Velociraptor is primarily a live analysis tool. However traditional forensics calls for the acquisition of raw disk images to preserve evidence.
In most incident response use cases it is very rare to acquire a raw disk image: modern disks are simply too large for this to be useful. Also, physical storage devices such as SSDs implement TRIM, making it very unlikely that deleted data can be recovered.
However sometimes (more commonly in cloud VM analysis), it is possible to encounter a raw disk image in one of the popular image formats:

- EWF images will have the `.e01`, `.e02` etc. extension.
- VMDK (VMware Disk) images will have the `.vmdk` extension.
- VHDX (usually Microsoft images) will have the `.vhdx` extension.
- Raw images (sometimes called `dd` images).

Velociraptor can read all the above image types and supports parsing data from images, as opposed to the live system, by using a mechanism called Accessor Remapping.
You can read the details in the link above but, put simply, remapping is a way to specify how Velociraptor should open specific files. The Remapping Configuration tells Velociraptor how to map IO requests from VQL queries into the disk image instead of calling the OS APIs on the analysis system itself.
Once a remapping file is created, you just need to start a client using this remapping file. The new virtual client appears like a regular client, except that all IO requests come from the disk image.
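A minimal remapping file of the kind described above, written here as an added illustration rather than taken from the original page or generated by the artifact. It assumes a raw image of a single Windows NTFS partition; `IMAGE_PATH` is a placeholder, and the key names follow the Velociraptor remapping documentation as the editor recalls them, so check them against the docs for your release.

```yaml
# Added example: remapping.yaml for a raw image of one Windows NTFS partition.
# IMAGE_PATH is a placeholder; replace it with the real location of the image.
remappings:
  # Present the NTFS volume inside the image as the "ntfs" accessor's C: device,
  # so artifacts that parse the MFT, USN journal etc. read from the image.
  - type: mount
    from:
      accessor: raw_ntfs
      prefix: |
        {
          "DelegateAccessor": "file",
          "DelegatePath": "IMAGE_PATH",
          "Path": "/"
        }
    on:
      accessor: ntfs
      prefix: '\\.\C:'
      path_type: ntfs

  # Also expose the same volume through the plain "file" accessor as C:,
  # so artifacts that glob ordinary paths (C:/Windows/...) hit the image too.
  - type: mount
    from:
      accessor: raw_ntfs
      prefix: |
        {
          "DelegateAccessor": "file",
          "DelegatePath": "IMAGE_PATH",
          "Path": "/"
        }
    on:
      accessor: file
      prefix: 'C:'
      path_type: windows

  # Make the virtual client identify as a Windows host (hostname is constructed),
  # and disable plugins that only make sense against a live system.
  - type: impersonation
    os: windows
    hostname: DEADDISK-EXAMPLE
    env:
      - key: SystemRoot
        value: C:\Windows
      - key: WinDir
        value: C:\Windows
    disabled_plugins:
      - pslist
      - netstat
      - wmi
```

The client is then started with its normal client configuration plus this file, for example `velociraptor --config client.config.yaml --remap remapping.yaml client -v`; the Server.Utils.DeadDiskClient artifact described below performs these steps for you.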
The following will work in most simple cases, namely a disk or partition image of a Windows system, stored on the C: drive.
1. Select Server Artifacts in the sidebar menu.
2. Click the New Collection button.
3. Select the Server.Utils.DeadDiskClient artifact and configure the path to the image in the artifact parameters.
4. The Hostname parameter controls what the virtual client will identify as. The WritebackFile parameter will store the writeback of the virtual client so you can reuse it next time to keep the same client id.
5. In the Resources tab you can update the Max Execution time, which controls how long the virtual client will be alive. By default this is 1 hour.
6. After launching the artifact, you can inspect the query log to see how the artifact automatically inspects each partition to detect the remapping configuration.
Although it appears that the collection is not complete, it is actually starting a client with this remapping and waiting for the timeout before the client is torn down. During this time you can interact with the client, collect any artifacts, participate in any hunts, etc.