A PowerShell tool that automates remote forensic evidence acquisition (triage) from remote Windows machines using KAPE.
Because of limitations in KAPE's built-in remote acquisition capabilities when acquiring registry keys and other elements over a UNC path, I decided to automate the process of running KAPE on remote computers, but with the tools running locally on the target machine (yes, it is a bit confusing) and the evidence archived on a remote server through a UNC path (\\).
Requirements
- Place KAPE as a .zip on a remote computer and put its path in the variable $fileshare to use it as the default archiving path, or specify the fileshare path with the -fileshare argument.
- Run the tool from a PowerShell session with admin privileges on both the remote computer being acquired and the computer/server where your evidence will be saved.
- Because of CredSSP and DCOM "double-hop" limitations, you must authenticate twice.
- Ensure proper WMI/RPC (port 135) and WinRM (ports 5985/5986) exclusions in network and host firewalls from analyst computers to the remote machines, as well as SMB between the remote machine and the fileshare server.
- For memdump capabilities (do this before point 1):
  - Download WinPmem and save it under '<KAPE_working_directory>/Modules/bin' as "winpmem.exe".
  - Replace the KAPE WinPmem.mkape module at <KAPE_working_directory>/Modules/LiveResponse/WinPmem.mkape with this version Winpmem.mkape, or simply edit the original file.
Arguments
- help: Display help and command references.
- target: Machine to acquire.
- fileshare: Place where your evidence will be saved. The default value is stored in the $fileshare variable.
- collect: The evidence collection level:
  - basic: Just event logs.
  - basic+: basic + memdump.
  - medium: KAPE triage with the !SansTriage module.
  - medium+: medium + memdump.
  - full: KAPE triage with all target modules.
  - full+: full + memdump.
  - memdump: Memory dump with KAPE + WinPmem.
Examples:
Full collection + memdump: RemoteKapeTriage.ps1 -target computer1 -collect full+
Basic collection: RemoteKapeTriage.ps1 -target computer1 -collect basic
Basic collection + save directory specification: RemoteKapeTriage.ps1 -target computer1 -collect basic -fileshare \\Remoteserver\c$\
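As an added example that is not the project's own script, the following PowerShell shows one way to implement the approach the README describes: open a WinRM session to the target, authenticate a second time from inside that session to map the evidence share (the double-hop workaround), expand KAPE locally on the target and run it there so that only the collected output crosses the network. The function names, the sample share path, the C:\KapeTriage staging folder and the mapping of the collect levels to KAPE target names other than !SANS_Triage are assumptions; the KAPE switches used (--tsource, --tdest, --target, --msource, --mdest, --module) are real KAPE options.

```powershell
# Added example, not the project's script. Function names, share paths, the
# staging folder and the level-to-target mapping (except !SANS_Triage) are
# assumptions made for illustration.

function Get-KapeArguments {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('basic', 'basic+', 'medium', 'medium+', 'full', 'full+', 'memdump')]
        [string]$Collect,
        [Parameter(Mandatory)][string]$TargetDest,   # destination for target (file) artifacts
        [Parameter(Mandatory)][string]$ModuleDest    # destination for module (memdump) output
    )
    $level   = $Collect.TrimEnd('+')
    $withMem = $Collect.EndsWith('+') -or $Collect -eq 'memdump'

    # Assumed mapping of the README's levels to KAPE targets; the README only
    # names !SANS_Triage ("medium") explicitly.
    $targets = switch ($level) {
        'basic'  { 'EventLogs' }
        'medium' { '!SANS_Triage' }
        'full'   { 'KapeTriage' }
        default  { $null }          # 'memdump' alone collects no file targets
    }

    $kapeArgs = @()
    if ($targets) {
        $kapeArgs += '--tsource', 'C:', '--tdest', $TargetDest, '--target', $targets
    }
    if ($withMem) {
        $kapeArgs += '--msource', 'C:', '--mdest', $ModuleDest, '--module', 'WinPmem'
    }
    return $kapeArgs
}

function Invoke-RemoteKapeTriage {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Collect,
        [string]$FileShare   = '\\evidence-srv\evidence$',   # assumed share; kape.zip sits in its root
        [string]$KapeZipName = 'kape.zip'
    )
    # Hop 1: credentials the analyst workstation uses to open the WinRM session.
    $remoteCred = Get-Credential -Message "Admin credentials for $Target"
    # Hop 2: credentials the remote session presents to the evidence share.
    # Without CredSSP the first hop's token cannot be delegated again, so the
    # share is mapped explicitly inside the session (this is the second login).
    $shareCred = Get-Credential -Message "Credentials for $FileShare"

    $case     = '{0}_{1:yyyyMMdd_HHmmss}' -f $Target, (Get-Date)
    $kapeArgs = Get-KapeArguments -Collect $Collect `
        -TargetDest "Z:\$case\Targets" -ModuleDest "Z:\$case\Modules"

    Invoke-Command -ComputerName $Target -Credential $remoteCred `
        -ArgumentList $shareCred, $FileShare, $KapeZipName, $kapeArgs -ScriptBlock {
        param($ShareCred, $FileShare, $KapeZipName, $KapeArgs)

        # Map the share with the second set of credentials; fails if Z: is in use.
        New-PSDrive -Name Z -PSProvider FileSystem -Root $FileShare -Credential $ShareCred | Out-Null
        $work = 'C:\KapeTriage'
        New-Item -ItemType Directory -Path $work -Force | Out-Null
        try {
            # KAPE runs on the target itself, so artifacts are read from the
            # local disk; only the collected output is written to the share.
            Copy-Item -Path "Z:\$KapeZipName" -Destination $work
            Expand-Archive -Path "$work\$KapeZipName" -DestinationPath $work -Force
            $kape = Get-ChildItem -Path $work -Filter kape.exe -Recurse | Select-Object -First 1
            & $kape.FullName @KapeArgs
        }
        finally {
            # Remove the staged tooling from the target and drop the mapping.
            Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
            Remove-PSDrive -Name Z -ErrorAction SilentlyContinue
        }
    }
}

# Usage (from an elevated PowerShell on the analyst workstation):
# Invoke-RemoteKapeTriage -Target computer1 -Collect full+ -FileShare \\Remoteserver\c$\
```

KAPE processes targets before modules, so with the "+" levels the WinPmem module (and therefore the memory image) runs after the file collection; if a pristine memory image matters more than speed, run the memdump level first and a file level second. Both credential prompts happen before any remote work starts, which keeps the "authenticate twice" requirement visible to the analyst rather than failing midway through the collection.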
- Since I'm not the most experienced guy with PowerShell, there are a lot of pending improvements to do (like error/exception handling).
- I'm open to receiving pull requests if you want to collaborate.