Memory Forensics-Intro

Remote analysis tools like Velociraptor provide full remote access to a target system's disk and memory without relying on OS APIs. This allows analysts to bypass issues like packers and rootkits to discover recent malware activity and collect evidence that would otherwise be difficult to find. However, tools that perform analysis remotely require more network bandwidth compared to agents that collect artifacts and send them to an analyst.

Uploaded by Jonas
Remote IR tooling: technology types

Remote Access Agent
- Passes only forensic artifacts to the analyst and depends, most of the time, on OS APIs to collect them.
- Easy to scale, low bandwidth usage.
- Low CPU or memory usage on the host.

Remote Analysis Agent
- Gives the analyst full remote access to disk and memory.
- Full memory/disk access means it does not depend on Windows or other APIs. Best place to identify malware activity that bypasses packers, binary obfuscators, rootkits, etc.
- Good for discovering rootkits, which Windows APIs would not be able to pull.
- Takes up more CPU/memory.
- Higher complexity to install efficiently -> higher cost to install and maintain.
- Needs a lot of network bandwidth because analysis takes place on the analyst side. Deploy the analysis host in the same network; the network analyst can then remotely access this host.
- Example: Velociraptor.

Velociraptor
- Remote Analysis Agent for Windows, Linux and iOS.
- One-time immediate collection of data.
- Continuous monitoring (Windows events etc.).
- Launch 3rd-party tools for additional collection or analysis.
- VQL: Velociraptor Query Language. Provides the plumbing for performing queries.
- Artifacts: provide a way to store and execute VQL. Simply preconfigured queries for the most common analysis jobs.
- Hunts: results of the VQL, stored for 7 days in the WebUI. If a client is offline, Velociraptor will return its results once it comes back online.

F-Response
- Provides a direct iSCSI connection between an analysis system and a target system for low-level examinations.
- FMC: F-Response Management Console for collecting data. Console to interact with a limitless number of target machines.
- F-Response Accelerator: a secondary connectivity tool allowing for an unlimited number of remote examiners, as well as optional HIPAA-compliant and industry-standard AES 256-bit encryption.
- Completely vendor neutral.
- F-Response Enterprise: collects artifacts from over 10 different OS systems. 1 license = unlimited client installations, unlimited target connections.
- Installation guide:
  1) Install F-Response license manager
  2) Create F-Response agent
  3) Deploy agent to target systems (via group policy, SCCM, ...)
  4) Install agent service on target
  5) Connect forensic workstation to target machines
  6) Attach remote drive or memory to forensic workstation
  7) Acquire data (memory image, triage files, ...)

KAPE
- Provides a reliable and rapid means to collect forensic artifacts from a system.
- Normally executed on the system itself, but a module is written to run it via Remote PowerShell: KAPE runs in batch mode with the data sent to an SFTP server in the cloud (B3.13).
- Collects a small set of data points to limit host impact and storage.
- kape.exe --tsource <drive/dir> --target <what data to collect: .tkape file> --tdest <dest folder>
  - --vss: find, mount, and search all available Volume Shadow Copies on --tsource
  - --vhdx: creates a virtual hard disk
  - --debug: enables debug messages
- Only supports Windows!!!

Kansa
- Needs PowerShell remoting enabled.

EDR
- Primary goal is to rapidly detect and mitigate ongoing attacks.
- Enterprises must be able to track human behavior and attack methodologies (limitless tools/malware to extract data, but a very small set of behaviors used by these tools to accomplish their goals) -> that is why you need EDR.
- Reduces identification and containment times and increases the cost to the adversary.
- Collection point of endpoint and network activities.
- Capabilities:
  - Threat hunting
  - Host-based continuous monitoring
  - Anomaly detection
  - Pattern analysis
  - IT support
  - Historical searches for hunting and remediation as the adversary's tradecraft is discovered
  - Real-time visibility
  - Archival of command line data per process
  - Recording of host-based network activity (DNS cache, ARP, etc.)
- Challenges:
  - Difficult to get complete coverage because of all the different enterprise products (mobile devices, servers, workstations, different OS systems, etc.)
  - Normal vs. abnormal behavior needs to be established
  - Scaling of monitoring and analysis

Memory Forensics
- Why/advantages:
  - Analyse recent activity
  - Memory-only malware
  - Collect evidence that cannot be found anywhere else
  - Internet activities
- Process tree analysis is a critical part of memory forensics. Standard forensics will only show us the execution of malware, but not how (p3.27).
- Memory-based analysis:
  - Tracking of new process handles and execution tracing
  - Analyzing suspicious thread creation and memory allocation
  - Identification of common DLL injection and hooking (rootkit) techniques