KAPE Quarterly Update - Q4 2023
by Andrew Rathbun, Eric Zimmerman
With KAPE, users can find and prioritize the systems that are most critical to their case and collect key artifacts before imaging.
With KAPE, forensic investigations no longer require long waits to gather full system images and then wade through data of which 90% typically has little or no forensic value.
"The gist of [KAPE] is that in as little as half an hour, we can go from disk imaging to substantive analysis of filesystem, shell, execution, event, and registry data."
Troy Larson, Microsoft
KAPE operates in two primary phases – target collection and module execution.
KAPE lets users access targets and modules for the most common operations required in a forensic exam, letting investigators gather many more artifacts in much less time, and enriching evidentiary libraries.
KAPE’s primary focus is collecting and processing relevant data quickly, grouping artifacts into categorized directories such as EvidenceOfExecution, BrowserHistory and AccountUsage. Grouping items by category means an examiner no longer needs to learn how to process prefetch, shimcache, amcache, userassist, etc., individually in order to work with evidence of execution artifacts.
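As an added illustration of the two phases described above (example commands, not from this page or from Kroll's documentation), the following PowerShell session collects artifacts with the KapeTriage compound target and then parses the collected copy with the !EZParser compound module; both names ship with KAPE. The drive letters, output paths and the assumption that kape.exe is in the current directory are illustrative.

```powershell
# Added example of a two-phase KAPE run. Output paths and the working
# directory are assumptions; KapeTriage and !EZParser are the compound
# target and module that ship with KAPE. Run from an elevated prompt so
# that locked files (registry hives, $MFT) can be read.

$Collected = 'D:\kape\tout'   # assumed: target-phase output (raw artifact copies)
$Parsed    = 'D:\kape\mout'   # assumed: module-phase output (parsed CSVs)

# Phase 1: target collection. Copies the artifacts named by the KapeTriage
# target off the live C: volume, preserving the original directory tree and
# file timestamps. --tflush empties the destination before collection.
.\kape.exe --tsource C: --tdest $Collected --target KapeTriage --tflush

# Phase 2: module execution. Points the parsers in the !EZParser compound
# module at the collected copy rather than at the live system, so analysis
# never touches the original evidence. --mflush empties the destination first.
.\kape.exe --msource $Collected --mdest $Parsed --module '!EZParser' --mflush

# Module output is grouped by each module's Category, so the analyst sees
# folders such as EvidenceOfExecution and FileSystem rather than one per parser.
Get-ChildItem -Path $Parsed -Directory | Select-Object -ExpandProperty Name
```

Running the two phases as separate invocations, with the module source set to the collection output, keeps the parsed results reproducible: the same collected directory can be re-processed later with new or updated modules without returning to the original host.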
When investigating or collecting data after an incident, forensic examiners must know which artifacts to collect, where they may reside, and how to collect them without damaging the evidence or chain of custody. With KAPE, examiners can find, collect and process forensic artifacts using a process that standardizes forensic engagements by leveraging a wider range of extracted artifacts. KAPE can also help simplify the onboarding and training of new investigators by standardizing and scaling artifact pulls.
Eric Zimmerman and a team of Kroll experts developed a hands-on course that guides forensic examiners to KAPE mastery, enabling law enforcement personnel, first responders, digital forensic analysts and incident response team members to:
Kroll works on some of the most complex and high-profile cyber incidents in the world and performs digital forensics and evidence collection for thousands of companies a year. The work of our cyber experts is enhanced by input from the global DFIR community, which actively contributes to the development of KAPE. To learn more:
Read more about KAPE enterprise licenses here.