Presented by

  • Mike Cohen

    Mike Cohen
    https://www.velocidex.com/

    Mike is a renowned digital forensic researcher and senior software engineer. He has supported leading open-source DFIR projects, including as a core developer of Volatility and lead developer of both Rekall and GRR Rapid Response. Mike is our "Digital Paleontologist" and brings his years of expertise to the role of principal developer of Velociraptor, an open-source digital forensics and incident response tool.

Abstract

This hands-on lab introduces delegates to Velociraptor: a new open-source (AGPL) platform for performing surgical forensic evidence collection and incident response across a distributed computer network. It is fast, precise, powerful and free, and it supports Linux, Windows and macOS. Velociraptor is unusual in that it exposes a query language, so users can query their endpoints flexibly in response to new threat information rather than being limited to a fixed set of collectors.

Participants will download the latest Velociraptor executable, then configure and deploy a Velociraptor server and agent before collecting and examining evidence from across their personal test network. This workshop will focus on Linux. The instructors will walk through several real-life investigation scenarios, including collecting evidence of program execution, searching for evidence of lateral movement, hunting for backdoors and hunting for attacker IOCs. We also explore how Velociraptor can be used to perform continuous security monitoring on the endpoints.

Participants will become familiar with the main deployment options, the elements of the Velociraptor interface and the procedure for configuring and executing basic hunts, before moving on to the Velociraptor Query Language (VQL), which opens the door to developing custom hunts to meet specific investigation needs. We will also cover the management and monitoring features that allow Velociraptor to be used at scale with minimal impact on network performance.
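To give a sense of what a custom hunt looks like before the workshop, the artifact below is an added example written for this page; it is not part of the workshop material or the Velociraptor project's own artifact set. It targets one of the backdoor-hunting scenarios mentioned above: on Linux, a process whose executable has been unlinked from disk shows up with a "(deleted)" suffix on its /proc/PID/exe link, which is a common sign of an in-memory implant or a binary removed to frustrate collection. The artifact name, description and the assumption that the built-in pslist() plugin exposes the Exe and CommandLine columns on Linux are assumptions made for illustration.

```yaml
# Added example artifact, not from the workshop page. Name and description are
# illustrative; the pslist() column names are assumed to match the Linux client.
name: Custom.Linux.Hunt.DeletedExecutables
description: |
  Lists running processes whose on-disk executable has been deleted. On Linux the
  /proc/<pid>/exe link of such a process ends in "(deleted)", which is a common
  indicator of memory-resident backdoors or binaries removed after execution.
  Run as a hunt across all Linux clients and review any rows returned.
type: CLIENT
parameters:
  - name: ExcludeRegex
    description: Process names to ignore (regex), e.g. known updaters.
    default: "^$"
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'linux'
    query: |
      SELECT Pid, Ppid, Name, Username, Exe, CommandLine, CreateTime
      FROM pslist()
      WHERE Exe =~ "\\(deleted\\)$"
        AND NOT Name =~ ExcludeRegex
      ORDER BY CreateTime
```

Once the artifact is added to the server, it can be launched as a hunt from the GUI like any built-in artifact; the precondition stops it from running on non-Linux clients, and the ExcludeRegex parameter lets an analyst suppress noise from legitimate self-updating software without editing the query. The same pattern (a precondition, a few parameters and a single VQL query over a built-in plugin) covers most of the program-execution and lateral-movement hunts the workshop describes.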