Thu, Jun 4, 2020

Express Artifact Analysis Timeline Development with KAPE

How much can you accomplish while a full disk image is completing? And what portion of that disk is relevant to your case? With Kroll Artifact Parser and Extractor’s (KAPE) collection and triage capabilities, full-disk forensics is becoming a thing of the past. In this webcast replay, KAPE instructor and Digital Forensics and Incident Response (DFIR) expert Mari DeGrazia showcases how key Windows artifacts can be collected from a live or forensic image, parsed, and structured into a mini timeline in just a few minutes using KAPE.

Watch the Webcast Replay

Express Artifact Analysis and Timeline Development with KAPE

This 30-minute webcast covers:

  • How to leverage KAPE to collect triage data
  • How to normalize data across multiple artifacts
  • How to build a mini timeline using KAPE
  • How to analyze a mini timeline

Tools used in the session:


Download Webcast Slides

Notable Passages From Mari Degrazia During the Presentation

On Approach

“When I start thinking about the key questions to my case, I can usually really focus in on a handful of artifacts that are relevant and important to my investigation. With this approach, with the mini timeline with KAPE, we're thinking, we're going to do that sniper approach instead of like the shotgun approach. We're not going to try and get all of the things; we're going to try and get things that are relevant to our case so that we can get answers quickly.”

On Triage Data

“What are those artifacts? The main one and the main three that we're going to be dealing with today, as it relates is the file system, right? We're talking about files that have been treated on the system, files that have been deleted on the system. This is what we call the MFT in forensics—the master file table. That's going to give us our modified access created, born dates. It can even give us visibility into things like as own identifier, as something was downloaded from the internet, and the MFT can also contain references to deleted files. Just within a file that might be 500 megs in size, we get a ton of information. So, if we think about taking a full disk image in terabytes and terabytes of data, really there's MFT 500 makes small file lots and lots of information. The registry tracks so much of what a user does on the system. We talk about things like recent documents that have been opened up by user and applications that have been executed on the system. We can even tie that to a particular user, things like the USR class, the ntuser.dathive, the sound system security hive. So, the registry gives us a wealth of information into the system as well.”

On KAPE Basics

“When we talk about KAPE, the way that KAPE works is, we have something called targets and modules kind of at the core of it. The targets tell you what information it is that you want to collect from the system, which I just went over right here in the slides. So, we need to tell KAPE of what to collect, and we do that with what's called target files. Next, we want to process that data and to process that data, we use something called modules. And modules will say, okay, now that I have this MFT, how are you going to parse out that data?

KAPE can be ran against either a mounted image, so if you've already had a collection and you already have an image, you can mount that up using something like Arsenal Image Mounter, or you can run CAPE externally from a USB drive. One limitation, if you will, of KAPE, is that it is designed for a Windows system to run with framework. So, if we're talking something about a live system or running it on a mounted image that would be from the Windows platform.  So, we have lots of options when we use KAPE.”

On Collection

“One of the really cool things about KAPE, and I'm going to be talking about them in a minute here, are these targets in the modules. These are open source. These are written by the community. So, if you're working a case or you've been working cases in like you know what? I really find that the shrimp has been very valuable to see data exfiltration. I need a target for that. You can use this little sink with GitHub button and pull down all the targets and modules that have been written by the community, or you can write one yourself. And I think there are over 100 different target modules that have been written either by Eric Zimmerman or the community. To that end, I wrote my own target that collects this information that I've talked about. A lot of times in forensics, we have to use so many different tools to look at our data. We have tools like X-Ways where you can open up an image, run your keyword, searches, filter sort, find interesting files. And if you're working a case, ultimately at some point in time, you're going to have to share your findings with somebody, right? Whether it's your manager who then passes on the information or it's a client, and you have to write a report. So, there's this concept of data messaging that happens.”

On Why There Are Timelines

“I can see this malware watched in the user assist in my registry key, but I want to know how did that person connect into the system to do that? Did they log in locally? Did they come in through RDP? You might jump over and you have to go look at your event logs. So, you have to filter it by the date. But now on a timeline, as soon as you see that user assist happened, you can just scroll up and down your timeline to see what happened, which lets you build out these really cool connections because now you're going to start noticing things that you may not have known to go look for. So for example, if malware executes on the system, you might see an installed service and then you might see an install service, then you might see a run key, and then you might see to actually modify the registry where it alters the firewall. What happens is instead of kind of being responsible for going out in doing and looking at all these different things because it's in this timeline, it's all there for you.”

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.


Proactively monitor, detect and respond to threats virtually anywhere – on endpoints and throughout the surface, deep and dark web.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.