Velociraptor Deployment

<h1 style="font-size: 4ex">Velociraptor: Past, Present and Future</h1>

### DFIR in an evolving world.

### Mike Cohen, Digital Paleontologist
### Rapid 7 Inc

</div>

---

## Digital Forensics

* Started as part of law enforcement
   * Secure a conviction
* Court ready
   * Chain of custody
   * Preservation of evidence for court
   * Repeatable analysis
   * Exculpatory Evidence (i.e. prove lack of guilt).
       * Example: Trojan Defence

### Bit for bit copies of everything

</div>

---

![](dfir_lab.jpg)

---

## Enterprise Forensics

* Started as a way to assist Law Enforcement
    * Secure a conviction
* Still used in many applications;
    * IP Theft
    * HR Dismissals
    * Espionage
* Started off mimicking many of the Law Enforcement procedures
    * Chain of custody
    * Bit for bit copies

---

![](ransomeware.png)

---

## Challenges in Enterprise Forensics

* Enterprises tend to be distributed
    * Geographic separation
    * Organizational separation

* Rare to get conviction
    * A conviction does not compensate the organization
    * Profit driven - stem the bleeding

### How to stop it from happening again?

</div>

---

## Time is of the essence!

* Mean dwell time is now measured in hours or days
* Adversaries are well trained and very efficient
* Laterally move inside the network

### Need to improve scale and speed!

</div>

---

## Focus on answering questions

* What happened?
* How can we prevent it in future?
* What was taken?
* Can we recover anything?

---

## Velociraptor is born!

Velociraptor is the premier endpoint visibility tool.

* Driven by Velociraptor Query Language artifacts.
* Primarily a DFIR tool.
* Compliance/Vulnerability management.
* Endpoint monitoring.
* Open source with a strong community

---

## Architecture

![](../../modules/overview/deployment_overview.svg)

---

## Scalable, fast, accurate

* Support Linux, Windows, MacOS, FreeBSD …
* Server simply collects the results of queries - clients do all the heavy lifting.
* Client memory and CPU usage is controlled via throttling and active cancellations.
* Server is optimized for speed and scalability

---

## Interactively investigate clients

Digital forensic plugins turn VQL into a high quality DFIR tool

![](../../modules/gui_tour/vfs_view.png)

---

## Velociraptor Artifacts

Artifacts encode VQL into user shareable code snippets

![](../../modules/artifacts_introduction/artifacts.png)

---

## Hunts - Collecting at scale

Collecting artifacts at scale from multiple endpoints

![](../../modules/secure_shell/select_hunt_artifacts.png)

---

## Postprocessing using Notebooks

Notebooks are collaborative shared VQL execution environments

![](../../modules/secure_shell/postprocess_hunt.png)

---

## Improving Scale and Speed

* There are many types of forensic artifacts
    * Being able to remotely collect them is a game changer
* Requires knowledge and experience!

Ultimately we want to know `What went wrong?`

### Triage the endpoint - `What looks weird?`

</div>

---

## Triaging Using Sigma

* Endpoint tools can directly evaluate Sigma rules on the event logs

---

##  Collecting the sigma artifact

![](/presentations/what-is-velociraptor/collecting_sigma_rules.png)

---

## Triaging an endpoint

![](/presentations/what-is-velociraptor/query_logs.png)

---

## Stacking rules by title

![](/presentations/what-is-velociraptor/stacking_a_column.png)

---

## Viewing the stacking stats

![](/presentations/what-is-velociraptor/viewing_column_stack.png)

---

## Viewing common rows

![](/presentations/what-is-velociraptor/viewing_common_rows.png)

---

## The future:
### Is Digital Forensics Good enough?

* Many of the traditional Digital Forensics artifacts are not
  specifically designed for our needs.

* For example:
   * Prefetch files
      * Evidence of execution
   * Jumplists
      * Evidence of user actions
   * USB device insertion
      * Various registry keys

---

## If we rely on Digital Forensics, we have already lost!

### Digital Forensics is reactive in nature

### In a perfect world we would not need Digital Forensics!

</div>

---

## What if we could prepare for forensics?

* Sometimes we go into an incident unprepared, but a lot of the time
  we can prepare in advance!

* In a corporate setting we can actually prepare for forensic
    investigation and incident response

* Similar but orthogonal to system hardening

>  Taking steps in advance to increase our chances of successfully
>  investigating an incident!

---

## Forensic Readiness

1. Maximizing an environment's ability to collect credible digital
   evidence
2. Minimizing the cost of forensics in an incident response.

[Forensic Readiness John Tan @Stake (2001)](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.480.6094&rep=rep1&type=pdf)

---

## What can we do with Velociraptor?

* We can constantly check configuration for compliance

![](/presentations/sans_apac_2023/checking_log_modifications.png)

---

## What can we do with Velociraptor?

* Real time alerting on configuration modifications

![](/presentations/sans_apac_2023/detection_log_modifications.png)

---

## Real Time Sigma alerting

### Configuring Velociraptor's client monitoring

![](/presentations/what-is-velociraptor/configuring_client_monitoring.png)

---

## Conclusions

We only scratched the surface of what Velociraptor can do!

Check out the following links and join our community…

<table class="noborder">
<tr>
    <td>Docs</td><td>
        <a href="https://docs.velociraptor.app/">https://docs.velociraptor.app/</a>
    </td>
</tr>
<tr>
    <td>Github</td><td>
        <a href="https://github.com/Velocidex/velociraptor">https://github.com/Velocidex/velociraptor</a>
    </td>
</tr>
<tr>
    <td>Discord</td><td>
        <a href="https://docs.velociraptor.app/discord/">https://docs.velociraptor.app/discord/</a>
    </td>
</tr>
<tr>
    <td>Mailing list</td><td>
        <a href="mailto:velociraptor-discuss@googlegroups.com">velociraptor-discuss@googlegroups.com</a>
    </td>
</tr>
</table>