Kroll Artifact Parser and Extractor (KAPE) Resources

This page houses official documentation relating the Kroll Artifact Parser and Extractor (KAPE). It will also contain the latest KAPE news, as well as webcasts, case studies, tutorials and other training materials. For any KAPE related questions or assistance with customizations, please contact [email protected]

Primarily a triage program, Kroll’s Artifact Parser and Extractor (KAPE) will target both device or storage locations to find the most forensically relevant artifacts (based on your needs) and parse them within a few minutes. Thus, arming investigators with the right tool to find and prioritize the more critical systems to their case. 


"KAPE serves two primary functions: 1) collect files and 2) process collected files with one or more programs. By itself, KAPE does not do anything in relation to either of these functions, rather, they are achieved by reading configuration files on the fly, and based on the contents of these files, collecting and processing files. This makes KAPE very extensible in adding or extending functionality." – Eric Zimmerman .


This page will hold official documentation as well as the latest KAPE news, webcasts, tutorials, and more. See list below: 

Webcast – Insider Threat Investigations Using KAPE

The Kroll Artifact Parser and Extractor (KAPE) has assisted investigators in solving insider threats faster than ever before due to its ability to process forensic artifacts within minutes.

Learn from two of our resident experts, Anthony Knutson and Aaron Read, as they discuss how best KAPE is used during insider threat investigations, its efficiencies for their teams and how it’s changing the landscape of forensic analysis.

Watch the full Insider Threat Investigations Using KAPE webcast.

Webcast – Child Exploitation Investigation with KAPE

In this session, KAPE creator Eric Zimmerman showcases how key Windows artifacts can be collected from a live or forensic image, parsed and reviewed in a few minutes using KAPE. Additionally, Eric demonstrates how to make custom targets to collect child exploitation material such as .jpgs, .pngs, .mp4s, etc. These examples can then be extended to meet the requirements of even the most complex cases.

Watch the full Child Exploitation Investigation with KAPE webcast.

Webcast – Artifact Analysis Timeline with KAPE

In this webcast replay, KAPE instructor and Digital Forensics and Incident Response (DFIR) expert Mari DeGrazia showcases how key Windows artifacts can be collected from a live or forensic image, parsed and structured into a mini timeline in just a few minutes using KAPE.

Watch the full Express Artifact Analysis Timeline Development with KAPE webcast.

Webcast – Enhancing Event Log Analysis With EvtxECmd Using KAPE

How much time are you spending manually parsing and sorting event logs? In this webcast, Kroll’s Andrew Rathbun demonstrates how to run EvtxECmd through KAPE to expedite event log analysis and how to create your custom maps.

Watch the full Enhancing Event Log Analysis with EvtxECmd using KAPE webcast

Want Additional KAPE Support?

Kroll instructors conduct frequent KAPE Intensive Training and Certification to help you and your team get started. Our experts are also available to address your KAPE questions, assist with customizations and more via [email protected].

Please note: The solo edition of the Kroll Artifact Parser and Extractor (KAPE) allows the tool to be used at no cost by any local, state or international government agency, and by educational or research organization, or for internal company purposes. An enterprise license is required when KAPE is used on a third-party network and/or as part of a paid engagement.

Page last updated: Jan 15, 2021

See all servicesStay Ahead with Kroll


Valuation of businesses, assets and alternative investments for financial reporting, tax and other purposes.

Compliance and Regulation

End-to-end governance, advisory and monitorship solutions to detect, mitigate and remediate security, legal, compliance and regulatory risk.

Corporate Finance and Restructuring

Middle Market M&A, Strategic Advisory, Debt Advisory and Private Capital Markets, Restructuring and Insolvency Services, Financial Due Diligence, Fairness Opinions, Solvency Opinions and ESOP/ERISA Advisory.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Environmental, Social and Governance

Advisory and technology solutions, including policies and procedures, screening and due diligence, disclosures and reporting and investigations, value creation, and monitoring.

Investigations and Disputes

World-wide expert services and tech-enabled advisory through all stages of diligence, forensic investigation, litigation, disputes and testimony.

Business Services

Expert provider of complex administrative solutions for capital events globally. Our services include claims and noticing administration, debt restructuring and liability management services, agency and trustee services and more.


Kroll at RSA Conference 2023

Conference Conference Apr 24 - Apr 27, 2023 | Conference


KAPE Intensive Training and Certification

Online Event Online Event Apr 13 - Dec 07, 2023 | Online Event

KAPE Quarterly Updates


KAPE Quarterly Update – Q4 2022

Feb 06, 2023

by Eric ZimmermanAndrew Rathbun


KAPE Quarterly Update – Q3 2022

Oct 17, 2022

by Eric ZimmermanAndrew Rathbun


KAPE Quarterly Update – Q2 2022

Jul 19, 2022

by Eric ZimmermanAndrew Rathbun


KAPE Quarterly Update – Q1 2022

Apr 27, 2022

by Eric ZimmermanAndrew Rathbun


KAPE Quarterly Update – Q4 2021

Feb 02, 2022

by Eric ZimmermanAndrew Rathbun


KAPE Quarterly Update – Q3 2021

Oct 21, 2021

by Eric ZimmermanNickolas B. Savage Andrew Rathbun


Webcast Replay

How to Use KAPE and SQLECmd with EventTranscript.db

Oct 04, 2021


Forensically Unpacking EventTranscript.db: An Investigative Series

Jul 09, 2021

Anti-Forensic Tactics

Webcast Replay

Webcast Replay – How to Identify Timestomping Using KAPE

Jun 15, 2022 - Join Kroll's Andrew Rathbun as he walks through how to detect Timestomping using KAPE.


Sophisticated Anti-Forensic Tactics and How To Spot Them

Investigative research into anti-forensics tactics Kroll experts have observed in ongoing incident response investigations.

Press Release

Kroll Responder Recognized in 2023 Gartner Market Guide for Managed Detection and Response Services for the Third Consecutive Year

Mar 23, 2023


Kroll Launches Cyber Partner Program Delivering Lifetime Returns

Feb 28, 2023


Kroll Named an MDR “Champion” by Bloor Research

Feb 27, 2023

Press Release

Gartner Names Kroll a Representative Vendor for Managed Security Incident and Event Management

Jan 09, 2023