Using Velociraptor for Live Response & Endpoint Visibility on The Acorn

Application Type: Live Forensics and Endpoint Visibility Platform
Primary Use: Performing live investigations on endpoints to collect volatile data, logs, and system artefacts, and performing incident scoping
Pre-installed in the Forensics Hub

Overview

Velociraptor, running on the Acorn forensic workstation, equips digital forensic examiners and incident responders with advanced capabilities to perform live response and endpoint visibility tasks across multiple systems. Together, they support scalable forensic investigations, enabling collection of volatile data, hunting for threats, and identifying indicators of compromise without shutting down endpoints.

This use case demonstrates how a responder uses Velociraptor on the Acorn to investigate a live security incident involving multiple endpoints suspected of compromise within a corporate network.

Case Context

A security operations centre (SOC) detects suspicious network traffic from several user endpoints, raising concerns of a potential malware infection or credential theft. A forensic investigator is dispatched with the Acorn to perform immediate live response across these endpoints.

Using Velociraptor, the investigator initiates remote data collections, hunts for known IOCs, and scopes the incident by gathering live forensic artefacts directly from the affected systems without powering them down.

1. Launching Velociraptor and Connecting to Endpoints

The examiner launches Velociraptor from the Acorn’s Forensics Hub and connects to the live endpoints within the corporate network. Authentication credentials and endpoint IDs are entered to establish remote sessions.

Screenshot: Velociraptor main dashboard displaying connected endpoints and session statuses


2. Collecting Volatile Data

The investigator uses pre-configured VQL (Velociraptor Query Language) queries to retrieve volatile system data such as:

• Running processes and memory artefacts
• Open network connections
• Loaded kernel drivers and services

This helps establish a baseline of running activities and detect anomalies such as rogue processes or unusual network traffic.

Screenshot: Query results displaying active processes, memory usage, and network connections

3. Gathering System Logs and Artefacts

Next, the examiner collects critical system logs, including:

• Windows Event Logs related to security, system, and application activities
• Browser histories, registry keys, and scheduled tasks

These artefacts help trace persistence mechanisms and evidence of unauthorised access.

Screenshot: System logs and browser artefact collection results in Velociraptor

4. Performing Threat Hunts Across Endpoints

Using Velociraptor’s hunting capabilities, the examiner executes YARA and Sigma-based hunts across multiple endpoints simultaneously.

• Scans for malware signatures and suspicious behaviours
• Searches for known IOCs such as file hashes, IP addresses, and domain names

This identifies infected machines and prioritises those requiring deeper investigation.

Screenshot: YARA hunt results showing matched malware signatures across endpoints
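As an added example (not code from this page, the Acorn build, or the Velociraptor project), a custom Velociraptor artifact that combines the volatile-data collection of step 2 with the IOC matching of step 4: it joins established network connections to their owning process, hashes the process image, and flags rows whose SHA256 is on an analyst-supplied IOC list or whose remote port is on a watch list. The artifact name, parameter names and default values are assumptions; the placeholder hash must be replaced with real IOC hashes before use.

```yaml
name: Custom.Acorn.ProcessNetworkIOCTriage
description: |
  Joins established network connections to their owning process, hashes
  the process executable and flags rows that match analyst-supplied IOC
  hashes or watch-listed remote ports. Names and defaults are assumptions
  made for this added example, not part of the Acorn build.
parameters:
  - name: KnownBadSHA256
    description: Comma-separated SHA256 hashes from the IOC list (placeholder default)
    default: "0000000000000000000000000000000000000000000000000000000000000000"
  - name: WatchPorts
    description: Comma-separated remote ports that warrant a closer look
    default: "4444,1337,8443"
sources:
  - query: |
      -- Turn the comma-separated parameters into VQL lists
      LET bad_hashes <= split(string=KnownBadSHA256, sep=",")
      LET watch_ports <= split(string=WatchPorts, sep=",")

      -- Established connections to non-private addresses
      -- (172.16/12 is omitted here for brevity)
      LET external_conns = SELECT Pid,
             Laddr.IP AS LocalIP, Laddr.Port AS LocalPort,
             Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort
        FROM netstat()
        WHERE Status =~ "^ESTAB"
          AND NOT Raddr.IP =~ "^(10[.]|127[.]|192[.]168[.])"

      -- For each connection, look up the owning process and hash its image.
      -- hash() may fail on protected system images; the row is still returned
      -- with a null SHA256, which simply never matches the IOC list.
      SELECT * FROM foreach(
          row=external_conns,
          query={
              SELECT Pid, Name, Exe, CommandLine,
                     RemoteIP, RemotePort,
                     hash(path=Exe).SHA256 AS SHA256
              FROM pslist(pid=Pid)
          })
      WHERE SHA256 IN bad_hashes
         OR str(str=RemotePort) IN watch_ports
```

Run as a hunt across the enrolled endpoints, the artifact returns only the process and connection rows that match, so the result set is the prioritised list described in step 4 rather than a raw process dump.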

5. Incident Scoping and Analysis

Based on the data collected, the examiner builds a comprehensive view of the attack:

• Identifies lateral movement between systems
• Maps out the timeline of compromise and persistence
• Determines the scope of data potentially exfiltrated

Screenshot: Endpoint compromise timeline and lateral movement mapping within Velociraptor

6. Reporting and Documentation

The examiner compiles all findings into a structured incident report using WPS Writer on the Acorn. Report sections include:

• Summary of endpoints examined and methods used
• Collected artefacts and logs
• IOC findings and malware identifications
• Recommendations for remediation and containment

The report is exported as a secured PDF for delivery to the incident response team and senior stakeholders.

Why Velociraptor + The Acorn Works

Feature and benefit:

• Scalable Live Forensics: Perform investigations across multiple endpoints without physical access.
• All-in-One Platform: Velociraptor is pre-installed alongside other network and forensic tools like Wireshark and NetworkMiner.
• Portable & Field-Ready: Conduct live response on-site with a lightweight forensic workstation.
• Flexible Queries: VQL allows tailored data collection to suit specific investigation needs.
