Kroll Artifact Parser and Extractor (KAPE) parses and extracts Windows forensic artifacts. It is widely used by digital forensics and incident response (DFIR) professionals to pull key artifacts from disk images, live systems, or specific directories, and to triage a host in minutes rather than imaging the whole disk.
KAPE operates in two main stages, which can be run together or separately:
- Target Collection: KAPE copies forensic artifacts based on predefined or custom targets, such as registry hives, event logs, the $MFT, and browser history, preserving the original file metadata. Targets are file-based; memory acquisition is done through modules that wrap a capture tool, not through targets.
- Module Processing: KAPE processes the collected data using modules, which wrap scripts or tools (e.g., RegRipper, MFTECmd, EvtxECmd) to parse the artifacts into reviewable output such as CSV.
- .tkape is the file extension for KAPE targets (YAML files describing what to collect); modules use the .mkape extension.
- Compound targets are targets whose entries point at other .tkape files, so a single --target name (e.g., KapeTriage) collects many artifact sets in one run.
- The Modules\bin directory holds the executables the modules call (EvtxECmd.exe, MFTECmd.exe, etc.). These are not present on a typical Windows host and are not bundled with KAPE itself, so the directory must be populated before running modules.

- Batch mode → KAPE can be run in batch mode by placing the full command line(s) in a file named _kape.cli in the same directory as kape.exe; running kape.exe with no arguments then executes every line in that file, which is convenient for launching a fixed collection from a USB drive or a deployment tool.
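The following PowerShell script is an added example, not code from the original page or from KAPE's own documentation; it ties the pieces above together by writing a custom .tkape target, a compound target that references it alongside the stock EventLogs and RegistryHives targets, and a _kape.cli batch file, then launching kape.exe with no arguments so the batch file is picked up. The KAPE install location (C:\KAPE), the output paths under C:\Temp, and the custom target names are assumptions; the command-line switches, the .tkape layout, and the !EZParser compound module are KAPE's own.

```powershell
# Added example. Assumes KAPE is unpacked at C:\KAPE; adjust $KapeRoot if not.
$KapeRoot  = 'C:\KAPE'
$TargetDir = Join-Path $KapeRoot 'Targets\Custom'   # KAPE scans Targets\ recursively
$TargetOut = 'C:\Temp\tout'                          # collected files land here
$ModuleOut = 'C:\Temp\mout'                          # parsed output (CSV) lands here

New-Item -ItemType Directory -Force -Path $TargetDir, $TargetOut, $ModuleOut | Out-Null

# 1. A simple target (.tkape): one artifact, selected by path plus file mask.
#    The Id must be a unique GUID; generating it here avoids a hard-coded placeholder.
#    The '*' in the path expands to every user profile.
$simpleTarget = @"
Description: PowerShell console history (PSReadLine)
Author: Example
Version: 1.0
Id: $([guid]::NewGuid())
RecreateDirectories: true
Targets:
    -
        Name: PSReadLine ConsoleHost_history
        Category: PowerShellHistory
        Path: C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
        FileMask: ConsoleHost_history.txt
"@
Set-Content -Path (Join-Path $TargetDir 'PSReadLineHistory.tkape') -Value $simpleTarget -Encoding UTF8

# 2. A compound target: entries with Category "Compound" point at other .tkape files
#    (KAPE resolves them by file name), so one --target pulls several artifact sets.
$compoundTarget = @"
Description: Example compound target - event logs, registry hives, PowerShell history
Author: Example
Version: 1.0
Id: $([guid]::NewGuid())
RecreateDirectories: true
Targets:
    -
        Name: EventLogs
        Category: Compound
        Path: EventLogs.tkape
    -
        Name: RegistryHives
        Category: Compound
        Path: RegistryHives.tkape
    -
        Name: PSReadLineHistory
        Category: Compound
        Path: PSReadLineHistory.tkape
"@
Set-Content -Path (Join-Path $TargetDir 'ExampleTriage.tkape') -Value $compoundTarget -Encoding UTF8

# 3. Batch mode: _kape.cli beside kape.exe, one full KAPE command line per line.
#    This line collects with the compound target, then runs the !EZParser compound
#    module over the collected files; its parsers must already sit in Modules\bin.
#    --tflush/--mflush clear the destinations first; --gui keeps the console open.
$batch = "--tsource C: --tdest $TargetOut --tflush --target ExampleTriage " +
         "--msource $TargetOut --mdest $ModuleOut --mflush --module !EZParser --gui"
Set-Content -Path (Join-Path $KapeRoot '_kape.cli') -Value $batch -Encoding ASCII

# 4. kape.exe started with no arguments looks for _kape.cli and executes it.
#    Collecting from a live C: needs elevation so locked files (hives, $MFT) can be read.
Start-Process -FilePath (Join-Path $KapeRoot 'kape.exe') -WorkingDirectory $KapeRoot -Verb RunAs
```

Run the script from an elevated prompt on the host being triaged (or from the USB drive that carries KAPE). Because the batch file contains the whole command, the same _kape.cli can be dropped next to kape.exe by an EDR or deployment tool and run unattended; check Modules\bin first, since a module whose executable is missing produces no output rather than an error you can act on later.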