Skip to main content

varc Volatile Artifact Collector

Project description

varc (Volatile Artifact Collector)

This tool collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

It creates a zip, which contains a number of different pieces of data to understand what is happening on a system:

  • JSON files e.g. running processes and what network connections they are making
  • Memory of running proccesses, on a per-process basis. This is also carved to extract log and text data from memory
  • Netstat data of active connections
  • Binary blob data, e.g. The allocated memory of running processes, along with extracted log events in a log format.
  • The contents of open files, for example running binaries

We have successfully executed it across:

  • Windows
  • Linux
  • OSX
  • Cloud environments such as AWS EC2
  • Containerised Docker/Kubernetes environments such as AWS ECS/EKS/Fargate and Azure AKS
  • Even serverless environments such as AWS Lambda

Check out the example captures under the "Releases" tab to see some crazy data! The screen recording below shows a collection from a Docker container (left) and the output from running inside and AWS Lambda function which deployed Xmrig (right):

In line with the order of volatility, we collect process memory before anything else. Note that varc, and any other tool that runs inside a system, will impact the memory of a system.

Using as a compiled binary

You can find compiled binaries for Windows, Linux and OSX under the Releases tab. Simply execute and a zip is created with the output. To access some data, you will need to run with elevated privileges (i.e. sudo or root on Linux).

usage: varc [-h] [--skip-memory] [--skip-open] [--dump-extract] ...

optional arguments:
  -h, --help      show this help message and exit
  --skip-memory   Skip collecting process memory, which can be slow
  --skip-open     Skip collecting open files, which can be slow
  --dump-extract  Extract process memory dumps, which can be slow

Using as a library

Or alternatively, clone this repository then install with:

python3 setup.py install

Then call with:

from varc import acquire_system
output_file_path = acquire_system().zip_path

Automated Investigations and Response

varc significantly simplifies the acquisition and analysis of volatile data. Whilst it can be used manually on an ad-hoc basis, it is a great match for automatic deployment in response to security detections. The output of varc is designed to be easily consumed by other tools, in standard JSON format as much as possible.

A typical pipeline might be:

  • A detection is fired from a detection tool
  • varc is deployed to collect and identify further activity
  • Further remediation actions are taken based on the analysis of varc output

Why are the collected memory files empty?

Process memory collection is not currently supported on OSX.

If you run varc on a Linux system without the Ptrace Kernel capability enabled, you will get empty memory files. You will still get detailed system output.

For example, in our testing:

  • AWS Lambda successfully dumped process memory by default.
  • EKS on EC2 successfully dumped process memory by default.
  • ECS on Fargate required us to enable CAP_SYS_PTRACE in our task definition.

Using the collected data

All data is saved in an open, non-propietary format in the hope it can easily be processed by other community tools.

Our free tool Cado Community Edition will happily parse this zip, and display the JSON data tables as intended.

Our commercial tool Cado Response additionally enables you to automatically capture both static and volatile data from systems through Cado Host. By using the API, you can automatically investigate and respond to to detections from third party tools such as an EDR like SentinelOne or a cloud detection tool like GuardDuty.

Here is an example of varc output for a Lambda function running xmrig, viewed in Cado Community Edition:

License and Contributing

We would love any Pull Requests or Bug Reports!

This is licensed under the GPL. Please contact us if this doesn’t work for your use case - we may be able to alternatively license under a non-copyleft license such as the Apache License. We're friendly! As this software is licensed under the GPL and used in our commercial product, we ask any contributors to sign a simple Contributor License Agreement (CLA).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

varc-1.0.2.tar.gz (26.4 kB view details)

Uploaded Source

File details

Details for the file varc-1.0.2.tar.gz.

File metadata

  • Download URL: varc-1.0.2.tar.gz
  • Upload date:
  • Size: 26.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.9.13

File hashes

Hashes for varc-1.0.2.tar.gz
Algorithm Hash digest
SHA256 4fa6aab38043f782931f084ec3e17b32d2ecf3ed0575b1a2740e70ec84f82dc7
MD5 32e11f6fb975fe1d2b110006f02761d2
BLAKE2b-256 40a667d9f1e9f6fcf954f67c1b0e5ac658b80832fa1ea42730bde8cfc926c851

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page