Velociraptor Offline Collector
This is a living document and may be incomplete.
- Updated 1DEC2023
Locating Evidence of Execution using Prefetch, Velociraptor, and Zimmerman's PECmd
Prefetch is a common Windows artifact used for determining the first and last incidences of a program being executed. The artifact is a set of binary blobs stored under `$:\Windows\Prefetch`, consisting of files named `APPLICATION-GUID.pf`. Each file contains the name of the executable, the last n run date time groups, a hash of the executable and path, and a list of files accessed by the .exe in the first few seconds of loading.
Tools Recommended:
- Get-ZimmermanTools.ps1
- Velocidex/Velociraptor
- KAPE - note, it’s necessary to provide the vendor with your email to obtain KAPE but it will make your life much much easier.
Using Velociraptor to collect forensic artifacts from a live system
- Download Velociraptor and, from an admin/sudo command prompt/CLI, run `velociraptor gui`.
- A browser will pop up; choose Accept and Continue when warned about the missing certificates.
- From the Common Tasks menu, choose Build an Offline Collector.
- In the top left, below the search bar, select the paper plane icon with the tooltip Build Offline Collector.
- On the Create Offline collector: Select artifact to collect page, choose `Windows.KapeFiles.Targets` and click Configure Parameters in the bottom left.
- On the Configure artifact parameters page, click the wrench icon and ensure the following parameters are set:
  - a. Search for `_SANS_Triage` and ensure the check box is checked. You may review the triage target to confirm the desired artifacts are included, or choose to collect only the prefetch files individually.
  - b. Ensure the correct drive letters are present in the `Device:` setting, e.g. `C:,D:`.
- Choose Configure Collection and, if desired, provide additional inputs. Notably, the Encryption Scheme may be modified to produce a password-protected file, and the Collection type may be directed to an AWS S3 bucket, Azure Storage Blob, or Google Drive of your choosing. Choose Specify Resources to continue.
- On the Specify Resources page you may modify the following:
  - a. CPU Limit Percent - beneficial when performing forensics on live systems that may not be removed from production, or without the users' knowledge.
  - b. Max Execution Time in Seconds - defaults to 10 minutes (600 seconds). This value may not be appropriate for systems with large file systems or a long history of use.
  - c. Max Idle Time in Seconds - may be set to prevent the collector from hanging during collection. This is again for live/user systems.
- Choose Launch and the window will close.
- From the collection list above, select `Server.Utils.CreateCollector`.
- Click the Uploaded Files tab and select the file under the heading `vfs_path`. This will usually look like `\Collector-velociraptor-v0.7.0-3-windows-amd64.exe`; the version number will depend on your Velociraptor executable.
- From here, the file may be transferred to a USB drive or placed using EDR/MDM software, and executed from an admin command prompt.
Using PECmd.exe from ZimmermanTools to identify evidence of execution
- Unzip the Velociraptor collection, locate the `uploads` folder, and note the path to the `windows\prefetch` folder.
- In an admin command prompt, locate the `PECmd.exe` executable within the Zimmerman tool set.
- Run the following command:
  `PECmd.exe -d c:\path\to\windows\prefetch\identified\above --csv c:\path\to\velociraptor\collection\results\ --csvf name_of_output_file.csv`
- This output file can be viewed most effectively with `TimelineExplorer.exe`, found in the folder of the same name in the Zimmerman tools.
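PECmd writes one CSV row per .pf file, with the most recent run in LastRun and earlier runs spread across PreviousRun0..PreviousRun6, so the "first and last execution" question from the introduction still needs those columns flattened into one event per run. The script below is an added example, not part of these notes or of Zimmerman's tools. It assumes PECmd's CSV column names (SourceFilename, ExecutableName, LastRun, PreviousRun0..PreviousRun6; check them against the header of your own output), falls back to the APPLICATION-HASH.pf filename convention described above when ExecutableName is blank, and runs on a constructed three-row sample in place of a real collection.

```python
"""Flatten PECmd's per-file CSV rows into a per-execution timeline (added example)."""
import csv
import io
from datetime import datetime

# Column names assumed to match PECmd's --csv output; verify against your header row.
RUN_COLUMNS = ["LastRun"] + [f"PreviousRun{i}" for i in range(7)]

# Constructed sample rows (not from a real collection), trimmed to the columns used here.
# The third row deliberately has a blank ExecutableName to exercise the filename fallback.
SAMPLE_PECMD_CSV = """SourceFilename,ExecutableName,Hash,RunCount,LastRun,PreviousRun0,PreviousRun1,PreviousRun2,PreviousRun3,PreviousRun4,PreviousRun5,PreviousRun6
C:\\case\\uploads\\C\\Windows\\prefetch\\NOTEPAD.EXE-D8414F97.pf,NOTEPAD.EXE,D8414F97,3,2023-11-30 22:41:10.1234567,2023-11-28 08:02:00.0000000,2023-11-01 12:00:00.0000000,,,,,
C:\\case\\uploads\\C\\Windows\\prefetch\\PSEXESVC.EXE-5D3E4A11.pf,PSEXESVC.EXE,5D3E4A11,1,2023-11-30 22:15:43.0000000,,,,,,,
C:\\case\\uploads\\C\\Windows\\prefetch\\POWERSHELL.EXE-920BBA2A.pf,,920BBA2A,2,2023-11-30 22:16:01.5000000,2023-11-30 22:15:50.0000000,,,,,,
"""


def parse_pecmd_timestamp(value):
    """Parse PECmd's 'YYYY-MM-DD HH:MM:SS.fffffff' (7 fractional digits, UTC).

    Python's %f accepts at most 6 digits, so the seventh is dropped. Blank cells
    (a run slot that was never filled) return None.
    """
    value = value.strip()
    if not value:
        return None
    if "." in value:
        head, frac = value.split(".", 1)
        return datetime.strptime(f"{head}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def prefetch_name_parts(pf_path):
    """Split 'APPLICATION.EXE-HASH.pf' into ('APPLICATION.EXE', 'HASH')."""
    name = pf_path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = name[:-3] if name.lower().endswith(".pf") else name
    exe, _, path_hash = stem.rpartition("-")
    return exe, path_hash


def load_run_events(csv_text):
    """Return one (timestamp, executable, column, source_file) tuple per recorded run, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = row.get("ExecutableName", "").strip() or prefetch_name_parts(row["SourceFilename"])[0]
        for col in RUN_COLUMNS:
            ts = parse_pecmd_timestamp(row.get(col, ""))
            if ts is not None:
                events.append((ts, exe, col, row["SourceFilename"]))
    events.sort()
    return events


def summarize_executions(events):
    """Per executable: earliest and latest retained run and the number of timestamps seen.

    Prefetch keeps only the last few runs, so 'first' is the earliest *retained*
    run, not necessarily the first time the program ever executed.
    """
    summary = {}
    for ts, exe, _col, _src in events:
        entry = summary.setdefault(exe, {"first": ts, "last": ts, "runs": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["runs"] += 1
    return summary


def executions_between(events, start, end):
    """Runs inside [start, end] in order; bounds may be datetimes or PECmd-style strings."""
    if isinstance(start, str):
        start = parse_pecmd_timestamp(start)
    if isinstance(end, str):
        end = parse_pecmd_timestamp(end)
    return [(ts, exe) for ts, exe, _c, _s in events if start <= ts <= end]


if __name__ == "__main__":
    evs = load_run_events(SAMPLE_PECMD_CSV)
    for exe, info in sorted(summarize_executions(evs).items()):
        print(f"{exe:15} first={info['first']} last={info['last']} runs={info['runs']}")
    window = executions_between(evs, "2023-11-30 22:00:00", "2023-11-30 23:00:00")
    print("Ran in window:", [(ts.strftime("%H:%M:%S"), exe) for ts, exe in window])
```

To use it on a real case, read the PECmd output file into `load_run_events` instead of the sample string; the per-run events are also what Timeline Explorer shows, but having them as Python tuples lets you join against other artifacts or scope an incident window programmatically.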
TODO:
Write up how to use KAPE Modules EZ on Velociraptor collection.