Every year, Kroll works on some of the most complex and highest-profile cyber incidents in the world and performs digital forensics and evidence collection for thousands of companies. With Kroll's Artifact Parser and Extractor (KAPE), you gain direct access to our expertise to expedite your in-house investigations.
KAPE was developed by Eric Zimmerman, a senior director in Kroll’s Cyber Risk practice and an award-winning digital forensic investigator. This efficient and highly configurable triage program will target essentially any device or storage location, find forensically useful artifacts and parse them within a few minutes.
KAPE's exceptional speed gives forensic teams actionable intelligence, so investigators can find and prioritize the systems most critical to their case and even collect key artifacts before the imaging process starts.
Forensic teams often default to the time-consuming practice of gathering full system images as a first step, but typically less than 10% of this data has forensic value. KAPE focuses on collecting and processing relevant data quickly, grouping artifacts in categorized directories such as EvidenceOfExecution, BrowserHistory and AccountUsage. This not only expedites triage but also helps to standardize forensic engagements by leveraging a wider range of extracted artifacts.
KAPE has two primary phases: target collection and module execution. The program finds and collects artifacts from the source, groups them in a destination of your choosing and then runs modules against destination files. The KAPE free-software package includes: