
Having the ability to rapidly collect and examine artifacts across a network is a game changer for any Digital Forensics and Incident Response (DFIR) team. It provides unprecedented visibility into the state of the endpoint and the ability to tailor responses as the investigation evolves. Having this capability in an open-source tool that allows for truly surgical collection – at speed, at scale and free – is a triple bonus.
In this talk, we'll present case studies from the Klein & Co. DFIR team on deploying and using Velociraptor in support of DFIR engagements for clients. Despite its young age, Velociraptor builds on the base of GRR (for which Mike Cohen was a lead developer) to feature some outstanding capabilities. Velociraptor introduces a powerful query language (VQL) to flexibly define artifacts to collect and to hunt endpoints at scale, without needing to push new client code.
This approach allows for truly versatile and rapid response, as investigators are able to adapt queries quickly in response to shifting threats and new information gained through the investigation. We will explore how the Klein & Co. team has used this capability to forensically acquire critical evidence in a range of cases, from investigating the extent of a compromise to performing internal company investigations and carrying out ongoing operational security assessments of client networks – all without affecting endpoint performance. We’ll also cover some of the custom endpoint monitoring rules implemented to collect high-value event data in real time, using custom automated response configuration to immediately respond to endpoint events as they occur.
In addition to immediate response, we can also query this historical data at a later time to detect past compromise using newly discovered evidence.
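As an illustration of what "defining an artifact in VQL without pushing new client code" looks like in practice, here is an added example of a client-side Velociraptor artifact in the project's YAML format. It is not from the talk or from the Velociraptor project itself; the artifact name, the `ExeRegex` parameter and its default are constructed for this example. It uses the `pslist()` plugin, which exists in VQL, to list running processes whose executable path matches a caller-supplied regex, so the same artifact can be collected from one host or launched as a hunt across the fleet with a different parameter each time.

```yaml
# Added example artifact (constructed; not part of the original talk or of Velociraptor's built-in set).
name: Custom.Demo.ProcessesByPath
description: |
  Lists running processes whose executable path matches ExeRegex.
  Change the parameter at collection or hunt time; no client update is needed.
type: CLIENT
parameters:
  - name: ExeRegex
    description: Regex applied to each process's executable path (case-insensitive).
    # Constructed default: binaries running from Temp or AppData directories.
    default: '(?i)\\(temp|appdata)\\.*\.exe$'
sources:
  - query: |
      SELECT Pid, Ppid, Name, Exe, CommandLine, Username
      FROM pslist()
      WHERE Exe =~ ExeRegex
```

Importing this YAML into the server's artifact repository makes it available to collect on a single endpoint or as a hunt; results land in the server datastore, which is what lets the same collected data be re-queried later when new indicators emerge.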
Mike Cohen, Developer, Velocidex Innovations
Nick Klein (@kleinco), Director, Klein & Co.; Certified Instructor, SANS Institute