
Release 0.7.0

@scudette scudette released this 28 Aug 06:22
· 67 commits to v0.7.0 since this release
0ef0e8b

This is the next point release for Velociraptor - Digging deeper!

Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/

GUI improvements

Enhanced client search

In this release the client index was rewritten to store all client
records in a single snapshot file that is managed in memory. This makes client searching extremely quick even for deployments with well over 100k clients.

Paged table in Flows List

In this release the GUI was updated to include a paged table (with suitable filtering and sorting capabilities) so all collections can be
accessed.

VQL Plugins and artifacts

Chrome artifacts

Added a leveldb parser and artifacts around Chrome Session Storage. This makes it possible to analyse the data that various web apps store
locally in Chrome.
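As an added example (not Velociraptor's leveldb parser or any code from the project), the following Python script parses the LevelDB write-ahead log (.log) format in which Chrome keeps its Session Storage: it checks each record's masked crc32c, reassembles records fragmented across block boundaries, and decodes the put/delete entries of each write batch with their sequence numbers. The sample log, its sequence numbers and its keys (shaped like Chrome's `map-<id>-<key>` entries, an assumption about Chrome's layout) are constructed here; the encoding Chrome applies to the key and value bytes inside those entries is not covered.

```python
"""LevelDB write-ahead log (.log) parser. Added example, not the project's
leveldb parser. Layout per LevelDB's db/log_format.h and db/write_batch.cc:
32 KiB blocks of records framed by a 7-byte header (masked crc32c, length,
type); a reassembled record is a write batch of (sequence, count) followed
by put/delete entries. The sample log at the bottom is constructed."""
import struct

BLOCK_SIZE, HEADER_SIZE = 32768, 7      # header: crc32c(4) length(2) type(1)
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4  # record types

_TABLE = []                             # crc32c, reflected poly 0x82F63B78
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0x82F63B78 if _c & 1 else _c >> 1
    _TABLE.append(_c)

def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF

def mask_crc(crc: int) -> int:
    """LevelDB stores the crc rotated by 15 bits plus a constant."""
    return (((crc >> 15) | (crc << 17)) + 0xA282EAD8) & 0xFFFFFFFF

def read_varint(buf: bytes, pos: int):
    result, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def iter_records(log: bytes):
    """Yield each complete record payload (FIRST..LAST reassembled); raise on crc mismatch."""
    pos, pending = 0, b""
    while pos + HEADER_SIZE <= len(log):
        left = BLOCK_SIZE - pos % BLOCK_SIZE
        if left < HEADER_SIZE:          # writer zero-pads the block tail
            pos += left
            continue
        crc, length, rtype = struct.unpack_from("<IHB", log, pos)
        payload = log[pos + HEADER_SIZE:pos + HEADER_SIZE + length]
        pos += HEADER_SIZE + length
        if mask_crc(crc32c(bytes([rtype]) + payload)) != crc:
            raise ValueError("crc mismatch at offset %d" % (pos - HEADER_SIZE - length))
        if rtype == FULL:
            yield payload
        elif rtype == FIRST:
            pending = payload
        elif rtype == MIDDLE:
            pending += payload
        elif rtype == LAST:
            yield pending + payload
            pending = b""

def parse_batch(batch: bytes):
    """Decode one write batch into (sequence, op, key, value) tuples."""
    seq, count = struct.unpack_from("<QI", batch, 0)
    pos, entries = 12, []
    for i in range(count):
        tag, pos = batch[pos], pos + 1
        klen, pos = read_varint(batch, pos)
        key, pos = batch[pos:pos + klen], pos + klen
        if tag == 1:                    # kTypeValue
            vlen, pos = read_varint(batch, pos)
            value, pos = batch[pos:pos + vlen], pos + vlen
        elif tag == 0:                  # kTypeDeletion
            value = None
        else:
            raise ValueError("unknown batch tag %d" % tag)
        entries.append((seq + i, "put" if tag else "del", key, value))
    return entries

def parse_log(log: bytes):
    return [e for rec in iter_records(log) for e in parse_batch(rec)]

# Encoder, used only to build the constructed sample below.
def _varint(n: int) -> bytes:
    return bytes([n]) if n < 0x80 else bytes([(n & 0x7F) | 0x80]) + _varint(n >> 7)

def _batch(seq: int, ops) -> bytes:
    body = struct.pack("<QI", seq, len(ops))
    for op, key, value in ops:
        body += (b"\x01" if op == "put" else b"\x00") + _varint(len(key)) + key
        if op == "put":
            body += _varint(len(value)) + value
    return body

def _frame(payload: bytes, rtype: int = FULL) -> bytes:
    crc = mask_crc(crc32c(bytes([rtype]) + payload))
    return struct.pack("<IHB", crc, len(payload), rtype) + payload

_b2 = _batch(9, [("put", b"map-2-theme", b"dark")])
SAMPLE_LOG = (_frame(_batch(5, [("put", b"map-1-cart_id", b"c-8812"),
                                ("put", b"map-1-token", b"eyJhbGciOi..."),
                                ("del", b"map-1-cart_id", None)]))
              + _frame(_b2[:10], FIRST) + _frame(_b2[10:], LAST))  # split record
```

A real writer only fragments a record at the 32 KiB block boundary; the constructed split above simply exercises the FIRST/LAST path. A crc mismatch is raised rather than skipped, since in forensic use a record that fails its checksum should be reported, not silently dropped.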

Lnk forensics

This release adds a more comprehensive Lnk parser covering all known Lnk file features. You can access the Lnk file analysis using
the `Windows.Forensics.Lnk` artifact.
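As an added illustration rather than the artifact's own parser, this Python script decodes the parts of a .lnk file that matter most in forensics as specified in MS-SHLLINK: the ShellLinkHeader (LinkFlags, the three FILETIME stamps, FileSize, ShowCommand) and the StringData strings (name, relative path, working directory, arguments, icon location), skipping the LinkTargetIDList and LinkInfo structures by their size fields. The sample link, its timestamps and its PowerShell-looking arguments are constructed here.

```python
"""Parse the ShellLinkHeader and StringData of a Windows .lnk file
(MS-SHLLINK). Added example, not Velociraptor's Windows.Forensics.Lnk
artifact. LinkTargetIDList and LinkInfo are skipped by their size fields;
the sample .lnk at the bottom is constructed."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"  # size, clsid, flags, attrs, 3 x FILETIME, filesize,
HEADER_SIZE = 0x4C                # icon index, showcmd, hotkey, 3 reserved fields
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]  # in file order
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk(data: bytes) -> dict:
    (size, clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon, show, hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    info = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "file_attributes": attrs, "file_size": fsize, "icon_index": icon,
        "show_command": show, "hotkey": hotkey,
        "creation_time": filetime_to_datetime(ctime),
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
    }
    pos = HEADER_SIZE
    if flags & 0x01:                  # LinkTargetIDList: u16 IDListSize, then IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                  # LinkInfo: u32 LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & 0x80)
    for bit, name in STRING_DATA:     # StringData: u16 CountCharacters, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        info[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return info

# Builder, used only to construct the sample below.
def _datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def _string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

WRITE_TIME = datetime(2023, 8, 28, 6, 22, 0, tzinfo=timezone.utc)
_flags = 0x01 | 0x04 | 0x08 | 0x20 | 0x80  # IDList, Name, RelativePath, Arguments, Unicode
_idlist = b"\x05\x00\x1f\x42\x43" + b"\x00\x00"  # one 5-byte ItemID + TerminalID
SAMPLE_LNK = (struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, _flags, 0x20,
                          _datetime_to_filetime(WRITE_TIME), 0,
                          _datetime_to_filetime(WRITE_TIME), 1234, 0, 1, 0, 0, 0, 0)
              + struct.pack("<H", len(_idlist)) + _idlist
              + _string("Quarterly report")
              + _string("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
              + _string("-nop -w hidden -enc SQBFAFgA"))
```

The name, relative path and arguments are where a lure link like the constructed one gives itself away: a document-sounding name pointing at an interpreter with encoded arguments. The timestamps come from the link's header fields, which the creating application sets and which therefore can disagree with the filesystem timestamps of the .lnk itself.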

Direct S3 accessor

In this release Velociraptor adds an S3 accessor. This allows plugins to directly operate on S3 buckets. In particular the glob() plugin can
be used to query bucket contents and read files from various buckets.

Volume Shadow Copies analysis

In the 0.7.0 release, Velociraptor adds the ntfs_vss accessor. This accessor automatically considers different snapshots and deduplicates
files that are identical in different snapshots. This makes it much easier to incorporate VSS analysis into your artifacts.

The SQLiteHunter project

This release incorporates the SQLiteHunter artifact, a one stop shop for finding and analysing SQLite files such as browser artifacts and
OS internal files.

Server security improvements

In the 0.7.0 release, Velociraptor offers the GUI.allowed_cidr option. If specified, it lists the CIDR ranges (for example 192.168.1.0/24)
from which the server accepts connections to the GUI application; connections from any other source IP are refused.

This filtering only applies to the GUI and forms an additional layer of security protecting the GUI application, in addition to the usual
authentication methods. Because it keys on the connection's source address, a reverse proxy or load balancer placed in front of the GUI makes every connection appear to come from the proxy's own address, so in that deployment the network restriction has to be enforced at the proxy rather than by this option alone.
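The check below is an added Python illustration, not Velociraptor's implementation, of a source-IP allow-list like GUI.allowed_cidr and of the edge case to plan for: behind a reverse proxy every connection's peer address is the proxy's. The page does not say whether Velociraptor consults forwarded-for headers, so that path is shown purely as a design choice: the example honours X-Forwarded-For only from peers listed as trusted proxies, and honouring it from every peer (a 0.0.0.0/0 proxy list) is the weak configuration, because any client can forge the header. The CIDR ranges and connection samples are constructed.

```python
"""Source-address allow-listing of the kind GUI.allowed_cidr applies.
Added example, not Velociraptor's code. Shows which peers a CIDR list admits
and the behaviour behind a reverse proxy, where every connection's peer
address is the proxy's. All addresses and connections are constructed."""
import ipaddress

ALLOWED = ["192.168.1.0/24", "10.10.0.0/16"]   # constructed GUI.allowed_cidr list

def source_allowed(ip: str, cidrs) -> bool:
    """True if ip falls inside any of the listed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def gui_decision(peer_ip: str, headers: dict, allowed_cidrs, trusted_proxies=()) -> str:
    """'allow' or 'deny' for one connection. The X-Forwarded-For value is
    honoured only when the TCP peer itself is a listed proxy; listing
    0.0.0.0/0 as a proxy means trusting a header any client can forge."""
    claimed = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    ip = claimed if claimed and source_allowed(peer_ip, trusted_proxies) else peer_ip
    return "allow" if source_allowed(ip, allowed_cidrs) else "deny"

def run(connections, allowed_cidrs, trusted_proxies=()):
    return [gui_decision(p, h, allowed_cidrs, trusted_proxies) for p, h in connections]

# Constructed connections straight to the GUI port: (peer address, headers).
DIRECT = [("192.168.1.42", {}), ("10.10.3.7", {}), ("203.0.113.9", {}),
          ("203.0.113.9", {"X-Forwarded-For": "192.168.1.5"})]   # forged header
# The same internal and external clients when a proxy at 127.0.0.1 fronts the GUI.
PROXIED = [("127.0.0.1", {"X-Forwarded-For": "192.168.1.42"}),
           ("127.0.0.1", {"X-Forwarded-For": "203.0.113.9"})]

if __name__ == "__main__":
    print("direct:", run(DIRECT, ALLOWED))
    print("direct, any peer trusted as proxy:", run(DIRECT, ALLOWED, ["0.0.0.0/0"]))
    print("proxied, proxy not in list:", run(PROXIED, ALLOWED))
    print("proxied, proxy added to list:", run(PROXIED, ALLOWED + ["127.0.0.1/32"]))
    print("proxied, proxy trusted for XFF:", run(PROXIED, ALLOWED, ["127.0.0.1/32"]))
```

The two proxied cases are the ones to check before relying on a source-IP list: with the proxy's address absent from the list the administrator is locked out, and with it added every client the proxy forwards is admitted, including the external one, which is why the restriction belongs on the proxy (or the header must be trusted only from the proxy's own address) in that deployment.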

Conclusions

There are many more new features and bug fixes in the latest release. Please help our community by testing this release and providing feedback through the GitHub issue board or on our Discord channel.

Notes

MacOS binaries are now signed. You can inspect the signature using the codesign utility:

codesign -d -vvv ./velociraptor-v0.7.0-darwin-amd64

Note that `-d` only displays the signing details; to check that the signature is valid and the binary has not been modified, run codesign in its `--verify` mode with `--verbose` instead.

If you see the error `version GLIBC_2.33 not found` when running Velociraptor on your system, upgrade to 0.7.0-2 or use the musl build. The 0.7.0 release was built on Ubuntu 22.04, whose glibc is newer than that of many older distributions; the 0.7.0-2 release was built on Ubuntu 20.04, and the musl build does not depend on the host's glibc at all.

Release 0.7.0-3 is a bugfix release primarily for issue #2955. If you are experiencing this issue (many duplicate clients), please test upgrading the clients to 0.7.0-3. This release also adds the ability to store the writeback file in the registry instead of the filesystem on Windows: set the writeback_windows value in the client config file to a path that starts with HKLM (for example HKLM\SOFTWARE\Velocidex\Velociraptor). This should improve the stability of writing the writeback on the client and prevent the writeback file corruptions which may previously have led to clients recreating the writeback file with a new client id.

NOTE: Please upgrade servers to 0.7.0-4 to address CVE-2023-5950.

We are very grateful to Mathias Kujala for reporting this issue. More information at https://docs.velociraptor.app//announcements/2023-cves/