In the previous sections we learned the syntax of VQL. But VQL is not useful without a good set of plugins that make DFIR work possible. Velociraptor’s strength lies in the wide array of VQL plugins and functions that are geared towards making DFIR investigations and detections effective.
One of the most common operations in DFIR is searching for files based on their file names.
A powerful DFIR technique is searching bulk data for patterns. YARA is a powerful keyword scanner that allows searching unstructured binary data based on user-provided rules.
NTFS is the standard Windows filesystem. Velociraptor contains powerful NTFS analysis capabilities.
Parsing binary data is a very important capability for forensic analysis and DFIR - we encounter binary data in many contexts, such as file formats, network traffic and more. Velociraptor uses VQL to give users the flexibility to craft a VQL query that retrieves valuable machine state data. Sometimes we need to parse binary data to answer these questions. While binary parsers written in Golang are typically the best option for speed and memory efficiency, the need to compile a parser into an executable and push it to the endpoint makes it difficult to implement ad hoc parsers.
Sometimes we need to find out when (or if) a particular binary was run on the endpoint. This question can come up in a number of contexts, such as a user running malware, lateral movement by a threat actor, etc. Windows has a rich set of forensic artifacts that we can use to infer program execution. This page covers some of the more common evidence of execution artifacts.
Prefetch files
Prefetch files are used to keep track of executions
Windows Event Logs
The Windows event logs are stored in files with the extension *.evtx, typically located within C:\Windows\System32\WinEVT\Logs\*.evtx. Unlike traditional Unix-style log files that consist of unstructured text, Windows EVTX files are stored in a binary format with several advantages: Rollover - The EVTX file is divided into chunks and new chunks can overwrite older chunks. This allows the file size to be limited, and when the event log fills up, events simply rotate into the start of the file, overwriting older events.
Traditional forensic analysis relies on filesystem artifacts. However, one of the best advantages of performing live response is the ability to access the live system's state and uncover volatile indicators that only exist briefly and might change in the future. Traditionally, volatile evidence was acquired by taking a full memory dump of the running system and then using one of a number of memory analysis frameworks to extract some of the types of forensic artifacts we discuss on this page.