Kroll Artifact Parser And Extractor (KAPE)

With KAPE, users can find and prioritize the systems that are most critical to their case and collect key artifacts before imaging.

With KAPE, forensic investigations no longer require long wait times to gather full system images and then wading through data where 90% typically has little or no forensic value. 

"The gist of [KAPE] is that in as little as half an hour, we can go from disk imaging to substantive analysis of filesystem, shell, execution, event, and registry data."
Troy Larson, Microsoft

KAPE operates in two primary phases – target collection and module execution:

• Targets are essentially sets of file and directory specifications.
• Modules are used to run programs, which can target anything, including files collected via targets as well as any other kinds of programs you may want to run on a system from a live response perspective.

KAPE lets users access targets and modules for the most common operations required in a forensic exam, letting investigators gather many more artifacts in much less time, and enriching evidentiary libraries.

When investigating or collecting data after an incident, forensic examiners must know which artifacts to collect, where they may reside, and how to collect them without damaging the evidence or chain of custody. With KAPE, examiners can find, collect and process forensic artifacts using a process that standardizes forensic engagements by leveraging a wider range of extracted artifacts. KAPE can also help simplify the onboarding and training of new investigators by standardizing and scaling artifact pulls.