Tue, Sep 29, 2020

Conducting Efficient Insider Threat Investigations using KAPE

Insider threat investigations involve collecting and analyzing tremendous amounts of data and can require considerable time and effort. Knowing which forensic artifacts are relevant to your case, and where to find them on a system, can save a substantial amount of time during both collection and analysis. The Kroll Artifact Parser and Extractor (KAPE) has helped investigators resolve insider threat cases faster than before because it can collect and process forensic artifacts within minutes.

Two of our resident experts, Anthony Knutson and Aaron Read, discussed the ways they use KAPE during insider threat investigations, its efficiencies for their teams and how it’s changing the landscape of forensic analysis. 

This webcast covers: 

  • How to collect only forensic artifacts relevant to your case 
  • Ways to automate the collections for non-technical users
  • How to tailor a forensically sound tool to your needs to expedite investigations
  • Key areas to examine in an investigation to maximize your time 


Presenters

  • Anthony Knutson, Senior Vice President, Cyber Risk
  • Aaron Read, Senior Vice President, Cyber Risk

Notable Passages from the Presentation

On Why Insider Threats Matter

When we look at an insider threat there are two different ways to look at it. You've got intentional and unintentional. Intentional is pretty self-explanatory. That is, someone who is actually hitting your network and trying to get your data. Unintentional may be something that you're not looking for that you should be. Those are usually your employees who actually click on a phishing campaign that gets an intrusion into your network, or it could be somebody who is getting leveraged by a nation state to do something against your network to get your proprietary data. A lot of it is going to be defined by your management and the policies that you have internally already. – Anthony Knutson

Time is of the essence. If it happened, you need to figure out exactly what happened and you need to move very, very quickly on that in order to provide that data back to the company before it goes at risk. Think of it just like if you were getting an unauthorized access into your network. What are you doing after those steps? After you've contained it, you need to go figure out what else happened with that data so you can provide that information to the decision makers so they can figure out either, one, how to get it back or, two, what legal ramifications need to happen inside of there. – Anthony Knutson 

On Collection Efficiency 

The real power behind KAPE if you're not familiar with it is its ability to collect key forensic artifacts in a matter of minutes. I say that because it's a tool we use day in and day out for our own collections in a number of matters. Really, it can be used in a lot of different scenarios. We find it useful in remote or automated collections. For example, we were able to use this through our responder product and some of our long-term monitoring for our own investigations. When we need to collect triaged data from a remote host we can automate that through KAPE and some of those other capabilities to pull back that triaged data that we know is going to be useful probably about 90% of the data, maybe 95% of the data you need. It's certainly not everything but it'll help you hit the highlights. – Aaron Read

KAPE is a command line tool at heart but it's got a GUI in front of it to help build that command line. This is what actually goes in the KAPE CLI. This is what it goes into as you're running it on a remote host or through another automation package but you can build this all in the GUI, if that's a little more convenient, especially as you're scrolling through targets and modules and going, "Oh, yeah. That's right. That flush option is important and I may or may not want to include that." Might be a little easier sometimes than just going straight to the CLI. – Aaron Read

On Analysis Efficiency 

The module side is designed to actually do the processing. The thing that makes it easy for you to actually read what all that data is actually doing so you can actually make the interpretation. To me, this is where KAPE shines incredibly because, one, how fast it is, and because of how robust it is. When we're looking at it, a module is the actual processing, right? It's grouped by categories. You can do things as far as, "I only care about file system," or, "I only need to go get file and folder access for this system." This is what allows you to do that and it's all been tailored and already pre-determined for things that you could use but, like anything else, you can actually create your own for this based on whatever your investigation requires. – Anthony Knutson 

The modules are written in YAML so it's a very minimal programming language. It's not like you need to learn Perl or some of those other very complex programming languages to actually design your own module. It's frequently updated by the community as well. I've seen a lot of people who are in specific industries who see that they need specific types of files. Maybe you need to pull CAD files from systems to put them somewhere. This tool can do that. You just have to know how to write that tool, and YAML is a pretty easy programming language to do that through. It's internally created so nothing has to be shared. – Anthony Knutson 

This tool is not just a cyber incident response tool that's used to go pull event logs and file system artifacts. If you see that your team is working in maybe ESI or e-discovery and you're looking to pull .docx files or .xls files, this tool can be tailored to pull all that information from a machine without having to specify it to maybe just a user's folder. Things to think about when you're looking at both the target and the module side of this. – Anthony Knutson 
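The passages above describe three pieces of KAPE: the command line the GUI assembles, targets that decide what gets collected, and YAML modules that process what was collected. The script below is an added example, not code from the webcast or from the KAPE project, that builds the e-discovery style pull just described (spreadsheets from every user profile) end to end: a custom target, a helper script, a custom module that runs it, and the kape.exe invocation. The install path C:\Tools\KAPE, the Custom subfolders, the file names and the inventory script are this example's own choices; the flags are KAPE's documented command-line switches, so check `kape.exe --help` on your version if one is rejected.

```powershell
# Added example, not from the webcast or the KAPE project: build a custom
# target and module for an e-discovery style pull of spreadsheet files, then
# run both from the command line the GUI would otherwise assemble.
# Assumptions: KAPE is unpacked at C:\Tools\KAPE; the Custom subfolders, file
# names and the inventory script are this example's own choices.
# Run from an elevated PowerShell prompt (KAPE needs raw access to locked files).

$Kape = 'C:\Tools\KAPE'
New-Item -ItemType Directory -Force -Path "$Kape\Targets\Custom", "$Kape\Modules\Custom", "$Kape\Modules\bin" | Out-Null

# 1. Target (.tkape): what to collect. Each entry is a Path plus FileMask; the
#    wildcard in Path covers every profile under C:\Users, not just one user's.
$TargetYaml = @"
Description: Spreadsheet files from every user profile (example target)
Author: Example
Version: 1.0
Id: $([guid]::NewGuid())
RecreateDirectories: true
Targets:
    -
        Name: Excel workbooks
        Category: Documents
        Path: C:\Users\*\
        FileMask: '*.xlsx'
        Recursive: true
        Comment: "Modern Excel workbooks"
    -
        Name: Legacy Excel workbooks
        Category: Documents
        Path: C:\Users\*\
        FileMask: '*.xls'
        Recursive: true
        Comment: "Pre-2007 Excel workbooks"
"@
Set-Content -Path "$Kape\Targets\Custom\Spreadsheets.tkape" -Value $TargetYaml -Encoding UTF8

# 2. Helper the module will run: inventory every collected workbook with its
#    timestamps and SHA256 so the examiner can tie each file back to a hash.
$Inventory = @'
param([string]$Source, [string]$Dest)
Get-ChildItem -Path $Source -Recurse -File -Include *.xlsx, *.xls |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Size     = $_.Length
            Created  = $_.CreationTimeUtc.ToString('o')
            Modified = $_.LastWriteTimeUtc.ToString('o')
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path (Join-Path $Dest 'Spreadsheets_Inventory.csv') -NoTypeInformation
'@
Set-Content -Path "$Kape\Modules\bin\Inventory-Spreadsheets.ps1" -Value $Inventory -Encoding UTF8

# 3. Module (.mkape): how to process what the target collected. KAPE substitutes
#    %kapeDirectory%, %sourceDirectory% and %destinationDirectory% at run time.
$ModuleYaml = @"
Description: Inventory collected spreadsheets with size and SHA256 (example module)
Category: Documents
Author: Example
Version: 1.0
Id: $([guid]::NewGuid())
ExportFormat: csv
Processors:
    -
        Executable: powershell.exe
        CommandLine: -NoProfile -ExecutionPolicy Bypass -File "%kapeDirectory%\Modules\bin\Inventory-Spreadsheets.ps1" -Source "%sourceDirectory%" -Dest "%destinationDirectory%"
        ExportFormat: csv
"@
Set-Content -Path "$Kape\Modules\Custom\Spreadsheets.mkape" -Value $ModuleYaml -Encoding UTF8

# 4. Collect, then process. --msource defaults to --tdest, so the module runs
#    over the files the target just pulled; --zip/--zpw wrap the target output
#    in a password-protected archive for hand-off.
& "$Kape\kape.exe" --tsource C: --tdest C:\Collections\tout --tflush --target Spreadsheets `
    --mdest C:\Collections\mout --mflush --module Spreadsheets `
    --zip Spreadsheets --zpw 'AgreedOutOfBand'
```

The target and module are looked up by file name, which is why both are called Spreadsheets and the command refers to them without an extension. Swap the FileMask values for `*.dwg` or `*.docx` and the same two files cover the CAD or e-discovery cases mentioned above; the module does not care what the target pulled, it only hashes and lists what landed in the source directory.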

On Intellectual Property Theft Case Study 

We've got both a D and E drive, which we could track back in the registry to the two USBs, we just haven't done that here. What we find here is that there was one USB with a couple of project folders on it. Then the second USB also has one of the projects on it. If you look closely, the shellbags are actually telling us when the folders were created. It looks like, from the shellbags, these project folders on the E drive, the second USB, were created shortly after it was plugged in, which is likely indicative of files being copied from this USB or another source to the E drive. That's interesting. In this case, the E drive we're able to track back and determine wasn't the device that he turned over when he left the company. This is data consistent with copying data onto a device that doesn't appear to be in the company's possession. – Aaron Read

On Exceeding Authorized Access Case Study

The link files are showing that the individual is accessing certain documents and pictures from those computers. As we talked to the company, that's not within their normal or expected work routine. You see here some have tax information, employee details. It turns out this employee listing is actually what hit on the email alert, so we're able to track back exactly where it came from and when. Now, looking at the actual file system. This is parsing the $MFT on this individual's laptop. Not only did we see that there was access to these files, we can see that within our IT employee's downloads folder there's a tickets folder and then nicely organized sub-folders for each of the users where he's accessing and then actually copying files from the original location back to his laptop. Then we see the creation of this ticket, 6/6/20, 7.zip, shortly after, which was actually the file that was emailed out containing all of these. Pretty quickly we can determine where it all came from and what happened. – Aaron Read

On Custom Targets and Modules Case Study 

We were able to remote into the machine and we were able to pull the specific artifacts that we were looking for from it and then do the processing and we were able to provide that very, very quickly. When you're working on things like that it's kind of the same concept that you would do if you were in person, only now you're distant but you've got to figure that part out and KAPE helps with that immensely because you can go and get the specific files that you're looking for. If you know that you may be working a white-collar type embezzlement case with your compliance people or with legal, you can write KAPE to go and pull all the spreadsheet files or any type of way that the financial documentation may be. You can make that password-protected and then send it over to you either via the cloud or secure FTP or through other means such as ship the hard drive with KAPE on there, have the local IT person or somebody who was embedded into the investigation effectively double-click KAPE and let it do its thing, pull everything and then ship the drive back to us. – Anthony Knutson

Once we initiated everything on this, it took about 10 minutes. 10 minutes and we had 90% of the artifacts that were needed in order to provide a concise amount of information to our customer very, very quickly. – Anthony Knutson

The insider threat allegation was substantiated very, very quickly. This person was still an employee so you're able to move very, very quickly on that person. The amount of dwell time was minimal. Like I said, they weren't even ready for the reports when we had the reports done. No expenses. You're not traveling anywhere. You don't have to go buy anything. If you've got a thumb drive laying around the office, you can use that if you really needed to. – Anthony Knutson
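The "ship a drive, have local IT double-click KAPE" workflow described above works because the person on site has nothing to decide. The script below is an added example, not from the webcast or the KAPE project, of a one-click collector that sits next to kape.exe on a removable drive: it re-launches itself elevated, resolves every path relative to the drive it is on, runs the KapeTriage compound target that ships with KAPE, wraps the output in a password-protected archive and writes a SHA256 manifest so the receiving examiner can show the archive was not altered in transit. The folder layout, log name and placeholder password are this example's own choices; the real password is agreed out of band and never travels with the drive. The helper right-clicks the script and chooses Run with PowerShell.

```powershell
# Added example, not from the webcast or the KAPE project: a one-click
# collector for a non-technical on-site helper. It lives next to kape.exe on
# the removable drive. Folder layout, log name and the placeholder password
# are this example's own choices; the real password is agreed out of band.

$ErrorActionPreference = 'Stop'

# Re-launch elevated if needed: KAPE needs raw access to locked files ($MFT,
# registry hives), so an unelevated run silently collects far less.
$Me = $MyInvocation.MyCommand.Path
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) {
    Start-Process powershell.exe -Verb RunAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$Me`""
    exit
}

# Everything is relative to the script, so the drive letter the host assigned
# to the thumb drive does not matter.
$Root    = Split-Path -Parent $Me
$KapeExe = Join-Path $Root 'kape.exe'
$Machine = $env:COMPUTERNAME
$Stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$OutDir  = Join-Path $Root "Collections\${Machine}_$Stamp"
$Log     = Join-Path $OutDir 'collector.log'

if (-not (Test-Path $KapeExe)) { throw "kape.exe not found in $Root" }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# KapeTriage is the compound triage target that ships with KAPE; --zip/--zpw
# hand the target output back as one password-protected archive.
$KapeArgs = @(
    '--tsource', 'C:',
    '--tdest',   (Join-Path $OutDir 'tout'),
    '--tflush',
    '--target',  'KapeTriage',
    '--zip',     "${Machine}_$Stamp",
    '--zpw',     'AgreedOutOfBand'   # placeholder only, see the note above
)

"[$(Get-Date -Format o)] Starting KAPE on $Machine as $env:USERNAME" | Tee-Object -FilePath $Log -Append
& $KapeExe @KapeArgs 2>&1 | Tee-Object -FilePath $Log -Append

# Hash the archive so the receiving examiner can verify it was not altered in transit.
Get-ChildItem -Path (Join-Path $OutDir 'tout') -Filter '*.zip' | ForEach-Object {
    $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
    "$($h.Hash)  $($_.Name)" | Add-Content -Path (Join-Path $OutDir 'SHA256SUMS.txt')
}
"[$(Get-Date -Format o)] Done. Ship the whole Collections folder back." | Tee-Object -FilePath $Log -Append
Read-Host 'Press Enter to close'
```

The log and the SHA256SUMS.txt file travel back with the archive; the examiner re-hashes the zip on receipt and compares before opening it. Replace KapeTriage with a custom target when the case calls for a narrower pull, as in the embezzlement example above.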

On Remote Collection 

We use KAPE for most of our remote collections, especially in IR engagements where we're in a company's network. We have our responder offering, which includes at the core of it Carbon Black, typically, as EDR. So, we will automate it through Carbon Black to push KAPE, run the targets we need, and then pull it back as a package. – Aaron Read
