KAPE
A forensic triage and artifact collection tool designed to rapidly acquire targeted evidence during incident response.
KAPE, short for Kroll Artifact Parser and Extractor, is a DFIR triage and collection framework developed by Eric Zimmerman. It is designed to quickly collect high value forensic artifacts from live systems or forensic images and optionally parse them using a curated set of forensic tools.
KAPE is widely used by incident responders, SOC teams, and forensic investigators to reduce evidence acquisition time while maintaining accuracy and consistency.
What KAPE Does
KAPE automates the targeted collection of forensic artifacts such as registry hives, event logs, browser data, file system metadata, and execution artifacts. It uses modular definitions called Targets and Modules to specify what data to collect and how to process it.
By focusing on evidence that matters most, KAPE enables rapid triage during active incidents and efficient preparation of data for deeper forensic analysis.
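As an added example (not code from the KAPE project or its documentation), the following PowerShell session shows the Target/Module split end to end: it writes a small custom Target definition, runs a targeted live collection with kape.exe, parses the collected files with the !EZParser compound Module, and then checks the run. The install path, case directory, Target name, placeholder GUID and the Targets\Custom folder are assumptions; the command-line switches and the .tkape layout are KAPE's own.

```powershell
# Added example, not part of the KAPE project. Assumed paths: kape.exe,
# Targets\ and Modules\ live under $Kape; output goes under $Case, which
# should be removable or network storage, not the volume being collected.
$Kape  = 'C:\Tools\KAPE'        # assumed install location
$Case  = 'E:\Cases\host01'      # assumed case root on a separate volume
$TDest = Join-Path $Case 'tout' # raw collected files
$MDest = Join-Path $Case 'mout' # parsed (Module) output

# 1. A custom Target (.tkape). Layout: Description/Author/Version/Id header
#    plus a Targets list of Name/Category/Path/FileMask/Recursive entries.
#    At run time KAPE swaps the drive letter in Path for --tsource.
#    The Id is a placeholder GUID for this example.
$target = @'
Description: Execution artifacts (Prefetch, Amcache)
Author: IR team
Version: 1.0
Id: 6f0c9d8e-1c2b-4e7a-9a21-000000000001
RecreateDirectories: true
Targets:
    -
        Name: Prefetch
        Category: Execution
        Path: C:\Windows\Prefetch\
        FileMask: '*.pf'
        Recursive: false
    -
        Name: Amcache
        Category: Execution
        Path: C:\Windows\AppCompat\Programs\
        FileMask: Amcache.hve
        Recursive: false
'@
# Keeping site-specific Targets in their own folder (assumed name) avoids
# mixing them with the upstream definitions that --sync refreshes.
$customDir = Join-Path $Kape 'Targets\Custom'
New-Item -ItemType Directory -Force -Path $customDir, $Case | Out-Null
Set-Content -Path (Join-Path $customDir 'ExecutionTriage.tkape') `
    -Value $target -Encoding ascii

# 2. Collect, then parse. --tsource is the live system volume, --tflush
#    empties tout first, --target names the file above (no extension).
#    --module !EZParser runs the matching Zimmerman parsers (PECmd,
#    AmcacheParser, ...) over --msource and writes CSV to --mdest.
#    Run from an elevated prompt; live collection needs admin rights.
& "$Kape\kape.exe" --tsource C: --tdest $TDest --tflush --target ExecutionTriage `
    --module !EZParser --msource $TDest --mdest $MDest --mflush --mef csv

# 3. Checks a responder makes before the evidence leaves the host.
#    KAPE writes a timestamped CopyLog.csv into --tdest for every run.
$copyLog = Get-ChildItem -Path $TDest -Filter '*CopyLog.csv' -ErrorAction SilentlyContinue
if (-not $copyLog) { throw "No CopyLog.csv in $TDest; the collection did not run" }
$copied = Import-Csv -Path $copyLog.FullName
'{0} files collected' -f $copied.Count

# Independent SHA-256 manifest of the collected files for chain of custody,
# computed outside KAPE so it can be re-verified after transfer.
Get-ChildItem -Path $TDest -Recurse -File -Exclude '*Log.csv', '*ConsoleLog.txt' |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path (Join-Path $Case 'manifest.csv') -NoTypeInformation

# Parsed output ready for review (Prefetch and Amcache CSVs from !EZParser).
Get-ChildItem -Path $MDest -Recurse -Filter '*.csv' | Select-Object Name, Length
```

The same pattern scales out: swap `--tsource C:` for a mounted image drive letter to process an offline acquisition, or replace the custom Target with a compound one such as !SANS_Triage when a broader first pass is wanted.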
Key Features of KAPE
Target Based Artifact Collection
Collects specific forensic artifacts rather than full disk images.
Module Driven Parsing
Automatically runs forensic parsers against collected data.
Live System and Offline Support
Operates on live endpoints or mounted forensic images.
High Speed Collection
Optimized for rapid execution during time sensitive incidents.
Customizable Targets and Modules
Allows analysts to create and tailor collection profiles.
Minimal System Impact
Designed to reduce footprint and avoid disrupting operations.
Consistent Output Structure
Produces standardized results for easier analysis and reporting.
Broad Toolchain Integration
Works seamlessly with Zimmerman forensic tools and other parsers.
Command Line Automation
Ideal for scripted deployments and large scale response efforts.
Advanced Use Cases
Incident Response and Triage
Rapidly collect critical evidence from compromised systems.
Ransomware Investigations
Gather execution, persistence, and encryption related artifacts.
Threat Hunting
Standardize artifact collection across multiple endpoints.
SOC and IR Automation
Integrate KAPE into playbooks and response workflows.
Legal and Forensic Investigations
Ensure repeatable and defensible evidence acquisition.
Latest Updates (as of 2026)
Recent maintenance and ecosystem developments include:
Continued updates to artifact Targets aligned with new Windows versions
Regular enhancements to parsing Modules
Ongoing performance and stability improvements
Strong community adoption and contribution
Continued alignment with DFIR best practices
KAPE remains actively maintained and is considered a foundational DFIR triage tool.
Why It Matters
Full disk imaging is often impractical during active incidents. KAPE enables responders to quickly collect the most valuable evidence without unnecessary delay.
For modern DFIR operations, it provides speed, consistency, and reliability when time and accuracy are critical.
Requirements and Platform Support
KAPE runs on:
Windows (kape.exe console version and gkape.exe GUI)
It requires:
Administrative privileges for live collection
Target system access or mounted forensic images, with output written to removable or network storage rather than the volume being collected
Official site and repository:
https://ericzimmerman.github.io/
https://github.com/EricZimmerman/Kape