VanGuard is a cross-platform digital forensics and incident response (DFIR) toolkit designed for enterprise environments. Built as a single Go binary by Ridgeline Cyber Defence, it handles triage, threat hunting, memory forensics, disk collection, remote operations, and Velociraptor management on Windows and Linux systems. With 77 GitHub stars, the project at https://github.com/ridgelinecyberdefence/vanguard consolidates tools that DFIR teams typically run separately, reducing the need to track command flags or manage evidence manually.
The toolkit addresses common pain points in incident response workflows, such as dependency on multiple tools, network requirements, and evidence handling. It supports air-gapped operations fully, with online features as optional enhancements. Users get 28 pre-built use cases covering scenarios like ransomware, business email compromise (BEC), lateral movement, credential theft, and rootkit detection—each mapped to MITRE ATT&CK and structured for phased artifact collection. Output includes automated timeline generation, chain of custody logs, and HTML reports.
Core features
VanGuard packs capabilities into its portable binary:
- Velociraptor integration: Manages the full server lifecycle, including certificate generation, agent deployment via WinRM, SSH, or PSExec, offline collectors, VQL queries, and hunt operations. Passwords are generated securely and are never written to logs.
- Quick triage: Gathers 20+ Windows artifacts (processes, event logs, registry hives, browser history, DNS cache) and 15+ Linux ones (cron jobs, systemd units, SSH configs, auth logs) using native OS commands. Collected artifacts are hashed automatically with both MD5 and SHA256.
- Threat hunting and scanning: Runs Hayabusa for Sigma-based log analysis, Chainsaw for event hunting, Loki for IOC scans, and YARA rules. Detects LOLBins, suspicious autoruns, named pipes, DLL hijacks, rogue systemd units, SUID binaries, and C2 patterns on the live system.
- Memory forensics: Captures dumps using DumpIt, WinPMEM (Windows), AVML, or LiME (Linux), locally or remotely. Analyzes with Volatility3 plugins for processes, networks, malware, registry, timelines, and YARA scans. Remote ops use randomized temp paths.
- Remote operations and reporting: Targets multiple endpoints via WinRM (NTLM), SSH, or PSExec with concurrency limits. Generates self-contained HTML reports and super-timelines from merged CSV artifacts.
Evidence integrity comes standard: append-only HMAC-SHA256 audit logs, dual hashing, and tamper-evident custody chains. Dual interfaces—a keyboard-driven TUI for terminals/SSH and a web UI for browsers—support varied workflows.
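The dual hashing and the append-only HMAC-SHA256 custody log described above can be shown together. The following is an added example written for this page, not code from VanGuard or Ridgeline Cyber Defence: it hashes a constructed artifact with MD5 and SHA256, then records custody actions in a chain where each record's HMAC also covers the previous record's HMAC, so any edit to an earlier record breaks verification of every later one. The type names, the per-case key and the field layout are assumptions; the project's real log format is not on the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// ArtifactHashes holds the two digests recorded for each collected artifact.
type ArtifactHashes struct {
	MD5    string
	SHA256 string
}

// DualHash computes MD5 and SHA256 over the artifact bytes. MD5 is kept for
// matching older IOC lists; SHA256 is the integrity value that matters.
func DualHash(data []byte) ArtifactHashes {
	m := md5.Sum(data)
	s := sha256.Sum256(data)
	return ArtifactHashes{MD5: hex.EncodeToString(m[:]), SHA256: hex.EncodeToString(s[:])}
}

// Entry is one custody record. Its MAC also covers the previous record's MAC,
// so editing, removing or reordering an earlier record invalidates every later one.
type Entry struct {
	Seq     int
	When    string // RFC 3339, UTC
	Actor   string
	Action  string
	Subject string // artifact name, usually with its hashes
	MAC     string // hex HMAC-SHA256
}

// AuditLog is an append-only chain keyed with a per-case secret (assumed
// design; the key must live outside the log it protects).
type AuditLog struct {
	key     []byte
	entries []Entry
}

const genesisMAC = "0000000000000000000000000000000000000000000000000000000000000000"

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func macFor(key []byte, prev string, e Entry) string {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%s|%d|%s|%s|%s|%s", prev, e.Seq, e.When, e.Actor, e.Action, e.Subject)
	return hex.EncodeToString(h.Sum(nil))
}

// Append records an action. Nothing already in the log is rewritten.
func (l *AuditLog) Append(when time.Time, actor, action, subject string) Entry {
	prev := genesisMAC
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := Entry{Seq: len(l.entries) + 1, When: when.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, Subject: subject}
	e.MAC = macFor(l.key, prev, e)
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes the chain and returns (true, 0) if it is intact, otherwise
// (false, seq) for the first record that fails. Truncating the tail is the one
// change it cannot see, so the newest MAC should also be stored externally.
func (l *AuditLog) Verify() (bool, int) {
	prev := genesisMAC
	for i, e := range l.entries {
		expected := macFor(l.key, prev, e)
		if e.Seq != i+1 || !hmac.Equal([]byte(e.MAC), []byte(expected)) {
			return false, i + 1
		}
		prev = e.MAC
	}
	return true, 0
}

func main() {
	// Constructed stand-in for a collected registry hive.
	h := DualHash([]byte("constructed sample hive contents"))

	log := NewAuditLog([]byte("constructed-per-case-key"))
	t0 := time.Date(2024, 3, 1, 9, 30, 0, 0, time.UTC)
	log.Append(t0, "analyst1", "collect", "SYSTEM.hive md5="+h.MD5+" sha256="+h.SHA256)
	log.Append(t0.Add(time.Minute), "analyst1", "verify", "SYSTEM.hive")
	log.Append(t0.Add(2*time.Minute), "analyst2", "transfer", "SYSTEM.hive -> evidence share")
	ok, bad := log.Verify()
	fmt.Println("intact:", ok, "first bad seq:", bad)

	// Someone rewrites who carried out the transfer; the chain breaks at seq 3.
	log.entries[2].Actor = "analyst1"
	ok, bad = log.Verify()
	fmt.Println("intact:", ok, "first bad seq:", bad)
}
```

Verification reports the first record whose HMAC no longer matches, which is what a custody review needs: not just "tampered" but where the chain was broken.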
Getting it running
No installation is required. Download the pre-built binary for Windows or Linux from the GitHub releases page at https://github.com/ridgelinecyberdefence/vanguard/releases. It runs from any directory.
On Linux, set execute permissions with chmod +x vanguard, then launch ./vanguard. Windows users run vanguard.exe directly. The TUI starts immediately; press keys to navigate menus for triage, Velociraptor setup, or hunts. For the web UI, select the option to start the local server, which is then reachable from a browser on the same machine or network.
Air-gapped use works out of the box; no external dependencies or internet needed for core functions. Velociraptor server init generates certificates on first run. Remote ops require target credentials entered at runtime, stored ephemerally.
Disk collection uses KAPE targets on Windows (with EZ Tools like MFTECmd, EvtxECmd) and UAC profiles on Linux. Memory capture selects from built-in methods without extra downloads. Reports save as standalone HTML with embedded CSS.
Who this is for
DFIR teams in enterprises handling high-stakes incidents benefit most. It fits scenarios needing rapid deployment on live systems—think ransomware response where offline triage matters, or threat hunts across hybrid Windows/Linux fleets. Pre-built use cases speed up common investigations: select "ransomware" to run phased collections mapped to ATT&CK tactics.
Remote capabilities suit SOC analysts triaging multiple endpoints without physical access. Velociraptor users gain a unified interface for agent management and offline queries. Air-gapped orgs, like government or defense, value the zero-network baseline.
If your team juggles Volatility3, Hayabusa, KAPE, and Velociraptor manually, VanGuard cuts that overhead. Smaller teams or solo responders might find the 28 use cases handy for structured evidence gathering.
How it compares
VanGuard stands out by bundling tools like Velociraptor, Hayabusa, Chainsaw, Loki, YARA, Volatility3, KAPE, and EZ Tools into one binary, unlike standalone options requiring separate downloads and coordination. For example, Velociraptor alone handles endpoint querying but lacks built-in memory capture or disk forensics; VanGuard extends it with triage and remote deployment.
Pure memory tools like WinPMEM or LiME need Volatility3 separately for analysis; VanGuard chains them with timelines and reporting. KAPE collects files efficiently but requires targets to be defined in advance; here, use cases automate that. Air-gapped rivals like GRR or osquery agents often need installs or networks, while VanGuard drops and runs.
It's heavier than minimal scripts (a Go binary is larger than lightweight PowerShell one-liners) but lighter than full DFIR distros like Kali with dozens of packages. No cloud focus is mentioned, so AWS-specific tools like S3 collection aren't covered natively.
Disk and network collection details
Beyond triage, Windows disk operations parse collected data with MFTECmd (MFT), EvtxECmd (events), PECmd (PE files), and RECmd (registry). Linux pulls UAC profiles, logs, and configs, with per-file SHA256 verification. Network artifacts include connections and the DNS cache.
Hunting scans live state without dumps: Windows checks autoruns, pipes, and DLLs; Linux flags kernel modules and SUIDs. The timeline merge parses artifacts into CSVs at 30-minute granularity, sortable chronologically.
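To show what a timeline merge at 30-minute granularity involves, here is an added example written for this page, not VanGuard's own code: two constructed artifact CSVs (an event log export and a browser history export with a UTC+1 offset) are parsed, normalized to UTC, assigned to the 30-minute window they fall in, merged, sorted chronologically, and written out as one super-timeline CSV. The column names, the source labels and the output layout are assumptions; the project's actual CSV formats are not on the page.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample artifacts. Each type has its own columns, and the browser
// export carries a non-UTC offset that must be normalized before merging.
const eventLogCSV = `host,timestamp,event_id,message
ws01,2024-03-01T09:47:12Z,4624,Logon type 10 from 10.0.0.5
ws01,2024-03-01T10:02:40Z,7045,Service installed: updater
`

const browserCSV = `host,visit_time,url
ws01,2024-03-01T09:31:05+01:00,http://example.invalid/download
`

const bucketSize = 30 * time.Minute

// TimelineRow is one normalized event in the merged super-timeline.
type TimelineRow struct {
	Bucket  time.Time // start of the 30-minute window containing the event
	When    time.Time // original timestamp normalized to UTC
	Source  string    // which artifact the row came from
	Host    string
	Summary string
}

// parseArtifactCSV turns one artifact CSV into timeline rows. timeCol names the
// timestamp column; summaryCols lists the columns carried into the summary.
func parseArtifactCSV(source, raw, timeCol string, summaryCols []string) ([]TimelineRow, error) {
	records, err := csv.NewReader(strings.NewReader(raw)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(records) < 2 {
		return nil, nil
	}
	idx := map[string]int{}
	for i, name := range records[0] {
		idx[name] = i
	}
	ti, okT := idx[timeCol]
	hi, okH := idx["host"]
	if !okT || !okH {
		return nil, fmt.Errorf("%s: need columns %q and \"host\"", source, timeCol)
	}
	var rows []TimelineRow
	for _, rec := range records[1:] {
		when, err := time.Parse(time.RFC3339, rec[ti])
		if err != nil {
			return nil, fmt.Errorf("%s: bad timestamp %q: %w", source, rec[ti], err)
		}
		when = when.UTC()
		var parts []string
		for _, c := range summaryCols {
			if i, ok := idx[c]; ok {
				parts = append(parts, c+"="+rec[i])
			}
		}
		rows = append(rows, TimelineRow{Bucket: when.Truncate(bucketSize), When: when,
			Source: source, Host: rec[hi], Summary: strings.Join(parts, " ")})
	}
	return rows, nil
}

// MergeTimeline concatenates all sources and orders them by timestamp (which
// also orders the buckets, since truncation is monotonic), then by source name.
func MergeTimeline(sources ...[]TimelineRow) []TimelineRow {
	var all []TimelineRow
	for _, s := range sources {
		all = append(all, s...)
	}
	sort.SliceStable(all, func(i, j int) bool {
		if !all[i].When.Equal(all[j].When) {
			return all[i].When.Before(all[j].When)
		}
		return all[i].Source < all[j].Source
	})
	return all
}

// WriteTimelineCSV renders the merged rows as the super-timeline CSV.
func WriteTimelineCSV(rows []TimelineRow) string {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	w.Write([]string{"bucket_utc", "timestamp_utc", "source", "host", "summary"})
	for _, r := range rows {
		w.Write([]string{r.Bucket.Format("2006-01-02 15:04"), r.When.Format(time.RFC3339),
			r.Source, r.Host, r.Summary})
	}
	w.Flush()
	return sb.String()
}

// BuildSampleTimeline parses both constructed artifacts and merges them.
func BuildSampleTimeline() ([]TimelineRow, error) {
	evt, err := parseArtifactCSV("evtx", eventLogCSV, "timestamp", []string{"event_id", "message"})
	if err != nil {
		return nil, err
	}
	web, err := parseArtifactCSV("browser", browserCSV, "visit_time", []string{"url"})
	if err != nil {
		return nil, err
	}
	return MergeTimeline(evt, web), nil
}

func main() {
	rows, err := BuildSampleTimeline()
	if err != nil {
		panic(err)
	}
	fmt.Print(WriteTimelineCSV(rows))
}
```

The browser visit lands first in the output even though its local timestamp reads later than the logon event, which is the reason every source is converted to UTC before bucketing: a timeline that mixes offsets misorders the very events an analyst is trying to sequence.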
For Velociraptor, generate offline collectors for import later. Hunts launch across deployed agents.
Casual users or non-IR tasks won't need it; stick to basic Sysinternals. Download from GitHub to test a use case like credential theft collection. Source: https://github.com/ridgelinecyberdefence/vanguard.