How to Use Kroll Artifact Parser and Extractor (KAPE) for Timeline Analysis
Special guest: Mari DeGrazia, Associate Managing Director, Kroll Cyber Risk
In this episode, Mari discusses the Kroll Artifact Parser and Extractor (KAPE) and how this impacts “timelining.” Timelining is already critical to her analysis process for incident response investigations. KAPE is now relevant across all forensics investigations as it helps build out connections between events, activities, and more.
In traditional digital forensics there is a common set of artifacts that gets investigated: event logs, prefetch files, USB device activity and the like. Each of these, however, lives in its own area and is examined with a separate tool.
With timelining, you have the opportunity to take all of these disparate data points and consolidate them sequentially into an easy-to-view timeline. This helps establish visual connections between events and brings your attention to areas you may not have considered investigating before.
In a typical case, an investigator may look at a prefetch file and see that a program was executed. That leads them to ask who was logged in, which sends them to the event logs. At this point, many investigators find themselves in an Excel sheet, copying and pasting relevant details as they go.
A tool like KAPE, however, solves this problem by automating the data connection process and merging it into one format.
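As an added illustration of the consolidation step described above (this is not KAPE's code or output, nor anything from the episode), the Python below normalizes constructed prefetch, event log and USB records to one UTC time base before sorting them into a single timeline; every record layout, field name and sample value is an assumption.

```python
"""Mini "super timeline": merge heterogeneous artifacts on one UTC time base.
Added example, not from the episode or from KAPE. All record layouts, field
names and sample values are constructed assumptions, not real evidence."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME (as stored in Prefetch): 100 ns ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def iso_to_utc(text: str) -> datetime:
    # Accept a trailing 'Z'; refuse naive timestamps, which would silently
    # sort wrong against records that carry a UTC offset.
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone: {text}")
    return dt.astimezone(timezone.utc)

# Constructed sample records (assumed layouts, one per artifact type)
SAMPLE_PREFETCH = [{"exe": "ARCHIVER.EXE", "last_run_filetime": 133541209500000000}]
SAMPLE_EVTX = [
    {"event_id": 4624, "user": "svc_backup", "time": "2024-03-05T03:00:00Z"},
    {"event_id": 4624, "user": "jdoe", "time": "2024-03-05T13:58:00Z"},
]
SAMPLE_USB = [  # setupapi-style local time that carries its UTC offset
    {"device": "SanDisk Ultra", "first_insert": "2024-03-05T09:05:00-05:00"},
]

def build_timeline(prefetch, evtx, usb):
    """Normalize every record to (utc_time, source, summary) and sort once."""
    rows = []
    for r in prefetch:
        rows.append((filetime_to_utc(r["last_run_filetime"]), "prefetch",
                     f'executed {r["exe"]}'))
    for r in evtx:
        rows.append((iso_to_utc(r["time"]), "evtx",
                     f'EID {r["event_id"]} user={r["user"]}'))
    for r in usb:
        rows.append((iso_to_utc(r["first_insert"]), "usb",
                     f'inserted {r["device"]}'))
    return sorted(rows, key=lambda row: row[0])

def pivot_window(timeline, pivot_summary, minutes=10):
    """Rows within +/- minutes of the first row whose summary contains pivot_summary."""
    pivot = next(t for t, _, s in timeline if pivot_summary in s)
    delta = timedelta(minutes=minutes)
    return [row for row in timeline if abs(row[0] - pivot) <= delta]
```

Sorting the raw strings would have placed the USB insertion (local time 09:05) before the logon; after normalization it correctly lands minutes after the program execution, which is the kind of connection the timeline is meant to surface.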
Listen to the podcast to find out how KAPE can help speed up your digital investigations.