Thu, Feb 14, 2019

Introducing KAPE – Kroll Artifact Parser and Extractor


I’m proud to announce KAPE (Kroll Artifact Parser and Extractor) is now available for download. KAPE is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes.

Having worked with and taught digital forensics for over 10 years in both law enforcement and enterprise environments, I understood how DFIR professionals could benefit from a program that collected and processed forensically valuable data quickly, potentially before any full system images were completed.

With key input from the digital forensics/incident response (DFIR) community, we also included predefined “targets” and “modules” for KAPE that help investigators gather a wider range of artifacts in a fraction of the time, enriching evidentiary libraries.

 Kroll Artifact Parser and Extractor KAPE

KAPE is free for download here.

Note: If you're using KAPE commercially, we now have an enterprise license that will enable you to use KAPE on any engagements.

So… What Exactly is KAPE?

KAPE is a multi-function program that primarily:

  1. collects files and
  2. processes collected files with one or more programs.

KAPE reads configuration files on the fly and based on their contents, collects and processes relevant files. This makes KAPE very extensible in that the program’s author does not need to be involved to add or expand functionality.

As we will see later in more detail, KAPE uses the concepts of targets and modules to do its work. KAPE comes with a range of default targets and modules for operations most commonly required in forensic exams. These can also serve as models  for creating new targets and modules.

At a high level, KAPE works by adding file masks to a queue. This queue is then used to find and copy files from a source location. For files that are locked by the operating system, a second run bypasses the lock. At the end of the process, KAPE will make a copy and preserve metadata about all available files from a source location into a given directory. The second (optional) stage of processing is to run one or more programs against the collected data. This too works by targeting either specific file names or directories. Various programs are run against the files, and the output from the programs is then saved in directories named after a category, such as EvidenceOfExecution, BrowserHistory or AccountUsage.

By grouping things by category, examiners of all skill levels have the means to discover relevant information regardless of an individual artifact's source. In other words, an examiner no longer need to know how to process prefetch, shimcache, amcache, userassist, etc., as they relate to evidence of execution artifacts. Ultimately, a wider range of artifacts can be leveraged for any given requirement.

So, In the end, we have a process that looks like this:

Introducing KAPE

Before exploring how KAPE delivers these results, either as a single operation or in stages, let’s first discuss the concepts of targets and modules.

A Bit Deeper

As mentioned earlier, KAPE has two primary phases: target collection and module execution.

Targets and modules are both written using YAML, which is easy to read and to write. KAPE comes with many prebuilt targets and modules that can also serve as examples for building new ones in the future.


Targets are essentially collections of file and directory specifications. KAPE knows how to read these specifications and expand them to files and directories that exist on a target location. Once KAPE has processed all targets and has built a list of files, the list is processed, and each file is copied from the source to the destination directory.

Files that are locked by the operating system and cannot be copied by regular means are, added to a secondary queue. This secondary queue contains all the files that were locked or in use. After the primary queue is processed the secondary queue is processed and a different technique, using raw disk reads, is used to bypass the locks. This results in getting a copy of the file as it exists at the source.

Regardless of how the file is copied (either by regular means or via raw access), the original timestamps from all directories and the files themselves are reapplied to the destination files. The metadata is also collected into log files as well.


Like targets, modules are defined using simple YAML properties and are used to run programs. These programs can target anything, including files collected via the target capabilities as well as any other kinds of programs you may want to run on a system from a live response perspective. For example, if you collected jump lists, a tool like JLECmd could be used to dump the contents of the jump lists to CSV. If you also wanted to collect the output of netstat.exe or ipconfig /dnscache, you could do so as well. Each of these options would be contained in its own module and then grouped together based on commonality between the modules, such as “NetworkLiveResponse”, for example.

Why use KAPE?

KAPE is a robust, free-software triage program that will target a device or storage location, find the most forensically important artifacts (based on your needs), and parse them within a few minutes. Because of its speed, KAPE allows investigators to find and prioritize the systems most critical for their case. Additionally, KAPE can be used to collect key artifacts prior to the start of the imaging process. While the imaging completes, the data generated by KAPE can be reviewed for leads, building timelines, etc.

In short, KAPE gets you to the data (and its answers) much faster than more traditional means.

Download KAPE now.

Note: If you're using KAPE commercially, we now have an enterprise license that will enable you to use KAPE on any engagements.

Connect with us

Eric Zimmerman is a Senior Director
Eric Zimmerman
Senior Director
Cyber Risk
New York

Stay Ahead with Kroll

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

24x7 Incident Response

Enlist experienced responders to handle the entire security incident lifecycle.

Office 365 Security, Forensics and Incident Response

Digital forensic experts investigate hundreds of Office 365 incidents per year and help strengthen your security.

Kroll Responder

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.

End-to-End Litigation Support Services

Experienced investigators deliver case-changing insights to support the entire litigation lifecycle.

Malware and Advanced Persistent Threat Detection

Our expertise allows us to identify and analyze the scope and intent of advanced persistent threats to launch a targeted and effective response.

Incident Response Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.



Q2 2022 Threat Landscape: Ransomware Returns, Healthcare Hit

Aug 10, 2022

by Laurie IaconoKeith Wojcieszek George Glass


How to Assess Your Organization’s Application Security

Aug 10, 2022

by Rahul Raghavan


What Is Application Security? Trends, Challenges & Benefits

Aug 12, 2022

by Rahul Raghavan


KAPE Quarterly Update – Q2 2022

Jul 19, 2022

by Eric ZimmermanAndrew Rathbun


Webcast Replay

Webcast Replay – Incident Response Forum Europe 2022

Webinar Webinar Sep 22, 2022 | Webinar


Kroll at RSA Conference 2023

Conference Conference Apr 24 - Apr 27, 2023 | Conference


KAPE Intensive Training and Certification

Online Event Online Event Apr 13 - Dec 07, 2023 | Online Event


2023 APAC Economic Outlook and Impact on Company Valuations and Restructuring

Webinar Webinar Apr 12, 2023 | Webinar

Webcast Replays

Webcast Replay

Conducting Efficient Insider Threat Investigations using KAPE

Sep 29, 2020

Webcast Replay

Child Exploitation Investigation – Express Analysis with KAPE

Sep 22, 2020

Webcast Replay

Express Artifact Analysis Timeline Development with KAPE

Jun 04, 2020