This is the next point release of Velociraptor. This release introduces a number of large changes in the API and data store representation. It is possible that previous data will not be readable by the newer binary. Please make sure to backup your data store if you want to keep it through the upgrade process.
- Major refactor of client/server comms protocols. The new protocol is more efficient for larger uploads.
- Implemented active client side cancellation. When a flow is stopped it will immediately cancel all running queries on the client. This is especially useful if you find you do not need the artifact collected any more.
- velociraptor config repack can now repack external binaries.
- EVTX parser will now include the event message by extracting it from the message DLLs. The message will be expanded with the EventData parameters on the endpoint to provide a more complete picture of event logs on Windows.
- Added the parse_mft() plugin to parse and export all the filenames in the MFT. This can be used in conjunction with the Windows.NTFS.Recover artifact to potentially recover deleted files.
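As an added illustration (not from these release notes or the Velociraptor project), the following VQL lists MFT entries whose in-use flag is clear, i.e. deleted files whose names still survive in the MFT; the entry numbers it returns are the input the Windows.NTFS.Recover artifact needs. The parameter names `filename` and `accessor` and the column names `EntryNumber`, `FullPath`, `FileSize`, `IsDir` and `InUse` are assumed to match the parse_mft() plugin's output.

```vql
-- Added example, not part of the release notes. Reads the raw $MFT of the
-- system drive through the ntfs accessor and keeps only entries that are
-- no longer in use (deleted) and are not directories. Column names assumed.
SELECT EntryNumber, FullPath, FileSize
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT InUse AND NOT IsDir
ORDER BY EntryNumber
```

Feed a returned EntryNumber to Windows.NTFS.Recover to attempt to carve that file's data; recovery only succeeds while the clusters have not been reallocated.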