What This Collector Gathers
Artifacts collected:
- KAPE Triage targets
- SANS Triage collection
- Live system data
- Basic collection artifacts
- Sysinternals Autoruns analysis
Includes Volume Shadow Copy snapshots up to 3 days old.
How to Use the Collector
1. Download: Grab the latest release and place it on the host you are triaging.
2. Collect: Run the executable with administrative privileges and let it finish.
3. Extract: Retrieve the generated ZIP archive for immediate analysis.
Fast Deployment
Single download with pre-packaged artifacts keeps triage moving even during active incidents.
Defender Friendly
Predictable behavior and an open build pipeline reduce the friction of running evidence collection on critical hosts.
Actionable Output
Combines live system data with historical snapshots, giving investigators immediate context.
Need deeper customization?
Fork the project, tweak the Velociraptor artifacts, and keep your responders aligned with your playbooks.
Threat Hunting & Incident Response with Velociraptor
Hands-on training that dives into the same workflows powering this collector.