2025-11-03

VHDX remapping artifacts

https://labs.infoguard.ch/posts/automation_of_vhdx_investigations/

Several Velociraptor artifacts for remapping VHDX images into a Velociraptor server as virtual clients, so that the image can be queried as if it were a live endpoint.

Notes

Windows.Vhdx.RemapConfigBuilder - Create remapping configuration YAML files that virtually mount VHDX profiles as virtual Velociraptor clients.

Windows.Vhdx.Sys.Users - List user accounts by inspecting registry keys in the remapped image. Because a local profile is only created on interactive logon (console or remote), this is a reliable indicator of which users have actually logged on to the system, as opposed to accounts that merely exist.

Windows.Vhdx.VirtualClientRemover - Stop (kill) the Velociraptor agent that serves as the virtual host for a VHDX profile.

Windows.Vhdx.VirtualClientRunner - Run a Velociraptor agent with the remapping configuration produced by Windows.Vhdx.RemapConfigBuilder. Each such agent presents one VHDX profile to the server as its own virtual client.
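To make the workflow above concrete, here is an illustrative remapping configuration of the kind Windows.Vhdx.RemapConfigBuilder would produce and Windows.Vhdx.VirtualClientRunner would hand to the agent. It is an added example written for these notes, not output of the InfoGuard artifacts or a file from the linked post. The section layout (`permissions`, `impersonation`, `mount`, the `DelegateAccessor`/`DelegatePath`/`Path` pathspec form) follows Velociraptor's published dead-disk remapping configurations; the image path `D:/evidence/WKS01.vhdx`, the hostname `VHDX-WKS01`, the disabled plugin list and the assumption that the `vhdx` accessor of the installed Velociraptor version exposes a single NTFS volume at the start of the image are all mine and should be checked against the running version before use.

```yaml
# Illustrative Velociraptor remapping configuration for one VHDX image.
# Added example; not generated by Windows.Vhdx.RemapConfigBuilder.
# Assumed values: the image path, the hostname and the single-NTFS-volume layout.
remappings:
  # Permissions the virtual client needs to collect from its own (remapped) view.
  - type: permissions
    permissions:
      - COLLECT_CLIENT
      - FILESYSTEM_READ
      - READ_RESULTS
      - MACHINE_STATE

  # Present the image as a distinct Windows host, and disable the plugins and
  # functions that would otherwise read the analyst's real machine instead of
  # the image (process listing, handles, live tokens, AMSI, SID lookups).
  - type: impersonation
    os: windows
    hostname: VHDX-WKS01          # assumed name for the virtual client
    env:
      - key: SystemRoot
        value: C:\Windows
      - key: WinDir
        value: C:\Windows
    disabled_functions:
      - amsi
      - lookupSID
      - token
    disabled_plugins:
      - pslist
      - handles
      - netstat
      - certificates

  # Mount the NTFS volume inside the VHDX as the virtual client's C: drive.
  # raw_ntfs parses the filesystem and delegates block reads to the vhdx
  # accessor, which resolves the VHDX block allocation table to raw sectors.
  - type: mount
    from:
      accessor: raw_ntfs
      prefix: |
        {
          "DelegateAccessor": "vhdx",
          "DelegatePath": "D:/evidence/WKS01.vhdx",
          "Path": "/"
        }
    "on":
      accessor: ntfs
      prefix: '\\.\C:'
      path_type: ntfs

  # Expose the image's SYSTEM hive under HKLM\System so that registry-based
  # artifacts (such as the user-profile listing) run unchanged. The delegate
  # path is itself a raw_ntfs pathspec, JSON-escaped inside the outer pathspec.
  - type: mount
    from:
      accessor: raw_reg
      prefix: |
        {
          "DelegateAccessor": "raw_ntfs",
          "DelegatePath": "{\"DelegateAccessor\":\"vhdx\",\"DelegatePath\":\"D:/evidence/WKS01.vhdx\",\"Path\":\"/\"}",
          "Path": "/Windows/System32/Config/SYSTEM"
        }
      path_type: registry
    "on":
      accessor: registry
      prefix: HKEY_LOCAL_MACHINE\System
      path_type: registry
```

Velociraptor documents loading such a file with its global `--remap` flag (for example when starting a client or the GUI), which is what a runner artifact has to do for each VHDX. Two things to verify on a real image before trusting results: that the `vhdx` accessor in the installed version handles the image's partition layout (a full-disk VHDX with a partition table may need the NTFS partition addressed explicitly rather than `Path: "/"`), and that every plugin which reads live state is in `disabled_plugins`, otherwise a collection against the "virtual client" silently mixes the analyst workstation's data with the image's.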