Velociraptor is an incredibly powerful tool, but sometimes it is hard to know where to start. This page aims to help newcomers to Velociraptor by presenting a set of playbooks to use when faced with certain tasks.
One of the most common operations in DFIR is searching for files efficiently. When searching for a file, we may search by filename, file content, size or other properties.
As a system administrator you have a high level of confidence that a certain endpoint is compromised. You wish to preserve critical evidence while arranging for a more experienced DFIR professional to examine it.
An endpoint is suspected of being compromised but you don’t know exactly what happened. You want to get an initial idea by examining the logs on the actual endpoint.