3.3.8. Add KAPE Output

KAPE is an external collection tool, the output of which can be imported into Cyber Triage®. If you use KAPE to collect data from a computer, but want to take advantage of the analytics in Cyber Triage, then you can import the KAPE .vhd or .zip file.

Note

Currently Cyber Triage imports only the KAPE .vhd and .zip file contents. It ignores any other KAPE outputs, and will not parse KAPE “Module” output.

Watch the Cyber Triage Basics Course KAPE video on this technique.

To export data from KAPE for import into Cyber Triage®:

  1. Run KAPE with either the !BasicCollection or !SANS_Triage options selected.

../../_images/2_kape_export_options.png

  2. Use either No Container, VHD, or VHDX for the output.

Note

You may see warnings from KAPE; however, with these options selected, Cyber Triage® should have no issue reading the file.

To import KAPE data:

  1. Choose the KAPE button on the right-hand side of the Add New Host area.

  2. Enter a display name (it can be a host name or more descriptive).

  3. If your KAPE data is in a VHD or VHDX file, then Browse to the file.

  4. If your KAPE data is in a ZIP file, then extract the contents to a folder and Browse to that folder. The selected folder must contain a subfolder named either ‘C’ or ‘C%3A’.

  5. Press Continue to then configure what data types to collect (see Data Collection Types) and malware settings (see Ingest-Time Settings).

../../_images/import_add_kape.png
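As an added pre-flight check (example code, not part of the Cyber Triage documentation or product), the Python script below applies steps 3 and 4 above before you browse to the data: a VHD/VHDX file is accepted as-is, a ZIP is extracted to a folder first, and the folder is then checked for the required ‘C’ or ‘C%3A’ subfolder. The KAPE-like folder layout it builds in a temporary directory is constructed sample data, not real KAPE output.

```python
import tempfile
import zipfile
from pathlib import Path

# Top-level subfolder names Cyber Triage looks for in extracted KAPE target output.
REQUIRED_SUBFOLDERS = ("C", "C%3A")
IMAGE_SUFFIXES = (".vhd", ".vhdx")

def kape_folder_is_importable(folder) -> bool:
    """True when the folder holds a 'C' or 'C%3A' subfolder (the collected drive)."""
    folder = Path(folder)
    return folder.is_dir() and any((folder / n).is_dir() for n in REQUIRED_SUBFOLDERS)

def prepare_kape_output(path, extract_to=None) -> Path:
    """Return the path to browse to (extracting a .zip first); ValueError if not importable."""
    path = Path(path)
    if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
        return path  # a VHD/VHDX is browsed to directly
    if path.is_file() and path.suffix.lower() == ".zip":
        target = Path(extract_to) if extract_to else path.with_suffix("")
        with zipfile.ZipFile(path) as zf:
            zf.extractall(target)  # extractall drops absolute and '..' entry names
        path = target
    if kape_folder_is_importable(path):
        return path
    # e.g. KAPE module output, which has no drive folder and is not parsed by Cyber Triage
    raise ValueError(f"{path}: no 'C' or 'C%3A' subfolder, not importable KAPE target output")

def demo() -> dict:
    """Build a constructed KAPE-like layout in a temp dir and run the checks on it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        target = tmp / "kape_out"  # constructed target output with an empty placeholder hive
        (target / "C%3A" / "Windows" / "System32" / "config").mkdir(parents=True)
        (target / "C%3A" / "Windows" / "System32" / "config" / "SYSTEM").write_bytes(b"")
        zip_path = tmp / "kape_out.zip"
        with zipfile.ZipFile(zip_path, "w") as zf:
            for item in target.rglob("*"):
                zf.write(item, str(item.relative_to(target)))
        results["folder"] = kape_folder_is_importable(target)
        results["zip"] = prepare_kape_output(zip_path, tmp / "extracted").name
        (tmp / "modules" / "ModuleResults").mkdir(parents=True)  # constructed module-only output
        try:
            prepare_kape_output(tmp / "modules")
            results["modules"] = "accepted"
        except ValueError:
            results["modules"] = "rejected"
    return results
```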

If you are using the Team version of Cyber Triage, note that the client does the parsing of the KAPE data and sends the results to the server. The client must keep running until the VHD or folder has been parsed.

After collection has started, proceed to Host-level Examination for an overview of the analysis techniques.

You can read more about KAPE and the differences between it and our collection tool on our blog.