January 11th, 2022
LimaCharlie & Velociraptor enable the automation of deep forensic capability
Christopher Luft
Digital forensics is about answering questions and building timelines. Who did what and when. When something malicious takes place on a computer there is evidence that can be collected and used to reconstruct what exactly happened.
Depending on the type of events that need to be reconstructed, the evidence required may be difficult to retrieve. In order to make the lives of DFIR professionals easier, LimaCharlie has integrated the Velociraptor open source endpoint visibility tool.
Velociraptor provides the ability to effectively investigate a wide range of digital forensic use cases. It can be used for the following:
- Reconstruct attacker activities through digital forensic analysis
- Hunt for evidence of sophisticated adversaries
- Investigate malware outbreaks and other suspicious network activities
- Monitor continuously for suspicious user activities, such as files copied to USB devices
- Discover whether disclosure of confidential information occurred outside the network
- Gather endpoint data over time for use in threat hunting and future investigations
Velociraptor’s power and flexibility come from the Velociraptor Query Language (VQL). With VQL, users write highly customized queries that can collect, query and monitor any aspect of an endpoint, a group of endpoints, or an entire network.
Custom VQL scripts are deployed as “Artifacts”. An artifact is a text file written in YAML which encapsulates the VQL, adds human-readable descriptions and provides parameters allowing users to customize the operation of the artifact. Details on how artifacts are used to define and collect specific pieces of information can be found in the Velociraptor Docs: Artifacts
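To make the artifact structure concrete, here is an added example of a small custom artifact in the YAML format the paragraph describes. It is not a built-in Velociraptor artifact and not code from LimaCharlie; the artifact name, the parameter names and the chosen glob are assumptions for illustration. It lists executables written under Windows user profiles within a configurable lookback window and records their SHA256, the kind of collection an analyst might run when building a timeline after a suspected intrusion.

```yaml
# Added example artifact (not part of Velociraptor's built-in set).
name: Custom.Windows.RecentUserExecutables   # assumed name
author: example, for illustration only
description: |
  Lists executables under user profile directories whose modification
  time falls within the last LookbackHours hours, together with their
  SHA256 hash. Useful as a first timeline pass for recently dropped
  binaries; tune SearchGlob to the environment.
type: CLIENT
parameters:
  - name: SearchGlob          # assumed parameter name
    description: Glob expression selecting the files to examine.
    default: C:\Users\*\**\*.exe
  - name: LookbackHours       # assumed parameter name
    description: Only report files modified within this many hours.
    type: int
    default: "24"
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Materialize the cutoff once rather than per row.
      LET Cutoff <= timestamp(epoch=now() - LookbackHours * 3600)

      SELECT OSPath,
             Size,
             Mtime,
             hash(path=OSPath).SHA256 AS SHA256
      FROM glob(globs=SearchGlob)
      WHERE NOT IsDir AND Mtime > Cutoff
      ORDER BY Mtime DESC
```

The description and parameter blocks are what a user sees when the artifact is shown before collection; the precondition keeps the collection from running on non-Windows endpoints, and every parameter has a default so the artifact can be collected unattended.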
LimaCharlie makes Velociraptor available as a service which can easily be run on any given endpoint or across the entire fleet. This service automates the deployment and running of Velociraptor Artifacts. It supports three actions:
- list: show all built-in Artifacts the latest release of Velociraptor supports
- show: display usage of a specific built-in Artifact
- collect: trigger an actual collection of Artifacts
Once Velociraptor generates a zip file with all collected data, it is ingested automatically into LimaCharlie, where you can download it. The download from LimaCharlie can also be automated using an Output stream together with detection triggers that fire when the ingestion happens. This approach allows teams to easily automate their forensic gathering process when responding to incidents at scale.
Regardless of how you use it, LimaCharlie’s integration of Velociraptor is a powerful tool for DFIR professionals. Further details are available on LimaCharlie Docs: Velociraptor