{"id":13597695,"url":"https://github.com/swisscom/Invoke-Forensics","last_synced_at":"2025-04-10T05:33:07.652Z","repository":{"id":49886014,"uuid":"348381938","full_name":"swisscom/Invoke-Forensics","owner":"swisscom","description":"Invoke-Forensics provides PowerShell commands to simplify working with the forensic tools KAPE and RegRipper.","archived":false,"fork":false,"pushed_at":"2023-11-28T12:15:43.000Z","size":51,"stargazers_count":112,"open_issues_count":0,"forks_count":18,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-03-04T22:02:06.107Z","etag":null,"topics":["forensics","kape","powershell-scripts","regripper"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swisscom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-16T14:38:21.000Z","updated_at":"2025-02-04T11:40:53.000Z","dependencies_parsed_at":"2024-07-29T03:43:36.108Z","dependency_job_id":null,"html_url":"https://github.com/swisscom/Invoke-Forensics","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FInvoke-Forensics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FInvoke-Forensics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FInvoke-Forensics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FInvoke-Forensics/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/swisscom","download_url":"https://codeload.github.com/swisscom/Invoke-Forensics/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248163323,"owners_count":21057911,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["forensics","kape","powershell-scripts","regripper"],"created_at":"2024-08-01T17:00:39.278Z","updated_at":"2025-04-10T05:33:05.400Z","avatar_url":"https://github.com/swisscom.png","language":"PowerShell","funding_links":[],"categories":["Tool-Related GitHub Repos"],"sub_categories":["KAPE"],"readme":"# Forensic helper scripts for KAPE and RegRipper\n\nIf you use KAPE or RegRipper for forensic analysis, then Invoke-Forensics could help you by providing PowerShell commands to simplify working with these tools. 
They speed up your work when\n* you deal with multiple evidence files in that commands are provided for\n    unzipping and mounting VHDX images and running KAPE against them or\n    collecting files from them.\n* you are tired of searching for the correct name to provide to these tools in\n  that the commands have tab-completion support which lets you quickly find\n  available [RegRipper](https://github.com/keydet89/RegRipper3.0)\n  [plugins](https://github.com/keydet89/RegRipper3.0/tree/master/plugins) or\n  [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape)'s\n  [Targets and Modules\n  (KapeFiles)](https://github.com/EricZimmerman/KapeFiles) (\"what was that\n  Module name again?\"), run them or show the content of the files for\n  inspection\n* you need to search for specific KAPE files based on a given filter (\"Is\n  there already a PowerShell console Target available?\")\n\n***\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [What exactly do these scripts provide?](#what-exactly-do-these-scripts-provide)\n* [Requirements](#requirements)\n* [Functions](#functions)\n* [Usage](#usage)\n    * [Invoke-Kape](#invoke-kape)\n    * [Invoke-KapeOnMultipleImages](#invoke-kapeonmultipleimages)\n    * [Invoke-KapeFileCollection](#invoke-kapefilecollection)\n    * [Search-KapeFile](#search-kapefile)\n    * [Invoke-KapeUnpack](#invoke-kapeunpack)\n    * [Mount-VHDX](#mount-vhdx)\n    * [Remove-VHDX](#remove-vhdx)\n    * [Invoke-RegRipper](#invoke-regripper)\n* [Tips \u0026 Tricks](#tips--tricks)\n* [Changelog](#changelog)\n    * [[Unreleased]](#unreleased)\n    * [[0.1.0] - 2021-03-22](#010---2021-03-22)\n\n\u003c!-- vim-markdown-toc --\u003e\n***\n\n## What exactly do these scripts provide?\n\nThe main advantage of using the scripts is that they allow running KAPE against\nor collecting files from multiple collected KAPE images in one command which\nincludes unzipping, mounting the VHDX and 
running the command (KAPE itself or\nfile copy) against the corresponding drive letter and unmounting the VHDX image\nagain. Using these functions against multiple collections reduces the time\nseverely compared to running these commands manually.\n\nThe other purpose of the scripts is to quickly jump through the available\nplugins or KAPE files using the tab-completion support and to be able to print\nthe content of the files to inspect those directly in the shell.\n\nImportant note: These scripts only provide a subset of KAPE's and\nRegRipper's arguments. For more specific needs use the binaries directly to be\nable to use all the available options, make a [Pull\nRequest](https://github.com/swisscom/Invoke-Forensics/pulls) or file an\n[Issue](https://github.com/swisscom/Invoke-Forensics/issues) to request the\ninclusion of further arguments.\n\nThe wrapper scripts provide:\n* **Tab-completion support for plugin and artifact names** which helps find\n    them without the need to navigate into subfolders.\n* **Run KAPE against one or multiple evidence ZIP files or VHDX images** which\n    includes unzipping evidence ZIP files, mounting VHDX images and running KAPE\n    with given Modules against those (`Invoke-KapeOnMultipleImages`).\n* **Copy files from one or multiple evidence ZIP files or VHDX images** which\n    includes unzipping evidence ZIP files, mounting VHDX images and running a\n    copy command with a given (regex) pattern against those\n    (`Invoke-KapeFileCollection`).\n* **Run one or multiple RegRipper plugins or profiles against a given hive**.\n    RegRipper only allows using one plugin or a profile per execution, but not\n    multiple plugins in one command outside of profiles (`Invoke-RegRipper`).\n* **Search for KAPE files based on keywords in a KAPE field (e.g. Description,\n    FileMask, ...) 
or the whole file** and print either a short list with the\n    name and the location, the file content or a file listing for further\n    processing in PowerShell (`Search-KapeFile`). gkape.exe could also be used\n    for searching Targets or Modules.\n* **Printing the content of plugins or artifact files** without the need for\n    navigating into subfolders (Invoke-Kape*, Search-KapeFile and\n    Invoke-RegRipper functions using `-Print`).\n* **Mounting VHDX files and returning the drive letter**\n* **Handling unpacking** of evidence ZIP files and VHDX ZIP\n    files in the target folder in one command.\n\n## Requirements\n\nAn unzip program, e.g. from Git for Windows, found in the path. The Expand-Archive\nPowerShell command fails when extracting the VHDX ZIP files.\n\nFor mounting VHDX images install the required PowerShell module. The native\nPowerShell command `Mount-DiskImage` is used within the provided `Mount-VHDX`.\nThe advantage of `Mount-VHDX` over `Mount-DiskImage` is that it returns the\nused drive letter.\n\n``` PowerShell\nPS\u003e Enable-WindowsOptionalFeature -FeatureName \"Hyper-V Module for Windows PowerShell\"\n```\n\n## Functions\n\n* Invoke-Kape - _Run KAPE with given Targets or Modules_\n* Invoke-KapeOnMultipleImages - _Run KAPE against multiple VHDX containers,\n    including unzipping evidence ZIP and VHDX zip and mounting VHDX files first_\n* Invoke-KapeFileCollection - _Collect files based on a given pattern from VHDX containers_\n* Search-KapeFile - _Search for KAPE files based on either a pattern in a field or in the whole file_\n* Invoke-KapeUnpack - _Unpack KAPE evidence ZIP and included VHDX zip file_\n* Mount-VHDX - _Mount VHDX container and return drive letter_\n* Remove-VHDX - _Remove VHDX files from given path and all its subfolders_\n* Invoke-RegRipper - _Run one or more RegRipper plugins against a hive_\n\n## Usage\n\n1. Navigate into the KAPE or RegRipper folder\n2. 
Load scripts into PowerShell\n    ``` powershell\n    # Load both RegRipper and KAPE functions\n    . .\\Invoke-Forensics\\Invoke-Forensics.ps1\n    # Load KAPE functions\n    . .\\Invoke-Forensics\\Invoke-Kape.ps1\n    # Load RegRipper functions\n    . .\\Invoke-Forensics\\Invoke-RegRipper.ps1\n    ```\n3. Run commands, see below\n\n### Invoke-Kape\n\n_Change into KAPE's directory first._\n\nRun a KAPE command or show the content of a Target or Module file. The Target and Module parameters have tab-completion support. You can pass module variables with `-mvars` in the same way as with KAPE itself, see [KAPE's doc](https://ericzimmerman.github.io/KapeDocs/#!Pages\\3.-Using-KAPE.md#mvars).\n\n``` PowerShell\n# List all Targets whose name starts with an 'a' and print the one which was chosen\nInvoke-Kape -Target a\u003cctrl-space\u003e -Print\n\n# Jump through all Targets whose name starts with an 'a' and print the content\nInvoke-Kape -Print -Target a\u003ctab\u003e\n\n# Example for printing the Amcache Target\nPS\u003e Invoke-Kape -Target Amcache -print\nDescription: Amcache.hve\nAuthor: Eric Zimmerman\nVersion: 1.0\nId: 13ba1e33-4899-4843-adf1-c7e6b20d759a\nRecreateDirectories: true\n...\n\n# Jump through all remaining Modules besides AmcacheParser and print the selected one\nInvoke-Kape -Print -Target Amcache -Module AmcacheParser,\u003ctab\u003e\n\n# Invoke KAPE using the Target Amcache\nInvoke-Kape -tsource C: -tdest C:\\temp\\ -Target Amcache\n\n# Invoke KAPE using the Module AmcacheParser\nInvoke-Kape -msource C:\\temp -mdest C:\\temp\\ -Module AmcacheParser\n\n# Invoke KAPE using two Modules\ninvoke-kape -msource C:\\WindowsTimelineTest -mdest C:\\WindowsTimelineTestTemp -Module SQLECmd,WxTCmd\n```\n\n### Invoke-KapeOnMultipleImages\n\n_Change into KAPE's directory first._\n\nThe function provides the following:\n* Unpacks all KAPE evidence zip files (unless `-SkipUnzip` or `-SkipUnzipEvidenceZip` is given)\n* Unpacks all VHDX zip files found in the 
target output folder (`-TOutPattern`) (unless `-SkipUnzip` is given)\n* Extracts the hostname from the path to use it in KAPE commands and for the output folder name\n* Loops over all VHDX files\n  * Mounts the VHDX file and provides the drive letter to the KAPE command\n  * Runs KAPE with the given Modules (`-Module` has tab-completion support for Module names)\n  * Unmounts the VHDX file\n\nSample directory and file structure:\n* C:\\evidence-folder\\\n  * server1-evidence.zip\n     * includes mout and tout folders\n     * tout includes the VHDX ZIP\n  * server2-evidence.zip\n\n``` powershell\nPS\u003e $zip=\"C:\\evidence-folder\\\"\nPS\u003e $tout=\"*\\tout\"\nPS\u003e $dest=\"C:\\kape-parsing-output\"\nPS\u003e $serverPattern=\"\\\\(\\w*)-evidence\"\nPS\u003e $modules=@(\"JLECmd\",\"LECmd\")\nPS\u003e Invoke-KapeOnMultipleImages -KapeEvidenceFolder $zip -TOut $tout -Destination $dest -HostnamePattern $serverPattern -Module $modules -SkipUnzip\n```\n\n### Invoke-KapeFileCollection\n\n_Change into KAPE's directory first._\n\nThe function copies files based on a pattern (`-FileNamePattern`) from the\nmounted VHDX image into a destination directory. 
This can be used if you need\nto extract a given file from a KAPE image.\n\nThe function provides the following:\n* Unpacks all KAPE evidence zip files (unless `-SkipUnzip` or `-SkipUnzipEvidenceZip` is given)\n* Unpacks all VHDX zip files found in the target output folder (`-TOutPattern`) (unless `-SkipUnzip` is given)\n* Loops over all VHDX files\n  * Mounts the VHDX file and provides the drive letter to the copy command\n  * Copies the files matching the filename pattern into the destination directory.\n    The source directory structure is replicated in the destination directory\n  * Unmounts the VHDX file\n\n``` powershell\n# Unzip evidence zip file, navigate into new subfolders, unzip VHDX ZIP files, mount VHDX images and collect files into destination directory\nPS\u003e Invoke-KapeFileCollection -KapeEvidenceFolder C:\\kape-output\\ -TOutPattern *\\tout -Destination C:\\kape-output\\fs -HostnamePattern \"\\\\(\\w*)-evidence\" -FileNamePattern \"*console*history*\"\n\n# Skip unzipping of evidence zip file, just navigate into already unzipped evidence subfolders, mount VHDX images and collect files into destination directory\nPS\u003e Invoke-KapeFileCollection -KapeEvidenceFolder C:\\kape-output\\ -TOutPattern *\\tout -Destination C:\\kape-output\\fs -HostnamePattern \"\\\\(\\w*)-evidence\" -FileNamePattern \"*console*history*\" -SkipUnzip\n```\n\n### Search-KapeFile\n\nSearch through all Target and Module files, either by pattern in a specific\nfield or in the whole file.\n\nBasic usage: there is a generic `-Filter` parameter to search the whole file\nfor a keyword, and more specific filters like `-FilterDescription`,\n`-FilterFileMask`, ...\n\nIf you would like to print the found files use `-Print`.\n\nUse `-MatchAllOfThem` to match all of the given filters.\n\n``` powershell\n# Search for powershell in description field or history in the file mask field and use a short list as output.\nPS\u003e Search-KapeFile -FilterDescription powershell -FilterFileMask history 
-ShortList\n!SANS_Triage.tkape .\\Targets\\Compound\\!SANS_Triage.tkape\nChrome.tkape .\\Targets\\Browsers\\Chrome.tkape\nCombinedLogs.tkape .\\Targets\\Compound\\CombinedLogs.tkape\nDebian.tkape .\\Targets\\WSL\\Debian.tkape\n...\n\n# Print the content of the found KAPE files\nPS\u003e Search-KapeFile -FilterDescription powershell -FilterPath psreadline  -MatchAllOfThem -Print\n\n# Search for powershell in description field or history in the file mask field and return file listing object.\nPS\u003e Search-KapeFile -FilterDescription powershell -FilterFileMask history\n\nName                                        FullName\n----                                        --------\nPowerShellOperationalFullEventLogView.mkape C:\\KAPE\\Modules\\Eve...\nPowerShell5SecondPause.mkape                C:\\KAPE\\Modules\\Mis...\nDoubleCommander.tkape                       C:\\KAPE\\Targets\\App...\nDropbox.tkape                               C:\\KAPE\\Targets\\App...\n...\n\n# Post processing search by using native PowerShell\nPS\u003e Search-KapeFile -FilterDescription powershell -FilterFileMask history | select name\n...\n\n# Search for a KAPE file which matches all of the provided patterns.\nPS\u003e Search-KapeFile -FilterDescription powershell -FilterFileMask history -MatchAllOfThem\n\n# Other searches to limit the scope\nPS\u003e Search-KapeFile -FilterDescription powershell -OnlyTargets\nPS\u003e Search-KapeFile -FilterPath psreadline -OnlyModules\nPS\u003e Search-KapeFile -FilterDescription mozilla -FilterPath thunderbird -OnlyTargets -MatchAllOfThem -ShortList\nThunderbird.tkape .\\Targets\\Apps\\Thunderbird.tkape\n```\n\n### Invoke-KapeUnpack\n\nUnzip evidence output ZIP file and then unzip the VHDX zip file inside the Targets folder.\n\n``` powershell\nPS\u003e Invoke-KapeUnpack -Path C:\\kape-files\\ -TOutPattern *\\tout -Verbose\nPS\u003e Invoke-KapeUnpack -Path C:\\kape-files\\ -TOutPattern *\\tout -Verbose -SkipUnzipEvidenceZip\n```\n\n### Mount-VHDX\n\nMount the 
given image and provide the used drive letter. The native mount command\ndoesn't provide the drive letter, therefore we use `Get-Volume` before and\nafter and diff the used drive letters on the system to see which was given to\nour VHDX image.\n\n``` powershell\nPS\u003e Mount-VHDX -VHDXFile C:\\kape-files\\server\\tout\\2021-03-11T152024_server_20210311T152024.vhdx\nPS\u003e Mount-VHDX -VHDXFile C:\\kape-files\\server\\tout\\2021-03-11T152024_server_20210311T152024.vhdx -verbose\n```\n\n### Remove-VHDX\n\nRemove VHDX files recursively.\n\n``` powershell\nRemove-VHDX C:\\kape-files\n```\n\n### Invoke-RegRipper\n\n_Change into RegRipper's directory first._\n\nRun a RegRipper plugin or profile against a hive.\n\n``` powershell\n# Print plugin content\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin appcertdlls -Print\nappcertdlls\n#-----------------------------------------------------------\n# appcertdlls.pl\n#\n# History:\n#  20200427 - updated output date format\n#  20120912 - created\n\n# Print multiple plugins\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin appcertdlls,clsid -Print\n\n# Invoke RegRipper with given plugin\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin app\u003ctab\u003e\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin appcertdlls\n\n# Run multiple plugins after each other\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin appcertdlls,clsid\n\n# list all plugins\nPS\u003e Invoke-RegRipper -Hive E:\\C\\Windows\\System32\\config\\SOFTWARE -Plugin \u003cctrl-space\u003e\nadobe                   cached                  gpohist                 ...\nallowedenum             cached_tln              gpohist_tln             ...\namcache                 calibrator              heap                    ...\namcache_tln             clsid                   heidisql                
...\n...\n```\n\n## Tips \u0026 Tricks\n\nIf you work with [Vim](https://www.vim.org) and would like to use folding for RegRipper output, use the following [snippet](https://gist.github.com/Karneades/3d6643abf72a6a8731385e57d6ce9262) in your vimrc. Use `:RRFolding` to enable plugin folding\n\n``` vimscript\n\" folds on \u003cpluginname\u003e v.XXXXXX\nfunc! SetRegRipper()\n   setlocal foldexpr=getline(v:lnum)=~\\'^\\\\w\\\\+.*\\\\sv\\\\.'?'\u003e1':'='\n   setlocal foldmethod=expr\nendfunc\ncommand! RRFolding :call SetRegRipper()\n```\n\nIf you would like to get crazy, put that autocmd in your vimrc to activate\nfolding for filenames containing \"regripper\".\n\n```\nau BufRead,BufNewFile * if (expand('\u003cafile\u003e') =~ 'regripper') | call SetRegRipper() | endif\n```\n\n## Changelog\n\nThe format is based on [Keep a Changelog](http://kgbeepachangelog.com/) \nand this project adheres to [Semantic Versioning](http://semver.org/).\n\n### [Unreleased]\n\n**Changed**\n* Rename Invoke-Forensic.ps1 to Invoke-Forensics.ps1\n\n\u003c!--\n\n**Added**\n\n**Fixed**\n\n**Security**\n\n**Deprecated**\n\n**Removed**\n--\u003e\n\n### [0.1.0] - 2021-03-22\n\n**Added**\n\n* Add initial version of the helper scripts, allow working with evidence ZIP\n   files, VHDX images, running KAPE against multiple ZIP or VHDX files, search\n   for Targets or Modules using different filters, run RegRipper commands, all\n   the commands support tab-completion for RegRipper's plugins and KAPE's\n   Targets and Modules.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2FInvoke-Forensics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswisscom%2FInvoke-Forensics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2FInvoke-Forensics/lists"}