{"id":13738876,"url":"https://github.com/cado-security/varc","last_synced_at":"2025-05-08T18:31:07.693Z","repository":{"id":62593012,"uuid":"537488988","full_name":"cado-security/varc","owner":"cado-security","description":"Volatile Artifact Collector collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.","archived":true,"fork":false,"pushed_at":"2024-11-18T10:23:04.000Z","size":1268,"stargazers_count":253,"open_issues_count":4,"forks_count":13,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-05T17:02:11.164Z","etag":null,"topics":["aws","aws-fargate","aws-forensics","aws-lambda","cloud-security","dfir","dfir-automation","docker-forensics","eks-forensics","fargate-forensics","forensics","hacktoberfest","memory-forensics","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cado-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"Contributing.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-16T14:18:03.000Z","updated_at":"2025-03-26T02:06:46.000Z","dependencies_parsed_at":"2022-11-03T23:08:44.079Z","dependency_job_id":"55daf9cc-83ec-4098-8238-2a9f7113f16d","html_url":"https://github.com/cado-security/varc","commit_stats":{"total_commits":44,"total_committers":4,"mean_commits":11.0,"dds":"0.34090909090909094","last_synced_commit":"d878d97336587a7e0e7dd2ba6d9a37c2331603df"},"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cado-security%2Fvarc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cado-security%2Fvarc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cado-security%2Fvarc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cado-security%2Fvarc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cado-security","download_url":"https://codeload.github.com/cado-security/varc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252954125,"owners_count":21830892,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-fargate","aws-forensics","aws-lambda","cloud-security","dfir","dfir-automation","docker-forensics","eks-forensics","fargate-forensics","forensics","hacktoberfest","memory-forensics","security"],"created_at":"2024-08-03T04:00:18.850Z","updated_at":"2025-05-08T18:31:06.771Z","avatar_url":"https://github.com/cado-security.png","language":"Python","readme":"# varc (Volatile Artifact Collector) #\n![ci](https://github.com/cado-security/varc/actions/workflows/app-ci.yml/badge.svg?branch=main)\n[![PyPI version](https://badge.fury.io/py/varc.svg)](https://badge.fury.io/py/varc)\n\nvarc collects a snapshot of volatile data from a system.\nIt tells you what is happening on a system, and is of particular use when investigating a security incident.\n\nIt creates a zip, which contains a number of different pieces of data to understand what is happening on a 
system:\n- JSON files e.g. running processes and what network connections they are making\n- Memory of running processes, on a per-process basis. This is also carved to extract log and text data from memory\n- Netstat data of active connections\n- The contents of open files, for example running binaries\n- Details of which processes triggered a provided compiled YARA rule file\n\nWe have successfully executed it across:\n- Windows\n- Linux\n- OSX\n- Cloud environments such as AWS EC2\n- Containerised Docker/Kubernetes environments such as AWS ECS/EKS/Fargate and Azure AKS\n- Even serverless environments such as AWS Lambda\n\nCheck out the example captures under the \"Releases\" tab to see some crazy data!\nThe screen recording below shows a collection from a Docker container (left) and the output from running inside an AWS Lambda function which deployed Xmrig (right):\n\n![](docs/varc_demo.gif)\n\nIn line with the order of volatility, we collect process memory before anything else. Note that varc, and any other tool that runs inside a system, will impact the memory of a system.\n\n### Using as a compiled binary ###\nYou can find compiled binaries for Windows, Linux and OSX under the Releases tab.\nSimply execute and a zip is created with the output.\nTo access some data, you will need to run with elevated privileges (i.e. 
sudo or root on Linux).\n```\nusage: varc [-h] [--skip-memory] [--skip-open] [--dump-extract] ...\n\noptional arguments:\n  -h, --help      show this help message and exit\n  --skip-memory   Skip collecting process memory, which can be slow\n  --skip-open     Skip collecting open files, which can be slow\n  --dump-extract  Extract process memory dumps, which can be slow\n```\n\n### Using as a Python library ###\n\nInstall from pip with:\n```\npip3 install varc\n```\n\nOr alternatively, clone this repository then install with:\n```\npython3 setup.py install\n```\n\nThen call with: \n```\nfrom varc import acquire_system\noutput_file_path = acquire_system().zip_path\n```\n\n### Automated Investigations and Response ###\nvarc significantly simplifies the acquisition and analysis of volatile data.\nWhilst it can be used manually on an ad-hoc basis, it is a great match for automatic deployment in response to security detections.\nThe output of varc is designed to be easily consumed by other tools, in standard JSON format as much as possible.\n\nA typical pipeline might be:\n* A detection is fired from a detection tool\n* varc is deployed to collect and identify further activity\n* Further remediation actions are taken based on the analysis of varc output\n\n ### Why are the collected memory files empty? 
###\nProcess memory collection is not currently supported on OSX.\n\nIf you run varc on a Linux system without the Ptrace Kernel capability enabled, you will get empty memory files.\nYou will still get detailed system output.\n\nFor example, in our testing:\n* AWS Lambda successfully dumped process memory by default.\n* EKS on EC2 successfully dumped process memory by default.\n* ECS on Fargate required us to enable [CAP_SYS_PTRACE](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-kernelcapabilities.html) in our task definition.\n\n\n### Using the collected data ###\nAll data is saved in an open, non-proprietary format in the hope it can easily be processed by other community tools.\n\nOur free tool [Cado Community Edition](https://www.cadosecurity.com/cado-community-edition/) will happily parse this zip, and display the JSON data tables as intended.\n\nOur commercial tool [Cado Response](https://www.cadosecurity.com/platform/) additionally enables you to automatically capture both static and volatile data from systems through Cado Host. By using the API, you can automatically investigate and respond to detections from third party tools such as an EDR like SentinelOne or a cloud detection tool like GuardDuty.\n\nHere is an example of varc output for a Lambda function running xmrig, viewed in [Cado Community Edition](https://www.cadosecurity.com/cado-community-edition/):\n![](docs/varc.png)\n\n### License ###\nThis is licensed under the GPL. Please contact us if this does not work for your use case - we may be able to alternatively license under a non-copyleft license such as the Apache License. We're friendly!\nAs this software is licensed under the GPL and used in our commercial product, we ask any contributors to sign a simple Contributor License Agreement (CLA). 
\n\n### License ###\nWe would love any Pull Requests or Bug Reports!\n\n\n","funding_links":[],"categories":["Tool"],"sub_categories":["Memory Acquisition"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcado-security%2Fvarc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcado-security%2Fvarc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcado-security%2Fvarc/lists"}