KAPE Targets

Let's start with the concept of Triage Acquisition within the context of Incident Response and Threat Hunting. Triage acquisition means collecting a targeted set of files and artifacts (registry hives, event logs, prefetch files and similar) that reveal the state of the system under analysis, rather than imaging the whole disk.

In this simplified lesson series on evidence acquisition across an Active Directory environment, we will cover several approaches. This video covers the first: using KAPE Targets. A KAPE target is a curated list of paths to collect for a given artifact type, and Velociraptor ships these target definitions in its built-in Windows.KapeFiles.Targets artifact, which makes it a fast and reliable way to collect a standard triage set from many hosts at once.


Video Link IR & TH Series - Velociraptor EDR Evidence Collection: KAPE [ARABIC]


Custom Evidence Collection

In this lesson, we will explore the second concept: collecting evidence when no predefined artifact or KAPE target covers the files you need, by writing a custom Velociraptor artifact whose VQL query selects and uploads exactly those files.


Video Link IR & TH Series - Velociraptor EDR Evidence Collection: Custom [ARABIC]


Offline Collection

In the previous lessons, execution relied on one fundamental point: Velociraptor running in its client/server mode, with an agent on each host enrolled to a server that pushes the collections.

In this lesson, we will explore a completely different execution method, the offline collector, which lets us collect evidence even when communication with the client systems is difficult. This happens when the hosts have no route to the server, for example no public IP or a network segment we cannot reach, or when we as incident responders cannot be physically on site to perform the acquisition. The offline collector is a self-contained executable that runs the selected artifacts locally on the host and writes the results to an archive, which can then be transferred to the analysts over whatever channel is available.


Video Link IR & TH Series - Velociraptor EDR Evidence Collection: Offline [ARABIC]
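The following is an added example, not code from the lesson series, that ties the three lessons together on a single Windows host with no server connection: a KAPE-target triage via the built-in Windows.KapeFiles.Targets artifact, a custom artifact for files no target covers, and the standalone `artifacts collect` mode that writes everything to a local archive. It assumes velociraptor.exe sits in the current directory, that the `--definitions` directory flag is used to load the custom artifact, and the artifact name Custom.Triage.Files, its GlobPattern parameter and the sample paths are all made up for this example.

```powershell
# Added example (not from the lesson series). Standalone Velociraptor triage on a
# Windows host that cannot reach the server. Assumes velociraptor.exe is in the
# current directory and is run from an elevated PowerShell session.

# 1) KAPE Targets: Windows.KapeFiles.Targets wraps the KAPE target definitions.
#    KapeTriage=Y selects the broad triage set (hives, event logs, prefetch, ...).
.\velociraptor.exe artifacts collect Windows.KapeFiles.Targets `
    --args KapeTriage=Y `
    --output "$($env:COMPUTERNAME)-kape.zip"

# 2) Custom collection: a hypothetical artifact for files no predefined target
#    covers. The artifact name, parameter and default path are assumptions.
New-Item -ItemType Directory -Force -Path .\definitions | Out-Null
@'
name: Custom.Triage.Files
description: Collect and hash files matching an operator-supplied glob.
parameters:
  - name: GlobPattern
    default: C:\ProgramData\*\*.exe
precondition: SELECT OS FROM info() WHERE OS = 'windows'
sources:
  - query: |
      SELECT OSPath, Size, Mtime,
             hash(path=OSPath) AS Hash,
             upload(file=OSPath) AS Upload
      FROM glob(globs=GlobPattern)
'@ | Set-Content -Path .\definitions\Custom.Triage.Files.yaml -Encoding ASCII

# --definitions loads extra artifact definitions from a directory (assumed flag).
.\velociraptor.exe --definitions .\definitions artifacts collect Custom.Triage.Files `
    --args GlobPattern='C:\Users\*\AppData\Local\Temp\*.exe' `
    --output "$($env:COMPUTERNAME)-custom.zip"

# 3) Chain of custody: hash each archive before it leaves the host so the analyst
#    can confirm it arrived intact over whatever channel is used.
Get-FileHash -Algorithm SHA256 -Path "$($env:COMPUTERNAME)-*.zip" |
    Format-List Path, Hash
```

The resulting zip files contain the collected files plus a results table per artifact; record the printed SHA256 values out of band (for example in the incident ticket) before copying the archives off the host.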