Release 0.7.0
This is the next point release for Velociraptor - Digging deeper!
Detailed release notes are posted at https://docs.velociraptor.app/blog/2023/2023-07-27-release-notes-0.7.0/
GUI improvements
Enhanced client search
In this release the client index was rewritten to store all client records in a single snapshot file, while managing this file in memory. This approach keeps client searches extremely fast even for large deployments of well over 100k clients.
Paged table in Flows List
In this release the GUI was updated to include a paged table (with suitable filtering and sorting capabilities) so all collections can be accessed.
VQL Plugins and artifacts
Chrome artifacts
Added a leveldb parser and artifacts around Chrome Session Storage. This allows analysis of data that various web apps store locally through Chrome.
Lnk forensics
This release added a more comprehensive Lnk parser covering all known Lnk file features. You can access the Lnk file analysis using the `Windows.Forensics.Lnk` artifact.
Direct S3 accessor
In this release Velociraptor adds an S3 accessor. This allows plugins to directly operate on S3 buckets. In particular the glob() plugin can be used to query bucket contents and read files from various buckets.
Volume Shadow Copies analysis
In the 0.7.0 release, Velociraptor adds the ntfs_vss accessor. This accessor automatically considers different snapshots and deduplicates files that are identical in different snapshots. This makes it much easier to incorporate VSS analysis into your artifacts.
The SQLiteHunter project
This release incorporates the SQLiteHunter artifact, a one-stop shop for finding and analyzing SQLite files such as browser artifacts and OS internal files.
Server security improvements
In the 0.7.0 release, Velociraptor offers the GUI.allowed_cidr option. If specified, this list of CIDR ranges defines the source IP addresses the server accepts for connections to the GUI application (for example 192.168.1.0/24).
This filtering only applies to the GUI and forms an additional layer of security protecting the GUI application, in addition to the usual authentication methods.
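To make the semantics of that option concrete, here is an added Python model of the check (example code written for these notes, not Velociraptor's own implementation): an unset or empty list means no source filtering, otherwise a connection is accepted only if its source address falls inside one of the listed ranges. The CIDR list and the source addresses are constructed sample values; the helper that flags an all-addresses range is an assumption about what a reviewer would want to catch, not a server feature.

```python
import ipaddress

# Constructed sample GUI.allowed_cidr setting (not from the release notes).
ALLOWED_CIDR = ["192.168.1.0/24", "10.0.0.0/8"]

# Constructed sample of GUI connection source addresses to evaluate.
SAMPLE_SOURCES = ["192.168.1.42", "192.168.2.7", "10.20.30.40", "203.0.113.9"]


def parse_allowed_cidr(entries):
    """Parse the option list into network objects.

    strict=True makes a typo such as 192.168.1.5/24 (host bits set) raise
    ValueError instead of being silently reinterpreted as a different range.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def gui_source_allowed(source_ip, allowed_cidr):
    """Model of the GUI.allowed_cidr behaviour described in the notes.

    Empty/unset list: no filtering. Otherwise the source must be inside at
    least one listed range. An IPv6 source never matches an IPv4 range
    (ipaddress treats mixed-version membership as False).
    """
    if not allowed_cidr:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_allowed_cidr(allowed_cidr))


def overly_broad(entries):
    """Hypothetical lint helper: return entries with a /0 prefix, which admit
    every address and therefore defeat the purpose of the filter."""
    return [e for e in entries if ipaddress.ip_network(e, strict=True).prefixlen == 0]


def evaluate(sources=SAMPLE_SOURCES, allowed_cidr=ALLOWED_CIDR):
    """Map each sample source address to the accept/reject decision."""
    return {ip: gui_source_allowed(ip, allowed_cidr) for ip in sources}


if __name__ == "__main__":
    for ip, ok in evaluate().items():
        print(f"{ip:>15}  {'accepted' if ok else 'rejected'}")
```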
Conclusions
There are many more new features and bug fixes in the latest release. Please help our community by testing this release and providing feedback through the GitHub issue board or on our Discord channel.
Notes
MacOS binaries are now signed. You can verify the signature using the `codesign` utility:
`codesign -d -vvv ./velociraptor-v0.7.0-darwin-amd64`
If you see the error `version GLIBC_2.33 not found` when running Velociraptor on your system, upgrade to 0.7.0-2 or the musl build. The 0.7.0 release was built on Ubuntu 22.04; a 0.7.0-2 release has now been built on Ubuntu 20.04.
Release 0.7.0-3 is a bugfix release primarily for issue #2955. If you are experiencing this issue (many duplicate clients), please test upgrading the clients to 0.7.0-3. This release also adds the ability for the writeback file to be stored in the registry instead of the filesystem on Windows: simply modify the `writeback_windows` value in the config file to something that starts with HKLM (for example HKLM\SOFTWARE\Velocidex\Velociraptor). This should improve stability in writing the writeback on the client and prevent potential writeback file corruptions, which may previously have led to clients recreating the writeback file with a new client id.
NOTE: Please upgrade servers to 0.7.0-4 to address CVE-2023-5950.
We are very grateful to Mathias Kujala for reporting this issue. More information at https://docs.velociraptor.app//announcements/2023-cves/