1.6. Coming From Other DFIR Tools

Cyber Triage has a different design philosophy than most DFIR tools. If you are coming from a background with tools like KAPE and EZ Tools, EnCase, or Magnet AXIOM, some things will feel unfamiliar at first. This page maps the key concepts and workflows so you can get oriented quickly.

1.6.1. The Core Difference: Scoring First

Most DFIR training and tooling teaches an artifact-first approach: you decide which artifact type to examine (Prefetch, event logs, registry hives, etc.), open that artifact, and scroll or filter through all entries looking for something suspicious.

Cyber Triage uses a scoring-first approach instead. Before you review anything, Cyber Triage automatically analyzes all collected artifacts and assigns each item a score: Bad, Suspicious, or unscored. Your job is to start with the Bad items, then the Suspicious ones, and only go artifact-by-artifact when you need to dig deeper.

Note

You do not need to decide where to look first. Cyber Triage already checked Prefetch, the event logs, the registry, and everything else. It surfaces what matters. Start with the scores, not the artifact type.

This is a deliberate workflow change. The sections below explain how specific tool habits map to the Cyber Triage way.

1.6.2. Coming From KAPE and EZ Tools

KAPE (Kroll Artifact Parser and Extractor) and Eric Zimmerman’s EZ Tools are widely used for triage collection and post-processing. The typical workflow is:

  1. Run KAPE on a live system or mounted image, using a Target (such as KapeTriage) to collect artifacts, and a Module (such as !EZParser) to parse them with EZ Tools into CSV output.

  2. Load the resulting CSV files into Timeline Explorer (or Excel) and manually filter, sort, and search to identify suspicious activity.

  3. Pivot between artifact types – for example, seeing a suspicious executable in Prefetch output, then switching to the event log CSV to correlate a logon event.

How this maps to Cyber Triage:

KAPE Collector / Targets (collecting raw artifacts)

Cyber Triage Collector Tool – the Cyber Triage Collector serves the same role, and can be deployed to a live system or run against a disk image.

EZ Tools Modules (parsing raw artifacts into CSV)

Ingest Phase – Cyber Triage automatically parses and normalizes artifacts on import.

!EZParser module output folder per artifact type

Data is organized by Information Artifact types (Processes, Accounts, Network, etc.) and can be found under the All Items view; see Information Artifact Types.

Browsing all Prefetch entries (PECmd CSV output)

The Cyber Triage equivalent is the Processes view, which already consolidates Prefetch along with other execution sources. If you specifically want to see only the Prefetch data, use Artifact Sources and choose the Prefetch node.

Filtering the Prefetch CSV to see all executions of a single process

Cyber Triage automatically groups executions by process and arguments; select a Process item to see all of its instances. No need to change filtering.

Manually pivoting between Prefetch CSV and event log CSV

Cyber Triage does this with the Related Items viewers in the lower right. When you find one item, you can see its related items and jump directly to the item in its parent folder or in the timeline. There is no manual filtering across files. Use Timeline to see other events in the same time range.

Building a timeline across artifact types in Timeline Explorer

Cyber Triage has a full host timeline that correlates events across artifact types automatically; see Timeline.

The key shift: In the KAPE workflow, you build a picture by assembling CSVs. In Cyber Triage, that assembly and triage happens automatically during ingest. Your time starts at the scored results, not at a folder full of CSV files.

1.6.3. Coming From Magnet AXIOM

Magnet AXIOM uses an artifact-first approach with an “Artifact Explorer” that groups parsed evidence by category (Cloud, Computer, Mobile, etc.). Analysts typically load a case, wait for processing, and then browse artifact categories to review entries.

How this maps to Cyber Triage:

IOC dashboard (YARA hits, hash matches, MITRE ATT&CK flags)

Review Notable Items Section – Bad-scored items, each shown with its scoring reason.

Artifact Explorer category (e.g., “Operating System”, “Documents”)

Information Artifact type panels (Processes, Accounts, Network Connections, etc.) – see Information Artifact Types.

Browsing all entries in an artifact category (e.g., Prefetch via Artifact Explorer)

Examine All Items Section – the All Items view organizes data into the same kinds of categories (Processes, Inbound Logons, etc.) and lets you browse all entries of each type.

Artifact pivoting (clicking from one artifact to related ones)

Cyber Triage supports the same concept via Related Items – items sharing the same path are grouped together so you can pivot without switching views. The Sources panel in the lower-right corner also shows which raw data artifacts contributed to the selected item.

Timeline / event correlation view

Timeline – a full host timeline built automatically from all ingested artifacts.

Tagging / bookmarking items

Manually adjust the score of an item (Bad or Suspicious) and add a label to record why; see Scores and Labels.

The key shift: AXIOM still expects you to browse artifact categories and decide what is suspicious. Cyber Triage makes that judgment automatically and presents a prioritized list. You work the scored list, not the category tree.

1.6.4. Coming From EnCase (OpenText)

EnCase is a full-disk forensic platform with an artifact-first, file-manager-style UI. A typical EnCase workflow involves opening a case, browsing the file system or using EnScript automation to find artifacts, and reviewing them category by category.

How this maps to Cyber Triage:

File system tree / Evidence Browser

File Explorer – available under All Items.

Reviewing all Prefetch entries via a viewer or EnScript

The Cyber Triage equivalent is the Processes view, which already consolidates Prefetch along with other execution sources. If you specifically want to see the raw Prefetch data, use Artifact Sources and filter by Prefetch.

Timeline view (correlating events across artifact types)

Timeline – a full host timeline built automatically from all ingested artifacts.

Keyword search across the image

Use the Search features to find specific values across ingested artifacts.

Bookmarks (flagging items of interest)

Manually score an item as Bad or Suspicious to flag it, and add a label to record why; see Scores and Labels.

The key shift: EnCase centers on the file system and leaves artifact interpretation to the analyst. Cyber Triage centers on Information Artifacts – normalized, meaning-bearing items like “a process ran” rather than “a Prefetch file exists” – and surfaces scored results first.

1.6.5. Understanding Information Artifacts vs. Data Artifacts

This concept is central to all of the above and worth calling out explicitly. Tools like KAPE, EnCase, and AXIOM expose data artifacts – the raw forensic objects as they exist on disk: Prefetch files, registry hives, event log entries, LNK files, and so on. Cyber Triage normalizes these into Information Artifacts – higher-level objects that represent meaning rather than raw data.

Note

If you are looking for Prefetch specifically and cannot find a “Prefetch” section, this is why. Prefetch data becomes Processes. To see which items came from Prefetch, use the Artifact Sources view, which organizes data by source type rather than by Information Artifact type.

See Information Artifact Types for a full description of how data artifacts map to Information Artifact types, and how to trace any Information Artifact back to its underlying raw source using the Sources panel in the lower-right corner of the host view.

1.6.6. Validating Results Against Other Tools

If you are running Cyber Triage alongside KAPE or another tool during a transition period, you can use the Artifact Sources view to cross-check results. For example, if KAPE’s PECmd output shows a Prefetch entry for a suspicious executable, you can open the Artifact Sources view in Cyber Triage, filter to Prefetch, and confirm that Cyber Triage collected and parsed the same entry. This is also useful for auditing coverage – if an artifact appears in another tool but not in Cyber Triage’s Artifact Sources view, it may indicate a collection gap worth investigating.
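The two ideas above, normalizing raw Prefetch data artifacts into Process information artifacts (section 1.6.5) and cross-checking one tool's Prefetch coverage against another's (this section), can both be shown in a few lines of Python. The script below is an added example, not Cyber Triage or Kroll code: it takes rows in the shape of PECmd's CSV output (the column names are an assumption based on PECmd's usual layout), groups them into per-executable Process items with their Prefetch sources underneath, and then diffs the set of .pf files one tool saw against a constructed list standing in for what the other tool's Prefetch source view reports. Cyber Triage's export format is not assumed; the comparison works on .pf file names, which both tools expose.

```python
"""Added example (not from the Cyber Triage documentation or product).

Normalizes PECmd-style Prefetch rows into Process items and audits
coverage between two tools by comparing the .pf files each one saw.
"""
import csv
import io
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in the shape of PECmd CSV output. Column names are an
# assumption about PECmd's layout; values are invented for the example.
PECMD_CSV = r"""SourceFilename,ExecutableName,Hash,RunCount,LastRun
C:\Windows\Prefetch\CMD.EXE-0BD30981.pf,CMD.EXE,0BD30981,12,2024-01-05 10:00:00
C:\Windows\Prefetch\CMD.EXE-4A81B364.pf,CMD.EXE,4A81B364,3,2024-01-06 08:30:00
C:\Windows\Prefetch\POWERSHELL.EXE-022A1004.pf,POWERSHELL.EXE,022A1004,5,2024-01-06 09:12:00
C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf,NOTEPAD.EXE,D8414F97,1,2024-01-06 09:15:00
"""

# Constructed list standing in for the Prefetch node of the other tool's
# source view (e.g. Cyber Triage's Artifact Sources), collected from a
# mounted image, so the path root differs from the live-system paths above.
OTHER_TOOL_PREFETCH_SOURCES = [
    r"E:\image\Windows\Prefetch\cmd.exe-0BD30981.pf",
    r"E:\image\Windows\Prefetch\CMD.EXE-4A81B364.pf",
    r"E:\image\Windows\Prefetch\POWERSHELL.EXE-022A1004.pf",
    r"E:\image\Windows\Prefetch\SVCHOST.EXE-7AA84D02.pf",
]


@dataclass
class PrefetchInstance:
    """One data artifact: a single .pf file as the parser reported it."""
    source_file: str
    run_count: int
    last_run: str


@dataclass
class ProcessItem:
    """Information artifact: 'this executable ran', with every Prefetch
    instance that supports it grouped underneath (like a Sources panel)."""
    name: str
    instances: list = field(default_factory=list)

    @property
    def total_runs(self) -> int:
        return sum(inst.run_count for inst in self.instances)


def parse_pecmd_csv(text: str) -> list:
    """Read PECmd-style CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_prefetch(rows: list) -> dict:
    """Group raw Prefetch rows by executable name into ProcessItem objects."""
    items = {}
    for row in rows:
        name = row["ExecutableName"].upper()
        item = items.setdefault(name, ProcessItem(name))
        item.instances.append(PrefetchInstance(
            source_file=row["SourceFilename"],
            run_count=int(row["RunCount"]),
            last_run=row["LastRun"],
        ))
    return items


def pf_key(path: str) -> str:
    """Reduce a .pf path to its upper-case basename so that paths from a
    live system and from a mounted image compare equal."""
    return PureWindowsPath(path).name.upper()


def coverage_gaps(tool_a_sources, tool_b_sources) -> tuple:
    """Return (.pf files only tool A saw, .pf files only tool B saw)."""
    seen_a = {pf_key(p) for p in tool_a_sources}
    seen_b = {pf_key(p) for p in tool_b_sources}
    return seen_a - seen_b, seen_b - seen_a


if __name__ == "__main__":
    rows = parse_pecmd_csv(PECMD_CSV)
    for item in normalize_prefetch(rows).values():
        print(f"{item.name}: {len(item.instances)} Prefetch file(s), "
              f"{item.total_runs} total runs")
    only_pecmd, only_other = coverage_gaps(
        [r["SourceFilename"] for r in rows], OTHER_TOOL_PREFETCH_SOURCES)
    print("In PECmd but not in the other tool:", sorted(only_pecmd))
    print("In the other tool but not in PECmd:", sorted(only_other))
```

Anything listed in the first gap set is a candidate collection gap to investigate in the second tool; the reverse set is worth checking too, since it tells you the other tool's collector reached files the first one did not.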

1.6.7. Finding the Right View

Because the Cyber Triage UI is not organized as a file manager or artifact category browser, here is a quick orientation:

See what is most suspicious on a host

Summary Section (Host Summary).

Review and triage scored Bad and Suspicious items

Review Notable Items Section (Notable Items).

Browse all items of a specific type (e.g., all Processes)

Examine All Items Section (All Items, filtered by artifact type).

See everything collected from Prefetch, or a specific event log

Artifact Sources (organized by raw data source).

See a chronological timeline of activity across all artifact types

Timeline.

Understand where a specific artifact came from

Select the item; check the Sources panel in the lower-right corner of the host view.

Search for a specific value (hash, filename, IP address)

Use the Search feature across the incident or host.