KAPE
Threat Intelligence · C#
KAPE (Kroll Artifact Parser and Extractor) is a triage tool that finds and parses forensic artifacts in minutes. Developed by Eric Zimmerman at Kroll, it operates in two phases: collection targets gather specific files and artifacts from a system, while module processors parse those artifacts into human-readable formats. KAPE ships with hundreds of pre-built targets covering browser history, event logs, registry hives, prefetch files, SRUM data, scheduled tasks, and virtually every forensic artifact type on Windows. Its module system integrates with Eric Zimmerman's tools (LECmd, PECmd, MFTECmd, etc.) and community parsers to process collected data automatically. KAPE is designed for speed - it can collect and parse a full forensic triage from a live system in under 10 minutes, making it the go-to tool for rapid incident response triage.
Use Cases
- Rapid forensic triage collection from live systems in under 10 minutes
- Automated parsing of event logs, registry hives, and browser artifacts
- Processing collected artifacts with Eric Zimmerman tools and community modules
- Building standardized triage packages for consistent incident response workflows
- Collecting evidence from remote endpoints using network-mounted collection
Details
- Category: Threat Intelligence
- Language: C#
- Platforms: Windows, Linux, macOS
Alternatives & Comparisons
- Velociraptor (Go): Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.
- CyLR (C#): Live response collection tool for quickly gathering forensic artifacts from hosts during incident response.
- MISP (PHP/Python): Open-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
- OpenCTI (TypeScript/Python): Cyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
- TheHive (Scala/JavaScript): Incident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
- GRR Rapid Response (Python): Remote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
- Cortex (Scala/Python): Observable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.
- RegRipper (Perl): Windows registry forensic parser. Extracts and decodes forensic artifacts from registry hives with extensible plugins.
- osquery (C++): SQL-powered endpoint visibility. Query operating system state as a relational database for security monitoring and compliance.