Authorized Use Only: KAPE collects forensic artifacts from systems. Only run KAPE against systems you own or are explicitly authorized in writing to acquire and analyze. Preserve chain of custody and follow your organization's evidence-handling procedures.
KAPE (Kroll Artifact Parser and Extractor) is a free, Windows-native triage tool authored by Eric Zimmerman and distributed by Kroll. It performs two distinct phases controlled by separate configuration sets:
Targets (.tkape files) define what to collect. KAPE reads the raw NTFS file system (via direct volume access) to copy locked or in-use files such as registry hives, $MFT, event logs, prefetch, browser databases and LNK files without triggering anti-tamper protections. Targets can be chained into "compound" targets (for example KapeTriage or !SANS_Triage) that pull a forensically rich subset in minutes.

Modules (.mkape files) define how to process collected (or live) data. Modules wrap external binaries, primarily Eric Zimmerman's tools (PECmd, MFTECmd, RECmd, etc.), and emit normalized CSV/JSON output. The !EZParser compound module runs the full EZ Tools suite against a target collection.

KAPE ships with both a CLI (kape.exe) and a GUI front end (gkape.exe). Because of its speed, KAPE lets responders prioritize which hosts warrant deep forensic imaging, making it a cornerstone of modern remote and at-scale DFIR triage.
_kape.cli files.

```bat
REM From the KAPE directory, sync community Targets/Modules from GitHub
kape.exe --sync
REM Download/update the EZ Tools binaries that Modules invoke.
REM Get-KAPEUpdate.ps1 ships with KAPE and is a PowerShell script, so launch it via powershell.exe
powershell.exe -ExecutionPolicy Bypass -File .\Get-KAPEUpdate.ps1
```
| ID | Official Technique Name | Relevance to this skill |
|---|---|---|
| T1005 | Data from Local System | KAPE reads artifacts directly from the local file system; defenders use the same capability to forensically acquire that data for analysis. |
KAPE is a defensive DFIR tool. The mapping reflects the data-source artifacts (local file system) that adversary actions leave behind and that KAPE preserves for investigation.
Always work from current Targets/Modules and EZ Tools binaries so parsers match the latest artifact formats.
```bat
cd C:\KAPE
kape.exe --sync
```
List what is available before building a collection so you scope precisely.
```bat
REM Show all Targets
kape.exe --tlist
REM Show all Modules
kape.exe --mlist
```
Targets require the three switches --tsource, --target, and --tdest. --tflush clears the destination first. Use a compound target such as KapeTriage for a fast, broad pull.
```bat
kape.exe --tsource C: ^
  --target KapeTriage ^
  --tdest E:\kape_out\HOST01\tdest ^
  --tflush
```
Add --vss to also process every VSS snapshot on the source volume, recovering historical artifact states.
```bat
kape.exe --tsource C: ^
  --target !SANS_Triage ^
  --tdest E:\kape_out\HOST01\tdest ^
  --vss --tflush
```
--vhdx (or --zip) wraps the output into a single mountable/transportable container. --vhdx takes a base name (an identifier), NOT a filename. KAPE writes a console log and copy log you should retain.
```bat
kape.exe --tsource C: ^
  --target KapeTriage ^
  --tdest E:\kape_out\HOST01\tdest ^
  --vhdx HOST01 --tflush --gui
```
Modules require --module and --mdest. Point --msource at the collected target output and run !EZParser to parse everything into CSV/JSON.
```bat
kape.exe --msource E:\kape_out\HOST01\tdest\C ^
  --mdest E:\kape_out\HOST01\mdest ^
  --module !EZParser ^
  --mflush
```
You can collect and process in a single invocation by supplying both Target and Module switches.
```bat
kape.exe --tsource C: ^
  --target KapeTriage ^
  --tdest E:\kape_out\HOST01\tdest ^
  --mdest E:\kape_out\HOST01\mdest ^
  --module !EZParser ^
  --tflush --mflush --vss
```
_kape.cli for fleet deployment

KAPE reads a _kape.cli file (one argument set per line) placed next to kape.exe and executes each line in sequence, which makes it ideal for pushing an identical collection via EDR or PsExec. Generate the exact CLI from the GUI's "Copy command line" button, then drop it into _kape.cli.

```bat
REM Contents of _kape.cli (each line = one full KAPE run):
--tsource C: --target KapeTriage --tdest %%d\Disk\%%m --vhdx %%m --zv false
```
%%d resolves to the KAPE directory and %%m to the machine name, so a single CLI auto-names output per host. Launch by running kape.exe with no arguments.
Confirm KAPE's CopyLog, ConsoleLog, and SkipLog CSVs are present in the target output, and validate the SHA-1 hashes KAPE records for each copied file against the source where possible.
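As an added example (not KAPE's own code or part of the original page), the Python script below reads a KAPE CopyLog, recomputes the SHA-1 of every destination file and sorts the rows into verified, mismatched and missing. The column names DestinationFile and SHA1 are assumptions to confirm against your CopyLog header, and demo() builds a constructed tdest in a temporary directory rather than using real evidence.

```python
import csv
import hashlib
import os
import tempfile

# Assumed CopyLog column names: confirm against the header of the CopyLog
# CSV KAPE wrote into --tdest and adjust if yours differ.
DEST_COL = "DestinationFile"
HASH_COL = "SHA1"

def sha1_of(path):
    """Stream a file through SHA-1, the algorithm KAPE records per copied file."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_copylog(copylog_path, dest_col=DEST_COL, hash_col=HASH_COL):
    """Return (verified, mismatched, missing) lists of destination paths."""
    verified, mismatched, missing = [], [], []
    with open(copylog_path, newline="", encoding="utf-8-sig") as f:
        for row in csv.DictReader(f):
            dest = row[dest_col]
            if not os.path.isfile(dest):
                missing.append(dest)        # listed in CopyLog but absent on disk
            elif sha1_of(dest) == row[hash_col].strip().lower():
                verified.append(dest)
            else:
                mismatched.append(dest)     # content changed after acquisition
    return verified, mismatched, missing

def demo():
    """Constructed tdest: one intact file, one altered file, one missing file."""
    root = tempfile.mkdtemp()
    rows = []
    for name, data in (("good.bin", b"intact artifact"), ("bad.bin", b"as copied")):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        rows.append(["C:\\" + name, path, sha1_of(path)])
    with open(os.path.join(root, "bad.bin"), "wb") as f:
        f.write(b"altered after acquisition")  # simulated post-copy tampering
    rows.append(["C:\\gone.bin", os.path.join(root, "gone.bin"), "0" * 40])
    copylog = os.path.join(root, "CopyLog.csv")
    with open(copylog, "w", newline="") as f:
        csv.writer(f).writerows([["SourceFile", DEST_COL, HASH_COL]] + rows)
    return verify_copylog(copylog)

if __name__ == "__main__": print(demo())
```

Run it against an unpackaged --tdest or a mounted VHDX; any entry in the mismatched or missing lists should be reconciled against the ConsoleLog and SkipLog before the collection is relied on.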
| Resource | Purpose | Link |
|---|---|---|
| KAPE download | Official Kroll distribution (free) | https://www.kroll.com/kape |
| KAPE Documentation | MDwiki docs for switches and config | https://ericzimmerman.github.io/KapeDocs/ |
| KapeFiles repo | Community Targets and Modules | https://github.com/EricZimmerman/KapeFiles |
| EZ Tools | Parsers invoked by KAPE Modules | https://ericzimmerman.github.io/ |
| KAPE on SANS | Background, history, methodology | https://www.sans.org/tools/kape/ |
| Switch | Phase | Purpose |
|---|---|---|
| --tsource | Target | Source volume/drive to collect from |
| --target | Target | Target or compound target name |
| --tdest | Target | Destination for collected files |
| --tflush | Target | Empty --tdest before collecting |
| --vss | Target | Process all Volume Shadow Copies |
| --vhdx / --zip | Target | Package output into a container (base name) |
| --module | Module | Module or compound module name |
| --msource | Module | Source data for module processing |
| --mdest | Module | Destination for parsed output |
| --mflush | Module | Empty --mdest before processing |
| --sync | Both | Update Targets/Modules from GitHub |
| --tlist / --mlist | Both | List available Targets / Modules |
--tsource, --target, --tdest
!EZParser) producing CSV/JSON in --mdest
_kape.cli validated for fleet deployment where applicable