Velociraptor - Year In Review
VeloCon 2023
Mike Cohen, Digital Paleontologist
The year was a productive year!
- Latest release 0.7.0
- Stability and bug fixes with community engagement
- So many new features it is hard to keep track of
- More enterprise ready!
A quick tour of the past year...
NTFS Parser
- MFT Reconstruction returns all the hard links
- The MFT can contain multiple $FILENAME streams
- Each $FILENAME stream may indicate a different parent MFT Entry
- Therefore each file may exist in multiple directories at the same time
- This is called hard links!
NTFS Parser
- The same file can be accessed using multiple paths.
The offline collector: Encryption
The Offline Collector produces a ZIP file containing sensitive data
Previously only protected with ZIP password.
- This requires the password be in plain text in the collector binary.
Since 0.6.7 the offline collector can produce Asymmetric Encrypted ZIP files.
- This ensures they are protected in transit - Only the server can decrypt them!
The offline collector: Encryption
Selecting X509 encryption during the Offline Collector preparation process.
The offline collector: Encryption
The collector produces an encrypted container that requires the X509 private key to decrypt.
Importing/Exporting collections
Users need to be able to easily export/import collections between Velociraptor servers.
Therefore we need a standard collector format that can be read in again!
Importing/Exporting collections
The following container types can be reimported into Velociraptor with Server.Utils.ImportCollection
- Offline collector produced collections
- Collections exported using the GUI
- Contains all metadata to recreate the collection records
Performance improvements
New Client/Server Protocol
- Offloads a lot of tracking to the client
- Means the server can handle many more clients
The Virtual File System
- Used to view files on the endpoint
- Synced with the server
- Previously design was limited to smallish directories
- New design means we can handle arbitrary sized directories.
VQL improvements
Memory/Performance tradeoffs
- Previously certain operations resided in memory leading to excessive memory user.
- Now VQL resorts to disk for these operations so they are safe.
LET X <= SELECT * FROM glob(globs=specs.Glob, accessor=Accessor)
SELECT *, count()
FROM glob(globs="C:/Windows/System32/*")
GROUP BY NameVQL improvements
Debugging VQL queries
New keyword EXPLAIN allows VQL to explain how the query works.
GUI Improvements
Column filtering and sorting
All tables now allow directly filtering and sorting on each column.
GUI Improvements
Built in Hex Viewer/Preview
A Hexviewer is now included directly in the GUI allowing quick preview of collected data.
- Can search collected files by Regular Expression or hex strings.
GUI Improvements
Enhanced client search
Client indexing has been improved and is now extremely fast.
- We can also report total matches in the GUI
Locking down the server
Some security improvements:
Lockdown mode:
- Prevent the server from issuing new collections, updating artifacts etc.
Plugin allow-listing:
- On shared servers prevent certain plugins from being registered.
IP Filtering the GUI:
- Restrict GUI connections from certain CIDR ranges
New Accessors
Many new accessors facilitate sophisticated automation
Direct SMB access: Allows reading or uploading to remote SMB shares.
Azure blob storage upload.
S3 accessor allows reading from and uploading to S3 buckets
The Velociraptor Community
Who are our users?
The Velociraptor Community survey
We wanted to understand our user base - so we asked!
- Users range from
- very small (30%)
- large companies (20%)
- Use cases include
- Digital Forensic Collection (20%)
- Digital Forensic Analysis (21%)
- Incident Response (hunting) (21%)
- Monitoring and Detection (12%)
The Velociraptor Community survey
- Deployment sizes vary a lot
- Many users run deployments of less than 250 endpoints (44%)
- About 40% of users deploy to less than 5,000 endpoints.
- Approximately 10% of users have deployment sizes larger than 25,000 endpoints
- Approximately 2% of users over 100,000 endpoints.
The Velociraptor Community survey
Thank you for the Community and product feedback!
This is a game changer for the DFIR industry. Keep up the great work.
Keep the file system based back end, its simplicity makes chain of custody/court submissions possible.
I thoroughly love Velociraptor. The team and community are absolutely fantastic.
Looking into the future
Velociraptor as a platform!
Velociraptor as a platform!
Having a widely deployed Velociraptor installation creates many opportunities for automation and wider use cases!
Any time we can ask a question of many endpoints at once we can use Velociraptor!
Monitoring endpoints for changes makes Velociraptor an excellent candidate.
Auditing and Compliance
We can apply hardening checks to ensure endpoints are in compliance!
- Automatically generate VQL for hunting.
New project to explore Auditing and Compliance Checks https://github.com/Velocidex/Audit
SQLite Hunting
Started of as a consolidated SQLite artifact inspired by SQLECmd
Grew into much more than that! (ESE, Chrome, IECache, MacOS artifacts)
- Fully automated
- Flexible
- Extremely fast!
We need your help!
Velociraptor needs you to join the community and help drive future development!
Filing bug reports and feature requests helps building the ultimate DFIR tool YOU want to use!
Conclusions
- Join all the fun on Discord and Github!
- If you have not yet played with Velociraptor what are you waiting for?
| Docs | https://docs.velociraptor.app/ |
| Github | https://github.com/Velocidex/cloudvelo |
| Discord | https://docs.velociraptor.app/discord/ |
| Mailing list | velociraptor-discuss@googlegroups.com |