Memory Forensics and Volatility Framework

Varc is a forensic collection tool that runs on Windows, Linux and OSX, and in cloud environments such as AWS and Azure. Installation consists of cloning the repository and running its setup script; some data can only be collected with elevated privileges. The rest of the document maps Volatility 2 plugins to their Volatility 3 equivalents for analysing a memory image: OS identification, processes, network activity, the registry, files and malware indicators.


Source: https://github.com/cado-security/varc

Varc can be executed across:

• Windows
• Linux
• OSX
• AWS Lambda
• Cloud environments such as AWS EC2
• Containerised Docker/Kubernetes environments such as AWS ECS/EKS/Fargate and Azure AKS

Cloud forensics using Varc (list the available options):
# python3 varc.py -h

Varc installation process:

1. Clone the repository, then install with:
# python3 setup.py install
2. Then run it from the command line:
# python3 varc.py
   or call it from Python, which returns the path of the zip archive holding the collected artefacts:
from varc import acquire_system
output_file_path = acquire_system().zip_path

To access some data you will need to run with elevated privileges (i.e. sudo or root on Linux).
Information about OS

IMAGEINFO
  Volatility 2:
  • vol.py -f "/path/file" imageinfo
  • vol.py -f "/path/file" kdbgscan
  Volatility 3:
  • vol.py -f "/path/file" windows.info

Volatility 2 needs the profile these plugins identify (passed as --profile <profile> in every command below); Volatility 3 resolves the kernel symbols itself, so no profile is passed and windows.info is purely informational.

Information about Process

PSLIST
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> pslist
  • vol.py -f "/path/file" --profile <profile> psscan
  • vol.py -f "/path/file" --profile <profile> pstree
  • vol.py -f "/path/file" --profile <profile> psxview
  Volatility 3:
  • vol.py -f "/path/file" windows.pslist
  • vol.py -f "/path/file" windows.psscan
  • vol.py -f "/path/file" windows.pstree
  (Volatility 3 has no psxview; compare windows.pslist with windows.psscan to spot processes missing from the active-process list.)

PROCDUMP
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> procdump -p <PID> --dump-dir="/path/dir"
  Volatility 3:
  • vol.py -f "/path/file" -o "/path/dir" windows.dumpfiles --pid <PID>
  • vol.py -f "/path/file" -o "/path/dir" windows.pslist --pid <PID> --dump (dumps only the process executable, the closest match to procdump)

MEMDUMP
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> memdump -p <PID> --dump-dir="/path/dir"
  Volatility 3:
  • vol.py -f "/path/file" -o "/path/dir" windows.memmap --dump --pid <PID>

HANDLES
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> handles -p <PID>
  Volatility 3:
  • vol.py -f "/path/file" windows.handles --pid <PID>

DLLS
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> dlllist -p <PID>
  Volatility 3:
  • vol.py -f "/path/file" windows.dlllist --pid <PID>

CMDLINE
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> cmdline
  • vol.py -f "/path/file" --profile <profile> cmdscan
  • vol.py -f "/path/file" --profile <profile> consoles
  Volatility 3:
  • vol.py -f "/path/file" windows.cmdline
Information about Network

NETSCAN
  Volatility 2 (Vista and later):
  • vol.py -f "/path/file" --profile <profile> netscan
  Volatility 2 (XP/2003):
  • vol.py -f "/path/file" --profile <profile> connscan
  • vol.py -f "/path/file" --profile <profile> connections
  • vol.py -f "/path/file" --profile <profile> sockscan
  • vol.py -f "/path/file" --profile <profile> sockets
  Volatility 3:
  • vol.py -f "/path/file" windows.netscan
  • vol.py -f "/path/file" windows.netstat
  (netscan pool-scans for connection and socket objects, so it also recovers closed or freed entries; windows.netstat walks the live kernel structures and shows only what was current at acquisition time. Run both and diff them.)
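Volatility 2's psxview has no Volatility 3 counterpart, so the hidden-process check in the Process section has to be done by comparing windows.pslist with windows.psscan, and the same PID join is what ties the Network section's windows.netscan sockets back to a process. The script below is an added example, not part of the original cheat sheet and not Volatility code. It parses the output that Volatility 3 produces with its real `-r json` renderer flag; the sample rows are constructed for this example and trimmed to the columns the checks use (real output carries every column the plugin prints), and the expected-parent table is an illustrative heuristic, not a Volatility feature.

```python
"""Cross-check Volatility 3 pslist, psscan and netscan output for hidden processes.

Sample data is constructed and trimmed; real `vol.py -r json` output has more columns.
"""
import json
from collections import Counter

# Constructed sample in the shape of `vol.py -r json -f mem.raw windows.pslist`.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "__children": []},
 {"PID": 504,  "PPID": 4,    "ImageFileName": "smss.exe",     "__children": []},
 {"PID": 620,  "PPID": 504,  "ImageFileName": "wininit.exe",  "__children": []},
 {"PID": 680,  "PPID": 620,  "ImageFileName": "services.exe", "__children": []},
 {"PID": 700,  "PPID": 620,  "ImageFileName": "lsass.exe",    "__children": []},
 {"PID": 900,  "PPID": 680,  "ImageFileName": "svchost.exe",  "__children": []},
 {"PID": 2500, "PPID": 2300, "ImageFileName": "explorer.exe", "__children": []},
 {"PID": 3100, "PPID": 2500, "ImageFileName": "lsass.exe",    "__children": []}
]"""

# Constructed windows.psscan sample: the same rows plus one EPROCESS that pool
# scanning finds but the linked list walked by pslist does not (unlinked/hidden).
HIDDEN_ROW = '{"PID": 3300, "PPID": 900, "ImageFileName": "svch0st.exe", "__children": []}'
PSSCAN_JSON = PSLIST_JSON.rstrip()[:-1] + ",\n " + HIDDEN_ROW + "\n]"

# Constructed windows.netscan sample (documentation IP ranges, not real hosts).
NETSCAN_JSON = """[
 {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812, "ForeignAddr": "203.0.113.7",
  "ForeignPort": 443, "State": "ESTABLISHED", "PID": 3300, "Owner": "svch0st.exe", "__children": []},
 {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49701, "ForeignAddr": "198.51.100.20",
  "ForeignPort": 443, "State": "ESTABLISHED", "PID": 900, "Owner": "svchost.exe", "__children": []},
 {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 135, "ForeignAddr": "0.0.0.0",
  "ForeignPort": 0, "State": "LISTENING", "PID": 900, "Owner": "svchost.exe", "__children": []}
]"""

# Heuristic (assumption for illustration): expected parent of core Windows processes
# and which of them should exist exactly once. Names are compared lower-cased.
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}


def load_rows(text):
    """Parse `vol.py -r json` output into a flat list of row dicts.

    The json renderer nests child rows under "__children" (pstree uses this);
    flattening lets one loader serve every plugin on the cheat sheet."""
    def walk(rows):
        for row in rows:
            yield {k: v for k, v in row.items() if k != "__children"}
            yield from walk(row.get("__children", []))
    return list(walk(json.loads(text)))


def hidden_processes(pslist, psscan):
    """psxview-style check: processes psscan finds whose PID pslist never lists.

    psscan also recovers recently exited processes, so confirm hits against
    the ExitTime column before calling them hidden."""
    listed = {row["PID"] for row in pslist}
    return [row for row in psscan if row["PID"] not in listed]


def parent_anomalies(pslist):
    """Flag core processes whose parent image or instance count breaks the tree."""
    by_pid = {row["PID"]: row for row in pslist}
    findings = []
    for row in pslist:
        name = row["ImageFileName"].lower()
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue
        parent = by_pid.get(row["PPID"])
        got = parent["ImageFileName"].lower() if parent else None
        if got != want:
            findings.append(f"{name} (PID {row['PID']}) parent is {got}, expected {want}")
    counts = Counter(row["ImageFileName"].lower() for row in pslist)
    for name in sorted(SINGLETONS):
        if counts[name] > 1:
            findings.append(f"{name} has {counts[name]} instances, expected 1")
    return findings


def orphan_connections(netscan, pslist):
    """Sockets whose owning PID is absent from pslist: owner is hidden or exited."""
    listed = {row["PID"] for row in pslist}
    return [row for row in netscan
            if row.get("PID") is not None and row["PID"] not in listed]


def report():
    """Run every check on the constructed sample and return the findings."""
    pslist, psscan, netscan = (load_rows(t) for t in (PSLIST_JSON, PSSCAN_JSON, NETSCAN_JSON))
    return {
        "hidden": [(r["PID"], r["ImageFileName"]) for r in hidden_processes(pslist, psscan)],
        "tree": parent_anomalies(pslist),
        "orphan_conns": [(r["PID"], f"{r['ForeignAddr']}:{r['ForeignPort']}")
                         for r in orphan_connections(netscan, pslist)],
    }


if __name__ == "__main__":
    for key, items in report().items():
        print(key)
        for item in items:
            print("  ", item)
```

On a real image, replace the three constants with the files written by `vol.py -r json -f mem.raw windows.pslist > pslist.json` and the matching psscan and netscan runs; the `-r json` flag is the only thing the loader relies on. Treat every finding as a lead, not a verdict: the tree heuristic is deliberately strict, and both psscan and netscan surface freed objects that a recently exited process leaves behind.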

Information about Registry

HIVELIST
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> hivescan
  • vol.py -f "/path/file" --profile <profile> hivelist
  Volatility 3:
  • vol.py -f "/path/file" windows.registry.hivescan
  • vol.py -f "/path/file" windows.registry.hivelist

PRINTKEY
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> printkey
  • vol.py -f "/path/file" --profile <profile> printkey -K "Software\Microsoft\Windows\CurrentVersion"
  Volatility 3:
  • vol.py -f "/path/file" windows.registry.printkey
  • vol.py -f "/path/file" windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion"

HIVEDUMP
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> hivedump -o <offset>
  Volatility 3:
  • vol.py -f "/path/file" -o "/path/dir" windows.dumpfiles --physaddr <offset>
Information about Files

FILESCAN
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> filescan
  Volatility 3:
  • vol.py -f "/path/file" windows.filescan

FILEDUMP
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> dumpfiles --dump-dir="/path/dir"
  • vol.py -f "/path/file" --profile <profile> dumpfiles --dump-dir="/path/dir" -Q <offset>
  • vol.py -f "/path/file" --profile <profile> dumpfiles --dump-dir="/path/dir" -p <PID>
  Volatility 3:
  • vol.py -f "/path/file" -o "/path/dir" windows.dumpfiles
  • vol.py -f "/path/file" -o "/path/dir" windows.dumpfiles --virtaddr <offset>
  • vol.py -f "/path/file" -o "/path/dir" windows.dumpfiles --physaddr <offset>

Information about Miscellaneous Activity

MALFIND
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> malfind
  Volatility 3:
  • vol.py -f "/path/file" windows.malfind

YARASCAN
  Volatility 2:
  • vol.py -f "/path/file" --profile <profile> yarascan -y "/path/file.yar"
  Volatility 3:
  • vol.py -f "/path/file" windows.vadyarascan --yara-rules <string>
  • vol.py -f "/path/file" windows.vadyarascan --yara-file "/path/file.yar"
  • vol.py -f "/path/file" yarascan.yarascan --yara-file "/path/file.yar"
  (windows.vadyarascan scans each process's virtual address ranges and reports the owning PID; yarascan.yarascan scans the whole memory layer, so it also covers kernel space and pages not mapped to any process.)
