KAPEing for fun and profit
Since everyone in the DFIR community is talking about Eric Zimmerman’s KAPE, I wanted to have a look at it too.
I did have a quick look when it first came out, but I only went over the list of Modules & Targets and thought there was not a lot I could add (after all, it was created by Eric 😆). I created a small pull request to add a Target which collects the StartupInfo files.
Lately I had more time, and I tried to think of additional targets / modules. I stared at my screen for a while, and then it hit me: I need to do something practical. Since I don’t do DFIR for a living at the moment, I don’t have any real cases / images. So I used last year’s Unofficial Defcon DFIR CTF, which was created by the amazing Dave Cowen & Matthew Seyer. I challenged myself to solve the entire thing using only KAPE.
Since KAPE is not perfect (yet), there were several questions I could not answer with the existing list of KAPE modules. So I tried to create more targets and modules. Spoiler alert: some things can’t be automated (and even if they can, you need to understand and know what you are looking for).
When I started, I thought I would describe how I answered each question and which module I used to solve it… but since there are already a lot of walkthroughs and write-ups, I decided to only list the new KAPE targets & modules I created.
Unfortunately, I didn’t solve the entire CTF using KAPE, for many reasons (trivial questions, image file questions, malware analysis questions, etc.).
New KAPE Targets
Adding a new target is so easy! Since it allows us to use wildcards and to look up files recursively, we can collect new evidence easily.
Since it’s so easy, it makes you want to add a target for every file out there, but that doesn’t make any sense. The targets I did add were related to evidence I thought might be useful in the future too. For example:
- ApacheAccessLog.tkape — Recursively search for Apache’s access log file.
- TeamViewerLogs.tkape — Connection related log files of Team Viewer.
- RDPCache.tkape — Collect the RDP Bitmap Cache files. I also ported the old and classic BMC Viewer to work with a newer version of .NET and changed it to be a command line tool — RDPBitmapCacheParser.
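To show what "wildcards and recursive lookup" look like in practice, here is an added example of a target file for the Apache access log case above. It is not the author’s ApacheAccessLog.tkape from the KAPE repository; the property names follow the KAPE target format as I know it, the GUID is a placeholder, and the root path and file mask are assumptions you would adjust for your own environment.

```yaml
# Added example target, not the author's ApacheAccessLog.tkape.
# Save as Targets\Logs\ApacheAccessLogExample.tkape (path is an assumption).
Description: Apache access log files (example target)
Author: example author
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000   # placeholder GUID; give every target its own
RecreateDirectories: true                  # keep the original folder structure under --tdest
Targets:
    -
        Name: Apache access log
        Category: Logs
        # Searching from the volume root is slow; narrow Path to the web server
        # directory (for example C:\xampp\apache\logs\) when you know where it is.
        Path: C:\
        # Wildcard catches rotated copies such as access.log.1 as well as access.log
        FileMask: access.log*
        Recursive: true
        Comment: "Collected for LogParser conversion in a matching module"
```

KAPE substitutes the drive letter in Path with the --tsource value, so the same target works against a mounted image as well as a live system; the trade-off of a root-level recursive search is collection time, which is why narrowing Path is the first thing to tune.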
New KAPE Modules
Modules are a bit more complicated, depending on the binary you use to parse the evidence. It was also fun to add new modules, for different reasons.
Firstly, I learned about new tools — their existence, and how to use them better. Additionally, I was able to point my finger at what I think are the most needed tools nowadays (commercial tools, closed-source tools, and evidence with no tools at all). These are the modules I added:
- SMB-Server-Anonymous-Logon.mkape — Simple module that uses LogParser to extract information from the SMB Server event log file.
- ApacheAccessLog.mkape — At first, I created this one to answer a specific question, but it came in quite handy later on in the challenge. This module also uses LogParser to convert the file into a CSV file.
- ScheduledTasksFullEventLogView.mkape — This one uses NirSoft’s FullEventLogView.exe to parse the TaskScheduler event log file.
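As an added example of what a LogParser-backed module looks like (this is not the author’s ApacheAccessLog.mkape), the following converts each collected Apache access log into one CSV. It assumes LogParser.exe sits in KAPE’s Modules\bin folder, that the module-level FileMask plus the %sourceFile% variable make KAPE run the processor once per matching file, and that the placeholder GUID and author fields are replaced. The LogParser switches used (-i:NCSA for the Apache combined format, -o:CSV, -fileMode:0 to append) are real LogParser 2.2 options.

```yaml
# Added example module, not the author's ApacheAccessLog.mkape.
# Save as Modules\Logs\ApacheAccessLogExample.mkape (path is an assumption).
Description: Convert Apache access logs to CSV with LogParser (example module)
Category: Logs
Author: example author
Version: 1.0
Id: 00000000-0000-0000-0000-000000000001   # placeholder GUID
BinaryUrl: https://www.microsoft.com/en-us/download/details.aspx?id=24659
ExportFormat: csv
# Assumption: with a module-level FileMask, KAPE runs the processor once for
# every file under --msource that matches, exposing it as %sourceFile%.
FileMask: "access.log*"
Processors:
    -
        Executable: LogParser.exe
        # -i:NCSA parses the Apache common/combined format (the default for access.log)
        # -fileMode:0 appends, so several rotated logs land in one CSV instead of
        # overwriting each other; header is written only when the file is new.
        CommandLine: '-i:NCSA -o:CSV -fileMode:0 "SELECT RemoteHostName, DateTime, Request, StatusCode, BytesSent, Referer, UserAgent INTO %destinationDirectory%\apache_access.csv FROM %sourceFile%"'
        ExportFormat: csv
```

Run it with `kape.exe --msource <tdest of the target run> --mdest <output> --module ApacheAccessLogExample` (module name is the assumed file name). Selecting the columns explicitly rather than `SELECT *` keeps the CSV stable across LogParser versions and makes it obvious which fields (client IP, request line, status) you will pivot on during triage.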
Like I said, using KAPE made me better understand how other tools work, and improved the way I used them. A small example is RECmd’s ability to read a settings file and act upon that file. I heavily used a RECmd batch file that was created by Mike Cary, called RECmd_Batch_MC.reb. I did find some things that could be improved, and I opened a pull request to add / fix the following:
- Added shutdown time key.
- Fixed an issue with exporting Network Interfaces.
While I was doing the challenge, I wrote down some notes that popped into my head. Not facts, just thoughts :)
- “Real Life” challenges are such a great resource. We should have more of these out there — if anyone is willing to share a scenario, I can try building a lab that will imitate that scenario, with no sensitive information.
- KAPE is awesome. It saves a lot of time for both collection and parsing of valuable forensic evidence. Still, you must know what to look for.
- The most “painful” things that are still not easy to handle with existing tools are related to Windows Event Logs and the $LogFile file. No worries though, Eric told me he’s working on tools for both!
- There is no command line tool to parse Windows Tasks. I might give it a shot and do something like WTCmd :)
- LogParser.exe is really awesome. I didn’t use it enough in the past, and it can be super useful for parsing generic log files.
- Maybe there should be a KAPE module for image file information? Something that would use tools like fsstat.