Rekall

The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public Licenses, for the extraction and analysis of digital artifacts from computer systems.

Rekall Forensic and Incident Response Framework

Discontinued Project


Lessons Learned

  • Improvements to memory analysis methodology over the years
  • Limited modularization, because in-memory structures are interdependent and early architectural decisions constrained the design
  • Increasing RAM sizes and security measures that make traditional physical memory analysis more cumbersome
  • Physical memory analysis is fragile and maintenance-heavy

Discontinuation

Active development on Rekall has been halted. GRR (Google Rapid Response), which had used Rekall for remote memory analysis, switched from Rekall to YARA-based scanning, which requires significantly less maintenance.
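The lessons above and the switch to YARA come down to one trade-off: parsing kernel structures out of a physical memory image needs a per-build "profile" of field offsets that must be maintained forever, whereas a byte-pattern scan needs no layout knowledge at all but recovers far less context. The following Python is an added illustration, not Rekall or GRR code. The two "profiles", the process-block layout, the process names and the 4 KiB memory image are all constructed here; real profiles describe thousands of fields per kernel build.

```python
"""Added example (not Rekall code): profile-dependent structure walking versus
layout-independent pattern scanning over a constructed memory image."""
import re
import struct
from typing import Dict, List, Tuple

# Hypothetical field offsets of an imaginary process block for two builds of
# the same OS. Offsets shift between builds, which is what a profile tracks.
PROFILES: Dict[str, Dict[str, int]] = {
    "build_a": {"size": 0x30, "pid": 0x08, "name": 0x10, "flink": 0x20},
    "build_b": {"size": 0x38, "pid": 0x10, "name": 0x18, "flink": 0x28},
}
NAME_LEN = 16        # fixed-size, NUL-terminated name field (constructed)
IMAGE_SIZE = 0x1000  # constructed 4 KiB "physical memory" image


def build_image(profile_name: str, processes: List[Tuple[int, str]],
                base: int = 0x100) -> Tuple[bytes, int]:
    """Lay out a singly linked list of process blocks using one profile.
    Returns the image and the offset of the list head."""
    p = PROFILES[profile_name]
    image = bytearray(IMAGE_SIZE)
    offsets = [base + i * p["size"] for i in range(len(processes))]
    for i, (pid, name) in enumerate(processes):
        off = offsets[i]
        struct.pack_into("<I", image, off + p["pid"], pid)
        name_bytes = name.encode("ascii")[: NAME_LEN - 1]
        image[off + p["name"]: off + p["name"] + len(name_bytes)] = name_bytes
        nxt = offsets[i + 1] if i + 1 < len(offsets) else 0  # 0 terminates
        struct.pack_into("<I", image, off + p["flink"], nxt)
    return bytes(image), base


def walk_process_list(image: bytes, head: int, profile_name: str,
                      max_nodes: int = 64) -> List[Tuple[int, str]]:
    """Follow the flink chain from `head`, decoding each block with the given
    profile. Defensive against loops, truncated images and bad pointers, but
    a wrong profile silently yields garbage rather than an error."""
    p = PROFILES[profile_name]
    found: List[Tuple[int, str]] = []
    seen = set()
    off = head
    while off and off not in seen and len(found) < max_nodes:
        seen.add(off)
        if off + p["size"] > len(image):
            break  # pointer leads outside the image: stop, do not crash
        (pid,) = struct.unpack_from("<I", image, off + p["pid"])
        raw = image[off + p["name"]: off + p["name"] + NAME_LEN]
        name = raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        found.append((pid, name))
        (off,) = struct.unpack_from("<I", image, off + p["flink"])
    return found


# YARA-style signature: an executable name followed by its NUL terminator.
NAME_PATTERN = re.compile(rb"[A-Za-z0-9_-]{1,15}\.exe\x00")


def scan_exe_names(image: bytes) -> List[str]:
    """Layout-independent scan: needs no profile, but returns only the bytes
    the signature describes (no PID, no list position, no parent)."""
    hits = {m.group(0).rstrip(b"\x00").decode("ascii")
            for m in NAME_PATTERN.finditer(image)}
    return sorted(hits)


if __name__ == "__main__":
    procs = [(4, "System"), (412, "smss.exe"), (1337, "evil.exe")]  # constructed
    img, head = build_image("build_a", procs)
    print("right profile :", walk_process_list(img, head, "build_a"))
    print("wrong profile :", walk_process_list(img, head, "build_b"))
    print("pattern scan  :", scan_exe_names(img))
```

Walking with the matching profile recovers PID, name and list order; walking the same image with the other build's profile returns a single nonsense entry and stops, with nothing to signal that the profile was wrong. The pattern scan returns the same names from an image laid out with either profile, which is the maintenance win GRR took, at the cost of everything a structure walk knows about each hit.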


Quick Start

Install Rekall with pip inside a fresh virtualenv:

virtualenv /tmp/MyEnv
source /tmp/MyEnv/bin/activate
pip install --upgrade setuptools pip wheel
pip install rekall-agent rekall

Or use the self-contained installer package for Windows, available from the project's download page.


Copyright (C) 2007-2011 Volatile Systems, Copyright 2012-2016 Google Inc.

Licensed under the GNU General Public License, version 2 or later.


Bugs and Support

No support is provided. Report bugs through the project's GitHub issue tracker.

Please include the following information:

  • Rekall version
  • Operating system used to run Rekall
  • Python version used to run Rekall
  • Suspected operating system of the memory image
  • Complete command line used to run Rekall

History

December 2011: A branch of the Volatility Framework was created for modularization, performance improvement, and increased usability. It became known as the "scudette" or "Technology Preview" branch.

December 13, 2013: The branch was forked into a standalone project named Rekall.
