-
There are several modules that can do just this. That would be how to do it, and you can xfer all module output with the normal transfer switches, just make sure you zip the module output with the appropriate option.
-
winpmem, dumpit, etc. It's really up to you picking the program you trust to dump memory, then wrapping the call in a KAPE module. KAPE does the rest to generate it and xfer it out.
-
You need the module zipping option. Look for that and add it. The rest should be automatic.
-
--zm should be enough. Where are the Azure switches? You should see any errors/warnings about it NOT being able to xfer in the log file. You can share a debug log with all the switches and we can see, but zm should be enough.
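As an added illustration of the advice above (not code from this thread or from the KAPE project), here is what wrapping a memory-dump tool in a KAPE module and shipping the zipped output off-host looks like. The Id, BinaryUrl, executable name, SFTP host and credentials are placeholders; the .mkape key names and kape.exe switches are used as documented in KAPE's own help, so confirm them against your KAPE version before relying on them.

```yaml
# Hypothetical KAPE module (e.g. Modules\Memory\WinPmem.mkape) wrapping WinPmem.
# Replace the placeholder Id, BinaryUrl and executable name with the tool you trust.
Description: Acquire a raw physical-memory image with WinPmem for triage
Category: Memory
Author: IR team (placeholder)
Version: 1.0
Id: 00000000-0000-0000-0000-000000000000      # placeholder: generate a fresh GUID
BinaryUrl: https://example.invalid/winpmem.exe  # placeholder: point at the vetted release
ExportFormat: raw
Processors:
    -
        # Assumed binary name; the executable lives in Modules\bin next to kape.exe.
        Executable: winpmem_mini_x64.exe
        # WinPmem takes the output file as its argument; KAPE expands
        # %destinationDirectory% to this module's output folder under --mdest.
        CommandLine: "%destinationDirectory%\memory.raw"
        ExportFormat: raw

# Invocation from an elevated Windows command prompt (sample values are placeholders):
#   kape.exe --msource C: --mdest C:\KAPE\mout --module WinPmem --zm true ^
#            --scs sftp.example.invalid --scp 22 --scu collector --scpw <password>
# --zm true zips the module output so the transfer switches (here SFTP) pick it up;
# the kape log in --mdest records any transfer errors, which is the first place to
# look when the archive never arrives.
# To clean up afterwards, as suggested later in the thread, run a second call against
# the same --mdest with --mflush and a small no-op module so the local copy is removed.
```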
-
What you can experiment with is using batch mode to do the collection, then do a second call, using the module flush option and a smaller module (or one that does nothing), so things get cleaned up.
-
That should in fact be the default when zipping things and transferring them out.
antmar904 wrote on 6/7/2022 3:18 PM:
…
Weird, I just ran my test again and it deleted all module output files and left only the "ConsoleLog.txt" so I guess it's working.
--
Eric Zimmerman
-
Hello all.
I've been using KAPE for a while and love it. The one thing I am struggling with in DFIR is memory image creation and acquisition. Most of the EDR tools have this already built in; however, SentinelOne does not, so I am trying to come up with the best way to incorporate this with my "Triage Image" process using KAPE. Does KAPE have the capability to create a memory image? This would be a great feature if it could create a memory image and then upload it using one of the "Transfer Options" that already exist in KAPE.