
KAPE: A Few Use Cases for Incident Responders

After numerous requests, I've compiled a list of practical use cases for KAPE (Kroll Artifact Parser and Extractor). This tool can significantly speed up artifact collection and parsing during an investigation. Below are common scenarios where KAPE is invaluable:


1. Check UserAssist for Executed Programs

2. Check Amcache and ShimCache for Executed Programs

3. Check LNK Files for Opened Files

4. Check JumpLists (Automatic Destinations) for Opened Files

5. Check $MFT for File Creation Dates of Illicit Images, Videos, etc.

6. Check $MFT and USN Journal for File Knowledge

7. Check $I and $R Files in the Recycle Bin for Evidence of File Deletion

8. Check Volume Shadow Copies for Evidence of Files That May Not Exist on the Current Image

9. Check Prefetch Files for Executed Applications and Their Frequency

10. Check ShellBags for Accessed Folders and Their Timestamps

11. Check Windows Event Logs for Login Attempts, System Errors, and Security Events

12. Check Browser History and Cache for User Internet Activity

13. Check Windows Registry for Startup Programs and Persistence Mechanisms

14. Check Scheduled Tasks for Unauthorized or Suspicious Tasks

15. Check RecentDocs for Recently Accessed Documents

16. Check Network Logs and DNS Cache for Evidence of Suspicious Network Activity

17. Check System Restore Points for Deleted or Altered Files

18. Check Email Clients' Databases for Evidence of Communication

19. Check Installed Software Logs for Traces of Malicious Applications

20. Check Pagefile and Hibernation File for Residual Data of Active Sessions

The pagefile and hibernation file can contain remnants of data from active sessions, potentially revealing important forensic artifacts.
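As an added example (not code from the original post), the PowerShell script below runs a single KAPE pass that collects the artifacts behind the use cases listed above and then parses them with the Eric Zimmerman tools. The install path under C:\Tools and the case folder under D:\Cases are assumptions; the target and module names follow the public KapeFiles repository as I recall them, so confirm each one on your own copy with `kape.exe --tlist` and `kape.exe --mlist` before running.

```powershell
# Added example: one-shot KAPE triage covering the use cases above.
# Run from an elevated PowerShell on the live host, or point $source at a
# mounted image (e.g. 'E:'). Paths are assumptions; adjust for your case.

$kape   = 'C:\Tools\KAPE\kape.exe'   # assumed KAPE install path
$source = 'C:'                       # assumed: live system drive
$case   = 'D:\Cases\HOST01'          # assumed evidence destination
$tdest  = Join-Path $case 'targets'  # raw collected files land here
$mdest  = Join-Path $case 'modules'  # parsed CSV output lands here

# Targets (collection), mapped to the numbered use cases above.
# Names are from the KapeFiles repo; verify with: & $kape --tlist
$targets = @(
    'RegistryHives'         # 1, 10, 13, 15: UserAssist, ShellBags, Run keys, RecentDocs
                            #    (NTUSER.DAT, UsrClass.dat, SYSTEM, SOFTWARE); ShimCache (2) is in SYSTEM
    'Amcache'               # 2: Amcache.hve
    'LnkFilesAndJumpLists'  # 3, 4: LNK files and AutomaticDestinations jump lists
    'FileSystem'            # 5, 6: $MFT, $J (USN journal), $LogFile
    'RecycleBin'            # 7: $I (metadata) and $R (content) files
    'Prefetch'              # 9
    'EventLogs'             # 11
    'WebBrowsers'           # 12: history and cache databases
    'ScheduledTasks'        # 14: Tasks folder and task XML
    'PagefileSys'           # 20: pagefile.sys (large; drop it if disk space is tight)
) -join ','

# Modules (parsing). !EZParser is a compound module that runs PECmd, LECmd,
# JLECmd, RBCmd, MFTECmd, AmcacheParser, AppCompatCacheParser, SBECmd,
# EvtxECmd and friends over whatever was collected. Verify with: & $kape --mlist
$modules = '!EZParser'

# --tflush / --mflush clear the destinations first so reruns do not mix evidence.
# --vss also walks volume shadow copies (use cases 8 and 17) so files that no
# longer exist on the live volume are still collected and parsed.
# --mef csv writes every parser's output as CSV for timeline tooling.
& $kape --tsource $source --tdest $tdest --tflush --target $targets --vss `
        --msource $tdest --mdest $mdest --mflush --module $modules --mef csv

if ($LASTEXITCODE -ne 0) {
    Write-Warning "KAPE exited with code $LASTEXITCODE; check the console log in $tdest"
}
```

Add `--gui` to the same command line to have KAPE print the equivalent GUI configuration without collecting anything, which is a cheap way to check the target and module names resolve. Note that the DNS cache in use case 16 is volatile and only exists on a running system, so it is not covered by a disk-artifact collection like this one.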


By integrating KAPE into your digital forensic and incident response workflows, you can streamline your investigations and improve your ability to uncover critical evidence, whether you are dealing with user activity, file access, or system anomalies.

Akash Patel
