Using multiple deaddisks


albatr0ss

Aug 23, 2024, 7:08:50 AM8/23/24
to velociraptor-discuss
Hi everyone,

I was able to use velociraptor successfully with the deaddisk parameter on an E01 image. I'd like to know if it is possible to feed velociraptor with multiple images once you have generated the different remap.yaml files for them?

I am in the situation where I have multiple images I'd like to feed into velociraptor and query some eventlog strings.

Thanks in advance for your reply.

Mike Cohen

Aug 23, 2024, 11:52:58 AM8/23/24
to albatr0ss, velociraptor-discuss
Hi

The best way is to make your dead disk image appear like a client and connect to a proper Velociraptor server - then it will appear in the GUI and you can collect all the artifacts as normal and use notebooks etc. It will look just like any other client so if you also have live clients it will participate in hunts etc.

The way you do this is:

1. First generate the remapping configuration for the image at hand:

velociraptor deaddisk -v --add_windows_disk MyDiskImage.e01 /tmp/remap.yaml

This will build a remapping configuration by autodetecting the Windows partition - you can inspect the config to see if it is ok

2. Once you have the remapping config you just use the client.config.yaml from your Velociraptor deployment. If you don't have a proper deployment you can use

velociraptor gui --datastore /path/to/datastore/ 

and it will generate a client.config.yaml in there.

With the client.config.yaml you can spin up a client manually that also uses the remapping to create a "virtual client"

./output/velociraptor --config ~/client.config.yaml --remap /tmp/remap.yaml client -v --config.client-writeback-linux=/tmp/MyDiskImage.writeback.yaml

This says to use the client config yaml (which has information about keys and connection url to the server) then apply the remapping to it. Finally this --config.client-writeback-linux overrides the location of the client writeback (which stores the client id) to a unique file based on the image. This ensures that each image has a unique client representing it and appears as a distinct entity in the GUI.

Once the client starts you should see it in the GUI - the hostname should be by default "Virtual Host" but you can change that in the remapping file if you like.

Thanks
Mike




Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 
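To answer the original question about several images, here is an added example (not code from the thread or from the Velociraptor project) that applies Mike's two steps to a list of images in a loop: one remap file and one writeback file per image, so that every image shows up as its own virtual client. The binary location (VELOCIRAPTOR), the client.config.yaml path (CLIENT_CONFIG), the working directory (WORKDIR) and the image file names are assumptions constructed for the example; the command-line flags are the ones quoted in the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Velociraptor project:
# start one virtual Velociraptor client per dead-disk image, following the
# two steps in the reply above (generate a remap file per image, then launch
# the client with a writeback file unique to that image so each image gets
# its own client id and appears as a distinct client in the GUI).
# Assumptions (constructed for this example): the velociraptor binary is on
# PATH or given in VELOCIRAPTOR, CLIENT_CONFIG is the client.config.yaml of
# your deployment, WORKDIR is writable, and images are passed as arguments.

VELOCIRAPTOR="${VELOCIRAPTOR:-velociraptor}"
CLIENT_CONFIG="${CLIENT_CONFIG:-$HOME/client.config.yaml}"
WORKDIR="${WORKDIR:-/tmp/deaddisk}"

# image_stem: file name without directory or .e01/.E01 suffix; used to name
# the per-image remap and writeback files.
image_stem() {
    stem=$(basename "$1")
    stem=${stem%.e01}
    stem=${stem%.E01}
    printf '%s' "$stem"
}

remap_file() { printf '%s/%s.remap.yaml' "$WORKDIR" "$(image_stem "$1")"; }
writeback_file() { printf '%s/%s.writeback.yaml' "$WORKDIR" "$(image_stem "$1")"; }

# remap_cmd / client_cmd: the two command lines from the thread, rendered as
# strings so they can be reviewed before anything is executed.
remap_cmd() {
    printf '%s deaddisk -v --add_windows_disk %s %s' \
        "$VELOCIRAPTOR" "$1" "$(remap_file "$1")"
}
client_cmd() {
    printf '%s --config %s --remap %s client -v --config.client-writeback-linux=%s' \
        "$VELOCIRAPTOR" "$CLIENT_CONFIG" "$(remap_file "$1")" "$(writeback_file "$1")"
}

# run_all: step 1 for every image, then step 2 for every image in the
# background. DRY_RUN=1 prints the commands instead of running them.
run_all() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        for img in "$@"; do remap_cmd "$img"; echo; done
        for img in "$@"; do client_cmd "$img"; echo; done
        return 0
    fi
    mkdir -p "$WORKDIR"
    # Step 1: build the remapping configuration for each image.
    for img in "$@"; do
        "$VELOCIRAPTOR" deaddisk -v --add_windows_disk "$img" "$(remap_file "$img")" || return 1
    done
    # Step 2: one virtual client per image, each with its own writeback file.
    for img in "$@"; do
        "$VELOCIRAPTOR" --config "$CLIENT_CONFIG" --remap "$(remap_file "$img")" \
            client -v "--config.client-writeback-linux=$(writeback_file "$img")" &
    done
    wait
}

# Usage: sh virtual_clients.sh /evidence/HOST-A.E01 /evidence/HOST-B.E01
if [ $# -gt 0 ]; then run_all "$@"; fi
```

Run it once with DRY_RUN=1 to check the generated command lines, and inspect each remap file before starting the clients, as the reply suggests. Because the clients all register with the same server, you can then hunt across all of the images in one go from the GUI.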

