Enabling KAPE at Scale

  • Monday, 09 Sep 2019 1:00PM EDT (09 Sep 2019 17:00 UTC)
  • Speaker: Mark Hallman

KAPE (Kroll Artifact Parser and Extractor) is a DFIR triage tool developed by Eric Zimmerman. KAPE can both collect digital evidence based upon a highly configurable set of target definitions and process that data with an ever-growing list of processing modules. The DFIR community is contributing new targets and modules at a frequent, steady pace. KAPE is a true game-changer; no other tool is even close.

There has been little written about implementing KAPE at scale, and today's webcast will focus on those possibilities. KAPE has several features that allow for the remote access of data and the ability to store collected data and processing output remotely. Examples of how to use the KAPE remote options will be shown and demoed. These capabilities include SFTP, Amazon S3, Microsoft Azure, UNC paths, and PowerShell.

PowerShell Remoting has the ability to asynchronously execute commands and scripts on remote systems. Using this capability, KAPE can be executed on a large number of systems simultaneously. There were a few hurdles to clear in getting a set of PowerShell scripts that could be used in a DFIR triage situation involving many remote systems. The approach and solution will be demonstrated and the code shared.
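As an added illustration of the fan-out pattern described above (this is example code written for this page, not the speaker's scripts or anything from the KAPE project), the following PowerShell launches KAPE on a list of hosts through Invoke-Command with -AsJob, waits for the jobs, and reports per-host results. It assumes kape.exe has already been staged on each host at the path given, that WinRM is enabled, and that the caller is a local administrator on the targets; the hostnames and the UNC share are placeholders. The --tsource, --tdest and --target switches are KAPE's standard collection options; !BasicCollection is one of its stock targets.

```powershell
# Added example: run KAPE triage collection on many hosts in parallel via
# PowerShell Remoting. Hostnames, paths and the share below are placeholders.
param(
    [string[]] $ComputerName  = @('HOST01', 'HOST02', 'HOST03'), # placeholder hosts
    [string]   $KapePath      = 'C:\Tools\KAPE\kape.exe',        # assumed staging path
    [string]   $Target        = '!BasicCollection',              # stock KAPE target
    [string]   $OutputShare   = '\\dfir-server\collections',     # placeholder UNC share
    [int]      $ThrottleLimit = 16                               # max concurrent hosts
)

# Script block executed on each remote host. It writes into a per-host folder
# so collections from different machines never overwrite each other.
$collector = {
    param($KapePath, $Target, $OutputShare)
    $dest = Join-Path $OutputShare $env:COMPUTERNAME
    & $KapePath --tsource C: --tdest $dest --target $Target
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        ExitCode = $LASTEXITCODE
        Dest     = $dest
    }
}

# Fan out asynchronously: Invoke-Command -AsJob returns one parent job with a
# child job per host, and -ThrottleLimit bounds how many run at once.
$job = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collector `
    -ArgumentList $KapePath, $Target, $OutputShare `
    -ThrottleLimit $ThrottleLimit -AsJob

# Block until every host has finished (or failed), then gather the results.
$results = Receive-Job -Job (Wait-Job -Job $job)
$results | Sort-Object Host | Format-Table Host, ExitCode, Dest -AutoSize

# Hosts that were offline or had WinRM blocked never return a result object;
# they surface as child jobs in a non-Completed state, so list them explicitly.
$job.ChildJobs |
    Where-Object { $_.State -ne 'Completed' } |
    ForEach-Object { Write-Warning "$($_.Location): $($_.State)" }
```

One caveat a practitioner will hit with this layout: writing to a UNC share from inside a remoting session is a Kerberos second hop, so it fails unless delegation (for example CredSSP or resource-based constrained delegation) has been set up for the collection account. The alternative is to let KAPE write to a local folder on the host and pull the results back afterwards with Copy-Item -FromSession, which needs no delegation.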

Through this webcast, we hope to provide not only information on KAPE functionality and examples that you can utilize immediately, but also to stimulate thought on using KAPE at scale and, hopefully, participation in making these scripts better.