KAPE

KAPE (Kroll Artifact Parser and Extractor) is a triage-focused forensic tool for rapidly collecting and parsing digital evidence from Windows systems. It is widely used in incident response because it can copy the most valuable artifacts off a host within minutes, automate the parsing of those artifacts, and drive dozens of third-party forensic utilities from a single interface. KAPE is especially valuable in live investigations where time is limited and full disk imaging is not practical.

This chapter explains how KAPE works, its core components, artifact targets, module-based parsing, and how investigators use it for fast and efficient forensic triage.


What Is KAPE?

KAPE stands for Kroll Artifact Parser and Extractor.
It is a modular tool, driven either from the command line (kape.exe) or from a GUI front end (gkape.exe), that:

  • Collects forensic artifacts from Windows systems

  • Parses those artifacts using external tools

  • Automates complex triage workflows

  • Creates structured output for investigators

It is not a full forensic suite but a highly optimized triage framework.


Why KAPE Is Important

KAPE is used because it can:

  • Collect key evidence in minutes

  • Run on a live system or against a mounted forensic image

  • Automate artifact-based collection

  • Parse dozens of forensic artifacts automatically

  • Provide consistent, repeatable outputs

  • Reduce investigation time significantly

It is one of the fastest ways to gather Windows evidence.


KAPE Architecture Overview

KAPE is built around two core components:


1. Targets (Collection Stage)

Targets define what artifacts to collect.

Examples:

  • Registry hives

  • Event logs

  • Browser history

  • Prefetch files

  • LNK files

  • Jump lists

  • Recycle Bin

  • SRUM databases

  • Windows Services

  • Scheduled Tasks

  • Memory dumps (if configured)

Each target is a small YAML file (.tkape) listing the filesystem paths and file masks KAPE should copy. Compound targets (conventionally named with a leading !) reference other target files instead of listing paths themselves. Targets only copy files; they cannot capture memory or other volatile state.


2. Modules (Parsing Stage)

Modules are YAML files (.mkape) that name an external executable and the command line KAPE should run against the collected data; the executables themselves live in the Modules\bin folder.

Examples:

  • EvtxECmd for event logs

  • RECmd for registry analysis

  • PECmd for prefetch

  • MFTECmd for the MFT and USN journal ($J)

  • SrumECmd for SRUM

  • WxTCmd for the Windows Timeline database (ActivitiesCache.db)

  • AmcacheParser for Amcache

  • Browser history parsers (Hindsight, BrowsingHistoryView)

Modules transform raw evidence into structured output (CSV, JSON, XML).
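To make the two definitions above concrete, here is an added example (not code from the KAPE project or from this page) that authors a case-specific target and a matching module with PowerShell and then invokes kape.exe with them. The KAPE folder D:\KAPE, the staging path C:\ProgramData\Staging, the case folder D:\Case01 and the file names CaseTriage / PECmd_Prefetch are assumptions for the example; PECmd.exe is assumed to be present in Modules\bin.

```powershell
# Added example, not KAPE's own code. Assumptions: KAPE unpacked at D:\KAPE,
# PECmd.exe present in D:\KAPE\Modules\bin, and output kept off the evidence volume.
$KapeRoot  = 'D:\KAPE'
$TargetDir = Join-Path $KapeRoot 'Targets\Custom'   # .tkape files are loaded from any subfolder of Targets
$ModuleDir = Join-Path $KapeRoot 'Modules\Custom'   # likewise .mkape files under Modules
New-Item -ItemType Directory -Force -Path $TargetDir, $ModuleDir | Out-Null

# A target is YAML. Each entry under Targets: is a Path (plus optional FileMask),
# or a reference to another .tkape file, which is how compound targets work.
# Id must be a unique GUID, so a fresh one is generated for this file.
$tkape = @"
Description: Case-specific triage - Prefetch plus a hypothetical staging folder
Author: IR Team
Version: 1.0
Id: $([guid]::NewGuid())
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Prefetch
        Path: C:\Windows\prefetch\
        FileMask: '*.pf'
        Recursive: false
    -
        Name: Staging folder (hypothetical path for this example)
        Category: Malware
        Path: C:\ProgramData\Staging\
        Recursive: true
    -
        Name: Event logs
        Category: EventLogs
        Path: EventLogs.tkape
"@
Set-Content -Path (Join-Path $TargetDir 'CaseTriage.tkape') -Value $tkape -Encoding ASCII

# A module is also YAML: the executable (looked up in Modules\bin) and the command
# line KAPE runs. %sourceDirectory% and %destinationDirectory% are KAPE variables
# expanded at run time. BinaryUrl is informational; KAPE does not download tools.
$mkape = @"
Description: Parse collected Prefetch files with PECmd
Category: ProgramExecution
Author: IR Team
Version: 1.0
Id: $([guid]::NewGuid())
BinaryUrl: https://ericzimmerman.github.io/
ExportFormat: csv
Processors:
    -
        Executable: PECmd.exe
        CommandLine: -d %sourceDirectory% --csv %destinationDirectory% --csvf prefetch.csv -q
        ExportFormat: csv
"@
Set-Content -Path (Join-Path $ModuleDir 'PECmd_Prefetch.mkape') -Value $mkape -Encoding ASCII

# Collect with the new target, then parse the collection with the new module.
# Targets and modules are referenced by file name without the extension.
& (Join-Path $KapeRoot 'kape.exe') --tsource C: --tdest D:\Case01\Collected --target CaseTriage `
    --msource D:\Case01\Collected --mdest D:\Case01\Parsed --module PECmd_Prefetch
```

The drive letter in a target Path is a placeholder: KAPE substitutes whatever was passed as --tsource, so the same target works against a live C: drive or a mounted image on another letter.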


How KAPE Works (Workflow)


Step 1: Collection with Targets (--target)

KAPE copies the matching files to a destination folder, preserving their original timestamps and reading locked files (registry hives, $MFT, live event logs) through raw disk access, so the source is not modified. Running it on a live host is still not invisible: kape.exe itself leaves execution traces (its own Prefetch entry, for example), and the destination must be on a separate volume, such as an external drive or network share, so that writing output does not overwrite unallocated space on the evidence disk.

Example command:

kape.exe --tsource C:\ --tdest D:\Output --target !SANS_Triage

This collects a predefined triage set of artifacts. The leading ! marks a compound target: a .tkape file that references other targets instead of listing paths itself.


Step 2: Processing with Modules (--module)

After collection, KAPE runs modules to parse evidence.

Example:

kape.exe --msource D:\Output --mdest D:\Results --module !EZParser

!EZParser is a compound module that runs the Eric Zimmerman tools (EvtxECmd, RECmd, PECmd, MFTECmd, and others) against everything it recognises under --msource, writing one output folder per artifact category.
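Steps 1 and 2 combined into one elevated live-response run, as an added example (not a script from the KAPE project or from this page). It assumes KAPE lives on an external drive mounted as D:, so nothing is written to the evidence volume, and it hashes everything collected for chain of custody; the case folder layout under D:\Cases is an assumption for the example.

```powershell
# Added example, not KAPE's own tooling. Assumptions: KAPE is at D:\KAPE on an
# external drive; C: is the live evidence volume; case output goes under D:\Cases.
$KapeRoot  = 'D:\KAPE'
$Case      = 'D:\Cases\{0}_{1:yyyyMMdd_HHmmss}Z' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime()
$Collected = Join-Path $Case 'Collected'
$Parsed    = Join-Path $Case 'Parsed'

# Copying locked files (registry hives, $MFT, live event logs) needs raw disk
# access, which needs an elevated session. Fail early rather than half-collect.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run KAPE from an elevated PowerShell session.'
}

# Never write output onto the volume being triaged: it overwrites unallocated
# space that may still hold deleted evidence.
if ($Case.StartsWith($env:SystemDrive, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Output path $Case is on the evidence volume $env:SystemDrive."
}
New-Item -ItemType Directory -Force -Path $Collected, $Parsed | Out-Null

# Targets and modules in a single invocation. --vss additionally pulls the same
# files out of every volume shadow copy (older hives and logs often survive
# there); --mef csv forces CSV for module output regardless of module defaults.
& (Join-Path $KapeRoot 'kape.exe') `
    --tsource C: --tdest $Collected --target !SANS_Triage --vss `
    --msource $Collected --mdest $Parsed --module !EZParser --mef csv
if ($LASTEXITCODE -ne 0) {
    Write-Warning "kape.exe exited with code $LASTEXITCODE; review KAPE's console log before trusting the collection."
}

# Chain of custody: hash every collected file immediately and keep the manifest
# with the case but outside the collection folder itself.
Get-ChildItem -Path $Collected -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Case 'collected_sha256.csv') -NoTypeInformation
```

Run it from the external drive as an administrator. The elevation and output-volume checks are the two mistakes most often made on a first live run: without elevation KAPE silently skips the locked files that matter most, and output on C: destroys evidence you may later need to carve.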


Step 3: Analyze Results

Outputs include:

  • CSV reports

  • JSON logs

  • SQLite databases

  • Extracted original files (hives, logs, binaries) that other tools, such as YARA scanners, can process

Investigators load these into:

  • Excel

  • Timeline tools

  • SIEM platforms

  • Visualization dashboards
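Loading the parsed CSVs into one timeline, as an added example (not KAPE's code or the page's): a PowerShell function that merges PECmd and EvtxECmd output from !EZParser into a single chronologically sorted list. It assumes the tools' default output file names (*_PECmd_Output.csv, *_EvtxECmd_Output.csv) and their real column names, and it writes a few constructed rows to a temp folder so it runs without a real collection; point it at a real --mdest folder instead.

```powershell
# Added example, not part of KAPE. The CSV headers below are the ones PECmd and
# EvtxECmd emit; the rows are constructed sample data for an offline demo.
$Parsed = Join-Path $env:TEMP 'kape_timeline_demo'
New-Item -ItemType Directory -Force -Path $Parsed | Out-Null

@'
SourceFilename,ExecutableName,RunCount,LastRun,PreviousRun0
C:\Windows\prefetch\POWERSHELL.EXE-022A1004.pf,POWERSHELL.EXE,14,2024-03-02 08:14:05.0000000,2024-03-01 22:03:11.0000000
C:\Windows\prefetch\UPDATER.EXE-6F2C0B9E.pf,UPDATER.EXE,1,2024-03-02 08:15:40.0000000,
'@ | Set-Content -Path (Join-Path $Parsed 'demo_PECmd_Output.csv')

@'
TimeCreated,EventId,Channel,Computer,UserName,MapDescription,ExecutableInfo,PayloadData1
2024-03-02 08:14:03.1234567,4624,Security,WS01,CORP\jdoe,Successful logon,,Target: CORP\jdoe
2024-03-02 08:15:39.0000000,4688,Security,WS01,CORP\jdoe,Process creation,C:\Users\jdoe\AppData\Local\Temp\updater.exe,
2024-03-02 08:15:41.0000000,4663,Security,WS01,CORP\jdoe,Object access,,
'@ | Set-Content -Path (Join-Path $Parsed 'demo_EvtxECmd_Output.csv')

function Build-KapeTimeline {
    param([Parameter(Mandatory)][string]$ParsedRoot)

    $events = [System.Collections.Generic.List[object]]::new()
    $culture = [cultureinfo]::InvariantCulture

    # PECmd: LastRun and every PreviousRunN column is a separate execution event.
    Get-ChildItem -Path $ParsedRoot -Recurse -Filter '*_PECmd_Output.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        ForEach-Object {
            $row = $_
            $runCols = $row.PSObject.Properties.Name | Where-Object { $_ -eq 'LastRun' -or $_ -like 'PreviousRun*' }
            foreach ($col in $runCols) {
                if ($row.$col) {
                    $events.Add([pscustomobject]@{
                        Time    = [datetime]::Parse($row.$col, $culture)
                        Source  = 'Prefetch'
                        Summary = "$($row.ExecutableName) executed (run count $($row.RunCount))"
                    })
                }
            }
        }

    # EvtxECmd: keep only a short list of high-value event IDs.
    $interesting = 4624, 4625, 4688, 4720, 4732, 7045
    Get-ChildItem -Path $ParsedRoot -Recurse -Filter '*_EvtxECmd_Output.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { [int]$_.EventId -in $interesting } |
        ForEach-Object {
            $events.Add([pscustomobject]@{
                Time    = [datetime]::Parse($_.TimeCreated, $culture)
                Source  = "$($_.Channel) $($_.EventId)"
                Summary = "$($_.MapDescription) $($_.UserName) $($_.ExecutableInfo)".Trim()
            })
        }

    $events | Sort-Object Time
}

Build-KapeTimeline -ParsedRoot $Parsed | Format-Table -AutoSize
```

The interleaving is the point: the 4688 process-creation event and the UPDATER.EXE Prefetch run land one second apart under the same logon, which is the kind of correlation that is invisible when each CSV is read on its own.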


Popular KAPE Targets (Commonly Used)


!BasicCollection

Collects essential forensic artifacts quickly.


!SANS_Triage

SANS-recommended triage set including:

  • MFT

  • Registry hives

  • Event logs

  • Prefetch

  • Amcache

  • LNK

  • Jump lists


Registry Targets

Collect:

  • User hives (NTUSER.DAT)

  • SYSTEM

  • SOFTWARE

  • SAM

  • SECURITY


Browser Targets

From:

  • Chrome

  • Firefox

  • Edge

  • Brave

  • Opera


Memory / Processes

Targets only copy files, so memory and other volatile state are not collected by any target. KAPE covers these with modules instead: memory-acquisition modules that run tools such as WinPmem or DumpIt, and live-response modules that run built-in Windows commands. When those modules are enabled, they produce:

  • RAM dumps

  • Process lists

  • Hotfix lists

They only make sense on a live host; against a mounted image they collect nothing useful.


Logs

Including:

  • Security.evtx

  • System.evtx

  • Application.evtx

  • Setup.evtx


Popular KAPE Modules (For Parsing)


EZParser

Most popular module. Automatically processes:

  • Event logs

  • Registry hives

  • Amcache

  • Prefetch

  • LNK/Jumplists

  • SRUM

  • MFT

  • USN Journal

Ideal for rapid triage.


RECmd

Deep registry analysis.


EvtxECmd

Advanced event log parsing.


PECmd

Prefetch interpreter.


MFTECmd

MFT parser.


SrumECmd

SRUM database parser (per-application resource usage and network usage, attributed to users).


WxTCmd

Windows Timeline (ActivitiesCache.db) parser.


JLECmd

Jump list parser.


LECmd

LNK file parser.


AppCompatCacheParser

Analyzes ShimCache.


KAPE Output

KAPE generates structured evidence output:

  • CSV

  • JSON

  • SQLite

  • XML

  • Parsed reports

These can be fed into:

  • Timeline tools

  • Splunk

  • Elastic

  • Excel

  • Power BI

  • Malware analysis tools


Typical Use Cases of KAPE


1. Rapid Incident Response

KAPE is ideal when:

  • You need quick answers

  • System is live and critical

  • Full disk imaging takes too long


2. Malware Investigation

Parse:

  • Prefetch

  • Event logs

  • Registry keys

  • Run keys

  • Services


3. User Activity Reconstruction

From:

  • SRUM

  • Browser data

  • Jump lists

  • Shellbags

  • LNK files


4. Ransomware Investigations

Identify:

  • Execution chain

  • Persistence keys

  • File encryption activity (mass renames and dropped ransom notes visible in the MFT and USN journal)

  • Remote access attempts


5. Evidence Triage Before Deep Imaging

Used to determine:

  • Whether deep imaging is necessary

  • What areas to focus on

  • Timeline relevance


Advantages of KAPE

  • Extremely fast

  • Lightweight

  • Modular

  • Highly customizable

  • Massive artifact coverage

  • Ideal for IR teams


Limitations of KAPE

  • Windows-focused: KAPE itself runs only on Windows, and its target and module library is almost entirely about Windows artifacts

  • Dependent on external tools for parsing: a module does nothing unless the executable it names is present in Modules\bin

  • Not a full disk imaging solution: it copies selected files, not free space or deleted data

  • Requires understanding of artifacts to configure properly: a target that omits a path silently collects nothing for it


Intel Dump

  • KAPE is a triage-focused tool that collects (Targets) and parses (Modules) Windows forensic artifacts rapidly.

  • Targets extract data such as registry hives, event logs, browser activity, Amcache, MFT, SRUM, and prefetch.

  • Modules process artifacts with external parsers such as EvtxECmd, PECmd, MFTECmd and RECmd; the !EZParser compound module runs them all at once.

  • KAPE is used for rapid incident response, malware analysis, user activity reconstruction, and ransomware investigations.

  • Output is structured (CSV, JSON, SQLite), enabling fast timeline building and correlation.
