KAPE vs RegRipper

GitHub Stats

- Stars: 692
- Forks: 147
- Issues: 6
- Updated: 1y ago
- License: -
- Language: C#, Perl

About KAPE

KAPE (Kroll Artifact Parser and Extractor) is a triage tool that finds and parses forensic artifacts in minutes. Developed by Eric Zimmerman at Kroll, it operates in two phases: collection targets gather specific files and artifacts from a system, while module processors parse those artifacts into human-readable formats. KAPE ships with hundreds of pre-built targets covering browser history, event logs, registry hives, prefetch files, SRUM data, scheduled tasks, and virtually every forensic artifact type on Windows. Its module system integrates with Eric Zimmerman's tools (LECmd, PECmd, MFTECmd, etc.) and community parsers to process collected data automatically. KAPE is designed for speed - it can collect and parse a full forensic triage from a live system in under 10 minutes, making it the go-to tool for rapid incident response triage.

About RegRipper

RegRipper is a Windows registry data extraction and correlation tool, written in Perl with an extensible plugin architecture. It parses offline Windows registry hive files (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat) and extracts forensically significant data including user accounts, network connections, USB device history, application execution, file access timestamps, autorun entries, and hundreds of other artifacts. Each plugin targets a specific registry key or set of keys, formatting the output for analyst consumption. RegRipper is the standard tool for Windows registry forensics - its plugin library covers virtually every registry artifact documented in DFIR literature. It can process hives from mounted images, extracted files, or live systems, and outputs timestamped data suitable for timeline analysis. Harlan Carvey, the author, continuously maintains the plugin library as new forensic artifacts are discovered.

Platform Support

windows, linux, macos
windows, linux

Tags

Shared

dfir

KAPE only

triage, artifact-collection, parsing, eric-zimmerman, kroll

RegRipper only

registry, windows-forensics, artifact-extraction, hive-parser, plugins