KapeFiles
2 Features for kape targets
KAPE version latest
Is your feature request related to a problem? Please describe.
WhatsApp.tkape for example

Describe the solution you'd like
Feature 1) Path variable in the tkape files should have a wildcard option to match a directory, Example: C:\Program Files\*SomeApp*
Feature 2) SaveAsFileName variable in the tkape files should have a %destinationFileName% parameter similar to the mkape parameters so the target filename can be altered, Example: SaveAsFileName: %destinationFileName%.jpg

Describe alternatives you've considered
Would like to know of any.

Additional context
An example can be seen in the PR https://github.com/EricZimmerman/KapeFiles/pull/887:
Feature 1) WhatsApp.tkape could be better addressed with using the following path instead: C:\Users\%user%\AppData\Local\Packages\*WhatsAppDesktop*\LocalCache\Roaming\WhatsApp\Cache
Feature 2) WhatsApp_Media.tkape could be better addressed renaming the target files with a .jpg extension to make them readable:
Path: C:\Users\%user%\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\profilePictures
SaveAsFileName: %destinationFileName%.jpg
One should already be fully supported. I don't know that I'm a fan of two
1 is not supported from my testing
Hmm. I know wildcards in between separators work
Well, wildcard C:\Program Files\*\ will catch any folder under Program Files, but if you want to match a folder by name it would be more efficient, such as C:\Program Files\*SomeApp*
I just tested the TeamViewer Target and it worked as expected.
Specifically, this part:
    -
        Name: TeamViewer Application Logs
        Category: ApplicationLogs
        Path: C:\Program Files*\TeamViewer\
        FileMask: 'TeamViewer*_Logfile*'
        Comment: "Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log"
NOTE: I had to copy the file found in Program Files, add a few characters (so KAPE didn't SHA1 dedupe) and place it in C:\Program Files (x86)\TeamViewer for this test scenario. The Program Files* wildcard worked as expected, as did the wildcards in the FileMask.
I even went further and added another slightly different file with a different file name to test the double wildcard in the FileMask and it worked.
I then went ANOTHER step further and modified the Target to this:
    -
        Name: TeamViewer Application Logs
        Category: ApplicationLogs
        Path: C:\Program Files*\*eamViewe*\
        FileMask: 'TeamViewer*_Logfile*'
        Comment: "Includes TeamViewer<version>_Logfile.log and TeamViewer<version>_Logfile_OLD.log"
and it worked!
Interesting @AndrewRathbun, I tried the TeamViewerLogs target on my machine and it didn't find anything under Program Files (x86) even though it exists. I tried running the following command:
.\kape.exe --tsource C: --tdest C:\Temp\KapeTarget --tflush --target TeamViewerLogs --debug
and this is the resulting output:
Found 4 targets. Expanding targets to file list...
Processing target: TeamViewer Connection Logs (v2)
Expanding directory: C:\Program Files*\TeamViewer\
Files found: 0
Processing target: TeamViewer Application Logs (v2)
Expanding directory: C:\Program Files*\TeamViewer\
Files found: 0
Processing target: TeamViewer Application User Logs (v2)
Expanding directory: C:\Users\%user%\AppData\Roaming\TeamViewer\
As you can see they do exist:
I tested it with kape 1.3.0.2 on Windows 11.
Enable --debug and see what it shows
@EricZimmerman I have already done that and put the output in the comment above. By the way, KAPE fails to recognize the correct OS (I'm using Windows 11 and it says Windows 10)
11 came out after kape 1.3.0.2 most likely. It's the same family vs previous versions of windows
> @EricZimmerman I have already done that and put the output in the comment above. By the way, KAPE fails to recognize the correct OS (I'm using Windows 11 and it says Windows 10)
I did my testing with that same version of KAPE and Windows 🤷♂️. To be fair, the Windows Registry shows references to 10 even on 11 systems. Not sure why but it is what it is. I don't think that's a KAPE issue as KAPE is very likely just parsing what Windows is recording.
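
An added example, not part of the thread and not KAPE's code: a small Python model of the wildcard expansion discussed above, useful for cross-checking which directories a Target Path should expand to when --debug reports "Files found: 0". It assumes each backslash-separated segment is matched independently as a case-insensitive glob; `expand_dirs`, `match_files`, `build_sample_tree` and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile


def expand_dirs(root, target_path):
    # Assumption: each segment is matched independently as a case-insensitive
    # glob. This models the thread's observations; it is not KAPE's own code.
    segments = [s for s in target_path.split("\\") if s]
    if segments and segments[0].endswith(":"):
        segments = segments[1:]  # the drive letter is replaced by root
    current = [root]
    for seg in segments:
        matched = []
        for base in current:
            for entry in sorted(os.scandir(base), key=lambda e: e.name):
                if entry.is_dir() and fnmatch.fnmatchcase(entry.name.lower(), seg.lower()):
                    matched.append(entry.path)
        current = matched
    return current


def match_files(dirs, file_mask):
    # Files directly inside dirs whose names match file_mask (case-insensitive).
    return [entry.path for d in dirs
            for entry in sorted(os.scandir(d), key=lambda e: e.name)
            if entry.is_file() and fnmatch.fnmatchcase(entry.name.lower(), file_mask.lower())]


def build_sample_tree():
    # Constructed directory tree that stands in for the C: volume (sample data).
    root = tempfile.mkdtemp(prefix="kape_glob_")
    layout = {
        "Program Files/TeamViewer": ["TeamViewer15_Logfile.log"],
        "Program Files (x86)/TeamViewer": ["TeamViewer15_Logfile_OLD.log", "notes.txt"],
        "Program Files/OtherApp": ["readme.txt"],
    }
    for rel_dir, files in layout.items():
        full = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(full)
        for name in files:
            open(os.path.join(full, name), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path in ("C:\\Program Files*\\TeamViewer\\", "C:\\Program Files\\*SomeApp*"):
        print(path, "->", match_files(expand_dirs(sample, path), "TeamViewer*_Logfile*"))
```

Pointing `root` at a mounted image or live volume instead of the sample tree gives an independent list to compare against the "Expanding directory" lines in KAPE's debug output.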