This is the next point release for Velociraptor - Digging deeper!
This release introduces some significant improvements, new features and bug fixes. Some notable changes include:
- A new binary parser is now available in VQL. This allows powerful parsers to be implemented right inside your query.
- The offline collector now stores into a multithreaded ZIP writer. This speeds up collection on multi-core machines because multiple cores can compress at the same time.
- Performance optimizations for the VQL engine: lazier evaluation in more places.
- Fixed bugs in the NTFS parser cache that were causing failures in some queries.
- Disabled MySQL as a filestore. The MySQL backend proved to be lower performance than plain disk and had stability issues. We are temporarily withdrawing this option until we can work on it more.
- Server side event queues now implement file-backed overflow, which makes them more scalable and faster.
Also included are a number of interesting new artifacts:
- Splunk upload artifacts matching the previous Elastic based ones
- Certutils metadata parser using the new binary parser framework
- Lnk file parser using the new binary parser in VQL
- The Hive interfacing artifacts
As always, please file issues on the GitHub bug tracker or ask questions on our mailing list velociraptor-discuss@googlegroups.com. You can also chat with us directly on Discord: https://www.velocidex.com/discord
PS: We have a couple of training courses coming up in the next couple of months. Consider those if you want to be able to use Velociraptor like a pro! https://www.velocidex.com/training/
Known issues
- If you intend to use the API, please use a CI build later than #879, as there is a known issue with API connections in earlier builds.