Authors: Mike Cohen, Velocidex Enterprises
DFRWS EU 2021
Abstract
Workshop organiser: Mike Cohen, Velocidex Enterprises
Date and Time: Thursday 1st April, 2-4:15pm Irish/British Summer Time
Velociraptor is the new open source DFIR framework that everyone is talking about! Have you ever needed to respond to an incident in a large enterprise network? Have you wondered how many of your 10,000 endpoints are compromised? You know you should be hunting for common forensic artifacts, but how do you do it in a scalable way, in a reasonable time? Well… now you can!
This workshop is an introduction to forensic analysis and incident response at enterprise scale using Velociraptor. We cover the basics of installing Velociraptor and, after a quick tour of the GUI, we dive into the Velociraptor Query Language (VQL), the real workhorse behind Velociraptor.
We then look at modern DFIR techniques that expose critical forensic artifacts: process analysis (VAD, mutants, handles), low-level NTFS analysis (USN journal analysis, timelining), evidence of execution (Prefetch files, Amcache, SRUM), and event log collection and analysis.
Some of the scenarios we cover include:
- A domain account was compromised. Where did the attacker laterally move to?
- Malware was delivered via a phishing email. Were other users in the domain compromised by the same malware?
- Uncovering common malware persistence mechanisms.
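The first scenario above (a compromised domain account, where did it go?) is the kind of question a Velociraptor hunt answers by running one VQL query on every endpoint and collecting the rows centrally. The custom artifact below is an added example written for this page, not one of Velociraptor's built-in artifacts and not the workshop's own material: hunted across the fleet, it returns the network (LogonType 3) and RDP (LogonType 10) logons for the account in question from each host's local Security log, so the set of hosts that return rows is the set of hosts the account authenticated to, together with the source address of each logon. The account name `jdoe` and the artifact name are assumptions; the `parse_evtx()` plugin, the `System.EventID.Value` / `EventData.*` row layout and the `timestamp()` function are Velociraptor's.

```yaml
# Custom artifact (example added for this page, not shipped with Velociraptor).
name: Custom.Windows.Hunt.LateralMovement
description: |
  Reads the local Security event log and returns successful network (3)
  and RDP (10) logons for one domain account. Run as a hunt: every host
  that returns rows is a host the compromised account moved to, and
  SourceIP / SourceHost show where each logon came from.
type: CLIENT

parameters:
  - name: TargetUser
    description: Regex for the compromised account's sAMAccountName (assumed value).
    default: "^jdoe$"
  - name: SecurityLog
    description: Path of the Security log on the endpoint.
    default: C:/Windows/System32/winevt/Logs/Security.evtx

sources:
  - precondition: SELECT OS From info() where OS = 'windows'
    query: |
      SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
             EventData.TargetUserName AS User,
             EventData.TargetDomainName AS Domain,
             EventData.LogonType AS LogonType,
             EventData.IpAddress AS SourceIP,
             EventData.WorkstationName AS SourceHost,
             EventData.LogonProcessName AS LogonProcess,
             EventData.AuthenticationPackageName AS AuthPackage
      FROM parse_evtx(filename=SecurityLog)
      WHERE System.EventID.Value = 4624
        AND (EventData.LogonType = 3 OR EventData.LogonType = 10)
        AND EventData.TargetUserName =~ TargetUser
        -- Local and loopback logons are noise for a lateral-movement question.
        AND NOT EventData.IpAddress IN ("-", "127.0.0.1", "::1")
      ORDER BY LogonTime DESC
```

Two caveats a practitioner will hit: the Security log on busy servers rolls over in hours, so run the hunt early and widen it with `Artifact.Windows.EventLogs.Evtx` against backed-up or forwarded logs if the window of interest has already aged out; and the `TargetUser` regex is anchored deliberately, because an unanchored `jdoe` would also match `jdoe-admin` and similar accounts.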
We also consider the offline Velociraptor collector: how to collect evidence without installing an endpoint agent, at the touch of a button, and automatically stream the collected data to cloud buckets.
Finally, we consider how to proactively hunt for attackers using low-level forensic analysis. Using Velociraptor's endpoint monitoring feature, we will develop effective endpoint monitoring rules to detect future compromise quickly and efficiently.
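Endpoint monitoring rules in Velociraptor are client event artifacts: a VQL query that never terminates, streams rows back to the server as events occur, and can be enabled on every client from the server. The artifact below is an added example for this page, not part of the workshop material or of Velociraptor's built-in artifact set. It follows the System event log as it grows with `watch_evtx()` and reports every new service installation (System event 7045), which is how PsExec-style remote execution and a large share of persistence mechanisms leave their mark; the artifact name and the optional image-path allow-list are assumptions.

```yaml
# Custom client event artifact (example added for this page, not shipped
# with Velociraptor). Enable it under Server Artifacts / Client Events
# and every endpoint streams a row back each time a service is installed.
name: Custom.Windows.Detection.ServiceInstall
description: |
  Streams System event 7045 (a service was installed) from every client.
  New services are a common persistence mechanism and the footprint of
  remote-execution tools, so each row is a candidate for triage.
type: CLIENT_EVENT

parameters:
  - name: SystemLog
    default: C:/Windows/System32/winevt/Logs/System.evtx
  - name: IgnoreImagePathRegex
    description: |
      Regex of service binaries to drop (assumed allow-list; tune to the
      environment, and keep it narrow so attackers cannot hide in it).
    default: "^C:\\\\Windows\\\\System32\\\\(svchost|drvinst)\\.exe"

sources:
  - precondition: SELECT OS From info() where OS = 'windows'
    query: |
      SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS EventTime,
             System.Computer AS Computer,
             EventData.ServiceName AS ServiceName,
             EventData.ImagePath AS ImagePath,
             EventData.ServiceType AS ServiceType,
             EventData.StartType AS StartType,
             EventData.AccountName AS RunAsAccount
      FROM watch_evtx(filename=SystemLog)
      WHERE System.EventID.Value = 7045
        AND NOT EventData.ImagePath =~ IgnoreImagePathRegex
```

The same pattern, `watch_evtx()` plus a `WHERE` on the event ID and a small set of `EventData` fields, covers the other high-value logs (Security 4624 type 10 for RDP logons, 4720 for account creation, Sysmon operational events) without any change to the artifact structure; what varies is only the log path and the filter. Note that `watch_evtx()` only sees events written after the artifact starts, so pair a new monitoring rule with a one-off hunt over the existing log if you also need the history.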