As a follow up to my SANS webcast, which you can view here, I wanted to post detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected. As much as I hate to say "push button forensics", once you get KAPE up and running, it really is only a matter of a couple of clicks and you are off to the races.
I won't go into detail here on the benefits of collecting triage data or timelining (of which there are many!), but instead focus on how to set up KAPE to do it. If you would like more details on the above, please watch my webcast.
To get the timelining to work in KAPE you will need to do three things to get it set up. These will each be detailed in this post:
- Download/Upgrade KAPE
- Grab the timeline Targets and Modules
- "Install" the executables called by the KAPE modules I wrote
As KAPE gets updated, I expect step #2 to drop off as it will be rolled out with the newer versions.
KAPE (Kroll Artifact Parser and Extractor) is a free tool written by Eric Zimmerman, and available for download on the Kroll website. From the website:
"KAPE is a multi-function program that primarily: 1) collects files and 2) processes collected files with one or more programs. KAPE reads configuration files on the fly and based on their contents, collects and processes relevant files. This makes KAPE very extensible in that the program’s author does not need to be involved to add or expand functionality"
To this end, I have written a target that defines what files to collect to create a timeline, and about 20 modules that tell KAPE how to process the data - AKA - make a timeline.
In order to do this, you will need to grab the new target and timeline modules and the binary files that the modules call.
Step 1 - Download/Update KAPE
If you don't have KAPE, download KAPE from here.
If you already have KAPE, you will need to have version 0.8.6.3 or greater. To update KAPE, run the Get-KAPEUpdate.ps1 PowerShell script in the root of the KAPE directory.
Step 2 - Grab the Timeline Modules and Targets
The Targets in KAPE define what files will be collected. The Modules define what executable will be ran against the files that are collected.
To grab the latest Targets and Module from github, run gkape.exe and click the "Synch with GitHub" at the very bottom of KAPE. This will get you the latest Targets and Modules.
The timeline modules I created should be in the \Modules\timelining subfolder. If you do not have this folder after syncing (Eric was working on implement the syncing of module subfolders at the time of this blog post) you will need to grab the timelining folder directly from github.
Step 3 - Grab the executables
The timelining modules will call specific executable to run against the targets. For example, if we want to parse out the eventlogs, the program EvtxEcmd.exe is called by KAPE to parse the artifact. The executables are placed in the KAPE bin folder:
For the timeline modules, here are the executable you will need to download, and the locations where they go under the bin folder:
Purpose: Parse $MFT file
Instructions: should already be in \modules\bin. Tested with version 0.4.4.4
Purpose: Parse out *.evtx event logs
Instructions: should already be in \modules\bin\EvtxECmd folder. Make sure you have version 0.5.1.0 or newer as the older version will not work for timelining.
Regripper v 2.8
Purpose: Run regripper plugins against various registry hives
Instructions: Make folder \modules\bin\regripper. Place rip.exe , "p2x5124.dll" and the plugins folder in the regripper folder:
Harlan Carvey Timeline Tools
Purpose: parse event logs, timeline registry hives, convert timeline formats, etc.
Instructions: Create the folder \modules\bin\tln_tools. Place bodyfile.exe, evtparse.exe, parse.exe, regtime.exe and p2x5124.dll in the \tln_tools folder.
Mari DeGrazia Timeline Tools
Purpose: Convert between file formats
Instructions: Place in the tln_tools folder created previously
Step 4 - Generate that timeline!
Once you have the the targets,modules and executables set up, you can generate a timeline.
First, run the Target options in KAPE to grab the triage data. This can be done on a mounted image, or an external USB drive attached to the system of interest. You could even use something like F-Response to run KAPE to do a remote collection.
Check "Use Target Options"
Target Source: The drive letter you want to collect the files from. On a mounted image, this would be the drive letter that the image is mounted as. For a live collection, this would most likely be C:
Target Destination: This would be where you want the files copied to. Most likely an external drive for a live collection, or a folder on your analysis computer for a mounted image.
Targets: Select MiniTimelineCollection
Hit execute when ready:
KAPE will now copy all the required files and place them into the Target Destination folder.
Now that the targets are collected, the modules will need to be run against the collected files.
Select "Use Module Options"
Module Source: This will be where the files were copied to by KAPE
Module Destination: The will be where the resulting timeline will be created
Modules: Select Mini_Timeline and if desired, Mini_Timeline_Slice_by_Daterange. The daterange will give you a smaller timeline with a specified date range.
Variables: Add two variable by using the Key and Value fields. computerName and dateRange. computerName will be the name of the system you are analyzing. The dateRange will be the dateRange you want the smaller timeline to have. This has to be in the format mm/dd/yyyy-mm/dd/yyyy.
Once completed, select execute:
After running, you will have two timelines created in CSV format. The other files created are temporary working files created during the process. These CSV files can be opened using a text editor, TimelineExplorer, Excel, or any other CSV tool of your choice. If you want some more details on how to do the timeline analysis, and where to get started with analysis of these files watch my webex towards the end.
I highly recommend reading Harlan Carvey's blog posts on timelineing, as KAPE is just a way to automate this process.
Here is a detailed breakdown of what the timeline targets and modules I created are doing:
Targets collect the following files:
Registy hives (SAM,SECURITY, SOFTWARE, SYSTEM, NTUSER.DAT, UsrClass.dat)
Event logs (*.evt, *.evtx)
Timeline Modules will include the following in the timeline:
File MACB timestamps
Last write times of the above registry hive's keys
ReRipper plugins ran: muicache, userassist, AppCompatCache, Services
Event Logs with Event ID and descriptions
For more detailed information on KAPE, including how to write modules and targets, check out the KAPE documentation.