killchain-compendium/forensics/kape.md


Kroll Artifact Parser and Extractor (KAPE)

  • Collects and processes forensic artifacts on Windows (triage collection first, parsing second)
  • Collects from live systems, mounted images and remote hosts via F-Response

Targets

  • Needs a target source and a target destination (--tsource, --tdest); a module can optionally be run on the collected files afterwards (--msource, --mdest, --module)
  • A target copies the matching files into the destination directory, recreating their original path structure
  • *.tkape files (YAML) contain the metadata of the files to copy: path, file mask, recursion, category
  • Compound targets reference several other targets, so a whole triage set (e.g. KapeTriage) is collected with one target name instead of many
  • Targets placed in the !Disabled folder do not appear in the target list (--tlist)
  • Targets placed in the !Local folder are kept local: they are not overwritten or removed when target definitions are synced with --sync

Modules

  • Run against the files collected by targets (or any directory given as --msource)
  • *.mkape files (YAML) define the executable to run and its command line; %sourceDirectory% and %destinationDirectory% are substituted at run time
  • Additional binaries the modules call (EvtxECmd, MFTECmd, ...) are kept in Modules\bin and are not shipped with KAPE
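The following PowerShell session ties the Targets and Modules sections together as an added example (not part of the original notes or of KAPE's own target/module set). It writes one local target and one local module into the !Local folders, checks they show up in the lists, then runs the target phase and the module phase in a single kape.exe call. The names LocalEventLogs and LocalEvtxECmd, the output paths under C:\KAPE and the assumption that kape.exe is in the current directory and EvtxECmd.exe has already been placed under Modules\bin\EvtxECmd\ are all this example's own choices.

```powershell
# Added example: local target + local module, then a combined collect-and-parse run.
# Assumptions: kape.exe is in the current directory; EvtxECmd.exe was downloaded separately
# into .\Modules\bin\EvtxECmd\ (KAPE does not ship third-party binaries). Names are hypothetical.
$kapeDir = Get-Location

# --- Target definition: which files to copy. !Local survives --sync. ---
$targetDir  = Join-Path $kapeDir 'Targets\!Local'
New-Item -ItemType Directory -Force -Path $targetDir | Out-Null
$targetFile = Join-Path $targetDir 'LocalEventLogs.tkape'
@"
Description: Windows event logs (local target, added example)
Author: example
Version: 1.0
Id: $([guid]::NewGuid())
RecreateDirectories: true
Targets:
    -
        Name: Event logs
        Category: EventLogs
        Path: C:\Windows\System32\winevt\logs\
        FileMask: '*.evtx'
"@ | Set-Content -Path $targetFile -Encoding UTF8

# --- Module definition: what to run on the collected files. ---
$moduleDir  = Join-Path $kapeDir 'Modules\!Local'
New-Item -ItemType Directory -Force -Path $moduleDir | Out-Null
$moduleFile = Join-Path $moduleDir 'LocalEvtxECmd.mkape'
@"
Description: Parse collected .evtx files with EvtxECmd (local module, added example)
Category: EventLogs
Author: example
Version: 1.0
Id: $([guid]::NewGuid())
ExportFormat: csv
Processors:
    -
        Executable: EvtxECmd\EvtxECmd.exe
        CommandLine: -d %sourceDirectory% --csv %destinationDirectory% --csvf EvtxECmd_Output.csv
        ExportFormat: csv
"@ | Set-Content -Path $moduleFile -Encoding UTF8

# Confirm KAPE sees both definitions (a target in !Disabled would be absent here).
.\kape.exe --tlist . | Select-String 'LocalEventLogs'
.\kape.exe --mlist . | Select-String 'LocalEvtxECmd'

# Target phase: copy *.evtx from C: into C:\KAPE\tout (--tflush empties it first).
# Module phase: run EvtxECmd over that same directory, CSV lands in C:\KAPE\mout.
.\kape.exe --tsource C: --tdest C:\KAPE\tout --target LocalEventLogs --tflush `
           --msource C:\KAPE\tout --mdest C:\KAPE\mout --module LocalEvtxECmd --mflush
```

Run it from an elevated prompt: collecting from a live C: needs administrator rights because KAPE reads locked files via raw disk access. To collect from a mounted image instead, point --tsource at the mounted drive letter; the target and module definitions stay the same.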