Mindmap - Memory Forensics-Intro

Remote analysis agents take up more CPU and memory resources but are easy to scale and use low bandwidth. They depend on OS APIs to collect artifacts and evidence. Remote access agents use lower resources on the host but require higher network bandwidth as analysis occurs on the analyst's system. Velociraptor provides direct access to the target system's disk and memory without dependencies on OS APIs, allowing it to discover rootkits and malware that OS APIs may miss.

Uploaded by

Jonas
Copyright © All Rights Reserved

Technology types used for Remote IR tooling

- Remote Analysis Agent
  - Passes only forensic artefacts to the analyst and depends, most of the time, on OS APIs to collect them.
  - Easy to scale
  - Low bandwidth usage
  - Takes up more CPU/memory on the host
  - Higher complexity to install efficiently -> higher cost to install and maintain
  - Example: Velociraptor
- Remote Access Agent
  - Gives the analyst full remote access to disk and memory
  - Full memory/disk access means it does not depend on Windows or other APIs
    - Good to discover rootkits, which Windows APIs would not be able to pull
  - Low CPU or memory usage on the host
  - Deploy an analysis host in the same network; the analyst can then remotely access this host
  - Needs a lot of network bandwidth because analysis takes place at the analyst's side
  - Example: F-Response
  - Kansa: needs PowerShell remoting enabled

Remote IR tooling

- Primary goal is to rapidly detect and mitigate ongoing attacks.
- Why/advantages
  - Analyse recent activity
  - Collect evidence that cannot be found anywhere else
    - Internet activities
    - Network
    - Memory-only malware
  - Best place to identify malware activity: bypasses packers, binary obfuscators, rootkits etc.
- Used for IR
  - Memory Forensics
  - Threat Hunting
  - Host-based Continuous Monitoring
  - Anomaly Detection
  - Pattern Analysis
  - IT Support
- Challenges
  - Difficult to get complete coverage because of all the different enterprise products (mobile devices, servers, workstations, different OS systems, etc.)
  - Scaling of monitoring and analysis

EDR

- Collection point of endpoint and network activities
- Historical searches for hunting and remediation
- Reduces identification and containment times and increases the cost to the adversary as their tradecraft is discovered
- Real-time visibility
- Archival of command line data per process
- Recording of host-based network activity (DNS cache, ARP, etc.)
- Tracking of new process handles and execution tracing
- Memory-based analysis
  - Analyzing suspicious thread creation and memory allocation
  - Identification of common DLL injection and hooking (rootkit) techniques
- Collects a small set of data points to limit host impact and storage

F-Response

- Provides a direct iSCSI connection between an analysis system and a target system for low-level examinations
- FMC: F-Response Management Console for collecting data
  - Console to interact with a limitless number of target machines
- F-Response Accelerator: a secondary connectivity tool allowing for an unlimited number of remote examiners, as well as optional HIPAA-compliant and industry-standard AES 256-bit encryption
- Completely vendor neutral
- F-Response Enterprise
  - Collects artefacts from over 10 different OS systems
  - 1 license = unlimited client installations, unlimited target connections
- Installation Guide
  1) Install F-Response license manager
  2) Create F-Response agent
  3) Deploy agent to target systems (via group policy, SCCM, ...)
  4) Install agent service on target
  5) Connect forensic workstation to target machines
  6) Attach remote drive or memory to forensic workstation
  7) Acquire data (memory image, triage files, ...)

KAPE (B3.13)

- Provides a reliable and rapid means to collect forensic artefacts from a system
- Normally executed on the system itself, but a module is written to run it in remote PowerShell in batch mode with data sent to an SFTP server in the cloud
- kape.exe --tsource <drive/dir> --target <what data to collect, .tkape file> --tdest <dest folder>
  - --vss: find, mount, and search all available Volume Shadow Copies on --tsource
  - --vhdx: creates a virtual hard disk
  - --debug: enables debug messages
- Only supports Windows!!!

Velociraptor

- Remote Analysis Agent for Windows, Linux and iOS
- One-time immediate collection of data
- Continuously monitor (Windows events etc.)
- Launch 3rd-party tools for additional collection or analysis
- VQL: Velociraptor Query Language
  - Provides the plumbing for performing queries
- Artifacts
  - Provide a way to store and execute VQL
  - Simply preconfigured queries for the most common analysis jobs
- Hunts
  - Results of the VQL
  - Stored for 7 days in the WebUI
  - If a client is offline, Velociraptor will return the results once it comes back online.

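The remote batch collection the KAPE notes describe (KAPE launched over PowerShell remoting, with the container pushed to an SFTP server), as an added example that is not part of the mindmap or of the KAPE project. It assumes PS remoting is enabled on the targets and kape.exe is already staged on them; the host names, the KapeTriage target and the SFTP server/account are placeholders, and the --scs/--scp/--scu/--scpw flags are KAPE's SFTP transfer options, which are not on the page.

```powershell
# Added example, not part of the mindmap or the KAPE project: run KAPE on several
# hosts over PowerShell remoting and let KAPE push its container to an SFTP drop.
# Assumptions: WinRM/PS remoting is enabled on the targets (the same requirement
# the mindmap notes for Kansa), kape.exe plus its Targets folder is already staged
# at $KapePath on each host, and the host names, SFTP server and account below are
# placeholders for your own environment.
param(
    [string[]]$ComputerName = @('WS01', 'WS02'),         # constructed sample hosts
    [string]$KapePath       = 'C:\Tools\KAPE\kape.exe',
    [string]$Target         = 'KapeTriage',              # KAPE compound triage target
    [string]$SftpServer     = 'sftp.example.internal',   # placeholder drop server
    [pscredential]$SftpCred = (Get-Credential -UserName 'kape-drop' -Message 'SFTP account')
)

$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# Runs on each target. --tsource/--target/--tdest/--vss/--vhdx are the flags shown in
# the mindmap; --scs/--scp/--scu/--scpw are KAPE's SFTP transfer options (assumed from
# kape.exe --help; verify them for your version).
$collect = {
    param($Kape, $Tgt, $Server, $User, $Password, $Stamp)
    $dest = "C:\Temp\kape_$Stamp"
    $kapeArgs = @(
        '--tsource', 'C:',
        '--target',  $Tgt,
        '--tdest',   $dest,
        '--vss',                                         # include Volume Shadow Copies
        '--vhdx',    "$($env:COMPUTERNAME)_$Stamp",      # container uploaded to SFTP
        '--scs',     $Server,
        '--scp',     '22',
        '--scu',     $User,
        '--scpw',    $Password
    )
    $proc = Start-Process -FilePath $Kape -ArgumentList $kapeArgs -Wait -PassThru -NoNewWindow
    [pscustomobject]@{ Host = $env:COMPUTERNAME; ExitCode = $proc.ExitCode; LocalDest = $dest }
}

# Fan out to all hosts (throttled) and collect one status object per host; a non-zero
# ExitCode flags a collection that needs manual follow-up.
$netCred = $SftpCred.GetNetworkCredential()
Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ThrottleLimit 8 `
    -ArgumentList $KapePath, $Target, $SftpServer, $netCred.UserName, $netCred.Password, $stamp `
    -ErrorAction Continue |
    Select-Object Host, ExitCode, LocalDest |
    Format-Table -AutoSize
```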