue with not finding files in VSCs due to symlink processing changes
- Cleaned up other names of log files
- Updated controls and nuget packages

2019-10-XX 0.8.8.1
- When using --cu, delete Documentation directory
- When batch mode file is present, do not process it if kape.exe -h or similar is called
- Detect when drive letter changes when processing Reparse/Symlinks. This prevents looking on the G drive where the reparse/symlink points to C:\. In these cases, the correct drive letter is now updated for the path to search and a warning is displayed
- Added (optional) MinSize and MaxSize properties to Targets definition. Specify the size in bytes and anything smaller/bigger than the defined values will be dropped. Enable --debug to see dropped files
- When using %m in --msource, replace it with the Machine name

2020-02-20 0.9.0.0
- Added --tvars to support variables in target files. For example c:\users\*\ntuser.dat becomes c:\users\%user%\ntuser.dat. If --tvars is not used, %user% is replaced with *, but if --tvars user:eric is used, the path becomes c:\users\eric\ntuser.dat and only a single user is collected. All targets have been updated for this pattern, so not supplying --tvars will work as it always has
- Removed Target properties for following reparse points and/or symlinks
- Added support to automatically resolve and follow reparse points and symlinks while staying on the target drive letter. This makes target writing easier and gets rid of warnings about possibly missing data, etc.
- Add system information to console including machine name, bitness, operating system name and build number
- Remove --mef limitation so any export format can be defined in modules and used with --mef. Previously, only csv, xml, html and json were supported
- Nuget and 3rd party control updates

2020-03-10 0.9.0.1
- Updated nuget and controls
- Fix issue with VSC iteration
- Updated EZ-Tools binaries
- Updated to latest targets/modules

2020-04-14 0.9.0.2
- Add --sim switch that simulates files being copied, but nothing gets copied. The only thing that does not happen is the copying of data, so SHA-1, logging, etc. is intact. Useful for audits of files without really copying files, etc.
- Tweak debug and trace messages for vhd(x) building
- vhd(x) size calculation tweaks
- When using batch mode, allow for renaming kape.exe to any other name and things will still work
- Swap out SHA-1 code for a FIPS compliant implementation
- Fix gkape issue when resizing where Target variables area was static
- Nuget and control updates

2020-04-16 0.9.0.3
- Fix issue with target source being expanded incorrectly (C: vs C:\)
- More FIPS improvements/tweaks
- Sparse file handling tweaks
- Updated targets and modules

2020-05-22 0.9.1.0
- Fix issue in gkape where Azure URI was not in quotes in generated command line
- Updated controls/nuget
- Updated targets and modules
- Updated EZ Tools binaries

2020-05-28 0.9.2.0
- REMOVE IsDirectory from Target definitions. Any existing targets not part of the official repo will need to be adjusted
- In Target definitions, Path is now ALWAYS assumed to be a directory. This means it should NOT contain wildcards like *.pf. These should be moved to the FileMask property. All official targets have been updated to reflect this. FileMask is still optional. If it is not specified, * is assumed, which will match all files in Path
- In Target definitions, Recursive is optional. If missing, it is assumed to be false. Existing targets with Recursive: false set were cleaned up (property deleted)
- Swept existing targets for empty comments and deleted them
- Cleaned up Path properties in Targets (Paths should end with \ by convention. This is not required, but makes it more obvious as to what the path contains)
- Added ability to reference subdirectories under Targets in Target definitions. Example: To pull in all targets under Targets\Antivirus, use Path: Antivirus\*
- Allow regex in Target FileMask spec. Example: `FileMask: regex:(2019

2020-06-23 0.9.3.0
- Updated targets and modules
- Updated controls and nuget
- Some updated EZ Tools and map sync
- Fix path check when regex option was present related to AlwaysAddToQueue

2020-09-18 0.9.4.0
- Added %sourceDriveLetter% to module variables. This resolves to the first two characters of --msource (ex. C:) even if --msource was c:\temp\foo. Needed for tools like manage-bde.exe
- Handle a wide range of S3 providers vs just AWS: Amazon S3, Backblaze B2, Digital Ocean Spaces, Google Cloud Storage, IBM Cloud Object Storage, Linode Object Storage, Oracle Cloud Object Storage, and Wasabi
- Control and nuget updates
- Updated EZ Tools
- Updated targets and modules

2020-10-23 0.9.5.0
- Made --mlist and --tlist recursive
- Fix issue with --tvars when more than one variable is on the command line
- Add context menus to grids in gkape for Select all, Select none, and Invert selection
- Updated controls and nuget

2020-12-21 0.9.6.0
- Wrap updating Console.Title to prevent issues on some systems (rare issue)
- Add MinSize and MaxSize support to editing targets in gkape
- Fix issue in gkape with 'Selected target/module' count in status bar not always updating
- Add ability to select S3 provider in gkape
- gkape fixes when using the Editor and Save As
- Added --rlc switch, for Retain Local Copy. When true, local copies of transferred files are NOT deleted
- Updated controls and nuget

2021-03-15 1.0.0.0
- Add mvar support to ExportFile
- Add --s3url which allows for pushing collections to presigned S3 URLs, keeping credentials safe
- Updated controls and nuget

2021-06-15 1.0.0.1
- Add %s variable which resolves to the system drive letter (i.e. C or D, vs. C:\ or D:\ etc.)
- S3 Presigned URL tweaks (maximum 5 GB size limit per AWS)
- Allow for up to TLS 1.2 connections
- Control and nuget updates
- Updated EZ Tools binaries

2021-06-15 1.0.0.2
- Fix issue with TLS version related to testing URL

2021-06-24 1.0.0.3
- Allow for --sync to run without admin
- Add additional S3 switches for using session tokens and supplying a key prefix
- Nuget updates
- gkape can now save _kape.cli once configured. gkape will also prompt to load the FIRST command line from _kape.cli when starting. This is useful for preconfiguring KAPE for less technical people to use remotely, etc.

2021-10-21 1.1.0.0
- Fix Editor and Save As in gkape
- Nuget/control updates
- Tweak how KAPE is accessing files in the root of VSCs
- Changed --sync to accept a GitHub repo (optional) to pull Targets and Modules from. Without specifying a URL, the official repo is used. The URL is expected to have the same format as the official repo should an alternate URL be used
- Sync will also include .template and .guide files in the Targets and Modules directory
- Fix issue with Disable flush warnings related to --mdest existing
- When transferring files, add timestamp to end of directory in format yyyyMMddHHmmss. Example: KAPE_data_push{comment}_yyyyMMddHHmmss, where comment is optionally supplied
- When using Azure SAS, add details to the test file being uploaded (timestamp, computer name, OS info, comment) vs simply 'test upload' for the contents
- Added --scd switch to specify the default path to upload files to. If the directory does not exist, it will be created. Do NOT use a leading slash! Example: --scd foo/bar/wizzo
- Updated included Targets/Modules, and Module binaries

2021-11-16 1.1.0.1
- Fix issue with SFTP verification when using --scd and the directory already existed
- Updated Targets and Modules
- Nuget and control updates

2022-03-10 1.2.0.0
- SFTP tweaks for partially existing directory structure
- Nuget package updates
- Updated EZ Tools binaries
- Synced Targets and Modules

2022-12-22 1.3.0.0
- Change from NLog to Serilog (much nicer console output)
- New module variables for command lines: %d%, %guid%, and %sourceDirectoryBase%
- General tweaks and fixes
- Nuget package updates
- Updated EZ Tools binaries
- Synced Targets and Modules
