KAPE + EZ Tools and Beyond

Eric Zimmerman


This talk will review the latest open source forensic tools created by Eric Zimmerman, including those for Windows event logs and NTFS metadata files such as $MFT, $SDS, etc. It will also cover the newly added ability to pull artifacts both from the active file system and from volume shadow copies. Finally, KAPE will be shown both for its ability to quickly collect data from a system and for processing collected data using EZ Tools and other CLI-based tools. Also included will be a discussion of KAPE architecture and configurations, with demonstrations of how to build custom targets and modules. This allows anyone to extend KAPE both to collect anything from a system and to add new processing capabilities according to an individual investigator's needs.
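To make the "custom targets and modules" point concrete, here is an added illustration (not from the talk or from the KapeFiles project) of the two YAML files KAPE uses: a target (`.tkape`) that tells KAPE what to collect, and a module (`.mkape`) that tells it what to run against the collected data. The `Id` values are placeholder GUIDs that must be replaced with a freshly generated one per file, and the module assumes `EvtxECmd.exe` is present in KAPE's `Modules\bin` folder.

```yaml
# ---- Targets\Custom\EvtxLogs.tkape (constructed example) ----
# A target describes WHAT to collect. KAPE copies matching files from
# --tsource into --tdest, preserving the original directory layout.
Description: Windows event logs (custom collection target)
Author: Example Author
Version: 1.0
Id: 00000000-0000-0000-0000-000000000001   # placeholder; generate a real GUID
RecreateDirectories: true
Targets:
    -
        Name: Event logs
        Category: EventLogs
        Path: C:\Windows\System32\winevt\logs   # drive letter is replaced by --tsource
        FileMask: '*.evtx'
        Recursive: false
        Comment: "Collected from the live volume and, with --vss, from each shadow copy"

# ---- Modules\Custom\EvtxECmd_Csv.mkape (constructed example) ----
# A module describes HOW to process collected data. %sourceDirectory% and
# %destinationDirectory% are substituted from --msource and --mdest at run time.
Description: Parse collected .evtx files to CSV with EvtxECmd
Category: EventLogs
Author: Example Author
Version: 1.0
Id: 00000000-0000-0000-0000-000000000002   # placeholder; generate a real GUID
BinaryUrl: https://ericzimmerman.github.io/   # where to obtain the tool; informational only
ExportFormat: csv
Processors:
    -
        Executable: EvtxECmd.exe
        CommandLine: -d %sourceDirectory% --csv %destinationDirectory%
        ExportFormat: csv
```

With both files in place, a single run of `kape.exe --tsource C: --tdest C:\kape\tout --target EvtxLogs --vss --msource C:\kape\tout --mdest C:\kape\mout --module EvtxECmd_Csv` collects the logs (including copies found in volume shadow copies) and then parses them to CSV; the same pattern, with a different `Path`/`FileMask` and a different `Executable`, extends KAPE to any artifact and any command-line parser.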

About Eric Zimmerman

Eric Zimmerman is a senior director in Kroll's Cyber Risk practice. Eric has a tremendous depth and breadth of expertise in the cyber realm, spanning complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture. He has received numerous recognitions for his work, is an award-winning author, and is a frequently sought-after instructor and presenter on cyber-related topics.

Before joining Kroll, Eric was a Special Agent with the Federal Bureau of Investigation (FBI), specializing in investigating criminal and national security-related computer intrusions, crimes against children (production, distribution, and possession of child pornography), intellectual property theft, and related crimes.

Eric has developed and maintains many open source forensic tools covering a wide range of Windows artifacts.