Forensic Analysis

In the previous sections we learned the syntax of VQL. But VQL is not useful without a good set of plugins that make DFIR work possible. Velociraptor’s strength lies in the wide array of VQL plugins and functions that are geared towards making DFIR investigations and detections effective.

    Searching Filenames

    One of the most common operations in DFIR is searching for files based on their file names.

    Searching Content

    A powerful DFIR technique is searching bulk data for patterns. YARA is a powerful keyword scanner that allows searching unstructured binary data based on user-provided rules.

    NTFS Analysis

    NTFS is the standard Windows filesystem. Velociraptor contains powerful NTFS analysis capabilities.

    Binary parsing

    Parsing binary data is a very important capability for forensic analysis and DFIR - we encounter binary data in many contexts, such as file formats, network traffic and more.

    Velociraptor uses VQL to give users the flexibility to craft a query that retrieves valuable machine state data. Sometimes answering these questions requires parsing binary data.

    While binary parsers written in Golang are typically the best option for speed and memory efficiency, the need to compile a parser into an executable and push it to the endpoint makes it difficult to implement ad hoc parsers. Ideally we would like a parser implemented fully in VQL, so it can be added to an artifact and pushed to the endpoint without needing to recompile or rebuild anything.

    Evidence Of Execution

    Sometimes we need to find out when (or if) a particular binary was run on the endpoint. This question can come up in a number of contexts, such as a user running malware, lateral movement by a threat actor, etc.

    Windows has a rich set of forensic artifacts that we can use to infer program execution. This page covers some of the more common evidence of execution artifacts.

    Prefetch files

    Prefetch files are used to keep track of program executions.

    Event Logs

    Windows Event Logs

    The Windows event logs are stored in files with the extension *.evtx, typically located in C:\Windows\System32\WinEVT\Logs\*.evtx.

    Unlike traditional Unix-style log files that consist of unstructured text, Windows EVTX files are stored in a binary format with several advantages:

    • Rollover - The EVTX file is divided into chunks, and new chunks can overwrite older chunks. This allows the file size to be limited: when the event log fills up, events simply wrap around to the start of the file, overwriting older events.
    • Binary XML format provides some compression. Although not as much compression as gzip or bzip, EVTX files use a binary encoding to save some space over plain XML.
    • Structured records with strong types - This is perhaps the most important difference from Unix-style logs. Structured logs allow accurate and fast filtering of log files and obviate the need to parse unstructured text.

    While the EVTX file is XML-based, Velociraptor converts each record internally into a JSON object, making it easier to filter on specific fields using VQL constructs.

    Volatile machine state

    Traditional forensic analysis relies on filesystem artifacts. However, one of the greatest advantages of performing live response is the ability to access the live system's state and uncover volatile indicators that exist only briefly and may change in the future.

    Traditionally, volatile evidence was acquired by taking a full memory dump of the running system and then using one of a number of memory analysis frameworks to extract some of the types of forensic artifacts discussed on this page.