Hello Reader,
If you haven't already you should check out KAPE, https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first step in a DFIR automation pipeline that most of the large consulting companies, and many of the large DFIR internal organizations, have built. KAPE solves the need of building a flexible triage tool that will extract data from live systems and shadow copies, mounted volumes and data extractions.
In addition KAPE can be set to run parsers against the extracted data allowing you to get to analysis faster, Eric even put a GUI on it that builds the command line for you!
But if it does all this why do I think its the first step? Well once you have the data processed in a scale-able way you then want to find a way to ingest and correlate that data within the single end point and then expand that into 1,000s of endpoints. It's that next step in DFIR automation that many companies, mine included, have been experimenting with over the years.
I'm excited for KAPE and the other tools like it that are emerging (Achoir, Velociraptor, Cylr, some might even say OsQuery with carver) that will help us push our analysis needs to where they need to be. We need to get our examiners beyond running tools to process data that they then stitch together and get all of the things that can be defined in code already done for them so they can focus on what humans do better than machines (for now) which is thinking.
If you want to learn more about KAPE and what I think the future of DFIR is heading make sure to turn into this Friday's Forensic Lunch!
If you haven't already you should check out KAPE, https://www.kroll.com/en/insights/publications/cyber/exploring-kapes-graphical-user-interface KAPE is what I assume is the first step in a DFIR automation pipeline that most of the large consulting companies, and many of the large DFIR internal organizations, have built. KAPE solves the need of building a flexible triage tool that will extract data from live systems and shadow copies, mounted volumes and data extractions.
In addition KAPE can be set to run parsers against the extracted data allowing you to get to analysis faster, Eric even put a GUI on it that builds the command line for you!
But if it does all this why do I think its the first step? Well once you have the data processed in a scale-able way you then want to find a way to ingest and correlate that data within the single end point and then expand that into 1,000s of endpoints. It's that next step in DFIR automation that many companies, mine included, have been experimenting with over the years.
I'm excited for KAPE and the other tools like it that are emerging (Achoir, Velociraptor, Cylr, some might even say OsQuery with carver) that will help us push our analysis needs to where they need to be. We need to get our examiners beyond running tools to process data that they then stitch together and get all of the things that can be defined in code already done for them so they can focus on what humans do better than machines (for now) which is thinking.
If you want to learn more about KAPE and what I think the future of DFIR is heading make sure to turn into this Friday's Forensic Lunch!
Also Read: Daily Blog #637
Post a Comment