How can I automate the creation of the offline collector?

The Velociraptor Offline collector is a pre-configured triage and acquisition tool.

Velociraptor features a convenient GUI to allow creating the offline collector’s including building the configuration file and embedding it inside the collector.

But what if we need to automate the creation of the collector? While a GUI is nice it can be made much more efficient to automate the collector.

When building the collector using the GUI you might notice that the GUI simply preconfigured and launches a new server artifact and the server simply collects that.

The Create Offline Collector artifact
The Create Offline Collector artifact

You can actually collect the same artifact using the command line (on the server) or using the API (from anywhere). Here is an example with PowerShell (assuming the server is running on Windows):

velociraptor.exe --config server.config.yaml -v artifacts collect
   Server.Utils.CreateCollector
   --args OS=Windows
   --args artifacts='["""Generic.System.Pstree"""]'
   --args parameters='{"""Generic.System.Pstree""":{}}'
   --args target=ZIP
   --args opt_admin=N
   --args opt_prompt=N
   --output collector.zip

This command will create a new offline collector binary and store it inside the file collector.zip

We can now extract the executable from the ZIP file (using powershell)

Note that running this in powershell requires quotes to be escaped in the powershell specific way. Usually it means expanding double quotes (") into 3 double quotes (""")

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_quoting_rules

A collector creation script

There is a simple script that makes it easier to create the collector without a GUI here https://github.com/Velocidex/velociraptor/tree/master/docs/offline_collector

This script uses a specification file to avoid the need to escaping on the command line. The specification file is simply the same as what will be generated by the GUI (So you can check the output of the GUI for the ultimate reference what each variable means).

To run the script simply create a new directory and point the script to the Velociraptor binary for your platform and the spec file.

The script will create a small Velociraptor deployment in the current directory and automatically download any third party tools needed.

The script should work with earlier versions but was tested for Release 0.7.0 onwards.