Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Richard1611/RemoteKapeTriage

A powershell tool that automate the remote forensic evidence adquisitions (triage) from Remote windows machines, using KAPE tool.
https://github.com/Richard1611/RemoteKapeTriage

cybersecurity forensic-analysis forensics incident-response information-gathering information-security kape powershell powershell-script threathunting triage

Last synced: 2 months ago
JSON representation

A powershell tool that automate the remote forensic evidence adquisitions (triage) from Remote windows machines, using KAPE tool.

Awesome Lists containing this project

README 

        
# RemoteKapeTriage

A powershell tool that automate the remote forensic evidence adquisitions (triage) from Remote windows machines, using [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape) tool.



Due limitations in KAPE built-in remote adquisitions capabilities while adquiring registry keys and other elements through UNC Path, I decided to automate the process of running kape on remote computers, but running the tools locally (Yes, is a bit confused) on the target machine and archiving the evidence in remote server using a UNC Path (\\\\).



**Requirements**

1. Place [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape) as .zip in a remote computer and specify the route in the variable **$fileshare** to use it as default archiving path or you can specify the fileshare path with the argument -fileshare. 

2. Run the tool within a powershell session with Admin privileges in both remote computer to acquire and computer/server where your evidences will be saved.

3. Due Cred-SSP and DCOM ["Double-Hop" limitations](https://community.spiceworks.com/topic/601698-powershell-remoting-and-unc-paths), **you must authenticate twice**.

4. Ensure proper WMI/RPC (Port 135) and WinRM (Port 5985/5986) exclusions through network and host Firewalls from Analyst computers to Remote Machines. As well as SMB between remote machine and fileshare server.

5. For memdump capabilities (do it before point 1):

   - Download [Winpmem](https://github.com/Velocidex/WinPmem/releases) and save it within '/Modules/bin' as "winpmem.exe"

   - Substitute the KAPE Winpmem.mkape module at /Modules/LiveResponse/WinPmem.mkape> for this version [Winpmem.mkape](https://github.com/Richard1611/RemoteKapeTriage/blob/main/WinPmem.mkape) or simply edit the original file.



## Usage Help



**Arguments**

1. help: Display help and command refecences

2. target: machine to acquire

3. fileshare: Place where your evidences will be saved. Default value is stored within $fileshare variable.

4. collect: The evidence collection level  

   - basic: Just eventlogs. 

   - basic+: basic + memdump. 

   - medium: kape triage [!SansTriage](https://github.com/EricZimmerman/KapeFiles/blob/master/Targets/Compound/!SANS_Triage.tkape) Module. 

   - medium+: medium + memdump. 

   - full: kape triage with all target modules. 

   - full+: full + memdump. 

   - memdump: memmory dump with kape+[Winpmem](https://github.com/Velocidex/WinPmem/releases). 



**Examples:**



**Full collection + memdump:**

RemoteKapeTriage.ps1 -target computer1 -colect full+ 



**Basic Collection:** RemoteKapeTriage.ps1 -target computer1 -collect basic 



**Basic Collection + save directory specification:**

Remotekapetriage.ps1 -target computer1 -collect basic -fileshare \\\Remoteserver\c$\



## How it works??

![Information flow architecture](https://github.com/Richard1611/RemoteKapeTriage/blob/main/RemoteKapeTriage%20-%20Information%20flow%20architecture.PNG)

## Usage Example

![Usage Example](https://github.com/Richard1611/RemoteKapeTriage/blob/main/Usage%20example.PNG)



## Notes

* Due im not the most experienced guy with powershell, theres a lot of pending improvements to do (like error/exceptions handling).

* Im open to receive pull requests if you want to collaborate.