Velociraptor is an incredibly powerful tool, but sometimes it is hard to know where to start. This page aims to help newcomers to Velociraptor by presenting a set of playbooks to use when faced with certain tasks.
One of the most common tasks in DFIR is searching for files on the endpoint.
A compromised endpoint is likely to be destroyed. You want to preserve raw files until you have an opportunity to analyse them later.
An endpoint is suspected of being compromised but you dont know exactly what happened. You want to get an initial idea by examining the logs on the actual endpoint.