If you’re utilizing KAPE to collect triage collections, are you also collecting a RAM image with the operating system artifacts?
Included in the Modules section of KAPE there are three modules that can create a RAM image. The modules for DumpIt and Winpmem have been available for a while. (I wrote the DumpIt module and Eric Capuano wrote the Winpmem module.) Now you also have the option of using Magnet Ram Capture as an option. As with any of the KAPE modules if you’re calling an executable, you need to ensure the .exe is present in the \modules\bin directory. KAPE does not distribute any 3rd party executables so you need to bring your own. You can download Magnet Ram Capture from the Magnet Free Tools site at Free Tools – Magnet Forensics.
Speaking of Magnet, I should say that I am, as of recent, an employee of Magnet Forensics. All views here, demented and otherwise, are my own and don’t reflect the views or opinions of my employer. Now that all the lawyers are smiling, let’s continue.
When utilizing KAPE you can either run the Memory collection module by itself…
Or more likely, as part of a triage collection so you can get the necessary artifacts, as well as a RAM dump.
While this does work to get both the artifacts and RAM capture, there are a couple issues with the process.
- Best practices for forensics suggest imaging the RAM before making any other changes to the target
- KAPE executes the Targets first and then proceeds to Modules (RAM collection)
- After the KAPE memory collection completes the memory image will be included in the specified KAPE output (zip).
- A copy of the memory image (raw) file stays on the computer, even if KAPE is transferring the data off to a remote location. This appeared to be the case regardless of which memory capture utility is used.
CSIRT-Collect is a PowerShell script that I wrote to automate to collection of a RAM image as well as a KAPE triage collection. I wanted to preserve the order of volatility and capture the RAM before any other artifact collection occurs. Version 3 by default leverages Magnet Ram Capture to collect the memory. You can utilize Winpmem or DumpIt with a minor code modification.
Network share location with “Collections” folder. Within ‘Collections’, 2 subdirectories:
- Memory, containing Magnet Ram Capture (MRC.exe) and command line version of 7zip (7za.exe)
- KAPE (default directory as installed)
The script will:
- map a drive to the “Collections” share, (update the script to reflect the network share for your environment)
- capture a memory image with Magnet Ram Capture,
- capture a triage collection with KAPE,
- transfer the output back to the network share,
- create a text flag when the process has completed.
At the very end of the script a “transfer complete” text file is written to the directory. This is an easy way to know that all the collection activity has completed. If being used for automation, the presence of this file can be used as a trigger to initiate further automation activities.
And that’s it. One script to capture RAM, capture a triage image, and then transfer the collections back to the network.
CSIRT-Collect can be initiated on the endpoint manually, invoked by EDR tools, as well as larger collection scenarios where the script can be pushed out via Group Policy.
Grab your copy of CSIRT-Collect here: