Accessors are used to access bulk data from various sources using a standard file-like interface.
| Plugin/Function | Type | Description |
|---|---|---|
| auto | Accessor | Access the file using the best accessor possible |
| bzip2 | Accessor | Access the content of bzip2 files |
| collector | Accessor | Open a collector zip file as if it was a directory - automatically |
| collector_sparse | Accessor | Open a collector zip file as if it was a directory |
| data | Accessor | Makes a string appears as an in-memory file |
| ewf | Accessor | Allow reading an EWF file |
| ext4 | Accessor | Access files by parsing the raw ext4 filesystems |
| fat | Accessor | Access the FAT filesystem inside an image by parsing FAT |
| file | Accessor | Access files using the operating system’s API |
| file_links | Accessor | Access the filesystem using the OS APIs |
| file_nocase | Accessor | Access files using the operating system’s API |
| fs | Accessor | Provide access to the server’s filestore and datastore |
| fs_sparse | Accessor | Provide access to the server’s filestore and datastore |
| gzip | Accessor | Access the content of gzip files |
| lazy_ntfs | Accessor | Access the NTFS filesystem by parsing NTFS structures |
| me | Accessor | Access files bundled inside the Velociraptor binary itself |
| mft | Accessor | The mft accessor is used to access arbitrary MFT streams as |
| mscfb | Accessor | Parse a MSCFB file as an archive |
| ntfs | Accessor | Access the NTFS filesystem by parsing NTFS structures |
| ntfs_vss | Accessor | Access the NTFS filesystem by considering all VSS |
| offset | Accessor | Allow reading another file from a specific offset |
| overlay | Accessor | Merges several paths into a single path |
| pipe | Accessor | Read from a VQL pipe |
| process | Accessor | Access process memory like a file |
| pst | Accessor | An accessor to open attachments in PST files |
| ranged | Accessor | Reconstruct sparse files from idx and base |
| raw_ext4 | Accessor | Access the Ext4 filesystem inside an image by parsing the image |
| raw_file | Accessor | Access the filesystem using the OS API |
| raw_ntfs | Accessor | Access the NTFS filesystem inside an image by parsing NTFS |
| raw_reg | Accessor | Access keys and values by parsing a raw registry hive |
| reg | Accessor | An alias for the registry accessor, which accesses the registry using the |
| registry | Accessor | Access the registry like a filesystem using the OS APIs |
| s3 | Accessor | Allows access to S3 buckets |
| scope | Accessor | Present the content of a scope variable as a file |
| smb | Accessor | Access smb shares (e |
| sparse | Accessor | Allows reading another file by overlaying a sparse map on top of |
| ssh | Accessor | Access a remote system’s filesystem via SSH/SFTP |
| vfs | Accessor | Access client’s VFS filesystem on the server |
| vhdx | Accessor | Allow reading a VHDX file |
| vmdk | Accessor | Allow reading a VMDK file |
| winpmem | Accessor | Access physical memory like a file |
| zip | Accessor | Open a zip file as if it was a directory |
| zip_nocase | Accessor | Open a zip file as if it was a directory |