AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Examining KAPE Output (CSV)

CSV is the easiest format to analyze, in my opinion, simply for the reason of being able to harness the power of Excel’s filtering capabilities. If you don’t have Excel, you can use LibreOffice’s Calc or Eric Zimmerman’s Timeline Explorer/EZViewer as alternatives. 

UPDATE: Timeline Explorer guide is now live here! Check out this guide for the best tool to pair with KAPE for your analysis!

First Things First

There are a few things I always do when I open a CSV file in Excel:

  1. Enable Filtering
    1. Pro-Tip: select all cells via Ctrl+A prior to selecting Filter to avoid the potential for an error pop-up
  2. Freeze Top Row
  3. Locate the Timestamp Column and change its Number Format to yyyy-mm-dd hh:mm:ss

This will make your life a lot easier when you’re looking to drill down to specific artifacts and remove some of the irrelevant noise. Also, being able to sort on the timestamp column to see the order of events will be crucial to compiling a timeline of events that occurred on that system.

Using Column Filters

Below is an example of filtering on the KAPE EvtxECmd output by filtering on the EventID column for RDP Events (21, 22, 23, 24, 25).

Below is an example of how you can filter on the MFT looking for files created in the Program Files folders.
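The two column filters described above, applied outside Excel so they can be scripted over large exports. This is an added example, not code from AboutDFIR or from the EZ Tools themselves; the sample rows are constructed, and the column names (TimeCreated, EventId, MapDescription, RemoteHost for EvtxECmd; ParentPath, FileName, InUse, Created0x10 for MFTECmd) are assumptions that should be checked against the header line of your own output before reuse.

```python
"""Filter KAPE/EZ Tools CSV output the way the text describes, in Python:
EvtxECmd rows with the RDP session EventIds (21-25), and MFTECmd rows for
files created under either Program Files folder, both sorted by timestamp."""
import csv
import io
from datetime import datetime

# Constructed sample rows. Column names are an assumption about the EvtxECmd
# and MFTECmd CSV layouts; verify them against the header of a real export.
EVTX_CSV = """TimeCreated,EventId,Channel,Computer,MapDescription,RemoteHost
2023-05-01 09:15:02,4624,Security,WS01,Successful logon,
2023-05-01 09:16:40,21,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,Session logon succeeded,10.0.0.5
2023-05-01 09:16:41,22,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,Shell start notification received,10.0.0.5
2023-05-01 08:58:13,25,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,Session reconnection succeeded,10.0.0.5
2023-05-01 09:20:00,7045,System,WS01,Service installed,
2023-05-01 09:30:11,23,Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,WS01,Session logoff succeeded,10.0.0.5
"""

MFT_CSV = """EntryNumber,InUse,ParentPath,FileName,Created0x10
41,True,.\\Program Files\\Vendor,app.exe,2023-05-01 09:18:30.1234567
42,True,.\\Program Files (x86)\\Tool,helper.dll,2023-05-01 09:18:31.0000000
43,True,.\\Users\\bob\\Downloads,notes.txt,2023-05-01 09:19:00.0000000
44,False,.\\Program Files\\Vendor,old.exe,2022-01-10 12:00:00.0000000
45,True,.\\Program Files,setup.log,2023-05-01 09:18:29.0000000
"""

RDP_EVENT_IDS = {"21", "22", "23", "24", "25"}     # the IDs the text filters on
PROGRAM_FILES_ROOTS = (".\\Program Files", ".\\Program Files (x86)")


def parse_timestamp(value):
    """Parse the yyyy-mm-dd hh:mm:ss format (fractional seconds optional)
    into a datetime so rows sort chronologically rather than as text."""
    value = value.strip()
    if "." in value:
        value = value[: value.index(".")]      # drop the 100 ns fraction
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def under_program_files(parent_path):
    """True if the MFT ParentPath is one of the Program Files roots or a
    subfolder of one (a bare prefix test would wrongly match 'Program Files (x86)'
    against 'Program Files', so the separator is checked explicitly)."""
    return any(parent_path == root or parent_path.startswith(root + "\\")
               for root in PROGRAM_FILES_ROOTS)


def rdp_events(csv_text):
    """Keep only TerminalServices session events (EventId 21-25), ordered by
    TimeCreated so the session sequence reads top to bottom."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["EventId"] in RDP_EVENT_IDS]
    return sorted(rows, key=lambda r: parse_timestamp(r["TimeCreated"]))


def program_files_created(csv_text, in_use_only=True):
    """Keep MFT entries created under either Program Files folder; by default
    drop deleted records (InUse == False), which are still present in $MFT."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if under_program_files(r["ParentPath"])
            and (not in_use_only or r["InUse"] == "True")]
    return sorted(rows, key=lambda r: parse_timestamp(r["Created0x10"]))


if __name__ == "__main__":
    for r in rdp_events(EVTX_CSV):
        print(r["TimeCreated"], r["EventId"], r["MapDescription"], r["RemoteHost"])
    for r in program_files_created(MFT_CSV):
        print(r["Created0x10"], r["ParentPath"] + "\\" + r["FileName"])
```

Sorting on the parsed timestamp rather than the raw string is the scripted equivalent of step 3 above: with the fixed yyyy-mm-dd hh:mm:ss format the text order and the chronological order agree, but parsing makes the ordering independent of however the spreadsheet happens to render the column. Swap `EVTX_CSV` and `MFT_CSV` for `open(path, newline="").read()` to run the same filters over a real export.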

Understanding the Artifacts

The !EZParser Module will create subfolders for the various artifacts’ CSV output. These will include:

EventLogs
FileDeletion
FileFolderAccess
FileSystem
ProgramExecution
Registry

Within each of these folders will be CSV (by default) output files that you’ll use to examine the artifacts on the system. If you want to learn more about each of these artifacts, check out the following resources! AboutDFIR will be covering more of these tools in the future, so this table will be updated as they are covered.

As always, Tools & Artifacts – Windows is at your disposal for Windows-based artifacts, both system and third-party. The SANS Windows Forensic Analysis (FOR500) and Hunt Evil (FOR508) posters are great resources, as well.