Authors: Mark Hallman (SANS Institute)

DFRWS USA 2019

Abstract

Mark Hallman (SANS Institute)
Abstract

Sunday, July 14, 2019 13:00 – 15:00

KAPE (Kroll Artifact Parser and Extractor) is a Digital Forensics & Incident Response (DFIR) triage tool developed by Eric Zimmerman.   KAPE can both collect digital evidence based upon a highly configurable set of target definitions and process that data with an ever-growing list of processing modules.  New targets and modules are being added every day, not just by Zimmerman, but by the DFIR community. KAPE is a game-changer, no other tool comes close.

By the end of this workshop, you will be able to run KAPE with confidence, collecting evidence with multiple combinations of targets and processing that target data with specific modules.  We will discuss not only apply how to use the tool for collections but that rationale of why we are collecting particular artifacts. We will provide the same detailed coverage of the modules used process the collected data.  Other topics covered:

  • How to create custom targets and modules
  • How to collect from essentially any device or storage location
  • How to keep everything up to date

Speaker Bio

Mark was primarily responsible for building the digital forensics and e-discovery practice of a regional firm in Dallas Texas. Responsibilities included forensics tool research and evaluation, development of ESI collection protocols, development of investigation “playbooks”, training of the analyst team in the application of those tools and techniques for deployment on client projects. Mark actively lead and participated in hundreds of digital forensics and e-discovery projects, in addition to investigation and testimony responsibilities. Mark has provided expert testimony in both state and federal courts.  Mark is currently a Sr. Technical Engineer for the SANS Institute’s Research Operations Center (SROC) where his responsibilities include researching, designing, developing and testing virtual lab environments for the SANS DFIR curriculum.

Workshop Logistics

If you wish to participate in the hands-on exercises, you will need to bring a laptop running Windows or a Mac and a Windows VM. Unfortunately, due to the MS license, we can’t provide the Windows VM for you. It would be best if you download KAPE ahead of the workshop.  We know from experience that a classroom full of students downloading an application during the class will bring the classroom network to its knees.  Please help us out with this.

You can download the latest version of KAPE from http://bit.ly/get-kape

While you’re at it, you can get the rest of Eric’s tools here.  http://bit.ly/get-ez-tools

Downloads