velociraptor v0.7 releases: Endpoint visibility and collection tool

Velociraptor – Endpoint visibility and collection tool.

Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic, and cyber response platform.

It was originally developed by DFIR professionals who needed a powerful and efficient way to hunt and monitor activities across fleets of endpoints for specific artifacts, in a wide range of digital forensic and cyber incident response investigations such as:


  • Responding to data breaches
  • Reconstructing attacker activities through digital forensic analysis
  • Hunting for evidence of sophisticated adversaries
  • Investigating malware outbreaks and other suspicious network activities
  • Continual monitoring for suspicious user activities, such as files copied to USB devices
  • Disclosure of confidential information outside the network
  • Gathering endpoint data over time, for use in threat hunting and future investigations.

Velociraptor is actively being used by DFIR professionals across cases such as these and continues to grow and develop based on their feedback and ideas.

The design goals of Velociraptor that we’re working towards are to be:

  • Useful – each artefact and use case must return valuable information to the user
  • Simple – the design and interface must be easy for a person to navigate and use
  • Guided – users don’t need to be DFIR experts, since all elements should provide informative descriptions and guidance
  • Powerful – the user should not have to perform too much additional work to achieve their objectives
  • Quick – performance should be speedy and resource impact low, while allowing performance to be managed when needed
  • Reliable – each feature and artefact should work as expected and be relatively free of bugs and issues

Changelog v0.7

GUI improvements

Enhanced client search

In this release the client index was rewritten to store all client
records in a single snapshot file, while managing this file in
memory. This approach allows client searching to be extremely quick
even for large numbers of clients well over 100k.

Paged table in Flows List

In this release the GUI was updated to include a paged table (with
suitable filtering and sorting capabilities) so all collections can be
accessed.

VQL Plugins and artifacts

Chrome artifacts

Added a leveldb parser and artifacts around Chrome Session
Storage. This allows analysis of the data that various web apps store
locally through Chrome.

Lnk forensics

This release added a more comprehensive Lnk parser covering all
known Lnk file features. You can access the Lnk file analysis using
the `Windows.Forensics.Lnk` artifact.

Direct S3 accessor

In this release Velociraptor adds an S3 accessor. This allows plugins
to directly operate on S3 buckets. In particular the glob() plugin can
be used to query bucket contents and read files from various
buckets.

Volume Shadow Copies analysis

In the 0.7.0 release, Velociraptor adds the ntfs_vss accessor. This
accessor automatically considers different snapshots and deduplicates
files that are identical in different snapshots. This makes it much
easier to incorporate VSS analysis into your artifacts.

The SQLiteHunter project

This release incorporates the SQLiteHunter artifact. A one stop shop
for finding and analyzing SQLite files such as browser artifacts and
OS internal files.

Server security improvements

In the 0.7.0 release, Velociraptor offers the GUI.allowed_cidr
option. If set, this list of CIDR ranges (for example 192.168.1.0/24)
specifies which source IP addresses the server accepts for
connections to the GUI application.

This filtering only applies to the GUI and forms an additional layer
of security protecting the GUI application (in addition to the usual
authentication methods).
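To make the behaviour of a source-address allowlist like GUI.allowed_cidr concrete, here is an added Python illustration (not Velociraptor's own code) of the check such an option performs: CIDR entries are parsed once at load time, an empty list means no filtering, unparseable peer addresses fail closed, and IPv4-mapped IPv6 peers are matched against IPv4 rules. Function and variable names are assumptions chosen for the example.

```python
"""Source-IP allowlist check of the kind a GUI.allowed_cidr option performs.

Added illustration, not Velociraptor's own code. Names are assumptions.
"""
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowed_cidrs(cidrs: Iterable[str]) -> list[Network]:
    """Parse configured CIDR strings up front so a malformed entry is
    rejected at load time rather than silently ignored at request time."""
    networks = []
    for entry in cidrs:
        # strict=False tolerates host bits being set, e.g. 192.168.1.5/24
        networks.append(ipaddress.ip_network(entry.strip(), strict=False))
    return networks


def is_source_allowed(remote_addr: str, networks: list[Network]) -> bool:
    """True if remote_addr lies inside any configured network.
    An empty list disables the filter, matching the option being unset."""
    if not networks:
        return True
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Peer address we cannot parse: fail closed.
        return False
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d;
    # compare those as IPv4 so IPv4 rules still apply to them.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


# Constructed sample: the range from the release notes plus loopback.
SAMPLE_ALLOWED = parse_allowed_cidrs(["192.168.1.0/24", "127.0.0.1/32"])

if __name__ == "__main__":
    for peer in ["192.168.1.42", "10.0.0.7", "::ffff:192.168.1.9", "garbage"]:
        verdict = "allowed" if is_source_allowed(peer, SAMPLE_ALLOWED) else "rejected"
        print(f"{peer} -> {verdict}")
```

If the GUI sits behind a reverse proxy or load balancer, the peer address the server sees is the proxy's, so an allowlist of this kind must be built around the proxy's address and the real browser source must be filtered at the proxy instead.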

Install & Use

Copyright (C) 2019 Velocidex