
Releases: Velocidex/velociraptor

Release 0.3.7

07 Dec 04:07
ff4d5f7

This is the next point release of Velociraptor. This release introduces a large number of new forensic artifacts, parsers and other features, as well as bugfixes and performance enhancements. Thanks everyone for reporting issues through the issue board and Discord!

New features

  • Process analysis plugins: VAD, Handles, Mutants, DLLList, Windows Object tree
  • Parser for ESE files - this allows us to process artifacts like the SRUM database and Internet Explorer history files.
  • Added JSONL as an optional output - This works well with tools like jq and logstash.
  • Added GUI prepare download features for hunts (previously this was only available for individual collections)
  • Added VQL trace feature to help people debug VQL queries.

Bugfixes

  • Fixed memory leak with watch_evtx() based queries.
  • Fixed bug in hunt manager which sometimes would schedule hunt on clients twice.
  • GUI was not including all data in the download bundle.

As always, file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.3.6

12 Nov 04:31
0ef3a36

This is the next point release of Velociraptor. This release introduces a number of large changes in the API and data store representation. It is possible that previous data will not be readable by the newer binary. Please make sure to back up your data store if you want to keep it through the upgrade process.

  • Added a javascript interpreter within VQL
  • Major refactor of client/server comms protocols. The new protocol is more efficient for larger uploads.
  • Implemented active client side cancellation. When a flow is stopped it will immediately cancel all running queries on the client. This is especially useful if you find you do not need the artifact collected any more.
  • velociraptor config repack can now repack external binaries.
  • EVTX parser will now include the event message by extracting it from the message DLLs. The message will be expanded with the EventData parameters on the endpoint to provide a more complete picture of event logs on Windows.
  • Added the parse_mft() plugin to parse and export all the filenames in the MFT. This can be used in conjunction with the Windows.NTFS.Recover artifact to potentially recover deleted files.
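The EVTX bullet above describes message expansion: the message DLL holds a template with numbered placeholders, and the EventData values from the record are substituted into it. The following Python is an added illustration of that mechanism, not Velociraptor's own parser code. It assumes a simplified placeholder grammar (%1..%N for EventData parameters, %n for newline, %t for tab, %% for a literal percent sign); the template and parameter values are constructed for the example.

```python
import re
from typing import List

# Placeholders handled by this simplified model (an assumption for the example):
#   %<digits>  -> EventData parameter at that 1-based index
#   %n / %t    -> newline / tab
#   %%         -> literal percent sign
PLACEHOLDER = re.compile(r"%(%|n|t|\d+)")


def expand_message(template: str, event_data: List[str]) -> str:
    """Substitute EventData parameters into a message-DLL style template.

    Parameters that the record does not carry are left as their placeholder
    so the analyst can see that the template expected more data than the
    event provided, rather than silently dropping the field.
    """
    def substitute(match: re.Match) -> str:
        token = match.group(1)
        if token == "%":
            return "%"
        if token == "n":
            return "\n"
        if token == "t":
            return "\t"
        index = int(token)  # 1-based parameter index
        if 1 <= index <= len(event_data):
            return event_data[index - 1]
        return match.group(0)  # keep unresolved placeholder verbatim

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample: a template in the style of a logon-failure message and the
# EventData values that would accompany one record. Not copied from any real DLL.
SAMPLE_TEMPLATE = (
    "An account failed to log on.%n%n"
    "Account Name:%t%1%n"
    "Source Address:%t%2%n"
    "Status:%t%t%3%n"
    "Progress: 100%% complete"
)
SAMPLE_EVENT_DATA = ["alice", "10.0.0.5", "0xC000006D"]


def render_sample() -> str:
    """Expand the constructed template with the constructed EventData."""
    return expand_message(SAMPLE_TEMPLATE, SAMPLE_EVENT_DATA)


if __name__ == "__main__":
    print(render_sample())
    # A record with fewer parameters leaves the unmatched placeholder in place:
    print(expand_message("User %1 from %2", ["bob"]))
```

Keeping unresolved placeholders visible (rather than replacing them with an empty string) is deliberate: a mismatch between template arity and EventData count is itself a useful signal that the wrong message table version was used, and it should not be hidden in the rendered output.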

As always, file issues on the bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.3.5

08 Oct 08:55
0a748d9

This is the next point release of Velociraptor. Major features in this release include:

  • Elastic VQL plugin and artifacts now allow automatic indexing of artifact collections.
  • Stand alone zip files can be encrypted.
  • An upload_gcs() plugin allowing VQL to automatically upload to GCS.
  • UI Changes - better rendering of VQL with syntax highlighting.

As always, file issues on the bug tracker or ask your questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord

Release 0.3.4

30 Sep 05:22
2cd9c3e

This is the next point release for Velociraptor: 0.3.4

This release introduces many bug fixes and performance improvements. The main features in this release include the porting of the KapeFile repository into a single artifact. The KapeFiles rules are geared at forensic file collection for triaging. The Velociraptor artifact also implements VSS deduplication - retrieving all relevant versions of the files collected.

This release also includes a number of interesting artifacts:

  • I30 scanning for recovering potentially deleted files.
  • Autoruns artifact - this artifact uses sysinternals autoruns to find potentially malicious programs. It is an excellent example of how third party tools can be integrated with velociraptor.
  • Kerberoasting collection - determines if a weak golden ticket is issued.

As always, file issues on the bug tracker or ask your questions on our mailing list velociraptor-discuss@googlegroups.com

Release 0.3.3

06 Sep 01:03
009b182

This is the next point release. The main change in this release is the introduction of a client local buffer file. This means that event monitoring artifacts can continue being collected on the endpoint, even if the endpoint goes offline or becomes disconnected from the server.

Additionally, zip files are now prepared on the server instead of being automatically streamed; this allows the user to pause or resume downloads of large ZIP files.

Release 0.3.2

09 Aug 20:50
955a711

This point release is just in time for the SANS Summit. If you are watching our presentation you can follow along at home with this release.

Release 0.3.1

15 Jul 03:08

This is the next point release for Velociraptor. This release coincides with the launch of the new Velociraptor documentation site at https://docs.velociraptor.velocidex.com/docs/ .

Some of the notable changes:

  • We have started to distribute Velociraptor as a signed MSI. This makes deployment even easier than before. There is also an interactive configuration wizard which should help you get started in most common deployment scenarios. Read the getting started guide to see how to deploy Velociraptor.

  • We added a generic file finder artifact. This replaces the old, deprecated flow of the same name. It is one of the more powerful artifacts and forms the basis for many others. Read more about it here

  • There are many GUI changes, including a built-in dashboard (you can still use Grafana, but in most cases the built-in dashboard is sufficient). Read the User Interface guide for a description of the new interface.

  • Many new binary parsers including AppCompatCache keys, sqlite and prefetch files.

  • We also have a new logo! Let us know if you like it...

[image: the new Velociraptor logo]

As always, please file any issues to the issue board and ask your questions on the mailing list.

Release 0.3.0

20 May 12:52

This release introduces a major rework of the GUI:

  • Client monitoring artifacts are now settable via the GUI (without restarting the server)
  • Server event artifacts are now settable via the GUI
  • Better linking between screens.
  • Artifact collector can now search artifact descriptions.

Additionally, we introduced reporting to the artifact view. A report is a template which can be added to the artifact to explain how to interpret the results. The report may issue VQL queries itself to do further post-processing. There are a number of graphical primitives available to reports, such as tables, line charts and timelines.

As always, file bugs and feature requests on https://github.com/Velocidex/velociraptor

Release 0.2.9

08 Apr 07:53

This is the next point release of Velociraptor, just in time for the CrikeyCon 2019 workshop!

Notable features:

  • Addition of raw registry accessor allows parsing of registry hives which are locked (like ntuser.dat or amcache).
  • Velociraptor now supports a reverse proxy for integration with Grafana.
  • Windows fuse implementation added.
  • Implemented artifact packs - Artifacts can now collect multiple VQL tables and contain other artifacts.
  • Ability to add read-only users to the GUI.

Release 0.2.8

20 Feb 23:51

This is the next release of Velociraptor.

This release brings many improvements to scalability and efficiency. The main features are:

  • Velociraptor can now use self-signed SSL for all connections (gRPC, client/server and GUI).
  • Velociraptor can now dump process memory using the proc_dump() VQL plugin.
  • Implemented exported files which are included in artifacts verbatim.
  • Added the ability to set artifact parameters in GUI.
  • Velociraptor can now collect DNS query logs on the endpoint and stream them to the server.
  • Client side throttling allows heavy collections on the endpoint with minimal performance impact.
  • Flow completion notifications allow VQL queries to track completed flows.
  • Python bindings added.
  • Console added for command line completion of VQL queries.
  • VBA macro extractor can dump VBA macros from office documents.
  • A fifo() VQL plugin allows writing artifacts with time-based detection (e.g. detect a successful login after 3 failed ones).
  • Prometheus metrics
  • Authenticode support.
  • All connections now use TLS - gRPC API is always using TLS now.
  • Updated license to AGPLv3.
  • Windows and macOS binaries are now signed.
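The fifo() bullet above gives "a successful login after 3 failed ones" as the motivating detection. The following Python is an added illustration of that detection pattern, written here rather than taken from Velociraptor or its VQL artifacts: a bounded FIFO per user holds the timestamps of the last N failed logons, and a success is flagged when all N fall inside a time window before it. The event records are constructed for the example; the event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Windows Security log IDs, and the field names are an assumption of this sample format.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAILED_LOGON = 4625   # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security: an account was successfully logged on

# Constructed sample events, oldest first (not real logs).
#  - alice: 3 failures within 30 s, then success  -> should alert
#  - bob:   1 failure then success                -> below threshold
#  - carol: 3 failures, success 90 min later      -> outside a 5 min window
SAMPLE_EVENTS = [
    {"ts": "2019-02-20T10:00:00", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2019-02-20T10:00:10", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2019-02-20T10:00:20", "event_id": 4625, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2019-02-20T10:00:30", "event_id": 4624, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2019-02-20T10:01:00", "event_id": 4625, "user": "bob",   "src": "10.0.0.7"},
    {"ts": "2019-02-20T10:01:05", "event_id": 4624, "user": "bob",   "src": "10.0.0.7"},
    {"ts": "2019-02-20T11:00:00", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2019-02-20T11:00:01", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2019-02-20T11:00:02", "event_id": 4625, "user": "carol", "src": "10.0.0.9"},
    {"ts": "2019-02-20T12:30:00", "event_id": 4624, "user": "carol", "src": "10.0.0.9"},
]


def detect_success_after_failures(
    events: List[dict],
    failures: int = 3,
    window: timedelta = timedelta(minutes=5),
) -> List[dict]:
    """Alert when a successful logon follows `failures` failed logons for the
    same user, all within `window` before the success.

    The per-user deque is bounded to `failures` entries, so it behaves like the
    fixed-size FIFO the bullet describes: only the most recent N failures are
    retained and the oldest is evicted automatically as new ones arrive.
    """
    recent_failures: Dict[str, Deque[datetime]] = {}
    alerts: List[dict] = []

    for ev in events:  # events are assumed to arrive in time order
        user = ev["user"]
        ts = datetime.fromisoformat(ev["ts"])

        if ev["event_id"] == FAILED_LOGON:
            queue = recent_failures.setdefault(user, deque(maxlen=failures))
            queue.append(ts)

        elif ev["event_id"] == SUCCESS_LOGON:
            queue = recent_failures.get(user)
            # Full queue means at least N failures; queue[0] is the oldest kept.
            if queue is not None and len(queue) == failures and ts - queue[0] <= window:
                alerts.append({
                    "user": user,
                    "src": ev["src"],
                    "success_at": ev["ts"],
                    "first_failure_at": queue[0].isoformat(),
                    "failed_count": len(queue),
                })
            # A success closes the sequence; start fresh for this user so one
            # burst of failures cannot keep re-triggering on later logons.
            recent_failures.pop(user, None)

    return alerts


if __name__ == "__main__":
    for alert in detect_success_after_failures(SAMPLE_EVENTS):
        print(alert)
```

Two tuning knobs matter in practice: the window controls how far apart failures may be and still count as one attempt sequence (a wider window catches slower guessing but raises noise from users who simply mistype), and keying the queue on user plus source address instead of user alone separates a single client's retries from distributed attempts against one account.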