killchain-compendium/Forensics/Kape.md

Kroll Artifact Parser

• Collect and processes artifacts on windows
• Collects from live systems, mounted images and F-response tool

Targets

• Needs source and target directory, as well as a module to process the files on
• Target copies a file into a repository
• *.tkape files contains metadata of the files to copy
• Compound Targets contain metadata of multiple files in order to get a result quicker
• !Disable do not appear in the target list
• !Local keep on local

Modules

• Used on the targeted files
• *.mkape files
• Additional binaries are kept in bin