Last Day to Save $200 on Hands-on Cyber Security Training at SANS Santa Monica 2019!

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

Enabling KAPE at Scale

  • Monday, September 9th, 2019 at 1:00 PM EDT (17:00:00 UTC)
  • Mark Hallman
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

You can now attend the webcast using your mobile device!

Overview

KAPE (Kroll Artifact Parser and Extractor) is a DFIR triage tool developed by Eric Zimmerman.  KAPE can both collect digital evidence based upon a highly configurable set of target definitions and process that data with an ever-gowning list of processing modules. The DFIR community is contributing new targets and modules at a frequent, steady pace. KAPE is a true game-changer, no other tool is even close.

There has been little written about implementing KAPE at scale and todays webcast will focus on those possibilities. KAPE has several features that allow for the remote access of data and the ability to store collected data and processing output remotely. Examples of how to use the KAPE remote options will be shown and demoed. These capabilities include SFTP, Amazon S3, Microsoft Azure, UNC Paths, and PowerShell.

PowerShell Remoting has the ability to asynchronously execute commands and scripts on remote systems. Using this capability, KAPE can be executed a large number of systems simultaneously. There were a few hurdles to clear in getting a set of PowerShell scripts that could be used in a DFIR triage situation involving many remote systems. The approach and solution will be demo and code shared. 

Through this webcast, we hope to provide not only information on KAPE functionality and examples that you can utilize immediately, but also to stimulate thought on using KAPE at scale and, hopefully, participation in making these scripts better.

Speaker Bio

Mark Hallman

Mark has been performing computer-related investigations for over 12 years. Mark lead and assisted in investigations involving identification, preservation, research, analysis, and presentation of ESI for Fortune 100 and NLJ firms across the United States as well as governmental agencies such as The Department of Justice, The Department of Labor and The Securities and Exchange Commission. Mark's certifications include GCFE, CGFA, GCHI, EnCE, and CCE.

Mark was primarily responsible for building the digital forensics and e-discovery practice of a regional firm in Dallas Texas. Responsibilities included forensics tool research and evaluation, development of ESI collection protocols, development of investigation "playbooks", training of the analyst team in the application of those tools and techniques for deployment on client projects. Mark actively lead and participated in hundreds of digital forensics and e-discovery projects. In addition to investigation and team training/development responsibilities, Mark has provided expert testimony in both state and federal courts.

Mark currently works for the SANS Institute's Research Operations Center (SROC) researching, designing, developing and testing virtual lab environments for the SANS DFIR curriculum. I look forward to helping anyone with interest in building their skills in DIFR. DFIR Rocks!

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.