  • Stars: 109
  • Rank: 319,077 (Top 7 %)
  • Language: PowerShell
  • License: MIT License
  • Created: over 3 years ago
  • Updated: 12 months ago

Repository Details

Invoke-Forensics provides PowerShell commands to simplify working with the forensic tools KAPE and RegRipper.

Forensic helper scripts for KAPE and RegRipper

If you use KAPE or RegRipper for forensic analysis, Invoke-Forensics could help you by providing PowerShell commands that simplify working with these tools. They speed up your work when

  • you deal with multiple evidence files: commands are provided for unzipping and mounting VHDX images and then running KAPE against them or collecting files from them.
  • you are tired of searching for the correct name to pass to these tools: the commands have tab-completion support, which lets you quickly find the available RegRipper plugins or KAPE Targets and Modules (KapeFiles) ("what was that Module name again?"), run them, or print the content of the files for inspection.
  • you need to search for specific KAPE files based on a given filter ("Is there already a PowerShell console Target available?").


What exactly do these scripts provide?

The main advantage of using the scripts is that they allow running KAPE against, or collecting files from, multiple collected KAPE images in one command. This includes unzipping, mounting the VHDX, running the command (KAPE itself or a file copy) against the corresponding drive letter, and unmounting the VHDX image again. Using these functions against multiple collections reduces the time severely compared to running these commands manually.

The other purpose of the scripts is to quickly jump through the available plugins or KAPE files using tab-completion and to print the content of the files so they can be inspected directly in the shell.

Important note: These scripts only expose a subset of KAPE's and RegRipper's arguments. For more specific needs use the binaries directly to get all the available options, or make a Pull Request or file an Issue to request the inclusion of further arguments.

The wrapper scripts provide:

  • Tab-completion support for plugin and artifact names, which helps finding them without navigating into subfolders.
  • Run KAPE against one or multiple evidence ZIP files or VHDX images, which includes unzipping the evidence ZIP files, mounting the VHDX images and running KAPE with the given Modules against them (Invoke-KapeOnMultipleImages).
  • Copy files from one or multiple evidence ZIP files or VHDX images, which includes unzipping the evidence ZIP files, mounting the VHDX images and running a copy command with a given (regex) pattern against them (Invoke-KapeFileCollection).
  • Run one or multiple RegRipper plugins or profiles against a given hive. RegRipper itself only allows one plugin or one profile per execution, not multiple plugins in one command outside of profiles (Invoke-RegRipper).
  • Search for KAPE files based on keywords in a KAPE field (e.g. Description, FileMask, ...) or in the whole file, and print either a short list with name and location, the file content, or a file listing for further processing in PowerShell (Search-KapeFile). gkape.exe can also be used for searching Targets or Modules.
  • Print the content of plugin or artifact files without navigating into subfolders (Invoke-Kape*, Search-KapeFile and Invoke-RegRipper functions using -Print).
  • Mount VHDX files and return the drive letter.
  • Handle unpacking of the evidence ZIP file and the VHDX ZIP file in the target folder in one command.

Requirements

An unzip program, e.g. the one shipped with Git for Windows, must be found in the PATH. The Expand-Archive PowerShell command fails when extracting the VHDX ZIP files.

For mounting VHDX images install the required PowerShell module. The native PowerShell command Mount-DiskImage is used within the provided Mount-VHDX; the advantage of Mount-VHDX over Mount-DiskImage is that it returns the drive letter that was assigned.

# Run from an elevated prompt. "Hyper-V Module for Windows PowerShell" is the display name of the feature;
# Enable-WindowsOptionalFeature needs the feature name and -Online to change the running system.
PS> Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell

Functions

  • Invoke-Kape - Run KAPE with given Targets or Modules
  • Invoke-KapeOnMultipleImages - Run KAPE against multiple VHDX containers, including unzipping evidence ZIP and VHDX zip and mounting VHDX files first
  • Invoke-KapeFileCollection - Collect files based on a given pattern from VHDX containers
  • Search-KapeFile - Search for KAPE files based on either a pattern in a field or in the whole file
  • Invoke-KapeUnpack - Unpack KAPE evidence ZIP and included VHDX zip file
  • Mount-VHDX - Mount VHDX container and return drive letter
  • Remove-VHDX - Remove VHDX files from given path and all its subfolders
  • Invoke-RegRipper - Run one or more RegRipper plugins against a hive

Usage

  1. Navigate into KAPE or RegRipper folder
  2. Load scripts into PowerShell
    # Load both RegRipper and KAPE functions
    . .\Invoke-Forensics\Invoke-Forensics.ps1
    # Load KAPE functions
    . .\Invoke-Forensics\Invoke-Kape.ps1
    # Load RegRipper functions
    . .\Invoke-Forensics\Invoke-RegRipper.ps1
  3. Run commands, see below

Invoke-Kape

Change into KAPE's directory first.

Run a KAPE command or show the content of a Target or Module file. The Target and Module parameters have tab-completion support.

# List all Targets whose name starts with an 'a' and print the one that was chosen
Invoke-Kape -Target a<ctrl-space> -Print

# Jump through all Targets whose name starts with an 'a' and print the content
Invoke-Kape -Print -Target a<tab>

# Example for printing Amcache Target
PS> Invoke-Kape -Target Amcache -print
Description: Amcache.hve
Author: Eric Zimmerman
Version: 1.0
Id: 13ba1e33-4899-4843-adf1-c7e6b20d759a
RecreateDirectories: true
...

# Jump through all remaining Modules besides AmcacheParser and print the selected
Invoke-Kape -Print -Target Amcache -Module AmcacheParser,<tab>

# Invoke KAPE using the Target Amcache
Invoke-Kape -tsource C: -tdest C:\temp\ -Target Amcache

# Invoke KAPE using the Module AmcacheParser
Invoke-Kape -msource C:\temp -mdest C:\temp\ -Module AmcacheParser

# Invoke KAPE using two Modules
invoke-kape -msource C:\WindowsTimelineTest -mdest C:\WindowsTimelineTestTemp -Module SQLECmd,WxTCmd

Invoke-KapeOnMultipleImages

Change into KAPE's directory first.

The function provides the following:

  • Unpacks all KAPE evidence zip files (unless -SkipUnzip or -SkipUnzipEvidenceZip is given)
  • Unpacks all VHDX zip files found in the target output folder (-TOutPattern) (unless -SkipUnzip is given)
  • Extracts the hostname from the path to use it in KAPE commands and for output folder name
  • Loop over all VHDX files
    • Mounts VHDX file and provide the drive letter to the KAPE command
    • Run KAPE with the given Modules (-Module has tab-completion support for Module names)
    • Unmounts the VHDX file

Sample directory and file structure:

  • C:\evidence-folder\
    • server1-evidence.zip
      • includes mout and tout folders
      • tout includes the VHDX ZIP
    • server2-evidence.zip

PS> $zip="C:\evidence-folder\"
PS> $tout="*\tout"
PS> $dest="C:\kape-parsing-output"
PS> $serverPattern="\\(\w*)-evidence"
PS> $modules=@("JLECmd","LECmd")
PS> Invoke-KapeOnMultipleImages -KapeEvidenceFolder $zip -TOut $tout -Destination $dest -HostnamePattern $serverPattern -Module $modules -SkipUnzip

Invoke-KapeFileCollection

Change into KAPE's directory first.

The function copies files based on a pattern (-FileNamePattern) from the mounted VHDX image into a destination directory. This can be used if you need to extract a given file from a KAPE image.

The function provides the following:

  • Unpacks all KAPE evidence zip files (unless -SkipUnzip or -SkipUnzipEvidenceZip is given)
  • Unpacks all VHDX zip files found in the target output folder (-TOutPattern) (unless -SkipUnzip is given)
  • Loop over all VHDX files
    • Mounts VHDX file and provide the drive letter to the copy command
    • Copy given files based on filename pattern into destination directory. The source directory is replicated in the destination directory
    • Unmounts the VHDX file

# Unzip evidence zip file, navigate into new subfolders, unzip VHDX ZIP files, mount VHDX images and collect files into destination directory
PS> Invoke-KapeFileCollection -KapeEvidenceFolder C:\kape-output\ -TOutPattern *\tout -Destination C:\kape-output\fs -HostnamePattern "\\(\w*)-evidence" -FileNamePattern "*console*history*"

# Skip unzipping of the evidence zip file, just navigate into the already unzipped evidence subfolders, mount VHDX images and collect files into destination directory
PS> Invoke-KapeFileCollection -KapeEvidenceFolder C:\kape-output\ -TOutPattern *\tout -Destination C:\kape-output\fs -HostnamePattern "\\(\w*)-evidence" -FileNamePattern "*console*history*" -SkipUnzip
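The loop that Invoke-KapeOnMultipleImages and Invoke-KapeFileCollection describe (unzip, mount, act on the drive letter, unmount), written out as an added example that is not part of Invoke-Forensics. The function name Invoke-ActionOnKapeImages, the KAPE location C:\KAPE and the output folders are assumptions for illustration; unzip.exe on the PATH and the <host>-evidence.zip naming follow the README. Two things worth copying from it: the image is attached with -Access ReadOnly, because a collected VHDX is evidence and must not be written to, and the drive letter is obtained through the disk/partition/volume pipeline instead of guessing.

```powershell
# Added example, not code from the Invoke-Forensics project.
# Assumptions: KAPE is installed in C:\KAPE, unzip.exe is on the PATH, evidence ZIPs are
# named <host>-evidence.zip and each one contains a tout\ folder holding a *.vhdx.zip.
function Invoke-ActionOnKapeImages {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EvidenceFolder,
        [string]$TOutPattern = '*\tout',
        [string]$HostnamePattern = '\\(\w*)-evidence',
        # Scriptblock that receives the mounted drive (e.g. "E:") and the hostname
        [Parameter(Mandatory)][scriptblock]$Action,
        [switch]$SkipUnzip
    )

    if (-not $SkipUnzip) {
        # Evidence ZIP -> folder with the ZIP's base name; VHDX ZIP -> unpacked next to itself
        foreach ($zip in Get-ChildItem -Path $EvidenceFolder -Filter '*.zip' -File) {
            $dir = Join-Path $zip.DirectoryName $zip.BaseName
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
            & unzip.exe -q -o $zip.FullName -d $dir
            if ($LASTEXITCODE -ne 0) { throw "unzip failed for $($zip.FullName)" }
        }
        Get-ChildItem -Path $EvidenceFolder -Recurse -Filter '*.vhdx.zip' -File |
            Where-Object { $_.DirectoryName -like $TOutPattern } |
            ForEach-Object {
                & unzip.exe -q -o $_.FullName -d $_.DirectoryName
                if ($LASTEXITCODE -ne 0) { throw "unzip failed for $($_.FullName)" }
            }
    }

    $images = Get-ChildItem -Path $EvidenceFolder -Recurse -Filter '*.vhdx' -File |
              Where-Object Extension -eq '.vhdx'
    foreach ($vhdx in $images) {
        # Hostname taken from the path: ...\server1-evidence\tout\x.vhdx -> server1
        $computer = if ($vhdx.FullName -match $HostnamePattern) { $Matches[1] } else { $vhdx.BaseName }

        # Attach read-only: nothing on the evidence image may change while we work on it
        $img = Mount-DiskImage -ImagePath $vhdx.FullName -Access ReadOnly -PassThru
        try {
            # Assumes Windows auto-assigns a letter to the image's volume (automount enabled)
            $letter = ($img | Get-Disk | Get-Partition | Get-Volume |
                       Where-Object { $_.DriveLetter -match '^[A-Za-z]$' } |
                       Select-Object -First 1).DriveLetter
            if (-not $letter) { throw "no drive letter assigned for $($vhdx.FullName)" }
            & $Action "${letter}:" $computer
        }
        finally {
            # Always detach, even when the action fails, so the next image gets a clean mount
            Dismount-DiskImage -ImagePath $vhdx.FullName | Out-Null
        }
    }
}

# Run KAPE Modules against every image (what Invoke-KapeOnMultipleImages does)
Invoke-ActionOnKapeImages -EvidenceFolder 'C:\evidence-folder' -Action {
    param($Drive, $Computer)
    & 'C:\KAPE\kape.exe' --msource $Drive --mdest "C:\kape-parsing-output\$Computer" --module JLECmd,LECmd
}

# Copy files matching a pattern and replicate the source layout (what Invoke-KapeFileCollection does)
Invoke-ActionOnKapeImages -EvidenceFolder 'C:\evidence-folder' -SkipUnzip -Action {
    param($Drive, $Computer)
    Get-ChildItem -Path "$Drive\" -Recurse -File -Filter '*console*history*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel  = $_.FullName.Substring($Drive.Length).TrimStart('\')
            $dest = Join-Path "C:\kape-output\fs\$Computer" $rel
            New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dest
        }
}
```

Passing the per-image work as a scriptblock keeps the unzip/mount/unmount plumbing in one place; the two calls at the bottom are the KAPE run and the file copy from the two README sections above.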

Search-KapeFile

Search through all Target and Module files, either by a pattern in a specific field or in the whole file.

Basic usage: there is a generic -Filter parameter to search the whole file for a keyword, and more specific filters such as -FilterDescription, -FilterFileMask, ...

If you would like to print the found files, use -Print.

Use -MatchAllOfThem to match all of the given filters; without it a file matching any of them is returned.

# Search for powershell in description field or history in the file mask field and use a short list as output.
PS> Search-KapeFile -FilterDescription powershell -FilterFileMask history -ShortList
!SANS_Triage.tkape .\Targets\Compound\!SANS_Triage.tkape
Chrome.tkape .\Targets\Browsers\Chrome.tkape
CombinedLogs.tkape .\Targets\Compound\CombinedLogs.tkape
Debian.tkape .\Targets\WSL\Debian.tkape
...

# Print the content of the found KAPE files
PS> Search-KapeFile -FilterDescription powershell -FilterPath psreadline  -MatchAllOfThem -Print

# Search for powershell in description field or history in the file mask field and return file listing object.
PS> Search-KapeFile -FilterDescription powershell -FilterFileMask history

Name                                        FullName
----                                        --------
PowerShellOperationalFullEventLogView.mkape C:\KAPE\Modules\Eve...
PowerShell5SecondPause.mkape                C:\KAPE\Modules\Mis...
DoubleCommander.tkape                       C:\KAPE\Targets\App...
Dropbox.tkape                               C:\KAPE\Targets\App...
...

# Post processing search by using native PowerShell
PS> Search-KapeFile -FilterDescription powershell -FilterFileMask history | select name
...

# Search for a KAPE file which matches all of the provided patterns.
PS> Search-KapeFile -FilterDescription powershell -FilterFileMask history -MatchAllOfThem

# Other searches to limit the scope
PS> Search-KapeFile -FilterDescription powershell -OnlyTargets
PS> Search-KapeFile -FilterPath psreadline -OnlyModules
PS> Search-KapeFile -FilterDescription mozilla -FilterPath thunderbird -OnlyTargets -MatchAllOfThem -ShortList
Thunderbird.tkape .\Targets\Apps\Thunderbird.tkape
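Field-based searching works because .tkape and .mkape files are flat "Key: Value" YAML, so a field filter only has to match key names line by line. The following is an added example (not the project's Search-KapeFile) that implements the same idea with a hashtable of field-to-regex filters; the function name Search-KapeFileByField and the search root C:\KAPE are assumptions.

```powershell
# Added example, not code from the Invoke-Forensics project.
# Searches KAPE Target/Module files by field. Nested entries (under Targets:/Processors:)
# are matched by key name regardless of indentation. Assumption: KAPE lives in C:\KAPE.
function Search-KapeFileByField {
    [CmdletBinding()]
    param(
        [string]$Root = 'C:\KAPE',
        # Field -> regex, e.g. @{ Description = 'powershell'; FileMask = 'history' }
        [Parameter(Mandatory)][hashtable]$Filter,
        [switch]$MatchAllOfThem,
        [switch]$OnlyTargets,
        [switch]$OnlyModules
    )

    $ext = if ($OnlyTargets) { '*.tkape' } elseif ($OnlyModules) { '*.mkape' } else { '*.tkape', '*.mkape' }

    foreach ($f in Get-ChildItem -Path $Root -Recurse -File -Include $ext) {
        $hits = @{}
        foreach ($line in Get-Content -LiteralPath $f.FullName) {
            # Optional indentation, key, colon, value; list markers, comments and blank lines never match
            if ($line -match '^\s*([A-Za-z]+):\s*(.*?)\s*$') {
                $key, $value = $Matches[1], $Matches[2]
                if ($Filter.ContainsKey($key) -and $value -match $Filter[$key]) { $hits[$key] = $true }
            }
        }
        # Any filter hit is enough unless -MatchAllOfThem asks for every field to match
        $ok = if ($MatchAllOfThem) { $hits.Count -eq $Filter.Count } else { $hits.Count -gt 0 }
        if ($ok) {
            [pscustomobject]@{
                Name          = $f.Name
                FullName      = $f.FullName
                MatchedFields = (@($hits.Keys) | Sort-Object) -join ','
            }
        }
    }
}

# Same question as the README's example: a Target describing PowerShell whose FileMask mentions history
Search-KapeFileByField -Filter @{ Description = 'powershell'; FileMask = 'history' } -MatchAllOfThem -OnlyTargets
```

The MatchedFields column tells you which filter fired, which is useful when an OR search returns more files than expected; piping the result into Select-Object or Where-Object gives the same post-processing the README shows for Search-KapeFile.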

Invoke-KapeUnpack

Unzip the evidence output ZIP file and then unzip the VHDX ZIP file inside the Targets output folder (tout).

PS> Invoke-KapeUnpack -Path C:\kape-files\ -TOutPattern *\tout -Verbose
PS> Invoke-KapeUnpack -Path C:\kape-files\ -TOutPattern *\tout -Verbose -SkipUnzipEvidenceZip

Mount-VHDX

Mount the given image and return the drive letter that was assigned. The native mount command doesn't return the drive letter, therefore Get-Volume is run before and after the mount and the two lists of used drive letters are diffed to see which one was given to our VHDX image.

PS> Mount-VHDX -VHDXFile C:\kape-files\server\tout\2021-03-11T152024_server_20210311T152024.vhdx
PS> Mount-VHDX -VHDXFile C:\kape-files\server\tout\2021-03-11T152024_server_20210311T152024.vhdx -verbose
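The before/after diff described above, written out as an added example that is not the project's Mount-VHDX. The function names Mount-VhdxReadOnly and Dismount-VhdxVerified are assumptions. It adds two checks a forensic workflow wants: the image is attached with -Access ReadOnly, and its SHA-256 is recorded before mounting and compared after dismounting, so the chain-of-custody hash can be shown to be unchanged. The diff only identifies the mount when exactly one new letter appears, so mounts must not run concurrently with other disk attachments.

```powershell
# Added example, not code from the Invoke-Forensics project.
function Mount-VhdxReadOnly {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VHDXFile)

    $path = (Resolve-Path -LiteralPath $VHDXFile).Path
    # Hash before mounting; compared again after dismount to prove the evidence file is unchanged
    $hashBefore = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Snapshot of the drive letters in use before the mount
    $lettersBefore = @(Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Za-z]$' } |
                       ForEach-Object { [string]$_.DriveLetter })

    # -Access ReadOnly refuses every write to the image; the default is ReadWrite
    Mount-DiskImage -ImagePath $path -Access ReadOnly | Out-Null

    # Whatever letter appeared after the mount belongs to our image
    $lettersAfter = @(Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Za-z]$' } |
                      ForEach-Object { [string]$_.DriveLetter })
    $new = @($lettersAfter | Where-Object { $_ -notin $lettersBefore })

    if ($new.Count -ne 1) {
        # Ambiguous result (another mount in parallel, or no letter assigned): undo and fail loudly
        Dismount-DiskImage -ImagePath $path | Out-Null
        throw "expected exactly one new drive letter for $path, got $($new.Count)"
    }

    [pscustomobject]@{
        ImagePath   = $path
        DriveLetter = $new[0]
        Sha256      = $hashBefore
    }
}

function Dismount-VhdxVerified {
    # Takes the object returned by Mount-VhdxReadOnly
    param([Parameter(Mandatory)]$Mounted)

    Dismount-DiskImage -ImagePath $Mounted.ImagePath | Out-Null
    $after = (Get-FileHash -LiteralPath $Mounted.ImagePath -Algorithm SHA256).Hash
    if ($after -ne $Mounted.Sha256) {
        throw "image hash changed while mounted: $($Mounted.ImagePath)"
    }
    $after
}

$m = Mount-VhdxReadOnly -VHDXFile 'C:\kape-files\server\tout\2021-03-11T152024_server_20210311T152024.vhdx'
"$($m.DriveLetter):"          # drive to hand to KAPE or a copy command
Get-ChildItem "$($m.DriveLetter):\"
Dismount-VhdxVerified -Mounted $m   # returns the verified SHA-256 for the case notes
```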

Remove-VHDX

Remove VHDX files recursively.

PS> Remove-VHDX C:\kape-files

Invoke-RegRipper

Change into RegRipper's directory first.

Run one or more RegRipper plugins, or a profile, against a hive.

# Print plugin content
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin appcertdlls -Print
appcertdlls
#-----------------------------------------------------------
# appcertdlls.pl
#
# History:
#  20200427 - updated output date format
#  20120912 - created

# Print multiple plugins
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin appcertdlls,clsid -Print

# Invoke RegRipper with given plugin
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin app<tab>
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin appcertdlls

# Run multiple plugins after each other
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin appcertdlls,clsid

# list all plugins
PS> Invoke-RegRipper -Hive E:\C\Windows\System32\config\SOFTWARE -Plugin <ctrl-space>
adobe                   cached                  gpohist                 ...
allowedenum             cached_tln              gpohist_tln             ...
amcache                 calibrator              heap                    ...
amcache_tln             clsid                   heidisql                ...
...
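How the two conveniences above fit together, as an added example that is not the project's Invoke-RegRipper: tab-completion for -Plugin comes from an ArgumentCompleter that lists plugins\*.pl, and running several plugins in one command is simply one rip.exe call per plugin, since RegRipper accepts a single -p per run. As the README says for its own function, change into RegRipper's directory first; the function name Invoke-RegRipperPlugins is an assumption, and the rip.exe switches used are -r (hive), -p (plugin) and -f (profile).

```powershell
# Added example, not code from the Invoke-Forensics project.
# Run from inside the RegRipper directory (.\rip.exe and .\plugins\ must exist).
function Invoke-RegRipperPlugins {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Hive,
        # Completer enumerates .\plugins\*.pl, so "-Plugin app<tab>" cycles through appcertdlls, ...
        [ArgumentCompleter({
            param($commandName, $parameterName, $wordToComplete)
            Get-ChildItem -Path '.\plugins' -Filter "$wordToComplete*.pl" -File |
                ForEach-Object { $_.BaseName }
        })]
        [string[]]$Plugin,
        [string]$ProfileName,
        [switch]$Print
    )

    if (-not (Test-Path -LiteralPath '.\rip.exe')) { throw 'rip.exe not found; change into the RegRipper directory first' }
    $hivePath = (Resolve-Path -LiteralPath $Hive).Path

    foreach ($p in $Plugin) {
        $pl = Join-Path '.\plugins' "$p.pl"
        if (-not (Test-Path -LiteralPath $pl)) { Write-Error "unknown plugin: $p"; continue }

        if ($Print) {
            # -Print shows the plugin source instead of running it
            Get-Content -LiteralPath $pl
            continue
        }

        # One rip.exe run per plugin; the banner separates outputs when they are captured to a file
        "==== $p ===="
        & '.\rip.exe' -r $hivePath -p $p
        if ($LASTEXITCODE -ne 0) { Write-Warning "plugin $p exited with code $LASTEXITCODE" }
    }

    if ($ProfileName) {
        # A profile is a list of plugins RegRipper runs itself in one invocation
        & '.\rip.exe' -r $hivePath -f $ProfileName
    }
}

# Two plugins after each other, as in the README example
Invoke-RegRipperPlugins -Hive 'E:\C\Windows\System32\config\SOFTWARE' -Plugin appcertdlls,clsid

# Same plugins, written to one file for later review (and for the Vim folding below)
Invoke-RegRipperPlugins -Hive 'E:\C\Windows\System32\config\SOFTWARE' -Plugin appcertdlls,clsid |
    Out-File -FilePath 'C:\case\regripper-software.txt' -Encoding utf8
```

Note that the parameter is named ProfileName rather than Profile on purpose: $PROFILE is an automatic variable in PowerShell and shadowing it inside a function is a common source of confusion.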

Tips & Tricks

If you work with Vim and would like to use folding for RegRipper output, put the following snippet in your vimrc and use :RRFolding to enable plugin folding.

" folds on <pluginname> v.XXXXXX
func! SetRegRipper()
   setlocal foldexpr=getline(v:lnum)=~\'^\\w\\+.*\\sv\\.'?'>1':'='
   setlocal foldmethod=expr
endfunc
command! RRFolding :call SetRegRipper()

If you would like to go one step further, add this autocmd to your vimrc to activate folding automatically for file names containing "regripper".

au BufRead,BufNewFile * if (expand('<afile>') =~ 'regripper') | call SetRegRipper() | endif

Changelog

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased]

Changed

  • Rename Invoke-Forensic.ps1 to Invoke-Forensics.ps1

[0.1.0] - 2021-03-22

Added

  • Add initial version of the helper scripts, allow working with evidence ZIP files, VHDX images, running KAPE against multiple ZIP or VHDX files, search for Targets or Modules using different filters, run RegRipper commands, all the commands support tab-completion for RegRipper's plugins and KAPE's Targets and Modules.
