Primary language: PowerShell. License: GNU General Public License v3.0 (GPL-3.0).

RemoteKapeTriage

A PowerShell tool that automates remote forensic evidence acquisition (triage) from remote Windows machines using the KAPE tool.

Because of limitations in KAPE's built-in remote acquisition capabilities when acquiring registry keys and other elements over a UNC path, I decided to automate the process of running KAPE against remote computers: the tool itself runs locally on the target machine (yes, it is a bit confusing) and archives the evidence on a remote server over a UNC path (\\server\share).

Requirements

  1. Place KAPE as a .zip on a remote file share and set its path in the $fileshare variable, which is used as the default archiving path; alternatively, pass the share path with the -fileshare argument.
  2. Run the tool within a PowerShell session with admin privileges on both the remote computer to be acquired and the computer/server where your evidence will be saved.
  3. Because of CredSSP and DCOM "double-hop" limitations, you must authenticate twice.
  4. Ensure proper WMI/RPC (port 135) and WinRM (ports 5985/5986) exclusions through network and host firewalls from analyst computers to the remote machines, as well as SMB between the remote machine and the file share server.
  5. For memdump capabilities (do this before step 1):
    • Download WinPmem and save it within '<KAPE_working_directory>/Modules/bin' as "winpmem.exe".
    • Replace the KAPE WinPmem.mkape module at <KAPE_working_directory>/Modules/LiveResponse/WinPmem.mkape with this version of WinPmem.mkape, or simply edit the original file.

Usage Help

Arguments

  1. help: Display help and command references
  2. target: Machine to acquire
  3. fileshare: Place where your evidence will be saved. The default value is stored in the $fileshare variable.
  4. collect: The evidence collection level
    • basic: Just event logs.
    • basic+: basic + memdump.
    • medium: KAPE triage with the !SansTriage module.
    • medium+: medium + memdump.
    • full: KAPE triage with all target modules.
    • full+: full + memdump.
    • memdump: Memory dump with KAPE + WinPmem.

Examples:

Full collection + memdump: RemoteKapeTriage.ps1 -target computer1 -collect full+

Basic collection: RemoteKapeTriage.ps1 -target computer1 -collect basic

Basic collection + save directory specification: RemoteKapeTriage.ps1 -target computer1 -collect basic -fileshare \\Remoteserver\c$\
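The "run KAPE locally on the target, archive to a UNC share" flow described above, together with the second authentication that the double-hop limitation in the Requirements calls for, as an added example that is not the RemoteKapeTriage script itself. The hostnames, the share layout and the mapping of collection levels to KAPE targets are assumptions.

```powershell
# Added example (not the RemoteKapeTriage script): stage KAPE on the target over WinRM,
# run it locally there, and write the evidence straight to a UNC share.
$Target    = 'computer1'                      # placeholder target, as in the README examples
$FileShare = '\\Remoteserver\c$\KAPE'         # placeholder archive share (assumed layout)
$KapeZip   = Join-Path $FileShare 'kape.zip'  # assumption: the KAPE zip is staged on the share
$Collect   = 'medium'                         # README level; only basic/medium are mapped here

# Pre-flight for the firewall exclusions listed under Requirements (WinRM, port 5985).
if (-not (Test-NetConnection -ComputerName $Target -Port 5985 -InformationLevel Quiet)) {
    throw "WinRM (5985) to $Target is not reachable; check host and network firewall rules."
}

# Authentication 1: analyst workstation -> target, over WinRM.
$TargetCred = Get-Credential -Message "Admin credentials for $Target"
# Authentication 2: target -> file share. The first credential cannot be re-delegated
# from inside the session (double hop), so a second one is passed in explicitly.
$ShareCred  = Get-Credential -Message "Credentials for $FileShare"

Invoke-Command -ComputerName $Target -Credential $TargetCred -ArgumentList $FileShare, $KapeZip, $ShareCred, $Collect -ScriptBlock {
    param($Share, $Zip, $Cred, $Level)

    # Authenticate the remote session to the share. The PSDrive is only used by PowerShell,
    # but it opens the SMB session that kape.exe then reuses when writing to the UNC path.
    New-PSDrive -Name EV -PSProvider FileSystem -Root $Share -Credential $Cred | Out-Null

    # Stage KAPE on the target so the acquisition runs locally, not through the UNC path.
    $Work = Join-Path $env:SystemDrive 'KapeTriage'
    New-Item -ItemType Directory -Path $Work -Force | Out-Null
    Copy-Item -Path $Zip -Destination $Work -Force
    Expand-Archive -Path (Join-Path $Work (Split-Path $Zip -Leaf)) -DestinationPath $Work -Force
    $Kape = (Get-ChildItem -Path $Work -Recurse -Filter kape.exe | Select-Object -First 1).FullName

    # Assumed mapping of the README's collection levels to KAPE compound targets.
    $KapeTarget = switch ($Level) {
        'basic'  { 'EventLogs' }
        'medium' { '!SANS_Triage' }
        default  { throw "Collection level '$Level' is not mapped in this example" }
    }

    # Evidence goes directly to the share, in a per-host, timestamped folder.
    $Dest = Join-Path $Share ('{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    & $Kape --tsource $env:SystemDrive --tdest $Dest --target $KapeTarget --tflush --zip $env:COMPUTERNAME

    Remove-PSDrive -Name EV
    Remove-Item -Path $Work -Recurse -Force     # leave no KAPE copy behind on the target
    "Collection '$Level' for $env:COMPUTERNAME archived under $Dest"
}
```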

How it works

Information flow architecture (diagram)

Usage example (screenshot)

Notes

  • Because I'm not the most experienced guy with PowerShell, there are a lot of pending improvements to do (like error/exception handling).
  • I'm open to receiving pull requests if you want to collaborate.