{"id":13597725,"url":"https://github.com/Richard1611/RemoteKapeTriage","last_synced_at":"2025-04-10T05:33:14.847Z","repository":{"id":231004965,"uuid":"354057982","full_name":"Richard1611/RemoteKapeTriage","owner":"Richard1611","description":"A PowerShell tool that automates the remote forensic evidence acquisition (triage) from remote Windows machines, using the KAPE tool.","archived":false,"fork":false,"pushed_at":"2021-05-28T19:45:46.000Z","size":386,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-06T22:40:28.263Z","etag":null,"topics":["cybersecurity","forensic-analysis","forensics","incident-response","information-gathering","information-security","kape","powershell","powershell-script","threathunting","triage"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Richard1611.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-02T15:25:01.000Z","updated_at":"2023-10-04T07:54:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"4d82edd3-e123-43ff-b94e-02ac01aa1386","html_url":"https://github.com/Richard1611/RemoteKapeTriage","commit_stats":null,"previous_names":["richard1611/remotekapetriage"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richard1611%2FRemoteKapeTriage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richard1611%2FRemoteKapeTriage/tags","releases_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richard1611%2FRemoteKapeTriage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Richard1611%2FRemoteKapeTriage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Richard1611","download_url":"https://codeload.github.com/Richard1611/RemoteKapeTriage/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248163360,"owners_count":21057917,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","forensic-analysis","forensics","incident-response","information-gathering","information-security","kape","powershell","powershell-script","threathunting","triage"],"created_at":"2024-08-01T17:00:39.804Z","updated_at":"2025-04-10T05:33:14.096Z","avatar_url":"https://github.com/Richard1611.png","language":"PowerShell","funding_links":[],"categories":["Tool-Related GitHub Repos"],"sub_categories":["KAPE"],"readme":"# RemoteKapeTriage\nA PowerShell tool that automates the remote forensic evidence acquisition (triage) from remote Windows machines, using the [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape) tool.\n\nDue to limitations in KAPE's built-in remote acquisition capabilities when acquiring registry keys and other elements through a UNC path, I decided to automate the process of running KAPE on remote computers, but running the tools locally (yes, it is a bit confusing) on the target machine and archiving the evidence on a remote server using a UNC path 
(\\\\\\\\).\n\n**Requirements**\n1. Place [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape) as a .zip on a remote computer and specify the path in the variable **$fileshare** to use it as the default archiving path, or specify the fileshare path with the argument -fileshare. \n2. Run the tool within a PowerShell session with Admin privileges on both the remote computer to acquire and the computer/server where your evidence will be saved.\n3. Due to CredSSP and DCOM [\"Double-Hop\" limitations](https://community.spiceworks.com/topic/601698-powershell-remoting-and-unc-paths), **you must authenticate twice**.\n4. Ensure proper WMI/RPC (port 135) and WinRM (port 5985/5986) exclusions through network and host firewalls from analyst computers to remote machines, as well as SMB between the remote machine and the fileshare server.\n5. For memdump capabilities (do this before step 1):\n   - Download [Winpmem](https://github.com/Velocidex/WinPmem/releases) and save it within '\u003cKAPE_working_directory\u003e/Modules/bin' as \"winpmem.exe\"\n   - Substitute the KAPE WinPmem.mkape module at \u003cKAPE_working_directory\u003e/Modules/LiveResponse/WinPmem.mkape with this version [Winpmem.mkape](https://github.com/Richard1611/RemoteKapeTriage/blob/main/WinPmem.mkape) or simply edit the original file.\n\n\n## Usage Help\n\n**Arguments**\n1. help: Display help and command references\n2. target: machine to acquire\n3. fileshare: Place where your evidence will be saved. The default value is stored in the $fileshare variable.\n4. collect: The evidence collection level  \n   - basic: Just event logs. \n   - basic+: basic + memdump. \n   - medium: KAPE triage [!SansTriage](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Compound/!SANS_Triage.tkape) module. \n   - medium+: medium + memdump. \n   - full: KAPE triage with all target modules. \n   - full+: full + memdump. 
\n   - memdump: memory dump with KAPE+[Winpmem](https://github.com/Velocidex/WinPmem/releases). \n\n**Examples:**\n\n**Full collection + memdump:**\nRemoteKapeTriage.ps1 -target computer1 -collect full+ \n\n**Basic Collection:** RemoteKapeTriage.ps1 -target computer1 -collect basic \n\n**Basic Collection + save directory specification:**\nRemoteKapeTriage.ps1 -target computer1 -collect basic -fileshare \\\\\\Remoteserver\\c$\\\n\n## How it works?\n![Information flow architecture](https://github.com/Richard1611/RemoteKapeTriage/blob/main/RemoteKapeTriage%20-%20Information%20flow%20architecture.PNG)\n## Usage Example\n![Usage Example](https://github.com/Richard1611/RemoteKapeTriage/blob/main/Usage%20example.PNG)\n\n## Notes\n* Since I'm not the most experienced guy with PowerShell, there are a lot of pending improvements to do (like error/exception handling).\n* I'm open to receiving pull requests if you want to collaborate.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRichard1611%2FRemoteKapeTriage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRichard1611%2FRemoteKapeTriage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRichard1611%2FRemoteKapeTriage/lists"}