Velociraptor can also be used as a triage collection tool.

We can use Velociraptor to hunt for many artifacts across the network. Ultimately, however, the Velociraptor agent simply runs VQL to collect its artifacts. What if we could just collect the artifacts interactively, directly on the machine?

We certainly can do this!

Triaging a system.

When triaging a system our goal is to collect and preserve as much data from the system as possible, as quickly as possible.

First, let's see which artifacts come built in with Velociraptor:

$ velociraptor artifacts list

Now we just select which artifact to collect and specify an output zip file in which to store the results:

F:\>velociraptor.exe artifacts collect -v Windows.Triage.WebBrowsers --output f:\output\
[INFO] 2019-04-01T03:49:38-07:00 Loaded 99 built in artifacts
[INFO] 2019-04-01T03:49:38-07:00 Collecting file \C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Cookies
[INFO] 2019-04-01T03:49:38-07:00 Collecting file \C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal
[INFO] 2019-04-01T03:49:38-07:00 Collecting file \C:\Users\test\AppData\Local\Google\Chrome\User Data\Default\Current Session
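A triage collection is only as useful as its integrity later: once the files above have been pulled off the host, an examiner needs to show they have not changed. The POSIX shell wrapper below is an added example, not part of the original page or of the Velociraptor project. It runs the same `artifacts collect -v ... --output` command for a list of artifacts, logs the verbose output next to the collected files, and then writes a SHA-256 manifest of everything in the output location so the collection can be re-verified. The `VELO_BIN` variable, the `collect_artifacts`, `write_manifest` and `verify_manifest` function names and the `MANIFEST.sha256` file name are this example's own conventions; it assumes GNU `sha256sum` is available.

```shell
#!/bin/sh
# Added example (not from the Velociraptor project): wrap an interactive
# triage collection and produce an integrity manifest of the output.
# Assumptions: a `velociraptor` binary is on PATH (or set VELO_BIN), and the
# output directory is writable. Collected files are treated as read-only
# evidence; nothing here modifies them.

VELO_BIN="${VELO_BIN:-velociraptor}"

# collect_artifacts OUTDIR ARTIFACT...
# Collects each named artifact into OUTDIR, appending the verbose collection
# log (the "Collecting file ..." lines shown on the page) to OUTDIR/collection.log.
collect_artifacts() {
    outdir="$1"; shift
    mkdir -p "$outdir"
    for artifact in "$@"; do
        "$VELO_BIN" artifacts collect -v "$artifact" --output "$outdir" 2>&1 \
            | tee -a "$outdir/collection.log"
    done
}

# write_manifest OUTDIR
# Hashes every file under OUTDIR (except the manifest itself) into
# OUTDIR/MANIFEST.sha256 and prints the number of files hashed.
write_manifest() {
    outdir="$1"
    manifest="$outdir/MANIFEST.sha256"
    : > "$manifest"
    # Sorted so the manifest is reproducible; paths with spaces are preserved.
    find "$outdir" -type f ! -name MANIFEST.sha256 | sort | while read -r f; do
        sha256sum "$f" >> "$manifest"
    done
    wc -l < "$manifest" | tr -d ' '
}

# verify_manifest OUTDIR
# Returns 0 when every hash in the manifest still matches, non-zero otherwise.
verify_manifest() {
    sha256sum -c "$1/MANIFEST.sha256" > /dev/null
}

# Typical use (artifact name taken from the page; output path is an example):
#   collect_artifacts /mnt/output Windows.Triage.WebBrowsers
#   write_manifest /mnt/output
#   verify_manifest /mnt/output && echo "collection intact"
```

Keep `MANIFEST.sha256` with the evidence, and record its own hash separately (for instance in the case notes), so that a later `verify_manifest` run proves both the files and the manifest are the ones produced at collection time.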