DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

Launch embedded KAPE with Targets doesn't work and produces errors #66

Closed Accipiter13 closed 1 year ago

Accipiter13 commented 2 years ago

Hi,

I'm trying to execute KAPE through a WolfLauncher command. Here's my take:

<wolf>
  [...]
    <command keyword="KapeTargets">
        <execute name="KAPE" run="7z:#Tools|kape.exe"/>
        <argument>--tsource %SystemDrive% --tdest . </argument>
        <input name="$MFT" source="7z:#T_Archive|$MFT" argument="--target {FileName}"/>
        <output name="Kape.7z" source="File" argument="/out={FileName}"/>
    </command>
  [...]
</wolf>

with this in ToolEmbed:

<toolembed>
  [...]
    <archive name="T_Archive" format="7z" compression="Normal">
        <file name="$MFT" path=".\tools\Targets\Windows\$MFT.tkape"/>
    </archive>
  [...]
</toolembed>

I took a look at issue #59, and I had already added the <input> tag, but it gives the same runtime error:

[E] Input file '' does not exist or is not a file [0x8007007b: The filename, directory name, or volume label syntax is incorrect.]

I don't understand this error since I think I've correctly embedded the resources.

Do you have any idea about what's going wrong? Did I write something bad in my configuration?

Feel free to ask for any other complementary information that I might have omitted.

Thanks.
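One check worth running before deploying a configuration like the one above is whether every `7z:#Archive|File` reference in the WolfLauncher config actually points at an archive and file declared in the ToolEmbed config. The script below is an added example, not code from DFIR-ORC or from the issue; it parses two constructed configs modelled on the snippets above (the constructed ToolEmbed deliberately omits the `Tools` archive that the issue elides with `[...]`, so the `kape.exe` reference is reported as unresolved while the `$MFT` reference resolves). It only understands the `7z:#` scheme shown in the issue; any other resource scheme the project supports is out of scope here.

```python
"""Cross-check 7z:#Archive|File resource references between a WolfLauncher
config and a ToolEmbed config.

Added example; not part of DFIR-ORC. The two XML documents below are
constructed samples modelled on the snippets posted in the issue.
"""
import re
import xml.etree.ElementTree as ET

# Constructed WolfLauncher fragment (the [...] parts of the issue are left out).
WOLF_XML = """<wolf>
  <command keyword="KapeTargets">
    <execute name="KAPE" run="7z:#Tools|kape.exe"/>
    <argument>--tsource %SystemDrive% --tdest . </argument>
    <input name="$MFT" source="7z:#T_Archive|$MFT" argument="--target {FileName}"/>
    <output name="Kape.7z" source="File" argument="/out={FileName}"/>
  </command>
</wolf>"""

# Constructed ToolEmbed fragment: note that no "Tools" archive is declared here.
TOOLEMBED_XML = """<toolembed>
  <archive name="T_Archive" format="7z" compression="Normal">
    <file name="$MFT" path=".\\tools\\Targets\\Windows\\$MFT.tkape"/>
  </archive>
</toolembed>"""

# 7z:#<archive name>|<file name>, as used in the issue's run= and source= attributes.
RESOURCE_RE = re.compile(r"^7z:#(?P<archive>[^|]+)\|(?P<file>.+)$")


def embedded_files(toolembed_xml):
    """Map each <archive name="..."> to the set of <file name="..."> it declares."""
    root = ET.fromstring(toolembed_xml)
    archives = {}
    for archive in root.iter("archive"):
        archives[archive.get("name")] = {f.get("name") for f in archive.findall("file")}
    return archives


def resource_references(wolf_xml):
    """Collect (command keyword, element tag, value) for every 7z:# reference."""
    root = ET.fromstring(wolf_xml)
    refs = []
    for command in root.iter("command"):
        keyword = command.get("keyword")
        for elem in command:
            for attr in ("run", "source"):
                value = elem.get(attr)
                if value and value.startswith("7z:#"):
                    refs.append((keyword, elem.tag, value))
    return refs


def check_references(wolf_xml, toolembed_xml):
    """Return (keyword, tag, reference, problem) for each reference that does
    not resolve to a declared archive/file pair. An empty list means all good."""
    archives = embedded_files(toolembed_xml)
    problems = []
    for keyword, tag, value in resource_references(wolf_xml):
        m = RESOURCE_RE.match(value)
        if not m:
            problems.append((keyword, tag, value, "malformed 7z:# reference"))
            continue
        archive, fname = m.group("archive"), m.group("file")
        if archive not in archives:
            problems.append((keyword, tag, value,
                             f"archive '{archive}' not declared in toolembed"))
        elif fname not in archives[archive]:
            problems.append((keyword, tag, value,
                             f"file '{fname}' not in archive '{archive}'"))
    return problems


if __name__ == "__main__":
    for keyword, tag, value, problem in check_references(WOLF_XML, TOOLEMBED_XML):
        print(f"[{keyword}] <{tag}> {value}: {problem}")
```

Run against real configuration files, `check_references` takes the two documents as strings; the point is that a reference that does not resolve at this stage cannot produce a usable input file at run time, so a non-empty result is worth fixing before packaging.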

jeanga commented 2 years ago

Hi Accipiter13,

The <input> tag is seldom used in our configurations and your attempt to use it appears correct. We'll have to attempt to reproduce this issue.

Completely unrelated but are you trying to collect the $Mft special file using KAPE? If so, it could be much simpler and an effective workaround to try GetThis to achieve this without the need to add another collection tool to deploy.

Thank you for using dfir-orc!

Accipiter13 commented 2 years ago

Hi @jeanga

The whole idea with using KAPE in this situation is to run a Sans_Triage collection, which would be much faster than configuring get_this for each single artifact. Moreover, it would automatically create a 'Windows-like' directory architecture.

I first tried to collect the MFT, as it was a simple first approach to see if it worked, plus it was easier to show my issue this way.

I would also like to add that I was able to run KAPE with arguments (not without errors), but since I need a file to execute it, I added the <input> tag, hence the error.

Thanks for your response, I'll wait and see if you can reproduce this error.

Regards.

AndrewRathbun commented 2 years ago

I would only recommend the SANS_Triage Compound Target so long as you've validated it grabs what you want. If you're working IR, I would strongly recommend KapeTriage over other Compound Targets. SANS_Triage is meant to be purely educational and shouldn't be used in production unless you've verified yourself that it grabs everything you need.

Accipiter13 commented 2 years ago

Hi @AndrewRathbun

I appreciate your advice. I'll ask my collaborators tomorrow to be sure about what we want to collect, and use the adequate target Compound.

Regards.

AndrewRathbun commented 2 years ago

If you have any questions about best practices re: KAPE Targets and Modules, please don't hesitate to ping me.

Accipiter13 commented 2 years ago

Thanks! I won't hesitate. I joined the DFIR Discord; it would probably be better to ping you there.

AndrewRathbun commented 2 years ago

> Thanks! I won't hesitate. I joined the DFIR Discord; it would probably be better to ping you there.

Yes, I do agree with that! Catch you there!