Avi's blog

 Kape is a triage collection and post-processing application written by Eric Zimmerman. Besides full disk image, this tool allows us to create smaller triage image.  If you want to learn more, please open for508 workbook and labs section 1-2.pdf file and look for page 28. This is windows based. It requires target files which identify specific artifacts to be collected in a triage image. Target files are crowd sourced.  Kape ships with one target file that collects every relevant artifacts called !SANS_Triage.tkape Command : Admin privilege required.  kape.exe --tsource F --target !SANS_Triage --tdesk C:\temp\Output --tsource -->where is the data. This should be formatted as C or D: or F:\ --target -->what data to collect. --tlist will tell you list of available targets.  --tdest -->where to copy the collected data. Here you can also use vhdx and vhd. Command to see target list with details, assuming you are in the kape folder: kape.exe --tlist . --tdet...

 Kansa is an IR framework. https://github.com/davehull/Kansa For enterprise data collection, you need to do this first from the admin system: Set-NetConnectionProfile -NetworkCategory Private (In private network) Enable-PSRemoting  from powershell on the systems where you want to run this tool. Check: netstat -naob | findstr "5985"   Also allow tcp port 5985 and 5986 for winrm through the network. You can use  GPO. Though winrm is communicating over http and https but authentication will be happened using kerberos in domain environment.  After downloading it  from the github and unzip it, you need to unlock it using powershell. Need powershell v3 or later. ls -r *.ps1 | Unblock-File Powershell policy bypass: Set-ExecutionPolicy AllSigned | RemoteSigned | Unrestricted From FOR508 course: .\kansa.ps1 -OutputPath .\Output\ -TargetList .\hostlist -TargetCount 250 -Verbose -Pushbin -Pushbin is required by those scripts who has dependency of other binary....