1.3.0.

2
- Change from nlog to Serilog (much nicer console output)
- New module variables for command lines: %d%, %guid% and, %sourceDirectoryBase%
- General tweaks and fixes
- Nuget package updates
- Updated EZTools binaries
- Sync'ed Targets and Modules

1.2.0.0
- SFTP tweaks for partially existing directory structure
- Nuget package updates
- Updated EZTools binaries
- Sync'ed Targets and Modules

1.1.0.1
- Fix issue with SFTP verification when using --scd and the directory already
existed
- Updated targets and modules
- nuget and control updates

1.1.0.0
- Fix Editor and Save As in gkape
- nuget/control updates
- Tweak how KAPE is accessing files in the root of VSCs
- Changed sync to accept a github repo (optional) to pull Targets and Modules from.
Without specifying a url, the official repo is used. The URL is expected to have
the same format as the official repo should an alternate URL be used.
- Sync will also include .template and .guide files in the Targets and Modules
directory
- Fix issue with Disable flush warnings related to mdest existing
- When transferring files, add timestamp to end of directory in format
yyyyMMddHHmmss. Example: KAPE_data_push{comment}_yyyyMMddHHmmss, where comment is
optionally supplied.
- When using Azure SAS, add details to test file being uploaded (timestamp,
computer name, os info, comment) vs simply 'test upload' for the contents
- Added --scd switch to specify the default path to upload files to. If the
directory does not exist, it will be created. Do NOT use leading slash! Example: --
scd foo/bar/wizzo
- Updated included Targets/Modules, and Module binaries

1.0.0.3
- Allow for --sync to run without admin
- Add additional S3 switches for using session tokens and supplying a key prefix
- nuget updates
- gkape can now save _kape.cli once configured. gkape will also prompt to load the
FIRST command line from _kape.cli when starting. This is useful for preconfiguring
KAPE for less technical people to use remotely, etc.

1.0.0.2
- Fix issue with TLS version related to testing URL

1.0.0.1
- Add %s variable which resolves to the system drive letter (i.e. C or D, vs. C:\
or D:\ etc)
- S3 Presigned URL tweaks (maximum 5 GB size limit per AWS)
- Allow for up to TLS 1.2 connections
- Control and nuget updates
- Updated EZTools binaries
1.0.0.0
- Add mvar support to ExportFile
- Add --s3url which allows for pushing collections to presigned S3 URLs, keeping
credentials safe
- Updated controls and nuget

0.9.6.0
- Wrap updating Console.Title to prevent issues on some systems (rare issue)
- Add MinSize and MaxSize support to editing targets in gKape
- Fix issue in gKape with 'Selected target/module' count in status bar not always
updating
- Add ability to select S3 provider in gKape
- gKape fixes when using the Editor and Save As
- Added --rlc switch, for Retain Local Copy. When true, local copies of transferred
files are NOT deleted
- Updated controls and nuget

0.9.5.0
- Made --mlist and --tlist recursive
- Fix issue with tvars when more than one variable is on command line
- Add context menus to grids in gkape for Select all, Select none, and Invert
selection
- Updated controls and nuget

0.9.4.0
- Added %sourceDriveLetter% to module variables. This resolves to the first two
characters of --msource (ex. C:) even if --msource was c:\temp\foo. Needed for
tools like manage-bde.exe
- Handle wide range of S3 providers vs just AWS: Amazon S3, Backblaze B2, Digital
Ocean Spaces, Google Cloud Storage, IBM Cloud Object Storage, Linode Object
Storage, Oracle Cloud Object Storage, and Wasabi
- Control and nuget updates
- Updated EZTools
- Updated targets and modules

0.9.3.0
- Updated targets and modules
- Updated controls and nuget
- Some updated EZTools and map sync
- Fix path check when regex option was present related to AlwaysAddToQueue

0.9.2.0
- REMOVE IsDirectory from Target definitions. Any existing targets not part of the
official repo will need to be adjusted
- In Target definitions, Path is now ALWAYS assumed to be a directory. This means
it should NOT contain wildcards like *.pf. These should be moved to the FileMask
property. All official targets have been updated to reflect this. FileMask is still
optional. If it is not specified, * is assumed, which will match all files in Path
- In Target definitions, Recursive is optional. If missing, it is assumed to be
false. Existing targets with Recursive: false set cleaned up (property deleted)
- Swept existing targets for empty comments and deleted them
- Cleaned up Path properties in Targets (Paths should end with \ by convention.
This is not required, but makes it more obvious as to what the path contains)
- Added ability to reference subdirectories under Targets in Target definitions.
Example: To pull in all targets under Targets\Antivirus, use Path: Antivirus\*
- Allow regex in Target FileMask spec. Example: FileMask: regex:(2019|DSC|Log).+\.
(jpg|txt) tells KAPE to use the regex to match against *complete* filenames. KAPE
will add \A to the beginning of the regex and \z to the end, to ensure the entire
filename is matched.
- Because of the change above, it is also now possible to do things in non-regex
based FileMasks. Example: FileMask: 'Foo*.VHD'. Prior to this change, only *.VHD
was possible.
- Added WaitTimeout to module definition as an optional property. When present, and
greater than 0, signifies the number of minutes KAPE should wait for a module to
finish. If this is exceeded, KAPE will stop waiting and move on.
- Updated nuget packages
- Updated targets

0.9.1.0
- Fix issue in gkape where Azure URI was not in quotes in generated command line.
- Updated controls/nuget
- Updated targets and modules
- Updated ezTools binaries

0.9.0.3
- Fix issue with target source being expanded incorrectly (C: vs C:\)
- More FIPS improvements/tweaks
- Sparse file handling tweaks
- Updated targets and modules

0.9.0.2
- Add --sim switch that simulates files being copied, but nothing gets copied. The
only thing that does not happen is the copying of data, so SHA-1, logging, etc. is
intact. Useful for audits of files without really copying files, etc.
- Tweak debug and trace messages for vhd(x) building
- vhd(x) size calculation tweaks
- When using batch mode, allow for renaming kape.exe to any other name and things
will still work
- Swap out SHA-1 code to FIPS compliant implementation
- Fix gkape issue when resizing where Target variables area was static
- Nuget and control updates

0.9.0.1 2020-03-10
- Updated nuget and controls
- Fix issue with VSC iteration
- Updated EZ-Tools binaries
- Updated to latest target/modules

0.9.0.0 2020-02-20
- Added --tvars to support variables in target files. For example c:\users\*\
ntuser.dat becomes c:\users\%user%\ntuser.dat. If tvars is not used, %user% is
replaced with *, but if --tvars user:eric is used, the path becomes c:\users\eric\
ntuser.dat and only a single user is collected. All targets have been updated for
this pattern, so not supplying tvars will work as it always has.
- Removed Target properties for following reparse and/or symlinks
- Added support to automatically resolve and follow reparse and symlink while
staying on the target drive letter. This makes target writing easier and gets rid
of warnings about possibly missing data, etc.
- Add system information to console including machine name, bittyness, operating
system name and build number
- Remove --mef limitation so any export format can be defined in modules and used
with --mef. Previously, only csv, xml, html and json were supported
- nuget and 3rd party control updates

0.8.8.1 2019-10-xx
- When using --cu, delete Documentation directory
- When batch mode file is present, do not process it if kape.exe -h or similar is
called
- Detect when drive letter changes when processing Reparse/Symlinks. This prevents
looking on the G drive where the reparse/symlink points to C:\. In these cases, the
correct drive letter is now updated for the path to search and a warning is
displayed
- Added (optional) MinSize and MaxSize properties to Targets definition. Specify
the size in bytes and anything smaller/bigger than the defined values will be
dropped. Enable --debug to see dropped files
- When using %m in --msource, replace it with the Machine name
- 3rd party control updates

0.8.8.0 2019-10-23
- Remove target information from container names and log files
- Delete SkipLog file if it is empty at end of run
- Fix issue with not finding files in VSCs due to symlink processing changes
- Cleaned up other names of log files
- Updated controls and nuget packages

0.8.7.3 2019-09-26
- sftp transfer tweaks (use large buffers to send data, add transfer speed to Title
bar)
- Updated zipping component (~35% faster zipping!)
- Updated SFTP config format (be sure to read the docs and check out the example)

0.8.7.2 2019-09-18
- Swapped out SFTP client with more robust implementation
- Added logging of file upload and download initiation to SFTP mode. Now both the
start of and completion of the upload is shown
- Added logging of file deletion to SFTP mode
- gkape GUI tweaks
- When syncing, a unique GUID is added to any config names that end up in !Local so
the file names are unique. This prevents the warning about duplicate config names
- Other --sync tweaks

0.8.7.1 2019-09-07
- Detect of any FTK processes are running, warn, and exit unless new --ifw switch
is also set. This warns people to not use FTK Imager to mount images which can lead
to problems.
- Added check for new version of KAPE at end of run if Internet connectivity
exists. If a new version is present, the new version number available is shown
along with a message about how to update.
- Fix issue with empty directory paths being too long for containers in some cases
- Other tweaks for various edge cases

0.8.7.0 2019-08-26
- Refactored --sync command to allow for and respect subdirectories in Targets and
Modules. --sync will reorganize things based on the KapeFile repo. Configs not in
KapeFiles repo end up under !Local directory
- Overhauled Targets and modules organization. Compound targets and modules DO NOT
need to be updated to new locations. KAPE will locate the base configs as needed on
the fly
- With the new config organization, KAPE can now pull all configs under a directory
specified in --target or --module. In this way, directories act like a compound
config
- tlist and mlist now expect a path to look for configs. Use . to start. All
configs in the provided path are displayed as well as subdirectories
- Added Folder column in gkape in Targets and Modules grids. Grouping by this
column makes it easy to see what is in various folders
- Tweaks to transfer setting validation to ensure destination is writable
- Removed --sow switch
- When in SFTP server mode, display the KAPE switches needed to connect to the SFTP
server for each defined user. This makes it as easy as copy/paste to tell KAPE to
push to SFTP server
- Add --sftpu switch, which defaults to TRUE, that determines whether to display
SFTP server user passwords when in SFTP server mode
- Added FollowReparsePoint and FollowSymbolicLinks to Target definition. These are
optional and should be used on an as needed basis. The default for both is false if
they are not present. This is the behavior KAPE has always had up to this point.
Setting to true will follow the reparse or sym link which some programs use (Box,
OneDrive, etc)
- Other minor tweaks and nuget updates

0.8.6.3 2019-08-15
- Fix in gkape for mvars building (update separator to ^ vs old value of ,)
- Replace %m (Machine name) and %d (timestamp) in --zip, --vhx, and --vhdx
switches. You can even do both at once to get a timestamped file with machine name
- Other minor tweaks and nuget updates

0.8.6.2 2019-08-09
- When using transfer options, transfer module output to destination when --zm true
is used. This pushes the output from modules as a zip file to the destination
server. You can still optionally transfer target collection too
- For batch mode, add --ul switch. This stands for "Use linear" and when set on an
entry (it should be the first one ideally), KAPE will run each instance from
_kape.cli one at a time, vs spawning all at once. Useful for fine grained control
over batch mode
- In gkape, remember selected targets and modules in gkape when viewing config via
double click. This makes it possible to examine configurations and not have to
reselect everything previously selected
- Change --mvars separator to ^ since comma was often used in variable definitions.
Also tweaked how variables containing : are treated (they just work now vs. being
truncated)
- When KAPE updates a module's output file to avoid overwriting an existing file,
report the name of the new output file to the Console so its possible to know which
input file corresponds to which output file
- Fix rare issue with module processing when standard out and standard error get
written to concurrently
- Change redirecting StandardError to output file in modules to writing it to the
Console. This prevents programs that mix normal output on StdErr from messing up
output files
- Added 'Append' property (optional) to Module's processor section. If true, data
is appended to the value for ExportFile. If append is false, a new, unique filename
is generated to prevent files from being overwritten
- Standardize all timestamps used in log files, file names, etc. to correspond to
same timestamp (when KAPE was executed) vs when files get created. this makes it
easier to group related things together
- Added AWS S3 transfer support via --s3* switches
- Added Azure Storage transfer (SAS Uri) via --asu switch
- Updated gkape for newest features

0.8.5.3 2019-07-29
- gkape tweak for new SHA-1 option moving around
- Fix issue with --zip container option when writing to UNC path
- Allow blank SFTP password
- Digitally sign Get-KAPEUpdate.ps1 script

0.8.5.2 2019-07-22
- Redirect and capture standard error stream in console apps when --debug is used.
Prior to this, only standard out stream was showing up in the console log
- Add dedicated log tracking skipped files (deduplicated and excluded). It is a
CSV ending with 'skiplog.csv'. Thanks to Troy Larson for the idea!
- Add SHA-1 exclusion via --hex. Takes a text file containing one SHA-1 per line.
Any files with the same SHA-1 as an entry in the file is skipped (and logged in
'skiplog.csv')
- Remove 'CopyLog.txt' as it was redundant with what is in the copylog and skiplog
CSV files

0.8.5.1 2019-07-01
- Add %m to gkape interface
- Handle spaces in Target and Module names in gkape. It is recommended to not have
spaces in names, but gkape now properly adds quotes around target and module
switches if any of the selected items contains spaces
- Remove dependency for deduplication on whether 'Process VSCs' is checked in
gkape.
- nuget and control updates
- Updated EZ Tools binaries

0.8.5.0 2019-06-25
- Detect invalid paths (\\server\C$: or c:\temp\c: for example)
- Updated nuget and controls
- Only show informational messages when they make sense (ie copy stats of files
were found, etc)
- Handle case where --tdest is a directory like H:\C and treating that path as root
vs assuming root is H:
- LOWER minimum .net dependency to .net 4.5 for kape.exe and 4.5.2 for gkape.exe
- Updated EZ Tools binaries
- Added details about files being skipped to CopyLog.txt (example: Skipping 'l:\
Windows\System32\config\RegBack\SAM' with SHA-1
'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709' as a file with same hash has already
been copied)
- Added %m command line variable expansion for *destination* switches. When
present, %m will be expanded to the Machine Name (NETBIOS name) where KAPE is
running

0.8.4.2 2019-06-04
- Added --cu switch. When using batch mode (_kape.cli), allows for deleting config
files when the batch run completes
- Added detection of CPU architecture (x86 vs x64) and a way to run x86 specific
binaries for modules. See the "Modules" documentation for full details. In short,
x64 support is assumed. If x86 is needed, name the binary the same as what is in
the module, but end the name with '_x86'. Example: If you had Executable: foo.exe
in a module, having a file named "foo_x86.exe" next to foo.exe, foo_x86.exe would
be the actual program executed. Use --debug to see the selection process take place
- Added documentation URL to KAPE help screen and clickable hyperlink in lower left
of gkape
- Tweak output of --tlist/--mlist to include slightly less detail so there is not
as much scrollback needed. --tdetail and --mdetail include the removed information
if needed
- Add directory KAPE runs from to console log
- Fix for using *relative* paths with mdest

0.8.4.0 2019-05-16
- Faster VSC discovery (4x faster!) and better timestamp resolution for VSC
creation
- Improve VSC access to allow for copying out NTFS system files ($MFT, $J, etc.)
from VSCs
- Tweak to when a directory shows up under --tdest (right before its needed vs
earlier in previous releases)
- Reference files pulled from VSCs using ''VSS#' vs a path under ___vssMount for
consistency
- Updated/new targets and modules
- Updated EZ Tools binaries
- General refactoring and cleanup

0.8.3.5 2019-05-03
- Fix for long file name issue when passing in multiple targets on the command line
that caused the generated file names to become too long for containers

0.8.3.4 2019-05-01
- Fix for collecting from UNC paths

0.8.3.3 2019-05-01
- Updated nuget packages
- Fix issue copying files from VSS based on a change introduced in 0.8.3.2
- Handle long files paths gracefully when using container options. When a long file
name is encountered, the file will be copied to a new name and the original full
path/name is preserved in a text file in the <Root>\LongFileNames directory. The
Copylog will still indicate original source and new destination

0.8.3.2 2019-04-24
- Truncate CopyLog filename when more than one target is used to avoid overly long
file name creation
- Fix for rare issue when expanding wildcards in targets
- When using --sync, any targets or modules in !Disabled folders will be removed
from the Targets or Modules directory so they stay disabled
- Added warning in gkape when either of the flush options are enabled. Also added a
means to disable the warning in gkape
- Preserve last access timestamps even if last access updates are enabled.
- Tweak path detection so that things like '--tdest ..\destination' works, which
allows for using relative paths on command line (i.e. when you do not know drive
letter ahead of time)
- control and software updates
- When using --mlist and --mdetail, KAPE Will list any missing binaries along with
the URL to download the missing files
- Updated to the most recent targets and modules

v0.8.3.0 2019-03-15
- Added %kapeDirectory% variable that is replaced with the full path to where
kape.exe was executed from. Useful for having a reference point for config files to
pass to modules, etc.
- Added SFTP support. Server name, port, and username are required. See help screen
for more details and switches. SFTP password, when present, will be redacted from
the ConsoleLog
- Added zip to container options. Works like VHD(x) containers, except things just
get zipped up
- When targeting $J, only copy the non-sparse part of the file. This makes for a
much smaller (and faster!) collection
- Added _kape.cli support. _kape.cli should contain one or more KAPE command lines
(one per line). When KAPE sees this file on start up, it executes one copy of KAPE
per line in the file, then renames _kape.cli by adding a timestamp to the front of
the file. See https://twitter.com/EricRZimmerman/status/1104212779299426304 for
more details and example usage
- Remove --toe option
- In modules, for ExportFile property, %fileName% will get replaced using the name
of the file being processed. Example: ExportFile: TeraCopy-history_%fileName%.csv
v0.8.2.0 2019-03-05
- Change ConsoleLog from being file based to memory based. ConsoleLog is saved to
--tdest and/or --mdest as necessary
- Remove --dcl option since ConsoleLog is in memory now
- Added --sync switch to automatically update Targets and Modules from the
KapeFiles GitHub repository
- Add --overwrite along with --sync to overwrite any local targets and modules
- In the ConsoleLog, remove extra line feeds and only show first letter of log
level
- gkape updated to allow for editing and creating new targets and modules,
including validation
- Added ability to specify multiple targets and modules on the command line (--
target filesystem,eventlogs for example)
- Add Progress information to Title bar of Console or PowerShell window
- Gkape interface overhauled
- Added PowerShell script for automatic updates of the main KAPE package
- Add --mvars switch which allows passing in key:value pairs to modules
- Polish and tweaks

v0.8.1.0 2016-02-16
- Add support for UNC paths for --tsource and --tdest
- Better detection when out of storage space on destination
- Add check when --mdest and --tdest are the same and disallow it
- Warn when --msource != --tdest
- Clarify EULA section 1.3 as it relates to usage