This course teaches learners how to conduct mass digital forensics and incident response using Velociraptor. The learning outcomes include understanding Velociraptor VFS, utilizing artifacts and automation with VQL, matching Sigma Rules with Hayabusa, and parsing findings for various artifacts. The course covers skills such as analyzing processes, tracking process changes, identifying PowerShell artifacts, and hunting for compromised machines. The teaching method involves a demonstration-based approach. This course is intended for individuals interested in digital forensics, incident response, and malware analysis.
Overview
Syllabus
Introduction
Velociraptor VFS
Artifacts & Automation w/ VQL
Sigma Rule matching w/ Hayabusa
Waiting on Hayabusa to finish scan.
How does Hayabusa compare to Chainsaw?
Parsing Hayabusa Findings
PsTree Attempt 1 w/PsList
PsTree Attempt 2 w/Velociraptor Process Tracker
Velociraptor Process Tracker
PSExec Change in v2.30 & How to look for the usage of PSExec
Why this is useful and example use case'
PowerShell Artifacts
Bits Transfer Artifact
How to hunt for multiple compromised machines.
Parsing the Results using VQL
Demo Conclusion
Taught by
John Hammond
Related Courses
Reviews
4.5 rating, based on 2 Class Central reviews
-
AMAKA LARRYThe course was enlightening by discussing the velociraptor application for digital forensics for mostly servers or endpoints. I really enjoyed this course. -
Michael MuchiriI found the presentation super helpful and easy to apply. The presenter was also very knowledgeable and was able to deliver the presentation in a way that is easy to follow and understand. I will definitely go to give a try on the tools suggested using the knowledge acquired.
