This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
GUI improvements
Enhanced client search
In this release the client index was rewritten to store all client
records in a single snapshot file, while managing this file in
memory. This approach allows client searching to be extremely quick
even for large numbers of clients well over 100k.
Paged table in Flows List
In this release the GUI was updated to include a paged table (with
suitable filtering and sorting capabilities) so all collections can be
accessed.
VQL Plugins and artifacts
Chrome artifacts
Added a leveldb parser and artifacts around Chrome Session
Storage. This allows analysis of the data that various web apps store
locally through Chrome.
Lnk forensics
This release adds a more comprehensive Lnk parser covering all known
Lnk file features. You can access the Lnk file analysis using the
`Windows.Forensics.Lnk` artifact.
Direct S3 accessor
In this release Velociraptor adds an S3 accessor. This allows plugins
to directly operate on S3 buckets. In particular the glob() plugin can
be used to query bucket contents and read files from various
buckets.
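The bucket listing and read described above, as an added server artifact (not code from the Velociraptor project or the release notes). It assumes the s3 accessor takes its credentials from a scope variable named S3_CREDENTIALS with region, credentials_key and credentials_secret keys, and that object paths have the form /<bucket>/<key>; the bucket name, prefix and parameter names are placeholders.

```yaml
# Added example; not part of the Velociraptor project.
name: Custom.Server.S3.ListBucket
description: |
  List objects under a key prefix in one S3 bucket through the s3 accessor
  and read the first bytes of each object. Hand the accessor a read-only
  identity and pass the secret as a parameter rather than storing it here.
type: SERVER
parameters:
  - name: Bucket
    default: example-bucket        # placeholder
  - name: Prefix
    default: logs/                 # placeholder
  - name: Region
    default: us-east-1
  - name: AccessKey
    description: Access key of a read-only identity (assumed credential key name).
  - name: SecretKey
    description: Matching secret (assumed credential key name).
sources:
  - query: |
      -- The accessor reads its credentials from this scope variable
      -- (assumed shape of the dict).
      LET S3_CREDENTIALS <= dict(region=Region,
                                 credentials_key=AccessKey,
                                 credentials_secret=SecretKey)

      -- glob() walks keys as if they were a directory tree; the path
      -- layout /<bucket>/<key> is assumed.
      LET Objects = SELECT OSPath, Size, Mtime
        FROM glob(globs=format(format='/%v/%v**', args=[Bucket, Prefix]),
                  accessor='s3')
        WHERE NOT IsDir

      -- Read only a short head of each object so large keys are not pulled
      -- in full just to identify them.
      SELECT OSPath, Size, Mtime,
             read_file(filename=OSPath, accessor='s3', length=256) AS Head
      FROM Objects
```

Run it as a server artifact; rows carry the object key, size, last-modified time and a 256-byte head that can be inspected or hashed in a notebook.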
Volume Shadow Copies analysis
In the 0.7.0 release, Velociraptor adds the ntfs_vss accessor. This
accessor automatically considers different snapshots and deduplicates
files that are identical in different snapshots. This makes it much
easier to incorporate VSS analysis into your artifacts.
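The snapshot walk described above, as an added client artifact (not code from the Velociraptor project or the release notes). It assumes that glob() accepts a drive-letter glob such as C:/Users/*/NTUSER.DAT when used with the ntfs_vss accessor and that hash() accepts the same accessor; the artifact name and parameter are placeholders.

```yaml
# Added example; not part of the Velociraptor project.
name: Custom.Windows.VSS.Hives
description: |
  Find a file glob on the live volume and in every Volume Shadow Copy.
  The ntfs_vss accessor returns one row per distinct copy, so the SHA256
  column shows directly which snapshots hold a changed version of a file
  (for example a hive that was modified between snapshots).
parameters:
  - name: TargetGlob
    default: C:/Users/*/NTUSER.DAT   # glob form assumed for this accessor
sources:
  - precondition: SELECT OS FROM info() WHERE OS = 'windows'
    query: |
      -- Copies that are byte-identical across snapshots are already
      -- collapsed by the accessor; hashing the survivors lets an analyst
      -- line up each row with the snapshot it came from.
      SELECT OSPath, Size, Mtime,
             hash(path=OSPath, accessor='ntfs_vss').SHA256 AS SHA256
      FROM glob(globs=TargetGlob, accessor='ntfs_vss')
      WHERE NOT IsDir
```

The OSPath column distinguishes the live volume from each shadow copy, so two rows with the same Mtime but different SHA256 values point at content that changed without the timestamp moving.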
The SQLiteHunter project
This release incorporates the SQLiteHunter artifact, a one-stop shop
for finding and analyzing SQLite files such as browser artifacts and
OS internal files.
Server security improvements
In the 0.7.0 release, Velociraptor offers the GUI.allowed_cidr
option. If specified, the listed CIDR ranges define the source IP
addresses from which the server accepts connections to the GUI
application (for example 192.168.1.0/24).
This filtering only applies to the GUI and forms an additional layer
of security protecting the GUI application (in addition to the usual
authentication methods).
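A server configuration fragment showing the option, added here as an example rather than taken from the release notes. The GUI.bind_address and GUI.bind_port keys are existing settings; allowed_cidr is the 0.7.0 option described above, and the ranges are placeholders. The filter is assumed to match the peer address the server itself sees on the connection, so if a reverse proxy or load balancer terminates the TLS session in front of the GUI, the address being checked is the proxy's, not the browser's.

```yaml
# Added example fragment of server.config.yaml; ranges are placeholders.
GUI:
  bind_address: 0.0.0.0
  bind_port: 8889
  # Only connections whose source IP falls inside one of these ranges
  # reach the GUI login flow; everything else is rejected before
  # authentication runs. Keep the list to the analyst networks that
  # genuinely need GUI access.
  allowed_cidr:
    - 192.168.1.0/24
    - 10.10.0.0/16
```

After changing the list, restart the server and confirm from an address outside the ranges that the GUI refuses the connection, and from one inside that the normal login page is still served.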
Conclusions
There are many more new features and bug fixes in the latest
release. Please help our community by testing this release and providing feedback through the GitHub issue board or on our Discord channel.
Notes
MacOS binaries are now signed. You can verify the signature using the codesign utility:
codesign -d -vvv ./velociraptor-v0.7.0-darwin-amd64