Forensic Analysis

In previous sections we learned the syntax of VQL. But VQL is not useful without a good set of plugins that make DFIR work possible.

One of Velociraptor’s key strengths is its wide array of VQL plugins, functions and accessors that enable in-depth, fast, and effective DFIR investigations and detections.

In this section we look at common forensic analysis tasks and recommended ways to accomplish them using VQL.

  • Searching Filesystems: One of the most common operations in DFIR is searching for files efficiently. When searching for a file, we may search by filename, path, file content, size or other properties.

  • Searching Content: A powerful DFIR technique is searching bulk data for patterns. YARA is a powerful keyword scanner that allows searching unstructured binary data based on user-provided rules.

  • NTFS Analysis: NTFS is the standard Windows filesystem. Velociraptor contains powerful NTFS analysis capabilities.

  • Binary Parsing: Velociraptor uses VQL to give users the flexibility to craft a query that retrieves valuable machine state data. Sometimes we need to parse binary data to answer these questions.

  • Evidence Of Execution: Windows has a rich set of forensic artifacts that we can use to infer program execution. This page covers some of the more common evidence of execution artifacts.

  • Event Logs: Windows event logs are a common source of evidence of malicious activity. Velociraptor supports reading Windows evtx files and events from Event Tracing for Windows (ETW) providers.

  • Volatile Machine State: Traditional forensic analysis relies on filesystem artifacts. However, one of the best advantages of performing live response is the ability to access the live system’s state and uncover volatile indicators that only exist briefly and might change in the future.