Kroll Artifact Parser And Extractor (KAPE)

Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic investigators collect and process forensically useful artifacts within minutes. Get more information on KAPE, access training materials or book a live session with a Kroll expert here.

With KAPE, users can find and prioritize the systems that are most critical to their case and collect key artifacts before imaging. Forensic investigations no longer require long waits to gather full system images, followed by wading through data of which 90% typically has little or no forensic value.

"The gist of [KAPE] is that in as little as half an hour, we can go from disk imaging to substantive analysis of filesystem, shell, execution, event, and registry data."
Troy Larson, Microsoft

Purpose–Built to Expedite and Optimize Forensic Investigations

  • Predefined, continually updated targets and modules
  • Actionable intelligence in minutes
  • Standardize forensic processes
  • Developed by 3x Forensic 4:cast DFIR Investigator of the Year

How KAPE Works


Over 60 Predefined Targets and 90 Modules


KAPE operates in two primary phases – target collection and module execution:

  • Targets are essentially sets of file and directory specifications.
  • Modules run programs, which can target anything, including files collected via targets, as well as any other programs you may want to run on a system from a live response perspective.

KAPE lets users access targets and modules for the most common operations required in a forensic exam, letting investigators gather many more artifacts in much less time, and enriching evidentiary libraries.

 

Grouping Artifacts Expedites Triage


KAPE’s primary focus is collecting and processing relevant data quickly, grouping artifacts in categorized directories such as EvidenceOfExecution, BrowserHistory and AccountUsage. Grouping items by category means an examiner no longer needs to learn how to process prefetch, shimcache, amcache, userassist, etc., as they relate to evidence-of-execution artifacts.


Standardize Forensic Processes


When investigating or collecting data after an incident, forensic examiners must know which artifacts to collect, where they may reside, and how to collect them without damaging the evidence or chain of custody. With KAPE, examiners can find, collect and process forensic artifacts using a process that standardizes forensic engagements by leveraging a wider range of extracted artifacts. KAPE can also help simplify the onboarding and training of new investigators by standardizing and scaling artifact pulls. 


Live KAPE Training with Kroll Experts


Eric Zimmerman and a team of Kroll experts developed a hands-on course to guide forensic examiners to KAPE mastery, enabling law enforcement personnel, first responders, digital forensic analysts and incident response team members to:

  • Understand the myriad applications for KAPE targets and modules
  • Explore and understand the capabilities of KAPE’s graphic interface
  • Run a hands-on investigation lab to produce actionable intelligence in 15 minutes or less
  • Browse KAPE Training packages

Virtual KAPE Training and Certification Events


Kroll now offers KAPE Virtual Intensive Training and Certification programs online. See below for a list of the upcoming training events currently scheduled (more events TBA):

  • EMEA – October 4, 2022

Register now.

Continually Evolving Dynamic Solution 

Kroll works on some of the most complex and high-profile cyber incidents in the world and performs digital forensics and evidence collection for thousands of companies a year. The work performed by our cyber experts, together with input from the global DFIR community, actively contributes to the development of KAPE. To learn more:

 

Clarifying KAPE Usage Permission
  • KAPE is free for use by any local, state, federal or international government agency.
  • KAPE is free for educational and research use.
  • KAPE is free for internal company use.
  • KAPE requires an enterprise license when used on a third-party network and/or as part of a paid engagement.

Read more about KAPE enterprise licenses here.
