Investigating Clients

Imagine you have received an alert about potentially suspicious activity on a particular endpoint. One of the first things you would want to do is interactively examine that endpoint.

Velociraptor allows you to do just that! Simply search for the client in the GUI and navigate its file system remotely. You can download remote files, read registry keys remotely and look at evidence stored in Volume Shadow Copies, all from a natural, intuitive interface.

We will also demonstrate the FUSE interface. Velociraptor allows you to mount a remote system’s Virtual File System locally and then access the endpoint’s files transparently using the analysis tool of your choice.