Authors: Michael Cohen (Velocidex)
DFRWS USA 2021
Abstract
Velociraptor is the new open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts but how do you do it in a scalable way, in a reasonable time? Well… now you can!
This workshop is an introduction to forensic analysis and incident response at enterprise scale using Velociraptor. We cover the basics of installing Velociraptor and after a quick tour of the GUI we dive into the Velociraptor query language – the real workhorse behind Velociraptor. The unique advantage behind VQL is that users can create their own queries to implement customised hunts for novel types of indicators.
This workshop will be a deeper dive into VQL and how it can be used in a practical way. We present a number of novel indicators from open sources, such as blog posts, research papers and vulnerability reports. Using this information, we will devise detection strategies to produce high fidelity signals of compromise. Finally we implement these strategies using VQL artifact hunts and illustrate how large scale detection and collection of novel forensic artifacts can be carried out in minutes.
We will cover the following use cases:
- Hunt for modified registry keys (e.g. Disabled event logs, Autoruns)
- Monitoring with ETW – Detecting and responding to events by harnessing ETW
- Timeline analysis using MFT, USN
- Process execution analysis using USN, Prefetch.
Required software:
1. A Windows VM with admin level access – you can download a windows VM from Microsoft here https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
2. A copy of Velociraptor from our GitHub page at https://github.com/Velocidex/velociraptor