Acquire Triage Image Using KAPE

Acquiring a Triage Image With KAPE

Setup: Download KAPE from Kroll’s site or GitHub. Run it from a USB or local folder with admin privileges on your forensic workstation.
Target: Choose your source—e.g., C: for a live system or a mounted image’s drive letter (use Arsenal Image Mounter for E01 files).
Command: Open an admin command prompt, navigate to KAPE’s directory, and run:

.\kape.exe --tsource C: --tdest "F:\EvidenceCollector\" --tflush --target !SANS_Triage --vhdx PC02 --mflush --gui

kape.exe --tsource C: --target KapeTriage --tdest D:\TriageOutput --vhdx TriageImage.vhdx --vss

--tsource C:: Source drive to triage.
--target KapeTriage: Grabs key artifacts (registry, event logs, etc.).
--tdest D:\TriageOutput: Output folder.
--vhdx TriageImage.vhdx: Saves as a VHDX file.
--vss: Includes Volume Shadow Copies for locked/historical data.

Execution: Takes minutes depending on system size. Logs are saved in D:\TriageOutput.
Verify: Mount TriageImage.vhdx (right-click > Mount in Windows) or open in FTK Imager/Autopsy to analyse.

Tips: Add --tflush to wipe the destination first. Customise targets in the Targets folder (e.g., RegistryHives or !BasicCollection). For parsing, add --module !EZParser --mdest D:\Parsed. Ready for triage!

KAPE Cheatsheet

Basic Commands

# Target
.\kape.exe --tsource [DRIVE LETTER] --tdest [DESTINATION INCLUDE FOLDER NAME] --module [MODULE NAME] --gui
# Module
.\kape.exe --msource [DRIVE LETTER] --mdest [DESTINATION INCLUDE FOLDER NAME] --module [MODULE NAME] --gui

Target

KAPE Target Extraction

.\kape.exe --tsource E: --tdest E:\EvidenceCaseFiles\ --target KapeTriage,MessagingClients,RemoteAdmin,ServerTriage,WebBrowsers,WebServers,WSL,MemoryFiles --gui

Module: Live Response

Memory Dump

.\kape.exe --msource C:\ --mdest E:\EvidenceCaseFiles\%m --module MagnetForensics_RAMCapture --gui

Live Response Command and Scanner

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\%m --module PowerShell_Get-InjectedThread,PowerShell_Get-NetworkConnection,PowerShell_Netscan,PowerShell_Signed,SIDR_WindowsIndexSearchParser,WIFIPassView,MagnetForensics_EDD,Nirsoft_BluetoothView,Nirsoft_LastActivityView,Nirsoft_OpenedFilesView,NirSoft_USBDeview,NirSoft_VideoCacheView,NirSoft_WebBrowserPassView,Nirsoft_WhatInStartup,Nirsoft_WifiHistoryView,Nirsoft_WirelessKeyView,SysInternals_Autoruns,SysInternals_Handle,SysInternals_PsFile,SysInternals_PsInfo,SysInternals_PsList,SysInternals_PsLoggedOn,SysInternals_PsService,SysInternals_PsTree,SysInternals_Tcpvcon,Powrshell_LiveResponse_SystemInfo,PowerShell_Arp_Cache_Extraction,PowerShell_Bitlocker_Key_Extraction,PowerShell_Bitlocker_Status,PowerShell_Defender_Exclusions,PowerShell_DLL_List,PowerShell_Dns_Cache,PowerShell_Local_Group_List,PowerShell_LocalAdmin,PowerShell_NamedPipes,PowerShell_NetUserAdministrators,PowerShell_Network_Configuration,PowerShell_Network_Connections_Status,PowerShell_Network_Share,PowerShell_Process_Cmdline,PowerShell_ProcessList_CimInstance,PowerShell_ProcessList_WMI,PowerShell_Services_List,PowerShell_SMBMapping,PowerShell_SMBOpenFile,PowerShell_SMBSession,PowerShell_Startup_Commands,PowerShell_User_List,PowerShell_WMIRepositoryAuditing,Windows_ARPCache,Windows_DNSCache,Windows_GpResult,Windows_IPConfig,Windows_MsInfo,Windows_nbtstat_NetBIOSCache,Windows_nbtstat_NetBIOSSessions,Windows_Net_Accounts,Windows_Net_File,Windows_Net_LocalGroup,Windows_Net_Session,Windows_Net_Share,Windows_Net_Start,Windows_Net_Use,Windows_Net_User,Windows_netsh_portproxy,Windows_NetStat,Windows_qwinsta_RDPSessions,Windows_RoutingTable,Windows_schtasks,Windows_SystemInfo,Reghunter,hasherezade_HollowsHunter --gui

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\%m --module Thor-Lite_Upgrade,Thor-Lite_Scan --gui

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\%m --module Loki_LiveResponse --gui

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\%m --module hasherezade_HollowsHunter --gui

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\%m --module MagnetForensics_RAMCapture --gui

Module: Parsing & Scanning

All-in-one Artifact Parsing

Warning: Super Slow!

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module Loki_Scan,DensityScout,BackstageParser,BitsParser,CCMRUAFinder_RecentlyUsedApps,Chainsaw,DeepblueCLI,DHParser,EvtxHussar,hasherezade_HollowsHunter,INDXRipper,LevelDBDumper,OneDriveExplorer,PowerShell_Get-ChainsawSigmaRules,TeamsParser,ThumbCacheViewer,WMI-Parser,Zircolite_Scan,Zircolite_Update,LogParser_ApacheAccessLogs,LogParser_DetailedNetworkShareAccess,LogParser_LogonLogoffEvents,LogParser_RDPUsageEvents,LogParser_SMBServerAnonymousLogons,Nirsoft_AlternateStreamView,NirSoft_BrowsingHistoryView,NirSoft_FullEventLogView_AllEventLogs,NirSoft_FullEventLogView_Application,NirSoft_FullEventLogView_PowerShell-Operational,NirSoft_FullEventLogView_PrintService-Operational,NirSoft_FullEventLogView_ScheduledTasks,NirSoft_FullEventLogView_Security,NirSoft_FullEventLogView_System,NirSoft_TurnedOnTimesView,NirSoft_WebBrowserDownloads,Nirsoft_WinLogonView,SysInternals_SigCheck,TZWorks_CAFAE_Registry_System,Events-Ripper,Hayabusa,LogParser,MFTECmd,NTFSLogTracker,RECmd_AllBatchFiles,Reghunter,RegRipper,AmcacheParser,AppCompatCacheParser,EvtxECmd,EvtxECmd_RDP,iisGeoLocate,JLECmd,LECmd,PECmd,RBCmd,RecentFileCacheParser,SBECmd,SQLECmd,SQLECmd_Hunt,SrumECmd,SumECmd,WxTCmd,Sync_EvtxECmd,Sync_KAPE,Sync_RECmd,Sync_SQLECmd,Windows_ManageBDE_BitLockerKeys,Windows_ManageBDE_BitLockerStatus --gui

EventLog - Log Scanning & Parsing

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module !!ToolSync,PowerShell_Get-ChainsawSigmaRule,Chainsaw,DeepblueCLI,EvtxHussar,Zircolite_Update,Zircolite_Scan,Events-Ripper,hayabusa_EventStatistics,hayabusa_OfflineEventLogs,hayabusa_OfflineLogonSummary,hayabusa_UpdateRules,EvtxECmd,EvtxECmd_RDP,LogParser,iisGeoLocate

Program Execution

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module CCMRUAFinder_RecentlyUsedApps,AmcacheParser,AppCompatCacheParser,PECmd,RecentFileCacheParser --gui

File Folder Activity

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module BackstageParser,OneDriveExplorer,ThumbCacheViewer,JLECmd,LECmd,RBCmd,SBECmd,WxTCmd --gui

NTFS and FileSystem Parsing

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module !!ToolSync,INDXRipper,MFTECmd,NTFSLogTracker,RegRipper,RECmd_AllBatchFiles --gui

System Activity

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module SRUMDump,WMI-Parser,RECmd_AllBatchFiles,SrumECmd,SumECmd --gui

Mounted Image Scanner

.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module Loki_Scan --gui
.\kape.exe --msource E:\ --mdest E:\EvidenceCaseFiles\ --module DensityScout --gui

PreviousEvidence Collection NextAcquire Triage Data Using Velociraptor

Last updated 15 days ago