Velociraptor
Velociraptor stands out as a powerful, advanced, open-source endpoint monitoring, digital forensics, and incident response (DFIR) tool. Operating on a flexible client-server model (though capable of local execution via its GUI or command line), it utilizes its own powerful and expressive Velociraptor Query Language (VQL) to collect and analyze a vast array of artifacts from endpoints across Windows, Linux, and macOS. While its full capabilities extend far beyond typical screensharing, its targeted artifact collection and hunting features make it exceptionally useful for advanced investigations.
Key capabilities relevant to advanced screensharing/DFIR:
- **Comprehensive Artifact Collection:** Can query and collect nearly any artifact discussed in this guide and many more, including deep filesystem data, registry hives/keys, event logs, process information (running processes, modules, handles), memory artifacts, network state, browser history, etc., often parsing them directly on the endpoint.
- **Deep NTFS Analysis:** Includes specialized VQL functions ("NTFS parsers") designed to directly parse low-level NTFS structures like the Master File Table (`$MFT`), the USN Journal (`$J`), `$LogFile`, Index Attributes (`$I30`), Alternate Data Streams (ADS), and Extended Attributes. This allows for highly granular filesystem timeline reconstruction, detection of timestomping (`$SI` vs `$FN` comparison), recovery of deleted file metadata from `$I30`, and hunting for hidden data in ADS, often more efficiently than combining multiple separate tools.
- **Live System Querying ("Hunt" Capabilities):** Excels at querying the live, volatile state of a running system. VQL queries can inspect running processes, list open network sockets and file handles, analyze loaded drivers, enumerate registry keys directly from memory, and interact with various system APIs, capturing data that disappears upon shutdown.
- **YARA Integration:** Seamlessly integrates YARA scanning. VQL queries can execute YARA rules (provided as strings or loaded from files) directly against files on disk (the `yara()` function with `accessor='file'`) or, crucially, against the memory space of running processes (`yara()` with `accessor='process'`). This enables flexible, signature-based hunting for cheats, malware, or specific bypass indicators within live memory or across the filesystem using custom or community YARA rules.
- **Memory Evasion Detection:** The VQL language allows for complex queries that can hunt for indicators of memory evasion techniques. Community-developed VQL artifacts often exist for detecting patterns associated with shellcode injection, reflective DLL loading, process hollowing, or other in-memory threats by analyzing process memory characteristics, loaded modules, and thread states.
- **Extensibility:** Users can write their own custom VQL queries (artifacts) to collect or analyze virtually any data accessible on the endpoint, tailoring investigations to specific needs or new threats.
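As an added example (not code from the original guide or from the Velociraptor project), the following VQL performs the `$SI` vs `$FN` timestomping comparison described under Deep NTFS Analysis. It assumes the `parse_mft()` plugin and the `Created0x10` / `Created0x30` / `LastModified0x10` / `LastModified0x30` column names as emitted by Velociraptor's built-in `Windows.NTFS.MFT` artifact (older releases expose `FullPath` instead of `OSPath`); the extension filter is a constructed choice for illustration.

```vql
-- Added example, not code from the original guide or the Velociraptor project.
-- $STANDARD_INFORMATION ($SI, attribute 0x10) timestamps can be set from user
-- mode (SetFileTime), while $FILE_NAME ($FN, attribute 0x30) timestamps are
-- maintained by the kernel. An $SI time earlier than the matching $FN time is
-- therefore a strong timestomping candidate worth a manual look.
-- Assumptions: parse_mft() column names as in Windows.NTFS.MFT (OSPath is
-- FullPath on older releases); the extension filter is a constructed choice.
LET MFT = SELECT EntryNumber, OSPath, FileName, InUse, IsDir,
                 Created0x10, Created0x30,
                 LastModified0x10, LastModified0x30
          FROM parse_mft(filename="C:/$MFT", accessor="ntfs")

SELECT EntryNumber, OSPath,
       Created0x10      AS SI_Created,
       Created0x30      AS FN_Created,
       LastModified0x10 AS SI_Modified,
       LastModified0x30 AS FN_Modified,
       -- Record which comparison fired so the reviewer sees the reason at a glance.
       if(condition=Created0x10 < Created0x30,
          then="SI created before FN created",
          else="SI modified before FN modified") AS Reason
  FROM MFT
  WHERE InUse
    AND NOT IsDir
    AND FileName =~ "(?i)[.](exe|dll|sys)$"
    AND (Created0x10 < Created0x30
         OR LastModified0x10 < LastModified0x30)
```

Run it from the local GUI notebook (`velociraptor.exe gui`) on a machine where the process has raw disk access, since the `ntfs` accessor reads `$MFT` directly. Treat hits as triage leads rather than proof: archive extractors and copy tools that preserve original timestamps also produce `$SI` values earlier than `$FN`, so each flagged file should be checked against the USN Journal and its on-disk contents before drawing a conclusion.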
Usage in Screensharing: While potentially overkill for basic checks, Velociraptor offers unparalleled capabilities for advanced manual investigations during a screenshare. It allows the SSer to perform deep dives into NTFS artifacts, run targeted YARA scans against memory or specific file paths, investigate volatile process states, and collect specific evidence sets efficiently using VQL, potentially uncovering sophisticated cheats or bypasses missed by standard tools. Its GUI (`velociraptor.exe gui`) provides an accessible interface for running predefined or custom VQL queries locally.
Velociraptor represents a significant step up in tooling, bridging the gap between standard screensharing practices and full-scale digital forensic investigations.