August 29, 2024

Gobbling Up Forensic Analysis Data Using Velociraptor

Written by Thomas Millar
Incident Response & Forensics

Lately I have been working with Velociraptor for its endpoint and digital forensic capabilities, and in the past two years I have specifically spent time in many IR cases using the Velociraptor Offline Collector functions to gather forensic data.

Sometimes you have host systems that you would like to collect IR triage data from, but one or more of the following factors prevents real-time communication with a Velociraptor server.

  • Maybe the client organization does not already have Velociraptor set up.
  • The desired endpoint is separated from the very network on which the organization has a Velociraptor server instance running.
  • Maybe it’s a laptop that is out on the road, not expected to come back onto the office network or connect back through VPN, so its data cannot get into the organization’s Velociraptor server.

If you still want to leverage Velociraptor’s collection and post-processing of artifacts, this blog will guide the reader through the steps needed to integrate an already-run ‘Offline Collector’ artifact package into your Velociraptor server, and showcase artifacts that come from a macOS host for quick, preliminary triage. This is applicable to other operating systems, but recently I have been spending time on Linux and Apple macOS systems, so it’s a perfect opportunity to give those some time in the blogosphere light and have this discussion while featuring them.

Preliminary

The Offline Collector packages the large amount of data it gathers from a host into a .ZIP file so the results can be opened and examined easily. That same .ZIP file can also be handed to an existing Velociraptor server for ingestion, and that is what we want to go with today.

Keep in mind that when Velociraptor runs through the collection it produces a .ZIP file, and that file inherits the ownership of whoever executed the collector. In this example I am showcasing macOS systems, so user permissions really matter. When I look at my previously collected file, I observe that its owner is root (because I ran the Velociraptor Offline Collector via sudo). So it’s a must to check the .ZIP file, find out whether it is still ‘owned by root’, and if so change the ownership before proceeding. I change the owner with chown and move on to the Velociraptor UI.

Into the Velociraptor GUI

Start by logging into your Velociraptor GUI server instance with Admin credentials, since we want to see all options within the Admin GUI. Now navigate to Server Artifacts in the sidebar and look for the + button near the top of the frame that appears. This is where you begin a new collection.

Figure 1 - Server Artifacts Sidebar Operation
Figure 2 - New Collection Function

This collection is special because we are instructing the Velociraptor server to pull in an Offline Collector archive (the .ZIP file) and ingest it so that it appears as a client we can run later processing on. Type the following term (case-insensitive) into the search box and the artifact will appear in the frame on the right: Server.Utils.ImportCollection.

Figure 3 - Search and Selection of Artifacts

Next come the configuration parameters for the operation. One-third of them can be left alone, but do supply the ‘victim’ hostname so the imported client can be differentiated in Velociraptor, and put the path to the Offline Collector .ZIP file into the path field.

Figure 4 - Parameters

Proceed to Launch (at the far right), then check the log and results for any error messages or anomalies. One gotcha is forgetting who ‘owns’ the file; in that case you will see a ‘Permission Denied’ error event in the output. So again, remember to change the file ownership before kicking this off.
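The ownership check described above, as an added example that is not part of the original post: a small POSIX shell script that tells you whether an Offline Collector .ZIP is still root-owned (the usual state after a sudo run) and, only in that case, hands it to the account the Velociraptor server runs as. The archive path and the server account name are assumed arguments; `velociraptor` as the service account is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-import check for an
# Offline Collector archive: a root-owned .ZIP is what produces the
# 'Permission Denied' error when Server.Utils.ImportCollection reads it.
# Arguments (assumed): archive path, and the account the server runs as.

# Numeric uid of a file's owner; ls -n is portable across macOS and Linux
# and avoids name lookups that fail for uids without a passwd entry.
collector_owner() {
    ls -lnd "$1" | awk '{print $3}'
}

# Succeeds (exit 0) when the archive is still owned by root (uid 0).
owned_by_root() {
    [ "$(collector_owner "$1")" = "0" ]
}

# Hand a root-owned archive to the server account; leave other files alone.
# Exit codes: 0 ok, 2 archive missing, 3 chown failed.
prepare_collector_zip() {
    zip_path="$1"
    server_user="$2"
    if [ ! -f "$zip_path" ]; then
        echo "no such archive: $zip_path" >&2
        return 2
    fi
    if owned_by_root "$zip_path"; then
        # chown away from root needs root itself; run this script via sudo.
        chown "$server_user" "$zip_path" || return 3
        echo "changed owner of $zip_path to $server_user"
    else
        echo "$zip_path owned by uid $(collector_owner "$zip_path"); nothing to do"
    fi
    return 0
}

# Usage: sudo sh prepare_zip.sh /path/to/Collection-host.zip velociraptor
if [ "$#" -ge 2 ]; then
    prepare_collector_zip "$1" "$2"
fi
```

After it reports the owner change, launch Server.Utils.ImportCollection from the GUI as described above and the read should succeed.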

Looking at the Results

My Offline Collector run for my test macOS system had a number of artifacts I was hoping would yield some interesting results to go through, 22 in all. Some of them were a mix of the baked-in artifacts already present in a Velociraptor GUI when running it for the first time, as well as ones that I pulled down from the Artifact Exchange and integrated into my Velociraptor instance. The ones I chose to showcase are the following, aimed at some of the interesting things I can expect to find on an Apple macOS system and gather quickly without waiting.

Figure 5 - Example Sought-After Artifacts for macOS

There are many more, and plenty to choose from, that are offered within Velociraptor, but these were selected because they usually produce results quickly.

Only these artifact items (below) had results. You can expect your own experience to vary, of course.

  • MacOS.System.Wifi
  • Exchange.MacOS.Applications.Cache
  • Exchange.MacOS.Applications.Safari.History/History
  • MacOS.Detection.InstallHistory/Install History
  • Generic.Applications.Chrome.SessionStorage
  • MacOS.Applications.Chrome.History
  • MacOS.Applications.MRU
  • Exchange.MacOS.System.LocationServices
  • MacOS.System.Plist
  • MacOS.Network.Netstat
  • Exchange.MacOS.Sys.BashHistory/History
  • Exchange.MacOS.Sys.BashHistory/Sessions
  • MacOS.Sys.Pslist
  • MacOS.System.Users

Now I can just parse through the results of those 14 that managed to be successfully collected and ingested and start to look for anything interesting or strange. For instance, looking through the Bash History artifact collection is always on the menu (in my opinion). This is a nice artifact offered on the Velociraptor Artifact Exchange.

Figure 6 - Results From Collected Exchange.MacOS.Sys.BashHistory/History

Additionally, getting a feel of what users are on a Linux or macOS system is helpful during a triage.

Figure 7 - Results of MacOS.System.Users

Closing

This blog was focused on taking a Velociraptor offline .ZIP file that perhaps you collected yourself, or that was otherwise provided to you, and adding that file’s contents into a Velociraptor GUI. We went over some highlights of how the file import capability is performed via the Velociraptor Admin UI, and what to look for before, during, and after the import process takes place. At this point, you come away having seen another capability that Velociraptor offers, and how you can integrate it with offline collections regardless of the target operating system from which the Velociraptor Offline Collector gathered data. Thank you for reading, and good luck with the sleuthing!