Extending Detection Engineering to Digital Forensics: The Velociraptor Unified Detection-Forensics Methodology
Abstract
Detection engineering and digital forensics have evolved in parallel rather than in partnership, leaving a gap between real-time alerting and forensic analysis. This paper develops a unified detection-forensics methodology using Velociraptor, where detection logic directly initiates targeted evidence acquisition at the point of detection. The contribution is threefold: (1) a four-stage methodology (baseline establishment, evidence correlation, attack chain analysis, and scenario labelling with confidence) that converts artefact knowledge into reusable and testable detection rules suitable for both post-incident triage and live monitoring; (2) a practical demonstration, using three Velociraptor BaseVQL log sources (/forensics/windows/prefetch, /forensics/windows/usn, and /windows/wmi) that practitioners can deploy today, showing that artefact-based detections enable scalable forensic triage without full disk acquisition; and (3) evidence that periodic artefact analysis offers continuous monitoring while substantially reducing data volume compared to conventional endpoint logging. Two case studies illustrate the approach: a Prefetch/USN baseline for triage when Windows Event Logs are cleared or unavailable, and a WMI persistence correlation supporting both triage and continuous monitoring through periodic artefact analysis.
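The four stages named above can be read as a small pipeline: a baseline of known-good executables, a time-window join between Prefetch execution evidence and USN journal file-system changes, an ordered chain of the correlated events, and a scenario label with a confidence level. The following is an added illustration of that shape and is not code from the paper; in a real deployment the stages would be expressed as VQL over the Prefetch and USN artefacts named in the abstract, whereas this Python sketch runs offline over constructed records. The record fields, the 15-minute correlation window, the run-count threshold, and the scenario and confidence labels are all assumptions chosen for the example, not values taken from the paper.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrefetchRecord:
    executable: str   # image name as recorded in the .pf file
    path: str         # image path recovered from the prefetch file
    last_run: datetime
    run_count: int


@dataclass(frozen=True)
class UsnRecord:
    filename: str
    reason: str       # USN change reason as text, e.g. "FILE_CREATE" (assumed form)
    timestamp: datetime


# Stage 1: baseline establishment. In practice built from prefetch output
# collected across known-good hosts; this set is constructed for the example.
BASELINE = {
    ("SVCHOST.EXE", r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE"),
    ("POWERSHELL.EXE", r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE"),
}


def stage1_deviations(prefetch):
    """Executables whose (name, path) pair is absent from the baseline."""
    return [p for p in prefetch if (p.executable, p.path) not in BASELINE]


def stage2_correlate(deviation, usn, window):
    """USN entries for the same filename that fall within `window` before the
    recorded last run, i.e. the file was written shortly before it executed."""
    lo = deviation.last_run - window
    return sorted(
        (u for u in usn
         if u.filename.upper() == deviation.executable.upper()
         and lo <= u.timestamp <= deviation.last_run),
        key=lambda u: u.timestamp,
    )


def stage3_chain(deviation, hits):
    """Ordered attack-chain timeline: file-system events, then the execution."""
    chain = [(u.timestamp, f"USN {u.reason} {u.filename}") for u in hits]
    chain.append((deviation.last_run,
                  f"PREFETCH run {deviation.path} (count={deviation.run_count})"))
    return [f"{ts.isoformat()} {desc}" for ts, desc in sorted(chain)]


def stage4_label(deviation, hits):
    """Scenario label plus confidence. Thresholds are illustrative assumptions."""
    created = any(u.reason == "FILE_CREATE" for u in hits)
    if created and deviation.run_count <= 2:
        return "dropped-then-executed", "high"
    if created:
        return "dropped-then-executed", "medium"
    return "unbaselined-execution", "low"


def triage(prefetch, usn, window=timedelta(minutes=15)):
    """Run the four stages over one host's Prefetch and USN artefacts."""
    findings = {}
    for dev in stage1_deviations(prefetch):
        hits = stage2_correlate(dev, usn, window)
        scenario, confidence = stage4_label(dev, hits)
        findings[dev.executable] = {
            "scenario": scenario,
            "confidence": confidence,
            "chain": stage3_chain(dev, hits),
        }
    return findings


# Constructed sample artefacts for a single host (not real data).
T = datetime(2024, 3, 1, 10, 0)
SAMPLE_PREFETCH = [
    PrefetchRecord("SVCHOST.EXE", r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE", T, 412),
    PrefetchRecord("UPDATER.EXE", r"C:\USERS\PUBLIC\UPDATER.EXE", T + timedelta(minutes=5), 1),
    PrefetchRecord("NOTEPAD.EXE", r"C:\WINDOWS\SYSTEM32\NOTEPAD.EXE", T + timedelta(minutes=30), 40),
]
SAMPLE_USN = [
    UsnRecord("REPORT.DOCX", "FILE_CREATE", T - timedelta(hours=1)),
    UsnRecord("UPDATER.EXE", "FILE_CREATE", T + timedelta(minutes=3)),
    UsnRecord("UPDATER.EXE", "DATA_EXTEND", T + timedelta(minutes=3, seconds=2)),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_PREFETCH, SAMPLE_USN).items():
        print(name, finding["scenario"], finding["confidence"])
        for line in finding["chain"]:
            print("   ", line)
```

On the constructed data, UPDATER.EXE is flagged as dropped-then-executed with high confidence because a FILE_CREATE for the same filename precedes its first and only run by two minutes, while NOTEPAD.EXE is merely unbaselined with low confidence because nothing in the journal corroborates a drop. The point of the structure is that none of the stages touches Windows Event Logs, which is what makes the Prefetch/USN pairing usable when those logs have been cleared.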