Velociraptor: Past, Present and Future
### DFIR in an evolving world
### Mike Cohen, Digital Paleontologist
### Rapid7 Inc
---
## Digital Forensics
* Started as part of law enforcement
  * Secure a conviction
  * Court ready
* Chain of custody
  * Preservation of evidence for court
  * Repeatable analysis
* Exculpatory evidence (i.e. prove lack of guilt)
  * Example: Trojan Defence
### Bit for bit copies of everything
---
## Enterprise Forensics
* Started as a way to assist law enforcement
  * Secure a conviction
* Still used in many applications:
  * IP theft
  * HR dismissals
  * Espionage
* Started off mimicking many of the law enforcement procedures
  * Chain of custody
  * Bit for bit copies
---
## Challenges in Enterprise Forensics
* Enterprises tend to be distributed
  * Geographic separation
  * Organizational separation
* Rare to get a conviction
  * A conviction does not compensate the organization
* Profit driven: stem the bleeding
### How to stop it from happening again?
---
## Time is of the essence!
* Mean dwell time is now measured in hours or days
* Adversaries are well trained and very efficient
* They move laterally inside the network
### Need to improve scale and speed!
---
## Focus on answering questions
* What happened?
* How can we prevent it in future?
* What was taken?
* Can we recover anything?
---
## Velociraptor is born!
Velociraptor is the premier endpoint visibility tool.
* Driven by Velociraptor Query Language (VQL) artifacts.
* Primarily a DFIR tool.
* Compliance/vulnerability management.
* Endpoint monitoring.
* Open source with a strong community.
---
## Architecture
---
## Scalable, fast, accurate
* Supports Linux, Windows, macOS, FreeBSD …
* The server simply collects the results of queries: clients do all the heavy lifting.
* Client memory and CPU usage is controlled via throttling and active cancellations.
* The server is optimized for speed and scalability.
---
## Interactively investigate clients
Digital forensic plugins turn VQL into a high quality DFIR tool.
---
## Velociraptor Artifacts
Artifacts encode VQL into user-shareable code snippets.
---
## Hunts: collecting at scale
Collecting artifacts at scale from multiple endpoints.
---
## Postprocessing using Notebooks
Notebooks are collaborative shared VQL execution environments.
---
## Improving Scale and Speed
* There are many types of forensic artifacts
* Being able to remotely collect them is a game changer
* Requires knowledge and experience!

Ultimately we want to know `What went wrong?`
### Triage the endpoint - `What looks weird?`
---
## Triaging Using Sigma
* Endpoint tools can directly evaluate Sigma rules on the event logs
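---
## Stacking Sigma hits, in code

The triage loop described on these slides (evaluate Sigma rules over event log records, then stack the hits by rule title so that the rare titles stand out) as a stand-alone Python illustration. This is an added example, not Velociraptor's own VQL or any of its artifacts: the Sigma subset it understands (one `selection`, an optional `filter`, the `contains`/`startswith`/`endswith` modifiers, and the two conditions `selection` and `selection and not filter`), the three rules and the six event records are all constructed for this example.

```python
"""Sigma-style triage over event-log records, stacking rule hits by title.

Added illustration, not Velociraptor's own VQL: a tiny evaluator for the
most common Sigma rule shape, run over constructed events, then stacked by
rule title so that noisy rules drop out and rare ones stand out.
"""
from collections import Counter

# Constructed sample rules: a subset of the Sigma schema (title, level,
# a detection block with a selection map, optional filter map, condition).
RULES = [
    {"title": "Process Creation", "level": "informational",
     "detection": {"selection": {"EventID": 4688},
                   "condition": "selection"}},
    {"title": "Encoded PowerShell Command Line", "level": "high",
     "detection": {"selection": {"EventID": 4688,
                                 "Image|endswith": "\\powershell.exe",
                                 "CommandLine|contains": ["-enc", "-EncodedCommand"]},
                   "condition": "selection"}},
    {"title": "New Service Installed", "level": "medium",
     "detection": {"selection": {"EventID": 7045},
                   "filter": {"ServiceName|startswith": "MSSQL"},
                   "condition": "selection and not filter"}},
]

# Constructed sample events, shaped like flattened Windows event log records.
EVENTS = [
    {"EventID": 4688, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 4688,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": "firefox.exe"},
    {"EventID": 7045, "ServiceName": "MSSQLSERVER",
     "ImagePath": "C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe"},
    {"EventID": 7045, "ServiceName": "hlprsvc",
     "ImagePath": "C:\\Users\\Public\\helper.exe"},
    {"EventID": 4624, "LogonType": 3},
]


def field_matches(event, key, expected):
    """Match one selection entry. `key` is `Field` or `Field|modifier`;
    a list of expected values is an OR, as in Sigma. Comparisons are
    case-insensitive, which is how Sigma string matching is defined."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in (str(c).lower() for c in candidates):
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def selection_matches(event, selection):
    """Every entry of a selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule):
    """Evaluate the two condition shapes this toy supports."""
    det = rule["detection"]
    condition = det["condition"]
    if condition == "selection":
        return selection_matches(event, det["selection"])
    if condition == "selection and not filter":
        return (selection_matches(event, det["selection"])
                and not selection_matches(event, det["filter"]))
    raise ValueError(f"unsupported condition: {condition!r}")


def evaluate(rules, events):
    """Return one (title, level, event) tuple per matching rule/event pair."""
    return [(r["title"], r["level"], e) for e in events for r in rules
            if rule_matches(e, r)]


def stack_by_title(hits):
    """Stack hits by rule title: the per-title count is the triage view."""
    return Counter(title for title, _, _ in hits)


def rare_titles(stack, max_hits=1):
    """Titles that fired at most `max_hits` times: the 'what looks weird' list."""
    return sorted(t for t, n in stack.items() if n <= max_hits)


if __name__ == "__main__":
    stack = stack_by_title(evaluate(RULES, EVENTS))
    for title, n in stack.most_common():
        print(f"{n:4d}  {title}")
    print("Look here first:", rare_titles(stack))
```

On the constructed events the informational "Process Creation" rule fires three times and sinks to the bottom of the stack, while the encoded PowerShell launch and the non-SQL service install each fire once and surface as the two titles worth opening first. The same stacking applies across many endpoints in a hunt: a title that fires once in a fleet is more interesting than one that fires on every host.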
---
## Collecting the Sigma artifact
---
## Triaging an endpoint
---
## Stacking rules by title
---
## Viewing the stacking stats
---
## Viewing common rows
---
## The future:
### Is Digital Forensics good enough?
* Many of the traditional digital forensics artifacts are not specifically designed for our needs.
* For example:
  * Prefetch files
    * Evidence of execution
  * Jumplists
    * Evidence of user actions
  * USB device insertion
    * Various registry keys
---
## If we rely on Digital Forensics, we have already lost!
### Digital Forensics is reactive in nature
### In a perfect world we would not need Digital Forensics!
---
## What if we could prepare for forensics?
* Sometimes we go into an incident unprepared, but a lot of the time we can prepare in advance!
* In a corporate setting we can actually prepare for forensic investigation and incident response
* Similar but orthogonal to system hardening

> Taking steps in advance to increase our chances of successfully
> investigating an incident!
---
## Forensic Readiness
1. Maximizing an environment's ability to collect credible digital evidence
2. Minimizing the cost of forensics in an incident response

[Forensic Readiness, John Tan, @stake (2001)](https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.480.6094&rep=rep1&type=pdf)
---
## What can we do with Velociraptor?
* We can constantly check configuration for compliance
---
## What can we do with Velociraptor?
* Real time alerting on configuration modifications
---
## Real Time Sigma alerting
### Configuring Velociraptor's client monitoring
---
## Conclusions
We only scratched the surface of what Velociraptor can do!

Check out the following links and join our community…
Docs
https://docs.velociraptor.app/
Github
https://github.com/Velocidex/velociraptor
Discord
https://docs.velociraptor.app/discord/
Mailing list
velociraptor-discuss@googlegroups.com