triage.zip provides an out-of-the-box Velociraptor triage collector for Windows, pre-configured for rapid and effective incident response. The project is intended for responders who need a reliable offline collector without the hassle of building from scratch.
- **Automated Build and Deployment:** Every commit to the `main` branch triggers a CI workflow (see `ci.yml`) which:
  - Fetches the latest Velociraptor Linux binary from its official release using a shell script.
  - Generates an offline collector using the provided configuration (`spec.yaml`).
  - Deploys the collector as a GitHub release for easy download.

  In addition, a scheduled GitHub Actions trigger now runs every Monday at 6pm UTC to ensure the collector is always built using the latest Velociraptor release version.
- **Configuration:** The collector behavior is defined in `spec.yaml`, detailing operating system, artifacts, collection parameters, and output settings.
- **Automated Builds:** CI workflows ensure that every update is built automatically and the latest version is available as a GitHub release.
- **Offline Collector:** Designed to run without network dependencies, the executable facilitates rapid triage on target systems.
- **Pre-configured Response Options:** Tailored for Windows environments, the spec includes options for valuable artifacts (e.g., KAPE triage targets, SANS triage, live system data, and Sysinternals Autoruns) to cover a wide range of triage scenarios.
- **Download and Run:**
  - Download the latest release of the collector here (permalink).
  - Run the executable as an Administrator on the target system.
- **Triage Operation:** Upon execution, the collector gathers artifacts and zips them using a naming template (`Triage-%FQDN%-%TIMESTAMP%.zip`), making it easy to correlate with the system it was collected from.
  - NOTE: we intentionally chose not to encrypt or password protect the collection ZIP to make subsequent automated processing easier. Be mindful of this and never leave a triage collection behind on a compromised system or any other unsecured location.
- **Analyze Triage Collection:** Upon completion, you can either import the collection into a Velociraptor server or use a tool such as Plaso or OpenRelik to process the evidence.
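Before a collection is handed to Plaso, OpenRelik or a Velociraptor server, an analyst typically records where it came from and that it is intact. The script below is an added example and not part of the triage.zip project: it recovers the host and time from the `Triage-%FQDN%-%TIMESTAMP%.zip` name (assuming, as this example does, that `%TIMESTAMP%` begins with `YYYY-MM-DDT`), hashes the archive, counts its entries, and confirms that no member is encrypted and every CRC checks out, since the collector writes a plain ZIP.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# Assumed layout of the default template Triage-%FQDN%-%TIMESTAMP%.zip; that
# %TIMESTAMP% begins with YYYY-MM-DDT is an assumption, not taken from the project.
NAME_RE = re.compile(r"^Triage-(?P<fqdn>.+?)-(?P<ts>\d{4}-\d{2}-\d{2}T[0-9_:.Z+-]+)\.zip$")

def parse_collection_name(name: str) -> dict:
    """Recover the source host and collection time encoded in the file name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a triage.zip collection name: {name}")
    return {"fqdn": m["fqdn"], "timestamp": m["ts"]}

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so multi-gigabyte collections never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_collection(path: str) -> dict:
    """Provenance and integrity facts worth recording before the ZIP is processed."""
    p = Path(path)
    info = parse_collection_name(p.name)
    with zipfile.ZipFile(p) as zf:
        members = zf.infolist()
        # Bit 0 of flag_bits marks an encrypted entry. The collector writes none,
        # so any encrypted member means this is not an unmodified collection.
        encrypted = sum(1 for m in members if m.flag_bits & 0x1)
        intact = encrypted == 0 and zf.testzip() is None  # testzip(): None == all CRCs OK
    info.update(sha256=sha256_file(p), entries=len(members),
                encrypted_entries=encrypted, intact=intact)
    return info

def run_demo() -> dict:
    """Inspect a constructed stand-in for real collector output (sample data only)."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "Triage-web-01.corp.example.com-2024-03-04T10_11_12Z.zip"
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("results/Windows.Triage.Targets.json", b"{}\n")  # constructed
        return inspect_collection(str(path))
```

Call `run_demo()` to see the fields on a constructed sample, or pass a real archive path to `inspect_collection()`; a non-zero `encrypted_entries` or `intact == False` means the file should not be trusted as the collector's original output.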
If you wish to customize or build your own version, you can easily fork this repo:
- **Build Script:** Examine and modify the `build_collector.sh` script to understand how the collector is generated.
- **Configuration:** Adjust collection specifics in `spec.yaml` to suit your needs.
- **Continuous Integration:** The CI pipeline in `.github/workflows/ci.yml` orchestrates the build and release process. Commit to `main` to trigger a new build.
- **Velociraptor Documentation:** More detailed information about offline collectors can be found in the Velociraptor docs.
- **Processing Triage Acquisitions:** For inspiration on how to process triage acquisitions generated by this tool, check out OpenRelik.
- **Understanding KAPE Targets:** The project uses the `Windows.Triage.Targets` artifact. The original KAPE Targets it builds on can be found here, and the `Windows.Triage.Targets` artifact documentation is available at triage.velocidex.com.
- **License:** This project is licensed under the MIT License.
If you encounter issues or have suggestions for enhancement, feel free to open a GitHub issue on the repository.
Happy triaging!