KAPE had several updates during Q2 2022. Below, please find a recap of all the important enhancements and news from April through June 2022.

Key Q2 2022 KAPE Updates
  • KAPE-EZToolsAncillaryUpdater.ps1 updated to version 3.4
  • MFTECmd Module for Dumping Resident Files
  • Contributing Guide added to KapeFiles repository
  • READMEs added to Targets and Modules folders
  • Q2 2022 KapeFiles Changes


KAPE-EZToolsAncillaryUpdater.ps1 updated to version 3.4

Kroll’s Andrew Rathbun created a PowerShell script to automate the updating of the KAPE binary, EZ Tools binaries found in .\KAPE\Modules\bin and the ancillary files those tools rely upon to generate output. This was first covered in the KAPE Q4 2021 Quarterly Update.

Michael Moran has provided multiple valuable updates to this script, including the most recent update, which adds an update check feature to see if the version of the script being run by the end user is the most current version.

Be sure to watch the KAPE-EZToolsAncillaryUpdater.ps1 GitHub repository to be notified of future improvements by Andrew or members of the community.

MFTECmd Module for Dumping Resident Files

On June 22, 2022, Eric Zimmerman added a new feature to MFTECmd that allows resident files within an $MFT file to be dumped into a Resident folder. In testing on multiple $MFT files, it has been found that anywhere from 30-80 MB of files are dumped by MFTECmd. Because this use case may not apply to everyone using MFTECmd through KAPE, a separate Module was created for this specific MFTECmd function. This new Module joins multiple other special-purpose MFTECmd Modules, which provide a variety of options for KAPE users.

Contributing Guide added to KapeFiles Repository

At the root of the KapeFiles GitHub repository, Andrew created a short guide on how to contribute to KAPE. This guide provides links to the KAPE Target and Module Guides and Templates. Additionally, a short GIF providing guidance on how to properly complete a Pull Request using the checkboxes has been included in the repo. 

If anyone in the community needs further assistance contributing to KAPE, please do not hesitate to email [email protected] for help from one of our experts.

READMEs added to Targets and Modules Folders

Continuing the trend of administrative changes in the KapeFiles repository this quarter, Andrew added READMEs to the root of both Targets and Modules folders. These README files aim to provide a description of the intended purpose of each of the subfolders within the Targets and Modules folders. More READMEs will be added in the coming months to provide further descriptions of the contents of the subfolders within the Targets and Modules folders. 

Q2 2022 KapeFiles Changes

Here is an overview of the changes to the KapeFiles GitHub repository from April 1, 2022 to June 30, 2022.

KAPE-Related GitHub Repositories

Our experts recommend watching the following GitHub repositories for KAPE-related updates:


Looking for the EZ button to keep KAPE, EZ Tools and the ancillary files associated with your instance(s) of KAPE up to date? Check out the PowerShell script created by Kroll’s Andrew Rathbun here to ensure your copy of KAPE is being updated!

If you need additional KAPE support, explore our virtual live training and certification opportunities or contact our experts at [email protected]. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

This article was written by Andrew Rathbun, a Vice President in Kroll's Cyber Risk practice.
