When Dinosaurs Ruled the Blue Team: Quickly Retrieving Triage Images via EDR
OVERVIEW
With the recent rise in users working remotely, many security-related processes have had to adapt. One of these is capturing a forensic image for analysis. Acquiring a bit-for-bit copy of a full disk over the network is impractical, and waiting to obtain the physical drive may introduce unacceptable delays. I will outline a process for using EDR to deploy the Velociraptor standalone executable and capture a triage image (a targeted collection of high-value artifacts rather than a full disk image) under 500MB in size. This can be done in under 30 minutes, and will hand your team the most important forensic artifacts to start the investigation.
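The collection step this process relies on, as an added example that is not the post's own script: a PowerShell wrapper that runs the deployed Velociraptor binary in offline-collection mode from an EDR live-response shell, then records the archive's size and SHA-256 so the analyst can verify the file after the EDR pulls it back. The deploy path, output directory, the `Windows.KapeFiles.Targets` artifact with its `KapeTriage` target, the 500MB cap and the `artifacts collect` / `--args` / `--output` flags are assumptions taken from Velociraptor's command-line usage; confirm them against `velociraptor.exe artifacts collect --help` for the version you ship.

```powershell
# Added example, not from the original post. Runs the Velociraptor standalone
# binary as an offline collector and writes a manifest for chain of custody.
# Paths, artifact/target names, size cap and CLI flags are assumptions; check
# them against `velociraptor.exe artifacts collect --help` for your build.

param(
    [string]$Velociraptor = 'C:\ProgramData\triage\velociraptor.exe',   # assumed EDR deploy path
    [string]$OutDir       = 'C:\ProgramData\triage',                    # assumed staging directory
    [string]$Artifact     = 'Windows.KapeFiles.Targets',                # assumed built-in artifact
    [string]$Target       = 'KapeTriage',                               # assumed compound target
    [int]   $MaxMB        = 500                                         # size budget from the post
)

$ErrorActionPreference = 'Stop'
$hostName = $env:COMPUTERNAME
$stamp    = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$zip      = Join-Path $OutDir "$hostName-$stamp-triage.zip"
$log      = Join-Path $OutDir "$hostName-$stamp-collect.log"

if (-not (Test-Path $Velociraptor)) { throw "collector not found at $Velociraptor" }
if (-not (Test-Path $OutDir))       { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Collect only the named target into a zip; stdout goes to a log kept beside the archive.
& $Velociraptor artifacts collect $Artifact --args "$Target=Y" --output $zip |
    Out-File -FilePath $log -Encoding utf8
if ($LASTEXITCODE -ne 0) { throw "velociraptor exited with code $LASTEXITCODE, see $log" }
if (-not (Test-Path $zip)) { throw "collector finished but $zip was not written" }

$sizeMB = [math]::Round((Get-Item $zip).Length / 1MB, 1)
$sha256 = (Get-FileHash -Path $zip -Algorithm SHA256).Hash

# Warn, rather than fail, if the archive blows the budget: the data is still
# useful, but the analyst should trim the target set before the next host.
if ($sizeMB -gt $MaxMB) {
    Write-Warning "$zip is $sizeMB MB, over the $MaxMB MB cap; trim the target set before retrieving"
}

# Manifest the analyst compares against the file the EDR retrieves.
[pscustomobject]@{
    Host      = $hostName
    Collected = $stamp
    Archive   = $zip
    SizeMB    = $sizeMB
    SHA256    = $sha256
} | ConvertTo-Json | Set-Content -Path "$zip.manifest.json" -Encoding utf8

Get-Content -Path "$zip.manifest.json"
```

After the EDR file retrieval, recompute the SHA-256 of the copy on the analysis workstation and compare it with the manifest; a mismatch means the transfer, not the collection, needs to be redone.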