Kroll Artifact Parser And Extractor (KAPE)

Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic teams collect and process forensically useful artifacts within minutes. Get more information on KAPE, access training materials or book a live session with a Kroll expert here.

With KAPE, you can find and prioritize the most critical systems to your case and collect key artifacts before imaging. This means no longer having to wait until full system images are gathered and then wading through data where typically less than 10% will have any forensic value.

"The gist of [KAPE] is that in as little as half an hour, we can go from disk imaging to substantive analysis of filesystem, shell, execution, event, and registry data."
Troy Larson, Microsoft

Purpose–Built to Expedite and Optimize Forensic Investigations
Predefined, continually updated targets and modules
Predefined, Continually Updated Targets and Modules
Actionable intelligence in minutes
Actionable Intelligence in Minutes
Standardize forensic processes
Standardize Forensic Processes
DFIR Investigator of the Year
Developed by 3x Forensic 4:cast DFIR Investigator of the Year
How KAPE Works

Introducing KAPE

Over 60 Predefined Targets and 90 Modules

KAPE has two primary phases – target collection and module execution:

  • Targets are essentially collections of file and directory specifications.
  • Modules are used to run programs, which can target anything, including files collected via targets as well as any other kinds of programs you may want to run on a system from a live response perspective.

KAPE gives you access to targets and modules for the most common operations required in forensic exams, helping investigators gather a wider range of artifacts in a fraction of the time, enriching evidentiary libraries.

 
Over 60 Predefined Targets and 90 Modules
Grouping Artifacts Expedites Triage

KAPE focuses on collecting and processing relevant data quickly, grouping artifacts in categorized directories such as EvidenceOfExecution, BrowserHistory and AccountUsage. Grouping things by category means an examiner no longer needs to know how to process prefetch, shimcache, amcache, userassist, etc., as they relate to evidence of execution artifacts.

Grouping Artifacts Expedites Triage
Standardize Forensic Processes

When handling an incident, forensic examiners are tasked with knowing which artifacts to collect, where they may reside, and how to collect the data without damaging the evidence or chain of custody. With KAPE, forensic examiners have a solution to find, collect and process forensic artifacts in a way that standardizes forensic engagements by leveraging a wider range of extracted artifacts. KAPE can also help facilitate the onboarding and training of new investigators by standardizing and scaling artifact pulls.

Standardize Forensic Processes
Live KAPE Training with Kroll Experts

Eric Zimmerman and a team of Kroll experts structured a hands-on course to lead forensic examiners to KAPE mastery, enabling federal agents, law enforcement personnel, first responders, digital forensic analysts and incident response team members to:

  • Understand the myriad applications of KAPE targets and modules
  • Explore the capabilities of KAPE’s graphical interface
  • Run a hands-on investigation lab to produce actionable intelligence in 15 minutes or less
  • Browse KAPE Training packages
Live KAPE Training with Kroll Experts
Virtual KAPE Training and Certification Events

Kroll is now offering KAPE Virtual Intensive Training and Certification programs online. See below for a list of the upcoming events, more will be announced soon:

  • North America – September 27, 2022
  • EMEA – October 4, 2022
  • North America – December 8, 2022

Register now.

KAPE Events
Continually Evolving Dynamic Solution 

Kroll works on some of the most complex and highest profile cyber incidents in the world and performs digital forensics and evidence collection for thousands of companies. This unique frontline insight from our experts is enhanced by input from the global DFIR community to actively contribute to the development of KAPE. To learn more:

 

Clarifying KAPE Usage Permission
  • KAPE is free for any local, state, federal or international government agency.
  • KAPE is free for educational and research use.
  • KAPE is free for internal company use.
  • KAPE requires a enterprise license when used on a third-party network and/or as part of a paid engagement.

Read more about KAPE enterprise licenses here.

Download KAPE
This field is required
This field is required
This field is required
This field is required
This field is required A valid email address is required
Please select an Option
This field is required
We will use this information to respond to your inquiry and process your data in accordance with our privacy policy.

Increased Cyber Resilience with a Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

See all servicesStay Ahead with Kroll

Valuation

Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Comprehensive investment banking, corporate finance, restructuring and insolvency services to investors, asset managers, companies and lenders.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.

Cyber


Q3 2022 Threat Landscape: Insider Threat, The Trojan Horse of 2022

Nov 08, 2022

by Laurie IaconoKeith Wojcieszek George Glass

APAC State of Incident Response 2022


State of Incident Response: APAC

Oct 31, 2022

Cyber


KAPE Quarterly Update – Q3 2022

Oct 17, 2022

by Eric ZimmermanAndrew Rathbun

Cyber


KAPE Quarterly Update – Q2 2022

Jul 19, 2022

by Eric ZimmermanAndrew Rathbun

News


Kroll Partners with Armis to Extend Preparedness and Response for OT and ICS Environments

May 09, 2022

News


Kroll Named a Cyber Security Services Pacesetter by ALM Intelligence

Oct 28, 2020

News


Kroll Recognized Among Top Managed Security Service Providers Worldwide by MSSP Alert

Sep 29, 2020

News


Kroll Named in the GIR 100

Oct 23, 2020

Webcast


KAPE Intensive Training and Certification

Online Event Apr 12 - Dec 08, 2022 | Online Event

Webcast


Goodwill Impairment Testing in a Volatile Environment

Webinar Dec 07, 2022 | Webinar