KAPE vs osquery
GitHub Stats
About KAPE
KAPE (Kroll Artifact Parser and Extractor) is a triage tool that finds and parses forensic artifacts in minutes. Developed by Eric Zimmerman at Kroll, it operates in two phases: collection targets gather specific files and artifacts from a system, while module processors parse those artifacts into human-readable formats. KAPE ships with hundreds of pre-built targets covering browser history, event logs, registry hives, prefetch files, SRUM data, scheduled tasks, and virtually every forensic artifact type on Windows. Its module system integrates with Eric Zimmerman's tools (LECmd, PECmd, MFTECmd, etc.) and community parsers to process collected data automatically. KAPE is designed for speed - it can collect and parse a full forensic triage from a live system in under 10 minutes, making it the go-to tool for rapid incident response triage.
About osquery
osquery, developed at Facebook, exposes an operating system as a high-performance relational database. This allows you to write SQL queries to explore operating system data - running processes, loaded kernel modules, open network connections, browser plugins, hardware events, file hashes, and hundreds of other system attributes are all available as SQL tables. For security teams, this means you can query your fleet in real-time: 'SELECT * FROM processes WHERE name LIKE \'%miner%\'' finds cryptominers, 'SELECT * FROM listening_ports WHERE port = 4444' finds suspicious listeners. osquery supports scheduled queries that log differential changes over time, making it powerful for continuous security monitoring and compliance verification. It runs on Linux, macOS, Windows, and FreeBSD, and integrates with fleet management tools like Fleet (formerly Kolide) for centralized querying and alerting across thousands of endpoints.
Platform Support
Tags
KAPE only
osquery only