

This post provides ideas of processes to follow and gives basic guidance on how to collect, triage and analyze artifacts using Velociraptor.

In order to handle a typical DFIR case, a methodology is required. There are two de facto incident response methodologies, SANS and NIST, which are very similar and almost interchangeable. For the typical DFIR case, the process as laid out by NIST in the Computer Security Incident Handling Guide is sufficient.

[Figure: NIST Computer Security Incident Handling Guide, figure from page 21]

In all phases of the incident, it is furthermore important to keep documentation of all performed steps, meetings and obtained evidence. Many organizations nowadays have custom strategies and procedures for incidents at their disposal. If there are none, the Incident Response Methodologies of CERT Societe Generale may provide a good starting point.

Aside from organization-level preparations, such as the prevention of incidents and general forensic readiness, tooling is a major point to consider. We are used to analyzing the typical incident using a variety of tools, such as The Sleuth Kit, Eric Zimmerman’s Tools, X-Ways Forensics, Plaso, Timesketch, KAPE, AXIOM and others. All these tools have certainly served us well. However, most of them also have drawbacks, such as being slow, having limited support, being costly, being cumbersome to master, and more. Certainly, it would be nice to have a single tool which integrates the main functionality required to solve the typical case and also allows for customization and extensibility. This is why we nowadays mainly focus on Velociraptor.

Velociraptor is a tool for collecting live information using a client-server architecture and its own Velociraptor Query Language (VQL). It is built to work in multi-platform environments and comes with a handy web interface for analysts to investigate a case collaboratively. Whenever a new incident is reported, we spin up an incident infrastructure allowing all involved parties to communicate safely, exchange incident data and keep a logbook. The Velociraptor server instance is part of this infrastructure and fully integrated into it through its API. Velociraptor clients are automatically generated, and a deployment process is chosen depending on customer requirements. In most cases, GPOs are used to distribute the Velociraptor clients in the compromised infrastructure.

Even if it is not possible to deploy applications in client-server mode to a customer infrastructure or a specific endpoint, Velociraptor can perform the task. Especially for an initial triage, we often use preconfigured offline collectors. By selecting the desired forensic evidence to collect (such as from the well-known KapeFiles repository), an offline collector can be built. Such an offline collector comes as a single standalone Velociraptor executable, which can be transferred to a host by an arbitrary method. Upon execution, the desired forensic evidence is collected from the device into an archive, which can then be either analyzed separately or imported back into a Velociraptor server.
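To make the offline-collector step described above concrete, here is an added VQL example; it is not code from the original post or from the Velociraptor project. It shows the kind of query a collector built from the KapeFiles targets runs, followed by a sanity check on what was gathered. It assumes Velociraptor's built-in Windows.KapeFiles.Targets artifact with its KapeTriage and Device parameters, and a Size column in that artifact's output (both assumptions, check them against the artifact definition in your Velociraptor version). It is meant to be run on a Windows host with elevated rights, for instance through the velociraptor binary's query mode.

```vql
-- Added example, not part of the original post.
-- Assumed: the built-in artifact Windows.KapeFiles.Targets, its KapeTriage
-- and Device parameters, and a Size column in its result rows.

-- Collect the KAPE "triage" target set from the system volume. In an offline
-- collector the uploaded files and these result rows end up in the archive.
LET triage <= SELECT * FROM Artifact.Windows.KapeFiles.Targets(KapeTriage="Y", Device="C:")

-- Summary row for the analyst: number of files that landed in the collection
-- and their total size. An unexpectedly small or empty result is the usual sign
-- that the collector ran without administrator rights (locked files such as
-- registry hives cannot be read) or that the volume letter was wrong.
SELECT count() AS FileCount, sum(item=Size) AS TotalBytes FROM triage
```

Because the same VQL works whether it runs inside an offline collector or on a server-deployed client, the summary check can be reused after the archive is imported back into a Velociraptor server, which is a cheap way to confirm that an archive shipped from a customer site is complete before analysis starts.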
