InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
In today's enterprise landscapes, reliance on Virtual Desktop Infrastructure (VDI) platforms keeps growing. Some environments run non-persistent sessions that are reset from a golden image, so a user's traces are gone at logoff; others store user data persistently in VHDX (Virtual Hard Disk v2) files on remote file servers - a crucial difference for forensic analysis.
Especially in large VDI environments such as Citrix, this architecture complicates incident response and forensics and makes it considerably harder to identify the initial point of attack: the traces of a user's activity no longer live on the VDI host the user worked on, but in that user's VHDX container on the file server. VHDX files often contain valuable forensic artifacts such as the NTUSER.DAT hive, which may hold traces of program execution. Manual examination, however, does not scale to several thousand user profiles.
The method presented below shows how the forensic analysis of VHDX-based user profiles can be automated with the DFIR tool Velociraptor. The goal: to scale forensic investigations efficiently and reliably without compromising forensic integrity.
VHDX is a file format that represents a virtual hard disk; the file carries its own partition layout and file system. In VDI environments it is commonly used to store user data such as the roaming profile, including the NTUSER.DAT registry hive.
From a forensic perspective, VHDX files can contain particularly valuable artifacts, such as evidence of program execution in the UserAssist keys and persistence via the registry Run keys, both of which live in NTUSER.DAT.
VDI platforms often store the contents of "C:\Users\<Username>\" in a separate VHDX file, so each user profile is effectively its own virtual hard disk image.
Velociraptor is a modern, open-source DFIR tool that is used by numerous companies to identify threats, collect artifacts and perform scalable investigations in large enterprise environments.
In a previous post, we discussed how Velociraptor artifacts are built and used for efficient forensic analysis.
Velociraptor ships a VHDX accessor that can read virtual hard disk images directly. Using it, however, normally requires a dedicated artifact for each use case - one for UserAssist, another for the registry hives inside the image, and so on - because every check would have to carry its own logic for navigating the VHDX structure.
A more scalable approach is to reuse existing Velociraptor artifacts such as Windows.Registry.UserAssist or Windows.Registry.NTUser unchanged.
The goal of this research was exactly that: to run native artifacts against data stored in VHDX-based user profiles.
For this purpose we use what we call virtual Velociraptor clients: client instances whose environment is remapped onto a specific VHDX file, so that they operate in Velociraptor's dead-disk mode against that image rather than against the live host.
The principle is simple: a virtual client runs on the file server where the VHDX profiles are stored, and its configuration is remapped to point at one or more VHDX images. A few technical steps are needed to make this work reliably.
"Automating VHDX analyses gives you a decisive time advantage in an emergency - and lays the foundation for a successful forensic investigation."
Deepen your technical know-how: The detailed step-by-step guide in our "IG Labs" blog shows you how to master the technical implementation.
All tests in this article were deliberately performed on offline VHDX files, i.e. profiles that are no longer actively managed by services such as Citrix Profile Management or Windows Profile Management, in order to preserve data integrity and forensic traceability.
In live environments where VHDX profiles are still in use or mounted, the following risks should be considered:
Recommendations for the safe handling of VHDX profiles:
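One concrete pre-flight check of the kind a practitioner would want before pointing a virtual client at thousands of profile containers, added here as an illustration (it is not code from the original post or from the VHDX artifact suite). It reads the fixed structures of the MS-VHDX format - file identifier, the two header copies, the first region-table copy and the metadata region - and answers three questions: is at least one header copy intact (CRC-32C), was the disk cleanly detached (a non-zero LogGuid in the active header means a log replay is pending, i.e. the container was still in use when it was copied, and any tool that replays that log writes to the evidence), and is it a differencing disk whose data partly lives in a parent. It also records a SHA-256 so read-only handling can be proven by hashing again after analysis. All offsets and GUIDs are the published format constants; `build_sample` constructs a skeleton image purely for demonstration and is not a real profile container.

```python
import hashlib
import struct
import uuid

# Fixed layout of a VHDX file's first 1 MiB: identifier at 0, header copies at 64 KiB and 128 KiB,
# region table at 192 KiB (second copy at 256 KiB). Everything else is located via the region table.
HEADER_OFFSETS = (64 * 1024, 128 * 1024)
REGION_TABLE_OFFSET = 192 * 1024
METADATA_REGION = uuid.UUID("8B7CA206-4790-4B9A-B8FE-575F050F886E")
FILE_PARAMETERS = uuid.UUID("CAA16737-FA36-4D43-B3B6-33F0AA44E76B")
ZERO_GUID = uuid.UUID(int=0)


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum VHDX uses."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def parse_header(blob: bytes, offset: int):
    """Return (sequence_number, log_guid) for one 4 KiB header copy, or None if it is corrupt."""
    hdr = blob[offset:offset + 4096]
    if hdr[:4] != b"head":
        return None
    stored = struct.unpack_from("<I", hdr, 4)[0]
    if crc32c(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != stored:  # checksum is computed with its field zeroed
        return None
    return struct.unpack_from("<Q", hdr, 8)[0], uuid.UUID(bytes_le=hdr[48:64])


def has_parent(blob: bytes) -> bool:
    """Follow the region table to the metadata region and read the HasParent flag."""
    table = blob[REGION_TABLE_OFFSET:REGION_TABLE_OFFSET + 64 * 1024]
    if table[:4] != b"regi":
        raise ValueError("region table signature missing")
    for i in range(struct.unpack_from("<I", table, 8)[0]):
        entry = 16 + 32 * i  # GUID (16), FileOffset (8), Length (8), Required (4)
        if uuid.UUID(bytes_le=table[entry:entry + 16]) == METADATA_REGION:
            start, length = struct.unpack_from("<QQ", table, entry + 16)
            break
    else:
        raise ValueError("no metadata region")
    meta = blob[start:start + length]
    if meta[:8] != b"metadata":
        raise ValueError("metadata signature missing")
    for i in range(struct.unpack_from("<H", meta, 10)[0]):
        entry = 32 + 32 * i  # ItemId (16), Offset (4), Length (4), Flags (4)
        if uuid.UUID(bytes_le=meta[entry:entry + 16]) == FILE_PARAMETERS:
            off = struct.unpack_from("<I", meta, entry + 16)[0]
            # File Parameters item: BlockSize (4), then flags; bit 1 = HasParent (differencing disk)
            return bool(struct.unpack_from("<I", meta, off + 4)[0] & 0b10)
    raise ValueError("File Parameters item missing")


def preflight(blob: bytes) -> dict:
    """What an examiner must know before an analysis client touches this VHDX."""
    if blob[:8] != b"vhdxfile":
        raise ValueError("not a VHDX file")
    headers = [h for h in (parse_header(blob, o) for o in HEADER_OFFSETS) if h]
    if not headers:
        raise ValueError("both header copies are corrupt")
    # The active header is the intact copy with the highest sequence number. A non-zero
    # LogGuid in it means a log replay is pending: the disk was not cleanly detached.
    _, log_guid = max(headers, key=lambda h: h[0])
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),  # record now, compare after analysis
        "intact_headers": len(headers),
        "clean_close": log_guid == ZERO_GUID,
        "has_parent": has_parent(blob),
    }


def build_sample(clean_close: bool, has_parent: bool) -> bytes:
    """Constructed 2 MiB skeleton VHDX (headers, region table, metadata; no BAT, no data blocks)."""
    img = bytearray(2 * 1024 * 1024)
    img[0:8] = b"vhdxfile"
    for seq, off in enumerate(HEADER_OFFSETS, start=1):
        hdr = bytearray(4096)
        hdr[0:4] = b"head"
        struct.pack_into("<Q", hdr, 8, seq)
        hdr[48:64] = (ZERO_GUID if clean_close else uuid.uuid4()).bytes_le
        struct.pack_into("<HH", hdr, 64, 0, 1)  # LogVersion 0, Version 1
        struct.pack_into("<I", hdr, 4, crc32c(bytes(hdr)))
        img[off:off + 4096] = hdr
    table = bytearray(64 * 1024)
    table[0:4] = b"regi"
    struct.pack_into("<I", table, 8, 1)
    table[16:32] = METADATA_REGION.bytes_le
    struct.pack_into("<QQI", table, 32, 1024 * 1024, 1024 * 1024, 1)  # offset, length, required
    img[REGION_TABLE_OFFSET:REGION_TABLE_OFFSET + len(table)] = table
    meta = bytearray(1024 * 1024)  # entry table in the first 64 KiB, item data after it
    meta[0:8] = b"metadata"
    struct.pack_into("<H", meta, 10, 1)
    meta[32:48] = FILE_PARAMETERS.bytes_le
    struct.pack_into("<III", meta, 48, 64 * 1024, 8, 0b100)  # item offset, length, IsRequired
    struct.pack_into("<II", meta, 64 * 1024, 32 * 1024 * 1024, 0b10 if has_parent else 0)
    img[1024 * 1024:] = meta
    return bytes(img)
```

`preflight` works on the file bytes so the example stays self-contained; against real multi-gigabyte containers the same structures sit at fixed offsets and can be read with seeks, with only the hash needing a full pass. A container that reports `clean_close` false should be treated as still attached (or as a copy taken while attached) and never handed to a tool that replays the log; one with `has_parent` true needs its parent chain acquired as well, since this file alone does not hold the complete profile.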
The VHDX artifact suite developed for Velociraptor opens up new possibilities in digital forensics. It enables scalable, efficient investigation of user profiles stored in VHDX files - with proven standard artifacts such as the UserAssist and NTUSER.DAT parsers, without any customization.
In our tests, over 1,000 VHDX profiles were analyzed in under a minute - with consistently high forensic integrity and significantly less effort than conventional methods. This not only speeds up triage but also relieves security teams in time-critical DFIR situations.
Although step-by-step validation in live environments is recommended before productive use, the result speaks for itself: forensic investigations become more predictable, faster and more reliable - without compromising precision or security.
Conclusion: those who automate VHDX analyses gain crucial time in an emergency.
Every day, our CSIRT team uses Velociraptor in complex analyses - efficiently, reliably and with forensic precision. Benefit from this experience and take your own investigation processes to the next level - with the expertise of an ISO 27001:2022-certified incident response team.