Skip to content
  • v0.3.8
  • 5195c3c
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.8
  • 5195c3c
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Jan 11, 2020 · 11 commits to master since this release

This is the next point release of Velociraptor. This release introduces a number of new features as well as bug fixes and performance enhancements. Thanks everyone for reporting issues through the issue board and Discord!

This release adds a lot of Linux features and is required to follow the Tutorial we will present at Linux.Conf.Au 2020 https://linux.conf.au/schedule/presentation/80/ Slides are available at https://www.velocidex.com/docs/presentations/linux.conf.au.2020/ if you can't make it in person.

New Features

  • Add S3 upload functionality.
  • Added grok function and syslog watcher.
  • Autogenerate VQL references.
  • Parse auditd logs.
  • Added unzip and csv commands. Velociraptor will now assist in extracting and querying results exported in zip files.
  • Added more Linux artifacts

As always file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Assets 7
  • v0.3.7
  • ff4d5f7
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.7
  • ff4d5f7
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Dec 7, 2019 · 24 commits to master since this release

This is the next point release of Velociraptor. This release introduces a large number of new forensic artifacts, parsers and other features as well bugfixes and performance enhancements. Thanks everyone for reporting issues through the issue board and Discord!

New features

  • Process analysis plugins: VAD, Handles, Mutants, DLLList, Windows Object tree
  • Parser for ESE files - this allows us to process artifacts like the SRUM database and Internet Explorer history files.
  • Added JSONL as an optional output - This works well with tools like jq and logstash.
  • Added GUI prepare download features for hunts (previously this was only available for individual collections)
  • Added VQL trace feature to help people debug VQL queries.

Bugfixes

  • Fixed memory leak with watch_evtx() based queries.
  • Fixed bug in hunt manager which sometimes would schedule hunt on clients twice.
  • GUI was not including all data in the download bundle.

As always file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Assets 7
  • v0.3.6
  • 0ef3a36
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.6
  • 0ef3a36
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Nov 12, 2019 · 49 commits to master since this release

This is the next point release of Velociraptor. This release introduces a number of large changes in the API and data store representation. It is possible that previous data will not be readable by the newer binary. Please make sure to backup your data store if you want to keep it through the upgrade process.

  • Added a javascript interpreter within VQL
  • Major refactor of client/server comms protocols. The new protocol is more efficient for larger uploads.
  • Implemented active client side cancellation. When a flow is stopped it will immediately cancel all running queries on the client. This is especially useful if you find you do not need the artifact collected any more.
  • velociraptor config repack can now repack external binaries.
  • EVTX parser will now include the event message by extracting it from the message DLLs. The message will be expanded with the EventData parameters on the end point to provide a more complete picture of event logs on Windows.
  • Added the parse_mft() plugin to parse and export all the filename in the MFT. This can be used in conjunction with the Windows.NTFS.Recover artifact to potentially recover deleted files.

As always file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Assets 7
  • v0.3.5
  • 0a748d9
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.5
  • 0a748d9
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Oct 8, 2019 · 79 commits to master since this release

This is the next point release of Velociraptor. Major features in this release include:

  • Elastic VQL plugin and artifacts now allow automatic indexing of artifact collections.
  • Stand alone zip files can be encrypted.
  • An upload_gcs() plugin allowing VQL to automatically upload to GCS.
  • UI Changes - better rendering of VQL with syntax highlighting.

As always file issues on the bug tracker or ask your questions on our mailing list velociraptor-discuss@googlegroups.com . You can also chat with us directly on discord https://www.velocidex.com/discord

Assets 7
  • v0.3.4
  • 2cd9c3e
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.4
  • 2cd9c3e
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Sep 30, 2019 · 97 commits to master since this release

This is the next point release for Velociraptor: 0.3.4

This release introduces many bug fixes and performance improvements. The main features in this release include the porting of the KapeFile repository into a single artifact. The KapeFiles rules are geared at forensic file collection for triaging. The Velociraptor artifact also implements VSS deduplication - retrieving all relevant versions of the files collected.

Also this release includes a number of interesting arifacts:

  • I30 scanning for recovering potentially deleted files.
  • Autoruns artifact - this artifact uses sysinternals autoruns to find potentially malicious programs. It is an excellent example of how third party tools can be integrated with velociraptor.
  • Kerberoasting collection - determines if a weak golden ticket is issued.

As always file issues on the bug tracker or ask your questions on our mailing list velociraptor-discuss@googlegroups.com

Assets 7
  • v0.3.3
  • 009b182
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.3
  • 009b182
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Sep 6, 2019 · 124 commits to master since this release

This is the next point release. The main change in this release is the introduction of a client local buffer file. This means that event monitoring artifacts can continue being collected on the endpoint - even if the endpoint goes off line or becomes disconnected from the server.

Additionally zip files are now prepared on the server instead of being automatically streamed - this allows the user to pause or resume downloads of large ZIP files.

Assets 7
  • v0.3.2
  • 955a711
  • Compare
    Choose a tag to compare
    Search for a tag
  • v0.3.2
  • 955a711
  • Compare
    Choose a tag to compare
    Search for a tag

@scudette scudette released this Aug 9, 2019 · 144 commits to master since this release

This point release is just in time for the SANS Summit. If you are watching our presentation you can follow along at home with this release.

Assets 7

@scudette scudette released this Jul 15, 2019 · 152 commits to master since this release

This is the next point release for Velociraptor. This release coincides with the launch of the new Velociraptor documentation site at https://docs.velociraptor.velocidex.com/docs/ .

Some of the notable changes:

  • We have started to distribute Velociraptor as a signed MSI now. This makes deployment even easier than before. There is also an interactive configuration wizard which should help you get started in most common deployment scenarios. Read the getting started guide to see how to deploy Velociraptor.

  • We added a generic file finder artifact. This replaces the old deprecated flow of the same name. It is one of the more powerful artifacts and forms the basis to many others. Read more about it here

  • There are many GUI changes including a built in dashboard (you can still use Grafana but in most cases the built in dashboard is sufficient). Read the User Interface guide for a description of the new interface.

  • Many new binary parsers including AppCompatCache keys, sqlite and prefetch files.

  • We also have a new logo! Let us know if you like it...

image

As always, please file any issues to the issue board and ask your questions on the mailing list.

Assets 7

@scudette scudette released this May 20, 2019 · 188 commits to master since this release

This release introduces a major rework of the GUI:

  • Client monitoring artifacts are now settable via the GUI (without restarting the server)
  • Server event artifacts are now settable via the GUI
  • Better linking between screens.
  • Artifact collector can now search artifact descriptions.

Additionally we introduced reporting to the artifact view. A report is a template which can be added to the artifact to explain how to interpret the results. The report may issue VQL queries itself to to further post processing. There are a number of graphical primitives available to reports, such as tables, line charts and timelines.

As always file bugs and feature requests on https://github.com/Velocidex/velociraptor

Assets 6

@scudette scudette released this Apr 8, 2019 · 220 commits to master since this release

This is the next point release of Velociraptor - just in time for the CrikeyCon 2019 workshop!

Notable features:

  • Addition of raw registry accessor allows parsing of registry hives which are locked (like ntuser.dat or amcache).
  • Velociraptor now supports a reverse proxy for integration with Grafana.
  • Windows fuse implementation added.
  • Implemented artifact packs - Artifacts can now collect multiple VQL tables and contain other artifacts.
  • Ability to add read only users t the GUI.
Assets 6
You can’t perform that action at this time.