TryHackMe | Velociraptor

Date

04/11/2025

Read Time

5 min read

Author

Tom Page

TryHackMe | Velociraptor

Tags

TryHackMe Velociraptor Windows Linux Forensics

Article Content

Slowing Down but Still Moving Forward

It's been a little while since my last DFIR post, not because I've lost interest, but because life has been a bit busier lately. Uni has kicked back into full swing for the new academic year, and I've also taken on a new web development project for a client. Between juggling coursework and designing layouts, my pace through the online DFIR course has definitely slowed down. Still, I've been squeezing in modules whenever I can, and this week I finally tackled one that really stood out: Velociraptor.

First Impressions

Until now, most of the tools I've used in this course have focused on analysing what has already happened: pulling apart disk images, tracing logs, inspecting memory captures. Velociraptor felt different. It's more about actively hunting for evidence and gathering data in real time, which immediately made it feel more dynamic and modern. From what I learnt, Velociraptor is basically an endpoint visibility and collection tool used by DFIR professionals. You can deploy it across systems, collect artifacts, and even query machines live using something called VQL (Velociraptor Query Language).

Getting It Running

Setting it up wasn't too bad thanks to the TryHackMe lab environment. Running both the frontend and the client got me a little nostalgic for my web development work; configuring components, managing communication between client and server, checking logs to make sure things connected properly. Once it was all running, I could see the client machine appear in the Velociraptor dashboard, ready to be queried.

Learning VQL

One thing that stood out was how much Velociraptor leans on its own query language (kind of like SQL but packed with forensic context). Queries like SELECT Name, Description FROM Artifact.Windows.Sys.Users(), which lists the local user accounts on the endpoint, started to make more sense once I realised it's all about extracting structured information from endpoints: the artifact is the data source, and the SELECT and WHERE clauses shape what comes back. I liked that it wasn't just point and click; it actually made me think about what kind of data I was looking for and how to define that search.

Investigating PrintNightmare

The practical tasks had me exploring client data, running PowerShell commands remotely, and even setting up my own collection to pull forensic artifacts. There was a particularly tricky section around detecting PrintNightmare, a well-known Windows Print Spooler vulnerability. It was essentially a mini investigation: using VQL to comb through file paths, look for suspicious DLLs, and piece together the attacker's activity.
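To make the "comb through file paths and look for suspicious DLLs" step concrete, here is the kind of VQL I would run from a Velociraptor notebook or wrap in a custom artifact. This is an added example and not a query from the TryHackMe room or from the Velociraptor project. It assumes a Velociraptor release recent enough that glob() returns an OSPath column (older releases call it FullPath), and that the authenticode() plugin returns Trusted and SubjectName fields; the directory glob is the Print Spooler driver store, which is where public analysis of PrintNightmare exploitation reports dropped DLLs landing. The DriverGlob and DriverDLLs names are mine.

```vql
-- Added example: inventory every DLL in the Print Spooler driver store,
-- hash it and check its Authenticode signature, newest first.
LET DriverGlob = "C:/Windows/System32/spool/drivers/**/*.dll"

-- Assumed column names: OSPath (FullPath on older releases), IsDir, Mtime, Size.
LET DriverDLLs = SELECT OSPath,
                        Size,
                        Mtime,
                        hash(path=OSPath).SHA256 AS SHA256,
                        authenticode(filename=OSPath) AS Sig
  FROM glob(globs=DriverGlob)
  WHERE NOT IsDir

-- Surface signer and trust state so unsigned or recently modified DLLs stand out.
SELECT OSPath,
       Size,
       Mtime,
       SHA256,
       Sig.Trusted AS Trusted,
       Sig.SubjectName AS Signer
FROM DriverDLLs
ORDER BY Mtime DESC
```

Reading the result, the things worth chasing are DLLs whose modification time lines up with the suspected intrusion window, that are not trusted-signed, or whose SHA256 is not something the legitimate printer driver packages on that host should contain. The same query can be pasted into the "query" field of a custom artifact and then launched as a hunt across every enrolled client, which is where Velociraptor's live, fleet-wide collection really pays off compared with pulling a single disk image.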

The Challenges

To be honest, some moments were frustrating. The documentation is dense, and Velociraptor has a lot of moving parts. It's the kind of tool that probably shines brightest in a real enterprise setup, not just a lab. But even from this controlled environment, I got a sense of how flexible and scalable it is.

Takeaways

  • Each tool adds perspective: Every new module reveals another side of digital forensics: Volatility for memory, Autopsy for disk, and Velociraptor for proactive hunting.
  • Proactivity matters: Velociraptor shows the value of collecting data before something goes wrong, not just after.
  • Learning never stops: Between VQL syntax and tricky documentation, patience and curiosity go a long way.

Final Thoughts

Progress through the course might be slower right now, but working on this module reminded me why I started in the first place. There's something incredibly rewarding about learning how all these pieces fit together: development, systems, security, and forensics. I'll be back with the next module soon (hopefully before the semester consumes me entirely), but for now, I'm counting Velociraptor as a big milestone, one that really expanded how I think about digital investigations.