KapeTriage
Author: Scott Downie
description
KapeTriage collects most of the files needed for a DFIR Investigation. This Target pulls evidence from File System files, Registry Hives, Event Logs, Scheduled Tasks, Evidence of Execution, SRUM data, SUM data, Cloud metadata, WER, WBEM, Web Browser data (IE/Edge, Chrome, Mozilla history), LNK Files, JumpLists, Notepad unsaved sessions (Win11), 3rd party remote access software logs, 3rd party antivirus software logs, Windows 10/11 Timeline database, and $I Recycle Bin files.
includes (100)
paths
743 paths from 100 targets
› paths use Windows environment syntax
collection commands
# PowerShell Collection Script
# Target: KapeTriage (Compound Target)
# Use KAPE for compound target collection:
# kape.exe --tsource C: --tdest D:\Evidence --target KapeTriage
Write-Host "For compound targets, use KAPE directly for best results." -ForegroundColor Yellow
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 18 other targets. KAPE will automatically collect all referenced artifacts.
› cyberchef recipes
- URL Decode: decode URL-encoded strings
- Unicode Decode: decode Unicode escape sequences
- Registry Binary: decode binary registry values
Open in CyberChef to decode values extracted from this artifact.