Authors: Michael Cohen (Velocidex)



Velociraptor is an advanced open source digital forensic and incident response tool that enhances your visibility into your endpoints. Featuring scalable architecture it makes it possible to hunt for forensic artifacts across large networks in minutes.

This workshop is an introduction to Velociraptor and how DFIR practitioners can leverage the Velociraptor Query Language (VQL) to implement novel detections in minutes.

You will download and install Velociraptor, then deploy a new deployment and become familiar with the GUI. Experience the power of scaling a hunt across a large network (over 1,000 endpoints). We then continue to post process the data to quickly identify anomalies.

Specifically, we will looking at the new Velociraptor dead-disk analysis mode which allows Velociraptor to be used on more traditional disk images. This way we can reuse our VQL artifacts on live systems, as well as disk images. We will also look at the limitations of this technique.

We cover some case studies in modern DFIR techniques exposing artifacts such as hunting memory for Cobalt Strike beacons, detecting lateral movement through forensic artifacts, and leveraging ETW to gain deeper visibility of endpoint activity.

This workshop will be hands on and include examples you should run on your own windows VM. All you need to participate is a Windows VM (e.g. a cloud instance or local VM).

Participants will learn
1. How to install Velociraptor locally
2. The basics of the Velociraptor Query Language (VQL)
3. How to apply community queries from the Artifact Exchange
4. Hunting large number of machines for compromise in minutes
5. Use Velociraptor artifacts on hard disk images.

Participants will need their own windows VM or cloud machine (with admin level access) and will download Velociraptor from Github to install it on that machine.

There will also be a small disk image to play with which should not take too long to download.

Slides are available on the Velociraptor website.