KAPE (Kroll Artifact Parser and Extractor)
What is KAPE (Kroll Artifact Parser and Extractor)?
A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and then runs parser modules to produce ready-to-review output.
KAPE, written by Eric Zimmerman at Kroll, is a free triage framework for Windows DFIR. It uses two pluggable libraries: Targets describe which forensic artifacts to copy (Prefetch, registry hives, event logs, $MFT, browser history, etc.) and Modules describe how to parse them with third-party tools such as the EZ Tools suite or Volatility. Investigators run KAPE against a live endpoint, mounted image or volume shadow copy to collect data in minutes rather than hours, preserving timestamps and source paths. Output can be CSV, JSON or formats consumable by Timeline Explorer and Elastic. KAPE has become a standard part of intrusion response playbooks.
● Examples
- Running `kape.exe --tsource C: --tdest D:\Triage --target KapeTriage` to collect baseline artifacts.
- Chaining a Targets run with `--module !EZParser` to produce parsed CSV output in one pass.
● Frequently asked questions
What is KAPE (Kroll Artifact Parser and Extractor)?
A Windows triage tool from Kroll that collects forensic artifacts from live systems or images and then runs parser modules to produce ready-to-review output. It belongs to the Forensics & IR category of cybersecurity.
What are other names for KAPE (Kroll Artifact Parser and Extractor)?
Common alternative names include: Kroll Artifact Parser and Extractor.
● Related terms
- Eric Zimmerman's EZ Tools (Forensics & IR): A free suite of Windows DFIR command-line and GUI tools by Eric Zimmerman for parsing common forensic artifacts and building timelines.
- Magnet AXIOM (Forensics & IR): A commercial DFIR platform from Magnet Forensics that ingests disk, mobile and cloud sources, parses artifacts and presents them in a unified review interface.
- E01 (EnCase Evidence) Image Format (Forensics & IR): A forensic disk image format originally introduced by Guidance Software for EnCase, storing acquired data in compressed, segmented files with embedded metadata and checksums.
- dd (Raw Disk Image) (Forensics & IR): A flat, bit-for-bit copy of a storage device produced by the Unix dd utility (or compatible tools), without compression, metadata or per-block hashing.
- Chain of Custody (Forensics & IR): The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
● See also
- Cellebrite UFED
- GrayKey