KAPE + EZ Tools and Beyond

Explore the latest advancements in open-source forensic tools and techniques in this conference talk from OSDFCon 2019. Delve into Eric Zimmerman's cutting-edge tools for analyzing event logs and NTFS files, including $MFT and $SDS. Learn about the new capability to extract artifacts from both active file systems and volume shadow copies. Discover KAPE's powerful features for rapid data collection and processing, utilizing both EZ tools and other command-line interfaces. Gain insights into KAPE's architecture, configurations, and learn how to create custom targets and modules to extend its functionality for specific investigative needs. Understand the concept of toolchains in digital forensics and incident response (DFIR) and explore practical examples of their implementation. Address scalability concerns and get answers to common questions about these forensic tools and methodologies.

Intro
Review: Architecture
Some new(ish) stuff
Why maps?
Not just dead box files!
The problem
The requirements
The solution: KAPE!
Why KAPE?
What is a toolchain?
Toolchain creation (Think 'DFIR')
Some tool chain examples
Collect only, save to container
Yea, but does it scale?
Questions?