github Velocidex/velociraptor v0.6.4-2
Release 0.6.4


This is the next point release for Velociraptor - Digging deeper!

For a full description of notable new features, please read the release notes here: https://docs.velociraptor.app/blog/2022/2022-03-23-release-notes/

Notable features

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it was primarily used as a live response agent. Many users have asked us if Velociraptor can be used on dead disk images. Although we rarely use dead disk images in practice, sometimes we do encounter these (e.g. in cloud investigations).

Previously we could not use Velociraptor easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you would like to read more about this new feature check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints we need to be mindful of the overall load that collection will impose on endpoints. For performance-sensitive servers, our collection can cause operational disruption. For example, running a YARA scan over the entire disk would utilize a lot of IO operations and may use a lot of CPU resources. Velociraptor will then compete for these resources with the legitimate server functionality and may cause degraded performance. In 0.6.4 we have implemented a feedback-based throttler that can throttle VQL queries to a target average CPU utilization.

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. However, previously Velociraptor only supported one OAuth2 provider at a time. Users had to choose between Google, GitHub, Azure or OIDC (e.g. Okta) for the authentication provider. In 0.6.4 Velociraptor can be configured to support multiple SSO providers at the same time.

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things that you might have never realized it can! For a while now we have been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor knowledge base is a new area on the documentation site that allows anyone to submit a small (1-2 paragraph) tip about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Tips should be short and refer to more detailed documentation - they are just a quick hint.

Known issues

Release 0.6.4-2 fixes a number of issues, some affecting both clients and the server. Please upgrade.

The full change log can be seen here: abe3ae6...b6c5764

Release 0.6.4-1 fixes #1743 which counted completed clients in hunts incorrectly.
