
KAPE & EZ Tools Cheatsheet

The complete Windows DFIR workflow: collect with KAPE, parse with Eric Zimmerman Tools, analyze in Timeline Explorer. Command syntax, custom targets and modules, every parser, output columns, and worked investigation examples. No account needed.

Both suites are free, open-source, and portable (no install, .NET only). KAPE: kape.exe (CLI) / gkape.exe (GUI) from Kroll. EZ Tools: Get-ZimmermanTools.ps1 from ericzimmerman.github.io. Official EZ Tools manual: leanpub.com/eztoolsmanuals. Throughout, evidence path is <EV>, output is <OUT>, tools in C:\IR\Tools.

Already parsed your logs? Triage them in the browser.
Paste your EvtxECmd CSV into the free Event Log Triage Analyzer and it flags the suspicious events (log clears, off-hours logons, service installs, PowerShell cradles) with the reasoning for each. Nothing is uploaded.
THE DFIR WORKFLOW: COLLECT, PARSE, ANALYZE

1. COLLECT: KAPE Targets pull artifacts, fast, forensically sound
2. PARSE: EZ Tools turn binary artifacts into structured CSV
3. ANALYZE: Timeline Explorer filters, correlates, builds the timeline

1. KAPE: collection

KAPE collects forensic artifacts via Targets (what to grab) and processes them via Modules (what to run on the collected data). gkape.exe is the GUI, kape.exe the command line. Run elevated.

Collection (Targets)

# Full triage collection to a VHDX container
kape.exe --tsource C: --tdest E:\Evidence\{hostname} --target !SANS_Triage --vhdx {hostname}

# Targeted collection, specific artifacts only (comma-separated, no spaces)
kape.exe --tsource C: --tdest E:\Evidence\{hostname} --target EventLogs,Prefetch,Amcache,RegistryHives,FileSystem,SRUM

# Collect from a mounted image (E:) instead of a live C:
kape.exe --tsource E: --tdest F:\Evidence\{hostname} --target !SANS_Triage

# Process Volume Shadow Copies too (historical versions of artifacts)
kape.exe --tsource C: --tdest E:\Evidence\{hostname} --target !SANS_Triage --vss

Flag | Purpose
--tsource | Source volume or path to collect from (C:, a mounted image, a directory)
--tdest | Destination for collected files
--target | Target name(s). Prefix ! denotes a compound target
--vhdx / --vhd / --zip | Package output into a container instead of loose files
--vss | Also collect from Volume Shadow Copies
--tflush | Clear the target destination before collecting
--debug / --trace | Verbose logging for troubleshooting

Collect and parse in one pass (Targets + Modules)

# Collect triage artifacts AND run EZ Tools parsers in a single command
kape.exe --tsource C: --tdest E:\Evidence\{hostname} --target !SANS_Triage --mdest E:\Output\{hostname} --module !EZParser

# Run modules over already-collected files (no fresh collection)
kape.exe --msource E:\Evidence\{hostname} --mdest E:\Output\{hostname} --module !EZParser

# !EZParser runs the EZ Tools suite and writes CSV. Requires EZ Tools EXEs
# + Maps copied into KAPE\Modules\bin (see setup note below).

Target / module | Collects / does
!SANS_Triage | Compound target: event logs, registry, Prefetch, Amcache, $MFT, SRUM, browser, LNK, jump lists, and more
!BasicCollection | Lightweight compound target for fast initial triage
EventLogs | All .evtx under winevt\Logs
RegistryHives | SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT, UsrClass.dat
FileSystem | $MFT, $UsnJrnl, $LogFile, $Boot, $J
!EZParser | Module: runs EZ Tools against collected artifacts, outputs CSV
!Disabled\RECmd | Module: runs RECmd batch processing during the module phase
Set up once: copy EZ Tools into KAPE so !EZParser works. Copy every .exe from your EZ Tools folder into C:\IR\Tools\KAPE\Modules\bin, then copy the Maps folder alongside, otherwise event-log parsing loses its named columns.

2. KAPE: management, batch mode, custom targets and modules

Listing and updating

# List all available targets / modules
kape.exe --tlist .
kape.exe --mlist .

# Update targets, modules, and binaries from the KapeFiles GitHub repo
kape.exe --sync

# Update bundled EZ Tools binaries in Modules\bin
kape.exe --sync https://github.com/EricZimmerman/KapeFiles

Batch mode (collect from many hosts / many targets)

# _kape.cli: drop a .cli file in the KAPE folder; KAPE runs each line as a job.
# Useful for scripted or scheduled multi-host collection. One job per line:
--tsource C: --tdest E:\Ev\HOST01 --target !SANS_Triage --vhdx HOST01
--tsource D: --tdest E:\Ev\HOST02 --target !SANS_Triage --vhdx HOST02

Custom Targets (.tkape)

A Target is a YAML .tkape file in KAPE\Targets listing the files/paths to collect. Build one when you need an artifact KAPE does not ship a target for. Targets can reference other targets to compose a compound target.

# Example .tkape structure (YAML). Place in KAPE\Targets\Custom\
Description: Custom app logs
Author: Your Name
Version: 1.0
Id: <generate-a-guid>
RecreateDirectories: true
Targets:
    -
        Name: AppLogs
        Category: ApplicationLogs
        Path: C:\ProgramData\MyApp\Logs\
        Recursive: true
        FileMask: '*.log'

Custom Modules (.mkape)

A Module is a YAML .mkape file in KAPE\Modules that runs an executable against collected data. KAPE substitutes variables at run time: %sourceDirectory% (collected files), %destinationDirectory% (module output). Use a module to wire any CLI parser into the KAPE pipeline.

# Example .mkape structure (YAML). Place in KAPE\Modules\Custom\
Description: Run a custom parser
Category: FileFolderAccess
Author: Your Name
Version: 1.0
Id: <generate-a-guid>
BinaryUrl: <optional download URL>
ExportFormat: csv
Processors:
    -
        Executable: MyParser.exe
        CommandLine: -f %sourceDirectory% --csv %destinationDirectory%
        ExportFormat: csv
Note on exact syntax: the .tkape/.mkape field set evolves with KAPE releases. The structures above show the core fields; check an existing file in KAPE\Targets or KAPE\Modules on your version, or the KapeFiles GitHub repo, for the current full schema before authoring.

3. EZ Tools: execution evidence

What ran on the system, when, and how often.

# PECmd, Prefetch (.pf): what executed, when, run count
PECmd.exe -d "<EV>\Windows\Prefetch" --csv "<OUT>\Prefetch" --csvf prefetch.csv -q

# AmcacheParser, Amcache.hve: execution + SHA1 hashes (-> VirusTotal)
AmcacheParser.exe -f "<EV>\Windows\AppCompat\Programs\Amcache.hve" -i --csv "<OUT>\Amcache" --csvf amcache.csv

# AppCompatCacheParser, ShimCache from the SYSTEM hive
AppCompatCacheParser.exe -f "<EV>\Windows\System32\config\SYSTEM" --csv "<OUT>\ShimCache" --csvf shimcache.csv

# Many EZ Tools accept --vss to also parse Volume Shadow Copy versions

Column (PECmd) | What it tells you
ExecutableName | The program that ran. Expected on this host?
RunCount | Times executed. A count of 1 on a long-deployed host = first-ever run, worth scrutiny
LastRun | Most recent execution (UTC). Correlate with 4624 logons
PreviousRun0-6 | Prior 7 execution times (Win10/11): one-off vs repeated
FilesLoaded | DLLs/files referenced during execution: working directory, side-loaded DLLs
Worked example, PECmd

POWERSHELL.EXE, RunCount 1, LastRun 2026-03-15 14:32:07 UTC on a host deployed 8 months prior. First-ever PowerShell execution means it was invoked by an unusual mechanism, not normal admin activity or Windows Update (either would have incremented the count over 8 months).

Doesn't prove

Who ran it, what commands, or intent.

Next

4624 for the active session at 14:32; 4104 (ScriptBlock) for the commands run.
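The RunCount and FilesLoaded checks from the table above, applied to PECmd output programmatically. This is an added Python example, not code from the cheatsheet or from Eric Zimmerman's tools; the CSV rows are constructed (a subset of PECmd's real columns) and the deployment date, business-hours window and user-path heuristic are assumptions you would tune per host.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of PECmd --csv output. Real files carry more columns
# (Hash, Size, Volume0Name, PreviousRun1..6, ...); only these five are used here.
PREFETCH_CSV = """\
ExecutableName,RunCount,LastRun,PreviousRun0,FilesLoaded
EXPLORER.EXE,412,2026-03-15 08:01:13.1234567,2026-03-14 08:00:55.0000000,\\VOLUME{01d9}\\WINDOWS\\EXPLORER.EXE
POWERSHELL.EXE,1,2026-03-15 14:32:07.0000000,,\\VOLUME{01d9}\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE
UPDATE.EXE,2,2026-03-15 14:40:12.0000000,2026-03-15 14:37:01.0000000,\\VOLUME{01d9}\\USERS\\JMORRISON\\APPDATA\\LOCAL\\TEMP\\UPDATE.EXE
"""

HOST_DEPLOYED = datetime(2025, 7, 10)   # assumption: date the host was imaged
BUSINESS_HOURS = range(7, 19)           # assumption: 07:00-18:59 UTC is normal


def parse_pecmd_time(value):
    """PECmd writes UTC timestamps with seven fractional digits; keep seconds."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S") if value else None


def load_prefetch(text):
    """Read a PECmd CSV into dicts with RunCount and LastRun typed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["RunCount"] = int(row["RunCount"])
        row["LastRun"] = parse_pecmd_time(row["LastRun"])
        rows.append(row)
    return rows


def triage_prefetch(rows, deployed=HOST_DEPLOYED, min_age_days=30):
    """Return [(ExecutableName, LastRun, reason), ...] for rows worth a closer look."""
    findings = []
    for row in rows:
        reasons = []
        age = row["LastRun"] - deployed
        # RunCount 1 on a host deployed long ago is a first-ever execution.
        if row["RunCount"] == 1 and age >= timedelta(days=min_age_days):
            reasons.append(f"first-ever run {age.days} days after deployment")
        if row["LastRun"].hour not in BUSINESS_HOURS:
            reasons.append("executed outside business hours")
        # Files loaded from a user profile: working directory or side-loaded DLL
        # in a user-writable location.
        if "\\USERS\\" in row["FilesLoaded"].upper():
            reasons.append("loaded files from a user profile path")
        for reason in reasons:
            findings.append((row["ExecutableName"], row["LastRun"], reason))
    return findings


if __name__ == "__main__":
    for name, when, reason in triage_prefetch(load_prefetch(PREFETCH_CSV)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {name:<18} {reason}")
```

Each finding is a pivot, not a conclusion: the first-ever PowerShell run still needs the 4624 and 4104 events named in the card above to say who ran it and what.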

4. EZ Tools: filesystem timeline

Every file that exists or was deleted, with timestamps that expose timestomping, plus the operation history.

# MFTECmd, $MFT: every file/dir incl. deleted (InUse=false keeps metadata)
MFTECmd.exe -f "<EV>\`$MFT" --csv "<OUT>\FS" --csvf mft.csv -q

# MFTECmd, $UsnJrnl: operation history (create/rename/move/delete)
MFTECmd.exe -f "<EV>\`$Extend\`$UsnJrnl:`$J" --csv "<OUT>\FS" --csvf usn.csv -q

# MFTECmd, $LogFile and $Boot are also supported via -f

# RBCmd, Recycle Bin: what was deleted, when, original path
RBCmd.exe -d "<EV>\`$Recycle.Bin" --csv "<OUT>\RecycleBin" --csvf recyclebin.csv -q

Column (MFTECmd) | What it tells you
Created0x10 / Created0x30 | $STANDARD_INFORMATION vs $FILE_NAME creation. If they differ = possible timestomping (0x30 is harder to forge)
LastModified0x10 | Last content change (UTC)
InUse | false = deleted, but name, path, size, and timestamps remain
ParentPath / FileName | Full location of the file or its remnant
SI<FN dates | MFTECmd flag column highlighting $SI earlier than $FN, a timestomping indicator
Worked example, MFTECmd

update.exe (Entry 847291) created 14:36:07 UTC in \Users\jmorrison\AppData\Local\Temp\. 0x10 = 0x30 (no timestomping). 287,744 bytes. InUse=false, with a $UsnJrnl delete record at 14:52:33, deleted 16 minutes after creation.

Doesn't prove

Contents, execution, or who created it.

Next

PECmd for execution; AmcacheParser for the SHA1; hash to VirusTotal.
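The two checks this section describes, 0x10 vs 0x30 comparison and pairing a deleted $MFT remnant with its $UsnJrnl delete record, as an added Python example (not the cheatsheet's or MFTECmd's own code). The mft.csv and usn.csv rows are constructed to mirror the update.exe case above plus one timestomped file; column names follow MFTECmd's output, but only a subset of its columns is included.

```python
import csv
import io
from datetime import datetime

# Constructed extracts of MFTECmd output: mft.csv (from $MFT) and usn.csv (from $J).
MFT_CSV = """\
EntryNumber,ParentPath,FileName,InUse,FileSize,Created0x10,Created0x30,LastModified0x10
847291,.\\Users\\jmorrison\\AppData\\Local\\Temp,update.exe,False,287744,2026-03-15 14:36:07.0000000,2026-03-15 14:36:07.0000000,2026-03-15 14:36:09.0000000
847305,.\\Users\\jmorrison\\AppData\\Local\\Temp,svchost.exe,True,60416,2019-12-07 09:14:52.0000000,2026-03-15 14:41:20.0000000,2019-12-07 09:14:52.0000000
512,.\\Windows\\System32,notepad.exe,True,201216,2024-06-11 03:00:01.0000000,2024-06-11 03:00:01.0000000,2024-06-11 03:00:01.0000000
"""

USN_CSV = """\
Name,EntryNumber,UpdateTimestamp,UpdateReasons
update.exe,847291,2026-03-15 14:36:07.0000000,FileCreate
update.exe,847291,2026-03-15 14:36:09.0000000,DataExtend|FileCreate|Close
update.exe,847291,2026-03-15 14:52:33.0000000,FileDelete|Close
svchost.exe,847305,2026-03-15 14:41:20.0000000,FileCreate
"""


def ts(value):
    """MFTECmd timestamps are UTC with seven fractional digits; keep seconds."""
    return datetime.strptime(value[:19], "%Y-%m-%d %H:%M:%S") if value else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def timestomp_candidates(mft_rows):
    """Files whose $STANDARD_INFORMATION creation time disagrees with $FILE_NAME.
    Timestamp-altering tools normally reach only $SI, so $SI earlier than $FN is
    the classic indicator; any mismatch is worth a look."""
    out = []
    for r in mft_rows:
        si, fn = ts(r["Created0x10"]), ts(r["Created0x30"])
        if si != fn:
            out.append({"path": f'{r["ParentPath"]}\\{r["FileName"]}',
                        "si_created": si, "fn_created": fn,
                        "si_before_fn": si < fn})
    return out


def deleted_file_lifetimes(mft_rows, usn_rows):
    """For InUse=False remnants, find the $J FileDelete record for the same
    entry number and report created/deleted times and lifetime in seconds."""
    deletes = {}
    for u in usn_rows:
        if "FileDelete" in u["UpdateReasons"].split("|"):
            deletes[u["EntryNumber"]] = ts(u["UpdateTimestamp"])
    result = {}
    for r in mft_rows:
        if r["InUse"].lower() == "false" and r["EntryNumber"] in deletes:
            created, deleted = ts(r["Created0x10"]), deletes[r["EntryNumber"]]
            result[r["EntryNumber"]] = {
                "path": f'{r["ParentPath"]}\\{r["FileName"]}',
                "size": int(r["FileSize"]),
                "created": created,
                "deleted": deleted,
                "lifetime_seconds": int((deleted - created).total_seconds()),
            }
    return result


if __name__ == "__main__":
    mft, usn = load_csv(MFT_CSV), load_csv(USN_CSV)
    for c in timestomp_candidates(mft):
        print("timestomp?", c["path"], c["si_created"], "vs", c["fn_created"])
    for entry, d in deleted_file_lifetimes(mft, usn).items():
        print("deleted", entry, d["path"], f'{d["lifetime_seconds"] // 60} min after creation')
```

The entry number is the join key between the two CSVs; matching on file name alone would conflate every update.exe the volume has ever held.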

5. EZ Tools: event logs

The richest chronological record. Maps name the fields per event type, so sync them first.

# EvtxECmd, all .evtx to one normalized CSV
# update 700+ community maps first
EvtxECmd.exe --sync
EvtxECmd.exe -d "<EV>\Windows\System32\winevt\Logs" --csv "<OUT>\EVTX" --csvf events.csv -q

# Single log file
EvtxECmd.exe -f "<EV>\...\Security.evtx" --csv "<OUT>\EVTX" --csvf security.csv

# Event IDs worth filtering in Timeline Explorer:
# 4624 logon               4625 failed logon          4634 logoff          4648 explicit-cred logon
# 4688 process create      4697/7045 service install  4720 user created
# 4104 PowerShell ScriptBlock   1102 Security log cleared   4698 scheduled task
# 4672 special privileges  5140 share access          4769 Kerberos service ticket
Maps are not optional. Without them, output columns are generic; with them, a 4624 logon yields named TargetUserName, LogonType, and IpAddress columns. Map-extracted fields land in PayloadData1-6, with MapDescription giving the plain-English event meaning.
Worked example, EvtxECmd

Filtering events.csv to EventId 1102 shows a Security log clear at 15:04:11 UTC by account svc_backup, 12 minutes after the update.exe deletion. The clear is itself the evidence: an attacker removing tracks. Surrounding 4672/4624 events place svc_backup logged on from 10.4.2.61.

Doesn't prove

What was cleared, or that svc_backup is the original intruder vs a pivoted account.

Next

Check $UsnJrnl and Prefetch around 15:04; scope 10.4.2.61 across SigninLogs / other hosts.
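The event-ID filter list and the "surrounding events" correlation from the worked example, written as an added Python example over EvtxECmd output (not from the cheatsheet or from EvtxECmd itself). The events.csv rows are constructed in EvtxECmd's column layout (a subset; map-populated fields shown in PayloadData1/2), the business-hours window is an assumption, and the always-flag list is the cheatsheet's own event IDs.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed events.csv extract (EvtxECmd column subset, map-populated payloads).
EVENTS_CSV = """\
TimeCreated,EventId,Channel,Computer,UserName,RemoteHost,MapDescription,PayloadData1,PayloadData2
2026-03-15 14:31:50.0000000,4624,Security,WS-0413,CORP\\jmorrison,10.4.2.61,Successful logon,LogonType: 10,Target: jmorrison
2026-03-15 14:59:02.0000000,4624,Security,WS-0413,CORP\\svc_backup,10.4.2.61,Successful logon,LogonType: 3,Target: svc_backup
2026-03-15 14:59:02.0000000,4672,Security,WS-0413,CORP\\svc_backup,,Special privileges assigned to new logon,,
2026-03-15 15:04:11.0000000,1102,Security,WS-0413,CORP\\svc_backup,,The audit log was cleared,,
2026-03-15 02:12:40.0000000,4624,Security,WS-0413,CORP\\svc_backup,10.4.2.61,Successful logon,LogonType: 3,Target: svc_backup
2026-03-15 14:33:15.0000000,7045,System,WS-0413,LocalSystem,,A service was installed in the system,ServiceName: WinSvcHelper,ImagePath: C:\\Users\\Public\\helper.exe
"""

# Events that are worth a row in the report whenever they occur.
ALWAYS_FLAG = {
    1102: "Security log cleared (anti-forensics)",
    7045: "service installed (persistence)",
    4697: "service installed (persistence)",
    4104: "PowerShell ScriptBlock logged",
    4720: "user account created",
    4698: "scheduled task created",
}
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 UTC is normal


def load_events(text):
    """Parse EvtxECmd CSV rows, type the key fields and sort chronologically."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TimeCreated"] = datetime.strptime(row["TimeCreated"][:19], "%Y-%m-%d %H:%M:%S")
        row["EventId"] = int(row["EventId"])
        rows.append(row)
    rows.sort(key=lambda r: r["TimeCreated"])
    return rows


def triage_events(rows):
    """Return [(time, event id, user, reason)] for high-signal rows."""
    findings = []
    for e in rows:
        if e["EventId"] in ALWAYS_FLAG:
            findings.append((e["TimeCreated"], e["EventId"], e["UserName"], ALWAYS_FLAG[e["EventId"]]))
        elif e["EventId"] == 4624 and e["TimeCreated"].hour not in BUSINESS_HOURS:
            findings.append((e["TimeCreated"], e["EventId"], e["UserName"], "logon outside business hours"))
    return findings


def events_near(rows, pivot, minutes=15):
    """Events in the window [pivot - minutes, pivot]: the context that puts an
    account and source address behind a pivot such as a 1102 log clear."""
    low = pivot - timedelta(minutes=minutes)
    return [e for e in rows if low <= e["TimeCreated"] <= pivot]


if __name__ == "__main__":
    events = load_events(EVENTS_CSV)
    for when, eid, user, reason in triage_events(events):
        print(f"{when:%H:%M:%S}  {eid}  {user:<18} {reason}")
    clear = next(e for e in events if e["EventId"] == 1102)
    for e in events_near(events, clear["TimeCreated"]):
        print("  context:", e["TimeCreated"].time(), e["EventId"], e["UserName"], e["RemoteHost"])
```

Run it against the real events.csv by replacing EVENTS_CSV with the file's contents; the 1102 pivot then pulls in whichever 4624/4672 rows precede the clear.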

6. EZ Tools: registry (incl. transaction-log recovery)

Persistence, configuration, and user activity baked into the hives. Replay transaction logs first to recover recently written or "cleaned" keys.

# RLA, replay transaction logs into the hive (recovers dirty/uncommitted keys)
RLA.exe -d "<EV>\Windows\System32\config" --out "<OUT>\HivesClean"

# RECmd, batch-process every hive against the community ruleset
RECmd.exe --bn "C:\IR\Tools\EZTools\BatchExamples\RECmd_Batch_MC.reb" -d "<OUT>\HivesClean" --csv "<OUT>\Registry" --csvf registry.csv -q

# RECmd, single hive against one rule file
RECmd.exe -f "<EV>\Users\{user}\NTUSER.DAT" --bn BatchExamples\UserActivity.reb --csv "<OUT>\Registry"

# SBECmd, ShellBags: folders the user opened (persist after deletion)
SBECmd.exe -d "<EV>\Users\{user}" --csv "<OUT>\ShellBags" --csvf shellbags.csv

# Registry Explorer (GUI): RegistryExplorer.exe, bookmarks flag forensic keys

RECmd_Batch_MC.reb extracts | Forensic value
Run / RunOnce | Autostart persistence
UserAssist | GUI program execution history per user
Services | Service-based persistence, including suspicious ImagePath
USBSTOR / MountedDevices | USB device history
TypedPaths / RecentDocs | User navigation and recently opened files
Network profiles | Networks the host connected to, with first/last times
Replay logs before parsing. RLA applies the .LOG1/.LOG2 transaction logs into a clean copy of each hive. Skipping it means RECmd may miss the most recent writes, exactly the keys an attacker just created. Parse the RLA output, not the raw hive.

7. EZ Tools: user activity, devices, network

# LECmd, .lnk shortcuts: target path, MAC times + drive VOLUME SERIAL
LECmd.exe -d "<EV>\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent" --csv "<OUT>\LNK" --csvf lnk.csv -q

# JLECmd, Jump Lists: recent files per pinned taskbar app
JLECmd.exe -d "<EV>\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv "<OUT>\JumpLists" --csvf jl.csv -q

# WxTCmd, Windows 10/11 Timeline (ActivitiesCache.db): app + file usage
WxTCmd.exe -f "<EV>\Users\{user}\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db" --csv "<OUT>\Timeline"

# SrumECmd, SRUM: per-app network bytes/hour, last 30-60 days
SrumECmd.exe -f "<EV>\Windows\System32\sru\SRUDB.dat" -r "<EV>\Windows\System32\config\SOFTWARE" --csv "<OUT>\SRUM"

# SumECmd, User Access Logging (Server): user/IP access counts to services
SumECmd.exe -d "<EV>\Windows\System32\LogFiles\SUM" --csv "<OUT>\SUM"

# SQLECmd, browser + app SQLite DBs (history, downloads, cookies)
SQLECmd.exe -d "<EV>\Users\{user}" --csv "<OUT>\SQL" -q

# bstrings, extract strings/regex from any file (URLs, IPs, base64, etc.)
bstrings.exe -f "<EV>\suspect.bin" --lr ipv4 --csv "<OUT>\Strings"

Tool | Investigation value
LECmd | Volume serial number ties a file to a specific USB drive at a specific time
WxTCmd | Reconstructs app and document usage with start/end times from the Timeline DB
SrumECmd | Network-usage rows expose exfiltration even by legitimate-named binaries (LOLBins)
SumECmd | On Windows Server: which users/IPs accessed which services, and how often
SBECmd | Proves navigation to USB/network paths even after the folder is gone
bstrings | Pulls IOCs (IPs, URLs, base64) out of memory dumps, pagefile, or unknown binaries
Worked example, SrumECmd

SRUM network rows show certutil.exe sent 1.9 GB between 02:10 and 03:40 UTC, far outside business hours, to a single destination. certutil is a legitimate Windows binary, so AV stayed silent, but the egress volume for a certificate utility is the anomaly.

Doesn't prove

The destination, the data exfiltrated, or the triggering command.

Next

4688/4104 for the certutil command line; firewall/proxy logs for the destination IP.
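The egress-volume reasoning from the SRUM worked example, as an added Python example (not the cheatsheet's or SrumECmd's code) that totals bytes sent per executable from SrumECmd's network-usage CSV and flags upload-heavy, off-hours binaries. The rows are constructed (a subset of SrumECmd's NetworkUsages columns); the 500 MB threshold and the business-hours window are assumptions to tune per environment.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed SrumECmd NetworkUsages extract (column subset).
SRUM_CSV = """\
Timestamp,ExeInfo,UserName,BytesSent,BytesReceived
2026-03-15 02:10:00.0000000,\\Device\\HarddiskVolume3\\Windows\\System32\\certutil.exe,CORP\\svc_backup,700000000,12000
2026-03-15 03:10:00.0000000,\\Device\\HarddiskVolume3\\Windows\\System32\\certutil.exe,CORP\\svc_backup,700000000,9000
2026-03-15 03:40:00.0000000,\\Device\\HarddiskVolume3\\Windows\\System32\\certutil.exe,CORP\\svc_backup,500000000,8000
2026-03-15 09:10:00.0000000,\\Device\\HarddiskVolume3\\Program Files\\Mozilla Firefox\\firefox.exe,CORP\\jmorrison,4500000,380000000
2026-03-15 10:10:00.0000000,\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe,NT AUTHORITY\\SYSTEM,2000000,90000000
"""

BUSINESS_HOURS = range(7, 19)           # assumption: 07:00-18:59 UTC
MIN_SENT_BYTES = 500 * 1024 * 1024      # assumption: 500 MiB upload floor


def load_srum(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["Timestamp"] = datetime.strptime(r["Timestamp"][:19], "%Y-%m-%d %H:%M:%S")
        r["BytesSent"], r["BytesReceived"] = int(r["BytesSent"]), int(r["BytesReceived"])
        rows.append(r)
    return rows


def egress_by_app(rows):
    """Aggregate per executable name: bytes sent/received, off-hours share,
    first and last hourly bucket, and the users the rows are attributed to."""
    apps = {}
    for r in rows:
        name = r["ExeInfo"].rsplit("\\", 1)[-1].lower()
        a = apps.setdefault(name, {"sent": 0, "received": 0, "off_hours_sent": 0,
                                   "first": r["Timestamp"], "last": r["Timestamp"],
                                   "users": set()})
        a["sent"] += r["BytesSent"]
        a["received"] += r["BytesReceived"]
        if r["Timestamp"].hour not in BUSINESS_HOURS:
            a["off_hours_sent"] += r["BytesSent"]
        a["first"], a["last"] = min(a["first"], r["Timestamp"]), max(a["last"], r["Timestamp"])
        a["users"].add(r["UserName"])
    return apps


def flag_egress(apps, min_sent=MIN_SENT_BYTES):
    """Names of apps that sent more than they received and exceed the floor;
    downloads and browsing are receive-heavy, so this isolates upload patterns."""
    return sorted(n for n, a in apps.items()
                  if a["sent"] >= min_sent and a["sent"] > a["received"])


if __name__ == "__main__":
    apps = egress_by_app(load_srum(SRUM_CSV))
    for name in flag_egress(apps):
        a = apps[name]
        share = a["off_hours_sent"] / a["sent"]
        print(f"{name}: {a['sent'] / 1e9:.2f} GB sent, {share:.0%} off-hours, "
              f"{a['first']:%H:%M}-{a['last']:%H:%M} UTC, users={sorted(a['users'])}")
```

SRUM buckets usage per hour, so the first/last timestamps bound the window to the hour; the 4688/4104 events named above supply the command line that SRUM cannot.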

8. Analysis: Timeline Explorer

TimelineExplorer.exe "<OUT>\EVTX\events.csv"

# Handles million-row CSVs (Excel cannot). Core moves:
# Filter any column header (EventId = 4624 -> logons only)
# Combine filters (EventId=4624 AND TimeCreated > 14:00)
# Text search across all columns ("powershell")
# Colour rules: red 4625 (brute force), orange 7045 (persistence),
#   yellow 1102 (log cleared / anti-forensics)
# Load MULTIPLE CSVs (Prefetch + EVTX + MFT), sort by timestamp
#   -> unified cross-artifact timeline
# Tag rows + add notes, then export the tagged set for the report
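The "load multiple CSVs, sort by timestamp" step, as an added Python example (not the cheatsheet's code and not how Timeline Explorer is implemented): each parser's CSV has a different timestamp column and different columns worth showing, so the merge normalizes them into one (time, source, summary) list. The three CSV extracts are constructed from the cases earlier on this page; the SOURCES mapping is an assumption you would extend for Amcache, SRUM and the rest.

```python
import csv
import io
from datetime import datetime

# Which column carries the timestamp, and which columns to show, per parser output.
# Assumption: extend this map for every CSV you load.
SOURCES = {
    "Prefetch": ("LastRun", ["ExecutableName", "RunCount"]),
    "MFT": ("Created0x10", ["ParentPath", "FileName", "InUse"]),
    "EVTX": ("TimeCreated", ["EventId", "UserName", "MapDescription"]),
}

# Constructed extracts of PECmd, MFTECmd and EvtxECmd output (column subsets).
PREFETCH_CSV = """\
ExecutableName,RunCount,LastRun
POWERSHELL.EXE,1,2026-03-15 14:32:07.0000000
"""
MFT_CSV = """\
EntryNumber,ParentPath,FileName,InUse,Created0x10
847291,.\\Users\\jmorrison\\AppData\\Local\\Temp,update.exe,False,2026-03-15 14:36:07.0000000
"""
EVTX_CSV = """\
TimeCreated,EventId,UserName,MapDescription
2026-03-15 14:31:50.0000000,4624,CORP\\jmorrison,Successful logon
2026-03-15 15:04:11.0000000,1102,CORP\\svc_backup,The audit log was cleared
"""


def build_timeline(named_csvs):
    """Merge {source name: csv text} into one chronologically sorted list of
    (datetime, source, summary) tuples. Rows with an empty timestamp are skipped."""
    events = []
    for source, text in named_csvs.items():
        ts_col, show = SOURCES[source]
        for row in csv.DictReader(io.StringIO(text)):
            raw = row.get(ts_col, "")
            if not raw:
                continue
            when = datetime.strptime(raw[:19], "%Y-%m-%d %H:%M:%S")
            summary = " | ".join(f"{c}={row[c]}" for c in show)
            events.append((when, source, summary))
    events.sort(key=lambda e: e[0])   # stable: ties keep load order
    return events


def window(timeline, start, end):
    """Slice the merged timeline to [start, end], the usual next move after a pivot."""
    return [e for e in timeline if start <= e[0] <= end]


if __name__ == "__main__":
    tl = build_timeline({"Prefetch": PREFETCH_CSV, "MFT": MFT_CSV, "EVTX": EVTX_CSV})
    for when, source, summary in tl:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {source:<9} {summary}")
```

Reading the merged list top to bottom gives the narrative the section describes: logon, first PowerShell run, dropped file, log clear, each from a different artifact.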

Want a head start before Timeline Explorer? Paste your EvtxECmd CSV into the free Event Log Triage Analyzer and it pre-flags the high-signal events so you know what to filter for first.

9. Quick lookup

Investigation question to command

Question | Run
What ran, and when? | PECmd (Prefetch), AmcacheParser
Who logged on, from where? | EvtxECmd, filter 4624/4625
What files were created/deleted at time T? | MFTECmd ($MFT + $UsnJrnl)
Was a file timestomped? | MFTECmd, compare Created0x10 vs Created0x30
How did it persist? | RLA then RECmd (Run keys, Services, tasks)
Was data exfiltrated? | SrumECmd (network bytes per app)
Did a USB device connect? | RECmd (USBSTOR), LECmd (volume serial)
What did the user open? | JLECmd, LECmd, SBECmd, WxTCmd
Recover a recently changed registry key? | RLA (replay transaction logs) then RECmd

Artifact to disk location

Artifact | Path
Prefetch | \Windows\Prefetch\*.pf
Amcache | \Windows\AppCompat\Programs\Amcache.hve
Event logs | \Windows\System32\winevt\Logs\*.evtx
$MFT / $UsnJrnl | volume root \$MFT, \$Extend\$UsnJrnl:$J
System hives | \Windows\System32\config\ (SYSTEM, SOFTWARE, SAM, SECURITY)
User hive | \Users\{user}\NTUSER.DAT, ...\UsrClass.dat
SRUM | \Windows\System32\sru\SRUDB.dat
LNK / Jump Lists | \Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\

One-pass pipeline + triage order

# Parse-All.ps1, run every EZ Tools parser against a collection (2-10 min)
param([Parameter(Mandatory)][string]$CasePath)
$ez  = "C:\IR\Tools\EZTools"; $ev = "$CasePath\Evidence"; $out = "$CasePath\Output"
New-Item -ItemType Directory $out -Force | Out-Null

# Locate each artifact inside the collection tree, wherever KAPE placed it
$pf   = gci $ev -Recurse -Directory -Filter Prefetch | select -First 1
$evtx = gci $ev -Recurse -Directory -Filter Logs | ? FullName -like '*winevt*' | select -First 1
$am   = gci $ev -Recurse -Filter Amcache.hve | select -First 1
$mft  = gci $ev -Recurse -Filter '$MFT' -EA SilentlyContinue | select -First 1

if ($pf)   { & "$ez\PECmd.exe" -d $pf.FullName --csv "$out\Prefetch" --csvf prefetch.csv -q }
if ($evtx) { & "$ez\EvtxECmd.exe" -d $evtx.FullName --csv "$out\EVTX" --csvf events.csv -q }
if ($am)   { & "$ez\AmcacheParser.exe" -f $am.FullName -i --csv "$out\Amcache" --csvf amcache.csv }
if ($mft)  { & "$ez\MFTECmd.exe" -f $mft.FullName --csv "$out\FS" --csvf mft.csv -q }
# RECmd finds the hives itself under $ev; stderr is discarded
& "$ez\RECmd.exe" --bn "$ez\BatchExamples\RECmd_Batch_MC.reb" -d $ev --csv "$out\Registry" --csvf registry.csv -q 2>$null

# Triage order during an incident:
# 1. EvtxECmd        logons/process/services around the alert time
# 2. PECmd           confirm what executed and when
# 3. MFTECmd         file create/delete around that time; check timestomping
# 4. AmcacheParser   SHA1 of suspect binaries -> VirusTotal
# 5. RLA + RECmd     persistence (Run keys, services, tasks)
# 6. SrumECmd        data egress volume per app
# 7. Timeline Explorer   load all CSVs, sort by time, build the narrative

From parsing artifacts to proving what happened

This cheatsheet runs the tools. Windows Endpoint Investigation teaches the method behind them: correlating execution, filesystem, registry, and event-log artifacts into a defensible account of an intrusion, the part that turns parsed CSVs into a conclusion you can stand behind.
