triaging-windows-with-kape
Installation
SKILL.md
Triaging Windows with KAPE
Authorized Use Only: KAPE collects forensic artifacts from systems. Only run KAPE against systems you own or are explicitly authorized in writing to acquire and analyze. Preserve chain of custody and follow your organization's evidence-handling procedures.
Overview
KAPE (Kroll Artifact Parser and Extractor) is a free, Windows-native triage tool authored by Eric Zimmerman and distributed by Kroll. It performs two distinct phases controlled by separate configuration sets:
- Targets (
.tkapefiles) define what to collect. KAPE uses the raw NTFS file system (via direct volume access) to copy locked/in-use files such as registry hives,$MFT, event logs, prefetch, browser databases, and LNK files without triggering anti-tamper protections. Targets can be chained into "compound" targets (for exampleKapeTriage,!SANS_Triage) that pull a forensically rich subset in minutes. - Modules (
.mkapefiles) define how to process collected (or live) data. Modules wrap external binaries — primarily Eric Zimmerman's tools (PECmd, MFTECmd, RECmd, etc.) — and emit normalized CSV/JSON output. The!EZParsercompound module runs the full EZ Tools suite against a target collection.
KAPE ships with both a CLI (kape.exe) and a GUI front end (gkape.exe). Because of its speed, KAPE lets responders prioritize which hosts warrant deep forensic imaging, making it a cornerstone of modern remote/at-scale DFIR triage.
When to Use
- During the early containment/triage phase of an incident when you need execution, persistence, and account artifacts from one or many hosts quickly.
- When full disk imaging is impractical (large disks, remote sites, time pressure) but you still need a defensible, parseable artifact set.
- When automating collection across a fleet via remote execution (PSExec, EDR live response, SOAR) using batch-mode
_kape.clifiles. - When you need to collect from Volume Shadow Copies to recover historical artifact states.