Ridgeline Skill

For DFIR Practitioners, SOC Analysts, and Threat Hunters

Aligned to MITRE ATT&CK · Microsoft forensic artifact reference

KAPE and EZ Tools Mastery

Focused skills. One capability. Production-ready.

Use KAPE and EZ Tools as a complete evidence collection and processing system. Build custom collection profiles, select the right parser for every artifact type, and run repeatable processing pipelines that produce analyst-ready output. 4 hours to production proficiency.

Text-based · Persistent labs on your own hardware · 2 free modules available now · Content last updated: May 2026

What you'll deploy
KAPE collection profiles for targeted endpoint triage
EZ Tools parsing pipeline for MFT, registry, and event logs
Evidence collection scripts with integrity verification

The problem this solves

KAPE and Eric Zimmerman's tools are the standard collection and parsing toolkit for Windows DFIR. Every IR team uses them. Almost nobody uses them systematically — they run !SANS_Triage, get a directory of output, and guess which EZ Tool to run against which file.

This skill builds three things: custom collection profiles you design for specific investigation needs, the tool-to-artifact mapping so you run the right parser every time, and automated pipelines that make your workflow repeatable across engagements.

What you will be able to do

1. Explain KAPE's target-module architecture and predict what any .tkape or .mkape file will do by reading it.

2. Build custom targets for specific investigation needs — not just run pre-built compound targets.

3. Map every major Windows artifact to the correct EZ Tool, run it with the right flags, and interpret the key output columns.

4. Chain KAPE collection with EZ Tools parsing in a single automated pipeline, producing analyst-ready output.

5. Deploy KAPE in production scenarios: triage collection, fleet-wide hunting, remote collection, with chain of custody documentation.

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 6 content sections + guided lab

Estimated time: 4 hours (self-paced)

Tier: Premium subscription

Prerequisites: Windows forensics familiarity. The Practical IR or Windows Forensic Analysis courses strengthen your foundation but are not required.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Custom target library: Target files you built during the skill, ready to deploy.

Processing pipeline: A repeatable KAPE → EZ Tools → Timeline Explorer workflow you can use on Monday.

Quick reference: Tool-to-artifact mapping, command syntax, common flags — bookmarkable, returnable.

Chain of custody template: Collection documentation that survives legal review.

Sections

Six focused sections plus a guided lab. Each section is a worked example you execute in your own lab.

KE0.1
KAPE Architecture: Targets, Modules, and the Collection Model — What KAPE actually does and doesn't do. The target-module split. Directory structure. How KAPE discovers and loads targets and modules. The !SANS_Triage compound target — what it collects and why. Running your first collection. Understanding the output directory tree.
KE0.2
Building Custom Targets and Compound Targets — When !SANS_Triage isn't enough. Reading and modifying existing target files. Building targets for specific investigation needs. Compound targets: combining multiple targets into one collection profile. Testing targets before production deployment.
KE0.3
EZ Tools: The Right Parser for Every Artifact — The complete EZ Tools suite mapped to artifact types. MFTECmd, PECmd, AmcacheParser, AppCompatCacheParser, RECmd, SBECmd, LECmd, JLECmd, EvtxECmd, SrumECmd. Each tool's core command, common flags, and output format. End-to-end processing of a complete collection.
KE0.4
Processing Pipelines: Collection to Timeline in One Workflow — Chaining collection with parsing using KAPE modules. The !EZParser compound module. Building custom processing modules. Automating the full pipeline. Body file generation. Loading parsed output into Timeline Explorer.
KE0.5
Production Workflows: Triage, Hunting, and Remote Collection — Real-world deployment patterns. USB-boot triage. Fleet-wide hunting via SCCM/Intune. Remote collection with Velociraptor integration. Batch processing for multi-endpoint collections. Chain of custody documentation.
KE0.6
Artifact Analysis: Reading the Evidence — The analytical workflow that turns EZ Tools output into investigation findings. Five investigation questions applied systematically: What executed? How did they persist? What data was accessed? How did they get in? What's the timeline? Cross-artifact correlation, Timeline Explorer techniques, and the method for building a multi-source investigation timeline.
Lab
Guided Lab: Endpoint Triage — Collection to Findings — The complete workflow against a simulated compromised endpoint. Plant realistic indicators, collect with KAPE, process with EZ Tools, analyze across every artifact type, correlate a timeline, and produce a triage summary. 90 minutes. You finish with a documented investigation you ran yourself.

Related courses

Practical Incident Response — The investigation methodology that KAPE collections feed into. IR1 covers toolkit setup; this skill goes deeper on KAPE and EZ Tools specifically.

Advanced Windows Forensic Analysis — The artifact-level forensics that EZ Tools output enables. WF11 covers collection at scale; this skill focuses on the KAPE/EZ Tools system itself.

Incident Triage & First Response — The triage methodology where KAPE collection speed matters most.

About Ridgeline Skills

Skills build one capability — 4-8 hours of practitioner-written content with the same depth standard as full Ridgeline courses. Some capabilities don't need 15 modules: these are the ones that deserve proper treatment but don't warrant a full course.

Included with every Premium and Specialist subscription.