KAPE Updates
Cyber Risk

Thu, Feb 14, 2019

Introducing KAPE - Kroll Artifact Parser and Extractor

/en/our-team/eric-zimmermanEric Zimmerman is a Senior Director

Eric Zimmerman

Download KAPE
KAPE Quarterly Update Q2 2023
New KAPE Official Demo - Kroll recently published an official demo walkthrough of KAPE by Andrew Rathbun.

I’m proud to announce KAPE (Kroll Artifact Parser and Extractor) is now available for download. KAPE is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes.

Having worked with and taught digital forensics for over 10 years in both law enforcement and enterprise environments, I understood how DFIR professionals could benefit from a program that collected and processed forensically valuable data quickly, potentially before any full system images were completed.

With key input from the digital forensics/incident response (DFIR) community, we also included predefined “targets” and “modules” for KAPE that help investigators gather a wider range of artifacts in a fraction of the time, enriching evidentiary libraries. KAPE is free for download here.

Note: If you're using KAPE commercially, we now have an enterprise license that will enable you to use KAPE on any engagements.

So… What Exactly is KAPE?

Kroll Artifact Parser and Extractor KAPE

KAPE is a multi-function program that primarily:

  1. collects files and
  2. processes collected files with one or more programs.

KAPE reads configuration files on the fly and based on their contents, collects and processes relevant files. This makes KAPE very extensible in that the program’s author does not need to be involved to add or expand functionality.

As we will see later in more detail, KAPE uses the concepts of targets and modules to do its work. KAPE comes with a range of default targets and modules for operations most commonly required in forensic exams. These can also serve as models  for creating new targets and modules.

The Latest from KAPE

KAPE Events
 

How KAPE Works

At a high level, KAPE works by adding file masks to a queue. This queue is then used to find and copy files from a source location. For files that are locked by the operating system, a second run bypasses the lock. At the end of the process, KAPE will make a copy and preserve metadata about all available files from a source location into a given directory. The second (optional) stage of processing is to run one or more programs against the collected data. This too works by targeting either specific file names or directories. Various programs are run against the files, and the output from the programs is then saved in directories named after a category, such as EvidenceOfExecution, BrowserHistory or AccountUsage.

By grouping things by category, examiners of all skill levels have the means to discover relevant information regardless of an individual artifact's source. In other words, an examiner no longer need to know how to process prefetch, shimcache, amcache, userassist, etc., as they relate to evidence of execution artifacts. Ultimately, a wider range of artifacts can be leveraged for any given requirement.

So, In the end, we have a process that looks like this:

Introducing KAPE

Before exploring how KAPE delivers these results, either as a single operation or in stages, let’s first discuss the concepts of targets and modules.

A Bit Deeper

As mentioned earlier, KAPE has two primary phases:

  • target collection and
  • module execution.

Targets and modules are both written using YAML, which is easy to read and to write. KAPE comes with many prebuilt targets and modules that can also serve as examples for building new ones in the future.

Why use KAPE?

KAPE is a robust, free-software triage program that will target a device or storage location, find the most forensically important artifacts (based on your needs), and parse them within a few minutes. Because of its speed, KAPE allows investigators to find and prioritize the systems most critical for their case. Additionally, KAPE can be used to collect key artifacts prior to the start of the imaging process. While the imaging completes, the data generated by KAPE can be reviewed for leads, building timelines, etc.

In short, KAPE gets you to the data (and its answers) much faster than more traditional means.

Download KAPE Now

Note: If you're using KAPE commercially, we now have an enterprise license that will enable you to use KAPE on any engagements.

Connect With Us

Stay Ahead with Kroll

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.

Kroll Artifact Parser And Extractor (KAPE)

KAPE Enterprise License

For individuals or business interested in using KAPE for commercial purposes.

KAPE Enterprise License

KAPE Resources

The latest KAPE tutorials, webcasts and guides created by Kroll instructors.

KAPE Resources

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Computer Forensics

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

24x7 Incident Response

Digital Forensics and Incident Response

Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle, including litigation demands. Gain peace of mind in a crisis.

Digital Forensics and Incident Response
Explore Insights
KAPE Quarterly Update - Q4 2023
Cyber

KAPE Quarterly Update - Q4 2023

February 14, 2024

by Eric Zimmerman

KAPE Quarterly Update—Q4 2023
KAPE Quarterly Update - Q3 2023
Cyber

KAPE Quarterly Update - Q3 2023

November 3, 2023

by Eric Zimmerman

KAPE Quarterly Update—Q3 2023
KAPE Quarterly Update - Q2 2023
Cyber

KAPE Quarterly Update - Q2 2023

July 19, 2023

by Eric Zimmerman

KAPE Quarterly Update – Q2 2023
KAPE Quarterly Update - Q1 2023
Cyber

KAPE Quarterly Update - Q1 2023

May 18, 2023

by Eric Zimmerman

Key Q1 2023 KAPE Updates
Webcast Replays
Conducting Efficient Insider Threat Investigations using KAPE
Webcast Replay

Conducting Efficient Insider Threat Investigations using KAPE

September 29, 2020
Conducting Efficient Insider Threat Investigations using KAPE
Child Exploitation Investigation � Express Analysis with KAPE
Webcast Replay

Child Exploitation Investigation � Express Analysis with KAPE

September 22, 2020
Webcast: Child Exploitation Investigation – Express Analysis with KAPE
Express Artifact Analysis Timeline Development with KAPE
Webcast Replay

Express Artifact Analysis Timeline Development with KAPE

June 4, 2020
Express Artifact Analysis and Timeline Development with KAPE
Q4 2021 Threat Landscape Virtual Briefing: Software Exploits Abound
Webcast Replay

Q4 2021 Threat Landscape Virtual Briefing: Software Exploits Abound

February 25, 2022
Q4 2021 Threat Landscape Briefing: Software Exploits Abound

Kroll is headquartered in New York with offices around the world.

One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top