In previous sections we learned the syntax of VQL. But VQL is not useful without a good set of plugins that make DFIR work possible.
One of Velociraptor’s key strengths is its wide array of VQL plugins, functions and accessors that enable in-depth, fast, and effective DFIR investigations and detections.
In this section we look at common forensic analysis tasks and recommended ways to accomplish them using VQL.
One of the most common operations in DFIR is searching for files efficiently. When searching for a file, we may search by filename, path, file content, size or other properties.
A powerful DFIR technique is searching bulk data for patterns. YARA is a powerful keyword scanner that searches unstructured binary data based on user-provided rules.
NTFS is the standard Windows filesystem. Velociraptor contains powerful NTFS analysis capabilities.
Velociraptor uses VQL to give users the flexibility to craft a query that retrieves valuable machine state data. Sometimes we need to parse binary data to answer these questions.
Windows has a rich set of forensic artifacts that we can use to infer program execution. This page covers some of the more common evidence of execution artifacts.
Windows event logs are a common source of evidence of malicious activity. Velociraptor supports reading Windows evtx files and events from Event Tracing for Windows (ETW) providers.
Traditional forensic analysis relies on filesystem artifacts. However, one of the best advantages of performing live response is the ability to access the live system’s state and uncover volatile indicators that only exist briefly and might change in the future.