A quick tour of the past year...
The Offline Collector produces a ZIP file containing sensitive data
Previously it was protected only with a ZIP password.
Since 0.6.7 the offline collector can produce Asymmetric Encrypted ZIP files.
X509 encryption is selected during the Offline Collector preparation process.
The collector produces an encrypted container that requires the X509 private key to decrypt.
Users need to be able to easily export/import collections between Velociraptor servers.
Therefore we need a standard collector format that can be read in again!
The following container types can be reimported into Velociraptor with Server.Utils.ImportCollection
LET X <= SELECT * FROM glob(globs=specs.Glob, accessor=Accessor)
SELECT *, count()
FROM glob(globs="C:/Windows/System32/*")
GROUP BY Name
New keyword EXPLAIN: allows VQL to explain how the query works.
All tables now allow filtering and sorting directly on each column.
A hex viewer is now included directly in the GUI, allowing quick preview of collected data.
Client indexing has been improved and is now extremely fast.
Some security improvements:
Lockdown mode:
Plugin allow-listing:
IP filtering for the GUI:
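An added example of the kind of check behind IP filtering for the GUI, written for this page in Go but not taken from the Velociraptor code base (the AllowList type, its method names and the CIDR entries are assumptions): a middleware that admits only peers inside a configured set of networks, judged by the TCP peer address rather than by a client-controlled header.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// AllowList holds the networks permitted to reach the GUI.
// Illustrative type; assumption: not Velociraptor's own implementation.
type AllowList struct {
	nets []*net.IPNet
}

// NewAllowList parses CIDR strings such as "10.0.0.0/8" or "192.0.2.7/32".
// Bare addresses without a prefix length are rejected rather than guessed,
// so a typo in the configuration fails loudly at startup.
func NewAllowList(cidrs []string) (*AllowList, error) {
	al := &AllowList{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("allow-list entry %q: %w", c, err)
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

// Allowed reports whether addr (an IP string, possibly with a port as found in
// http.Request.RemoteAddr) falls inside one of the permitted networks.
func (al *AllowList) Allowed(addr string) bool {
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false // unparsable peer address: fail closed
	}
	for _, n := range al.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Middleware wraps an http.Handler and rejects peers outside the allow list.
// It deliberately uses the TCP peer address (RemoteAddr), not X-Forwarded-For,
// which any client can set; a forwarded header is only trustworthy when a
// reverse proxy you control strips and rewrites it.
func (al *AllowList) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !al.Allowed(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrapping the GUI mux with `al.Middleware(mux)` applies the filter to every route; the test below also shows that a spoofed X-Forwarded-For header from an outside address does not get through.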
Many new accessors facilitate sophisticated automation
Direct SMB access: allows reading from or uploading to remote SMB shares.
Azure blob storage upload.
S3 accessor: allows reading from and uploading to S3 buckets.
We wanted to understand our user base - so we asked!
Thank you for the Community and product feedback!
This is a game changer for the DFIR industry. Keep up the great work.
Keep the file-system-based back end; its simplicity makes chain-of-custody/court submissions possible.
I thoroughly love Velociraptor. The team and community are absolutely fantastic.
Having a widely deployed Velociraptor installation creates many opportunities for automation and wider use cases!
Any time we can ask a question of many endpoints at once we can use Velociraptor!
Monitoring endpoints for changes makes Velociraptor an excellent candidate.
We can apply hardening checks to ensure endpoints are in compliance!
New project to explore Auditing and Compliance Checks: https://github.com/Velocidex/Audit
Started off as a consolidated SQLite artifact inspired by SQLECmd.
Grew into much more than that! (ESE, Chrome, IECache, macOS artifacts)
Velociraptor needs you to join the community and help drive future development!
Filing bug reports and feature requests helps build the ultimate DFIR tool YOU want to use!
Docs: https://docs.velociraptor.app/
Github: https://github.com/Velocidex/cloudvelo
Discord: https://docs.velociraptor.app/discord/
Mailing list: velociraptor-discuss@googlegroups.com