This document introduces VARC (Volatile Artifact Collector), a tool for collecting snapshots of volatile system data from Windows, Linux, macOS, EC2, containers, and serverless environments. It aims to provide a simple, cross-platform, and reliable solution for investigating security incidents. The document discusses the motivation for VARC, including limitations of existing tools, and technical challenges in accessing memory on different platforms. It then demonstrates VARC and outlines areas for further work, such as improving memory acquisition on Mac and support for older Linux kernels.
6. What is varc?
● Volatile artifact collector
● Collects snapshots of volatile data from a system
● Useful for investigating security incidents
● Cross-platform - Windows, Linux, macOS, EC2, Containers, Serverless
● Compiled binary and Python library
8. Motivation and Design Philosophy
Portability
● Existing solutions have platform-specific limitations
● Support the same platforms as Cado Response
● Leverage cross-platform Python libraries
● Ability to use as a Python library
Reliability
● “Just Works” solution
● Base level of functionality across supported platforms
Simplicity
● Output is JSON
● Human-readable and easily parsable
● Memory acquisition is optional
● Run manually or as part of an incident response pipeline
9. Existing Solutions - where does varc fit?
Volatility 2
● Profiles for modern operating systems no longer published
● Volatility 3 no longer GPL-2.0
● No serverless/container support
10. Existing Solutions - where does varc fit?
Rekall
● Python-based
● Integrated into GRR
● Discontinued
● Final commits in 2020
12. Technical challenges
● Easy to understand and expand
● Dual use case of tool and product integration
● Striking the balance of usefulness, data volume and system impact
● Actually accessing memory
13. Accessing memory
● Memory dumping isn’t new (but it is still a pain)
● Built-in OS memory tools are more developer-focused than investigator-focused
● Each supported platform is different
● Cloud and containers add their own constraints
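To make "each supported platform is different" concrete, here is one way to read raw process memory on Linux, where the kernel exposes a process's address map in /proc/<pid>/maps and its memory in /proc/<pid>/mem. This is an added example and not varc's own code; the sample maps text is constructed, and the region-skipping rules and the ptrace caveat are this example's own choices. macOS and Windows have no /proc, which is exactly why a cross-platform collector needs a separate acquisition path per OS.

```python
"""Linux process-memory reader via /proc/<pid>/maps and /proc/<pid>/mem.

Added example, not varc's own code. Other platforms need a different
acquisition path (there is no /proc on macOS or Windows).
"""
import os
import re
from dataclasses import dataclass

# One line of /proc/<pid>/maps: range, perms, offset, dev, inode, optional path.
_MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")

# Constructed maps output for a fictional process (not captured from a real host).
SAMPLE_MAPS = """\
55c0a1e00000-55c0a1e01000 r--p 00000000 fd:01 1234567                    /usr/bin/python3
55c0a1e01000-55c0a1e02000 r-xp 00001000 fd:01 1234567                    /usr/bin/python3
55c0a2f00000-55c0a2f21000 rw-p 00000000 00:00 0                          [heap]
7f3c2c021000-7f3c30000000 ---p 00000000 00:00 0
7ffd6b7f0000-7ffd6b7f4000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""


@dataclass(frozen=True)  # frozen so regions can be dict keys
class MapRegion:
    start: int
    end: int
    perms: str  # e.g. "rw-p"
    path: str   # backing file, "[heap]", "[stack]", ... or "" for anonymous memory

    @property
    def size(self):
        return self.end - self.start

    @property
    def readable(self):
        return self.perms[0] == "r"


def parse_maps(text):
    """Parse /proc/<pid>/maps text into MapRegion objects; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line)
        if m:
            regions.append(MapRegion(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return regions


def select_regions(regions, skip=("[vvar]", "[vsyscall]")):
    """Readable regions worth dumping. [vvar] commonly returns EIO through
    /proc/<pid>/mem and [vsyscall] lies above the signed 64-bit offset range
    that seek() accepts, so both are skipped up front (this example's choice)."""
    return [r for r in regions if r.readable and r.path not in skip]


def dump_process(pid, max_bytes_per_region=None):
    """Copy each selected region out of /proc/<pid>/mem.

    Reading another process needs ptrace access (same uid with
    kernel.yama.ptrace_scope=0, or CAP_SYS_PTRACE). A region that cannot be
    read is recorded in `skipped` and the dump carries on with the next one.
    """
    with open(f"/proc/{pid}/maps") as f:
        regions = select_regions(parse_maps(f.read()))
    dumped, skipped = {}, {}
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in regions:
            n = r.size if max_bytes_per_region is None else min(r.size, max_bytes_per_region)
            try:
                mem.seek(r.start)
                dumped[r] = mem.read(n)
            except (OSError, OverflowError) as exc:
                skipped[r] = str(exc)
    return dumped, skipped


if __name__ == "__main__":
    # Dump the first 4 KiB of each readable region of this very process (Linux only).
    dumped, skipped = dump_process(os.getpid(), max_bytes_per_region=4096)
    for region, data in dumped.items():
        print(f"{region.start:#x}-{region.end:#x} {region.perms} "
              f"{region.path or '<anon>'} {len(data)} bytes")
    print(f"{len(skipped)} regions skipped")
```

Running it against your own PID works without extra privilege; pointing it at another user's process is where the ptrace rules bite, which is one reason the slides call memory access "still a pain".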
14. Priority of volatility
● What do we want to grab?
● How will collecting it affect other data?
● What order should we do things in?
● Catch it while you can (most volatile first):
○ Network connections & open files
○ Running processes
○ Allocated file system entries
○ Unallocated file system entries
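The ordering above, together with the design goals from the earlier slides (JSON output, optional memory acquisition, a base level of functionality that "just works" even when one source is unavailable), can be expressed as a small collector. The code below is an added example, not varc's own implementation: the collector names, the /proc/net/tcp sample and the decision to run memory acquisition last behind a separate switch are this example's assumptions. The /proc-backed collectors only work on Linux; the snapshot logic itself is platform-neutral.

```python
"""Order-of-volatility collector, an added example in the spirit of varc
(not varc's own code). Collectors run most-volatile first, a failing
collector is recorded rather than fatal, and the snapshot is emitted as JSON.
"""
import json
import os
import socket
import struct
import time

# Most volatile first: what disappears soonest is captured first.
ORDER_OF_VOLATILITY = (
    "network_connections",
    "open_files",
    "running_processes",
    "allocated_fs_entries",
    "unallocated_fs_entries",
)

# State column of /proc/net/tcp (hex) to name, per the kernel's tcp_states.h.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B6C4 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _hex_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22); the IPv4 part is little-endian hex."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        lip, lport = _hex_addr(cols[1])
        rip, rport = _hex_addr(cols[2])
        conns.append({
            "local": f"{lip}:{lport}",
            "remote": f"{rip}:{rport}",
            "state": TCP_STATES.get(cols[3].upper(), cols[3]),
            "inode": int(cols[9]),  # joins to /proc/<pid>/fd/* -> socket:[inode]
        })
    return conns


def linux_collectors():
    """Collectors backed by /proc (Linux only); root is needed to see every process."""
    def processes():
        out = []
        for pid in (p for p in os.listdir("/proc") if p.isdigit()):
            try:
                with open(f"/proc/{pid}/cmdline", "rb") as f:
                    cmd = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
            except OSError:
                continue  # process exited between listdir and open
            out.append({"pid": int(pid), "cmdline": cmd})
        return out

    return {
        "network_connections": lambda: parse_proc_net_tcp(open("/proc/net/tcp").read()),
        "running_processes": processes,
    }


def collect_snapshot(collectors, include_memory=False):
    """Run collectors in ORDER_OF_VOLATILITY; one failure does not abort the rest."""
    snapshot = {"collected_at": time.time(), "artifacts": {}, "errors": {}}
    for name in ORDER_OF_VOLATILITY:
        collector = collectors.get(name)
        if collector is None:
            continue  # base-level functionality: skip what this platform lacks
        try:
            snapshot["artifacts"][name] = collector()
        except Exception as exc:  # keep going; less volatile data is still worth having
            snapshot["errors"][name] = f"{type(exc).__name__}: {exc}"
    # Memory is optional and heavy, so it sits behind its own switch and runs
    # last (this example's choice, trading data volume against usefulness).
    if include_memory and "process_memory" in collectors:
        try:
            snapshot["artifacts"]["process_memory"] = collectors["process_memory"]()
        except Exception as exc:
            snapshot["errors"]["process_memory"] = f"{type(exc).__name__}: {exc}"
    return snapshot


def snapshot_json(collectors, include_memory=False):
    """JSON keeps the snapshot human-readable and trivially parsable downstream."""
    return json.dumps(collect_snapshot(collectors, include_memory), indent=2)


if __name__ == "__main__":
    print(snapshot_json(linux_collectors()))
```

The `errors` map is what makes this usable in a pipeline: a collector that fails on a locked-down container still yields a valid JSON document with everything else in it, and the insertion order of `artifacts` records which data was captured first.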
18. Recap
● VARC is a tool to collect volatile data
● Designed for investigators
● CLI tool or as part of a data pipeline
● Gives you info on:
○ Running processes
○ Network connections
○ Open files
○ Raw process memory
● GPLv3 Licence
19. Further Work
● Four key areas:
○ Mac memory acquisition
○ Mac network connection enumeration
○ Support for older Linux kernels
○ Improve process dumping
● Find us on GitHub, PRs and issues welcome!