Velociraptor Dead-Disk Forensics

-

The Problem (and the solution)


So you need to perform dead-disk forensics on a Windows host, but post acquisition (which may typically be preceded by access to the host (live) or via an offline-collector) you want to continue with your standard way of working.

I did too, and fortunately Velociraptor has the ability to emulate a live client from dead disk images, meaning we can simply point our instance to the physically acquired disk and perform the investigation as normal.

In this quick post, I intend to show the steps after you have acquired the image.

Before starting I'd recommend reading the below link; this covers this capability in a lot more detail than I'm providing here in this quick 101 - and it will help you understand the negatives.

https://docs.velociraptor.app/blog/2022/2022-03-22-deaddisk/

But what's most important to us for right now is:

Velociraptor currently supports the following 4 disk image formats via built-in accessors:
- EWF: Expert Witness Compression Format, sometimes called “E01 images”
- VMDK: virtual hard drive format introduced by VMware
- VHDX: virtual hard drive format introduced by Microsoft
- raw format: bit-by-bit copy of a hard drive, also know as “DD” or “flat” format

Practical Example

For this example, I've taken an image dump of my machine's C Drive (500gb) in .e01 format using FTK Imager. Note: With fragmentation set to 0.

FTK Destination Folder

Downloading and setting up Velociraptor

Head to: https://github.com/Velocidex/velociraptor/releases/tag/v0.74 and download the binary.

Create a directory for storing your config file, I've chosen to create one inside the same directory containing my image file as seen below - named temp

Directory example


Run the following command (relevant to your file names and directories of choice) to create the remapping config file.

Windows:
velociraptor-v0.74.2-windows-amd64.exe -v deaddisk --add_windows_disk D:\DISK_OUTPUT\c_out.E01 D:\DISK_OUTPUT\temp\remapping.yaml

Linux:
velociraptor-linux-amd64 -v deaddisk --add_windows_disk /disk/path.dd /tmp/remapping.yaml
As per the documentation you can review the outputs and config files.

Expected command output

It won't create the output directory for you.

Then start the Velociraptor instance with:

Windows:
velociraptor-v0.74.2-windows-amd64.exe --remap ..\DISK_OUTPUT\temp\remapping.yaml gui -v

Linux:
velociraptor-v0.6.4-linux-amd64 --remap /tmp/remapping.yaml gui -v

And now you should be able to see your disk inside Velociraptor.

Client Display

Results

So at this point, you're likely seeing a familiar face (or GUI), from here you can interact with the disk as if it were a system.

In case you're unfamiliar, hit enter inside the 'Search Clients' search bar and you should be presented with the clients screen.

And now we can run relevant hunts against said 'client'.

Hunts example

Additionally, as stated in the documentation and above, we can also review the file system in the VFS (alongside all other things Velociraptor :) )

VFS example

Comments

Post a Comment

Popular posts from this blog

Velociraptor MCP

-
Image
With the MCP buzz still running hot I thought I would take some time to use and document one that really caught my eye recently. This MCP, was developed by @mgreen27  and I am very excited to see how it continues to grow. In this post, I’ll walk through how to spin up a Velociraptor MCP from this GitHub repo , explore what the protocol does under the hood, and demonstrate how you can contribute to or build on it yourself. Whether you're a threat hunter looking to streamline workflows or a DFIR practitioner building custom tooling, understanding and leveraging MCP will help you take full advantage of Velociraptor’s extensibility. Personal skippable waffle I am interested in seeing how the cybersecurity space adapts to MCPs (and AI as a whole..), I believe they should be used in conjunction ; i.e - you begin analysing the triage image or acquired artifacts whilst you run a simultaneous query targeting 'known-evil' or anything of the such - this provides us with quick wins...
Read more

XintraLabs - Waifu University Ransomware Case Writeup

-
Image
Scenario: Waifu University's cyber team has called you after their IT teams reported a number of servers with files that aren't opening and have a strange extension . On your scoping call, the victim also said they had identified a ransom note stating their data has been stolen . When asked about any earlier signs, the victim mentioned some strange, failed login activity early in March 2024 in their Entra ID , but it wasn't of concern at the time . Ransomware typically avoids system files to not cause crashes in the system, which also happens to be where a lot of forensic evidence is! You have been provided triage images of the hosts and log exports from the relevant systems. The Waifu University team took triage collections from the affected hosts using the account WAIFU\kscanlan6 at approximately 2024-03-07 05:00:00 UTC . Consider activity after this point related to the response. I've tried to make a point here to avoid directly giving the answers, they may b...
Read more