Kroll Artifact Parser and Extractor (KAPE)
Find, collect and process forensically useful artifacts in minutes.
KAPE Training | KAPE Enterprise License | KAPE Resources | Events
Cyber Risk
-
Cyber Governance and Risk
- Cyber Policy Review and Design
- Virtual CISO (vCISO) Advisory Services
- Incident Response Plan Development
- CFIUS Compliance and Review
- Security Culture as a Service (SCaaS)
- Incident Response Tabletop Exercises
- Data Protection Officer (DPO) Consultancy Services
- Optimized Third-Party Cyber Risk Management Programs
- Third Party Cyber Audits and Reviews
- CyberClarity360
-
Incident Response and Litigation Support
- Computer Forensics
- Data Collection and Preservation
- 24x7 Incident Response
- Cyber Risk Retainers
- Cyber Litigation Support
- PHI and PII Identification
- Office 365 Security, Forensics and Incident Response
- Data Recovery and Forensic Analysis
- Malware Analysis and Reverse Engineering
- Malware and Advanced Persistent Threat Detection
- Kroll Artifact Parser Extractor (KAPE)
- Payment Card Industry Services
-
System Assessments and Testing
- Cyber Vulnerability Assessment
- Penetration Testing Services
- Cyber Risk Assessments
- Ransomware Preparedness Assessment
- Cybersecurity Due Diligence for M&A
- HIPAA Security Risk Assessments
- CCPA Compliance Assessment
- Cloud Security Services
- CMMC Preparedness Assessment
- Data Mapping for GDPR, CCPA and Privacy Regulations
- FAST Attack Simulation
- Remote Work Security Assessment
- Notification, Call Centers and Monitoring
- Managed Security Services
- Kroll Partner Solutions
Predefined, Continually Updated Targets and Modules
Actionable Intelligence in Minutes
Standardize Forensic Processes
Developed by 3x Forensic 4:cast DFIR Investigator of the Year
Kroll's Artifact Parser and Extractor (KAPE) – created by Kroll senior director and three-time Forensic 4:cast DFIR Investigator of the Year Eric Zimmerman – lets forensic teams collect and process forensically useful artifacts within minutes. With KAPE, you can find and prioritize the most critical systems to your case and collect key artifacts before imaging. This means no longer having to wait until full system images are gathered and then wading through data where typically less than 10% will have any forensic value.
"The gist of [KAPE] is that in as little as half an hour, we can go from disk imaging to substantive analysis of filesystem, shell, execution, event, and registry data."
Troy Larson, Microsoft
How KAPE Works
Over 60 Predefined Targets and 90 Modules
KAPE has two primary phases – target collection and module execution:
- Targets are essentially collections of file and directory specifications.
- Modules are used to run programs, which can target anything, including files collected via targets as well as any other kinds of programs you may want to run on a system from a live response perspective.
KAPE gives you access to targets and modules for the most common operations required in forensic exams, helping investigators gather a wider range of artifacts in a fraction of the time, enriching evidentiary libraries.
Grouping Artifacts Expedites Triage
KAPE focuses on collecting and processing relevant data quickly, grouping artifacts in categorized directories such as EvidenceOfExecution, BrowserHistory and AccountUsage. Grouping things by category means an examiner no longer needs to know how to process prefetch, shimcache, amcache, userassist, etc., as they relate to evidence of execution artifacts.
Standardize Forensic Processes
When handling an incident, forensic examiners are tasked with knowing which artifacts to collect, where they may reside, and how to collect the data without damaging the evidence or chain of custody. With KAPE, forensic examiners have a solution to find, collect and process forensic artifacts in a way that standardizes forensic engagements by leveraging a wider range of extracted artifacts. KAPE can also help facilitate the onboarding and training of new investigators by standardizing and scaling artifact pulls.
Live KAPE Training with Kroll Experts
Eric Zimmerman and a team of Kroll experts structured a hands-on course to lead forensic examiners to KAPE mastery, enabling federal agents, law enforcement personnel, first responders, digital forensic analysts and incident response team members to:
- Understand the myriad applications of KAPE targets and modules
- Explore the capabilities of KAPE’s graphical interface
- Run a hands-on investigation lab to produce actionable intelligence in 15 minutes or less
- Browse KAPE Training packages
Virtual KAPE Training and Certification Events
Kroll is now offering KAPE Virtual Intensive Training and Certification programs online. See below for a list of the upcoming events, more will be announced soon:
- North America – December 9, 2021
- APAC – November 30, 2021
Continually Evolving Dynamic Solution
Kroll works on some of the most complex and highest profile cyber incidents in the world and performs digital forensics and evidence collection for thousands of companies. This unique frontline insight from our experts is enhanced by input from the global DFIR community to actively contribute to the development of KAPE. To learn more:
- Read the official KAPE Changelog
- Browse the KAPE Documentation
Clarifying KAPE Usage Permission
- KAPE is free for any local, state, federal or international government agency.
- KAPE is free for educational and research use.
- KAPE is free for internal company use.
- KAPE requires a enterprise license when used on a third-party network and/or as part of a paid engagement.
Read more about KAPE enterprise licenses here.
Download KAPE
Stay Ahead with Kroll
Business Services
Technology-enabled legal and business solutions for corporate restructurings, settlement administrations, issuer services, agent and trustee services, and other complex support needs.
Compliance and Regulation
End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate operational security, legal, compliance and regulatory risk.
Corporate Finance and Restructuring
Comprehensive corporate finance, investment banking and restructuring support to clients, investors and stakeholders.
Cyber Risk
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Investigations and Disputes
World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation and testimony.
Restructuring
Financial and operational restructuring and enforcement of security, including investigation, preservation and realization of assets for investors, lenders and companies.
Valuation
Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.