create_offline_collector
Generate self-contained forensic collection packages for air-gapped systems to gather artifacts without network connectivity.
Instructions
Create an offline collection package for air-gapped systems.
Generates a self-contained package that collects forensic artifacts without requiring network connectivity to a Velociraptor server.
Args:
- artifacts: List of artifacts to collect (e.g., ['Windows.System.Pslist'])
- target_os: Target OS - 'windows', 'linux', or 'macos'
- artifact_set: Use predefined artifact set instead of listing artifacts. Options: 'windows_triage', 'windows_quick', 'linux_triage', 'macos_triage', 'memory', 'ransomware'
- encrypt_output: Encrypt collection output with a generated password
- deployment_id: Optional deployment ID for tracking
Returns: Path to generated collector package and usage instructions.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
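| artifacts | Yes | List of artifacts to collect (e.g., ['Windows.System.Pslist']) | |
| target_os | No | Target OS - 'windows', 'linux', or 'macos' | windows |
| artifact_set | No | Use predefined artifact set instead of listing artifacts | |
| encrypt_output | No | Encrypt collection output with a generated password | |
| deployment_id | No | Optional deployment ID for tracking | |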
Implementation Reference
- The handler for the create_offline_collector tool, which generates an offline forensic collection package.
```python
# Imports this handler needs; the page shows only the function itself.
import json
from typing import Optional

from mcp.types import TextContent


async def create_offline_collector(
    artifacts: list[str],
    target_os: str = "windows",
    artifact_set: Optional[str] = None,
    encrypt_output: bool = False,
    deployment_id: Optional[str] = None,
) -> list[TextContent]:
    """Create an offline collection package for air-gapped systems.

    Generates a self-contained package that collects forensic artifacts
    without requiring network connectivity to a Velociraptor server.

    Args:
        artifacts: List of artifacts to collect (e.g., ['Windows.System.Pslist'])
        target_os: Target OS - 'windows', 'linux', or 'macos'
        artifact_set: Use predefined artifact set instead of listing artifacts.
            Options: 'windows_triage', 'windows_quick', 'linux_triage',
            'macos_triage', 'memory', 'ransomware'
        encrypt_output: Encrypt collection output with a generated password
        deployment_id: Optional deployment ID for tracking

    Returns:
        Path to generated collector package and usage instructions.
    """
    try:
        from ..deployment.agents import OfflineCollectorGenerator
        from ..deployment.agents.offline_collector import CollectorConfig
        from ..deployment.security.credential_store import generate_password

        generator = OfflineCollectorGenerator()

        # Use artifact set if specified (this replaces the caller's artifacts list)
        if artifact_set:
            artifacts = generator.get_artifact_set(artifact_set)

        # Generate encryption password if needed
        encryption_password = None
        if encrypt_output:
            encryption_password = generate_password(32)

        config = CollectorConfig(
            artifacts=artifacts,
            encrypt_output=encrypt_output,
            encryption_password=encryption_password,
            deployment_id=deployment_id,
        )

        result = await generator.generate(config, target_os)

        response = result.to_dict()
        if encrypt_output:
            # The password is returned to the caller once, in the JSON reply
            response["encryption_password"] = encryption_password
            response["password_warning"] = "Save this password - it will not be shown again"

        return [TextContent(
            type="text",
            text=json.dumps(response, indent=2)
        )]

    except ImportError as e:
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": f"Missing dependency: {str(e)}",
                "hint": "Install required packages with: pip install megaraptor-mcp[deployment]"
            }, indent=2)
        )]

    except Exception:
        # Generic errors - don't expose internals
        return [TextContent(
            type="text",
            text=json.dumps({
                "error": "Operation failed",
                "hint": "Check deployment configuration and try again"
            }, indent=2)
        )]
```
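The handler shown does not itself check `target_os` or `artifact_set` against the documented options, and it returns the generated password inside the JSON reply. The following is an added example, not code from megaraptor-mcp: caller-side helpers that check arguments before the call and move the one-time password out of the reply into an owner-only file before the reply is logged. The function names, the secret path and the `deployment_id` key in the sample reply are assumptions.

```python
import json
import os

TARGETS = {"windows", "linux", "macos"}
ARTIFACT_SETS = {"windows_triage", "windows_quick", "linux_triage",
                 "macos_triage", "memory", "ransomware"}


def check_arguments(artifacts, target_os="windows", artifact_set=None):
    """Return a list of findings for values outside the documented options."""
    problems = []
    if target_os not in TARGETS:
        problems.append(f"unknown target_os: {target_os!r}")
    if artifact_set is not None and artifact_set not in ARTIFACT_SETS:
        problems.append(f"unknown artifact_set: {artifact_set!r}")
    if artifact_set and artifacts:
        # The handler replaces `artifacts` with the contents of the set.
        problems.append("artifact_set overrides the artifacts list")
    if not artifact_set and not artifacts:
        problems.append("no artifacts and no artifact_set given")
    return problems


def split_secret(response_text, secret_path):
    """Parse the tool's JSON reply, store the password once, return a loggable dict."""
    reply = json.loads(response_text)
    if "error" in reply:
        raise RuntimeError(f"{reply['error']} ({reply.get('hint', 'no hint')})")
    password = reply.pop("encryption_password", None)
    reply.pop("password_warning", None)
    if password is not None:
        # O_EXCL refuses to overwrite an earlier secret; 0o600 keeps it owner-only.
        fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
        reply["encryption_password"] = f"<stored in {secret_path}>"
    return reply


# Constructed sample reply: only the two password keys come from the handler
# shown on this page; "deployment_id" stands in for the result.to_dict() fields.
SAMPLE_REPLY = json.dumps({
    "deployment_id": "CASE-0001",
    "encryption_password": "constructed-sample-password",
    "password_warning": "Save this password - it will not be shown again",
})
```
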