Notebooks are interactive collaborative documents which can interleave markdown and VQL queries in to create an interactive report. Notebooks are typically used to track and post process one or more hunts or collaborate on an investigation.
Let’s create a notebook to see the feature at work.
velociraptor.exe gui. This will create a new server configuration and start a new server on the local machine. It will also start a local client communicating with the server.
Select Notebooks from the sidebar menu then “Add Notebook” .
Give the notebook a name and a description and submit. The new notebook is created.
A notebook consists of cells which may be edited. However, when not in focus a cell has no decorations in order to appear as a seamless part of a larger document. You have to click the cell into focus to be able to see it’s controls.
Edit Cellbutton to edit the cell contents.
There are two types of cells: A
Markdown cell receives markdown text
and renders HTML while a
VQL cell can receive VQL queries. The cell
type is shown on the right hand side of the cell toolbar. You may
change cells from one type to the other at any time.
Add Cellbutton and a pull down menu appears offering the type of Cell that can be added. For now, select a
After clicking the
Edit Cell button, you can type VQL directory into
the cell. As you type, the GUI offers context sensitive suggestions
about what possible completions can appear at the cursor. Typing “?”
will show all suggestions possible.
Suggestions are context sensitive, so VQL plugins which can only
appear after a
FROM clause will only be suggested when the cursor
appears are FROM.
Lets type the following VQL query into the VQL cell.
SELECT * FROM info()
The notebook may be switched into full screen to better emulate a full notebook. With this setting, the notebook takes up the entire width of the screen. You can switch back to the paned view by clicking on the collapse button at the top right of the screen.
Notebooks are an excellent medium to run arbitrary VQL queries. Much of the time, these queries are used to post process the results from collections or hunts.
Therefore Velociraptor automatically creates a
hunt notebook for
each hunt and a
flow notebook for each collection. Let’s see this
feature in action. I will collect the
artifact that will build a timeline of the prefetch files on the