Ridgeline Skill

For DFIR Practitioners, SOC Analysts, and Threat Hunters

Aligned to MITRE ATT&CK. Microsoft forensic artifact reference.

KAPE and EZ Tools Mastery

Focused skills. One thing, learned properly.

Learn to use KAPE and EZ Tools as a complete evidence collection and processing system. Master the target-module architecture, build custom collection profiles, select the right parser for every artifact type, and run repeatable processing pipelines. 4 hours to production proficiency.

Content last updated: April 2026

Why take this course

For junior DFIR practitioners and SOC analysts moving into forensic triage. You finish able to run production-grade triage collection and artifact parsing with KAPE and the EZ Tools suite — the working toolkit for every Windows forensic investigation, free and industry-standard.

What this skill teaches

KAPE and Eric Zimmerman's tools are the standard collection and parsing toolkit for Windows DFIR. Every IR team uses them. Almost nobody learns them systematically — they learn by running !SANS_Triage, getting a directory of output, and guessing which EZ Tool to run against which file.

This skill teaches the architecture so you can build your own collection profiles, the tool mapping so you know exactly which parser handles which artifact, and the pipeline automation so your workflow is repeatable across engagements.

What you will be able to do

1. Explain KAPE's target-module architecture and predict what any .tkape or .mkape file will do by reading it.

2. Build custom targets for specific investigation needs — not just run pre-built compound targets.

3. Map every major Windows artifact to the correct EZ Tool, run it with the right flags, and interpret the key output columns.

4. Chain KAPE collection with EZ Tools parsing in a single automated pipeline, producing analyst-ready output.

5. Deploy KAPE in production scenarios: triage collection, fleet-wide hunting, remote collection, with chain of custody documentation.

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 6 content sections + guided lab

Estimated time: 4 hours (self-paced)

Tier: Premium subscription

Prerequisites: Windows forensics familiarity. The Practical IR or Windows Forensic Analysis courses strengthen your foundation but are not required.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Custom target library: Target files you built during the skill, ready to deploy.

Processing pipeline: A repeatable KAPE → EZ Tools → Timeline Explorer workflow you can use on Monday.

Quick reference: Tool-to-artifact mapping, command syntax, common flags — bookmarkable, returnable.

Chain of custody template: Collection documentation that survives legal review.

What this course does NOT cover

Deliberate scope boundaries. If any of these is your primary need, the sibling course is the better fit.

Sections

Six focused sections plus a guided lab. Each section is a worked example you execute in your own lab.

KE0.1
KAPE Architecture: Targets, Modules, and the Collection Model — What KAPE actually does and doesn't do. The target-module split. Directory structure. How KAPE discovers and loads targets and modules. The !SANS_Triage compound target — what it collects and why. Running your first collection. Understanding the output directory tree.
KE0.2
Building Custom Targets and Compound Targets — When !SANS_Triage isn't enough. Reading and modifying existing target files. Building targets for specific investigation needs. Compound targets: combining multiple targets into one collection profile. Testing targets before production deployment.
KE0.3
EZ Tools: The Right Parser for Every Artifact — The complete EZ Tools suite mapped to artifact types. MFTECmd, PECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, LECmd, JLECmd, EvtxECmd, SrumECmd. Each tool's core command, common flags, and output format. End-to-end processing of a complete collection.
KE0.4
Processing Pipelines: Collection to Timeline in One Workflow — Chaining collection with parsing using KAPE modules. The !EZParser compound module. Building custom processing modules. Automating the full pipeline. Body file generation. Loading parsed output into Timeline Explorer.
KE0.5
Production Workflows: Triage, Hunting, and Remote Collection — Real-world deployment patterns. USB-boot triage. Fleet-wide hunting via SCCM/Intune. Remote collection with Velociraptor integration. Batch processing for multi-endpoint collections. Chain of custody documentation.
KE0.6
Artifact Analysis: Reading the Evidence — The analytical workflow that turns EZ Tools output into investigation findings. Five investigation questions applied systematically: What executed? How did they persist? What data was accessed? How did they get in? What's the timeline? Cross-artifact correlation, Timeline Explorer techniques, and the method for building a multi-source investigation timeline.
Lab
Guided Lab: Endpoint Triage — Collection to Findings — The complete workflow against a simulated compromised endpoint. Plant realistic indicators, collect with KAPE, process with EZ Tools, analyze across every artifact type, correlate a timeline, and produce a triage summary. 90 minutes. You finish with a documented investigation you ran yourself.

Related courses

Practical Incident Response — The investigation methodology that KAPE collections feed into. IR1 covers toolkit setup; this skill goes deeper on KAPE and EZ Tools specifically.

Advanced Windows Forensic Analysis — The artifact-level forensics that EZ Tools output enables. WF11 covers collection at scale; this skill focuses on the KAPE/EZ Tools system itself.

Incident Triage & First Response — The triage methodology where KAPE collection speed matters most.

About Ridgeline Skills

Skills are focused training on a single capability: 4-8 hours of practitioner-written content with the same depth standard as full Ridgeline courses. Not every capability needs 15 modules. Skills cover the ones that need proper treatment but don't warrant a full course.

Included with every Premium and Specialist subscription.