Rekall Memory Forensic Framework

by do son · Published October 21, 2017 · Updated November 4, 2024

The Rekall Forensic and Incident Response Framework

The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.

The Rekall distribution is available from http://www.rekall-forensic.com/

Rekall should run on any platform that supports Python

Rekall supports investigations of the following 32bit and 64bit memory images:

Microsoft Windows XP Service Pack 2 and 3
Microsoft Windows 7 Service Pack 0 and 1
Microsoft Windows 8 and 8.1
Microsoft Windows 10
Linux Kernels 2.6.24 to 4.4.
OSX 10.7-10.12.x.

Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).

Quickstart

Rekall is available as a python package installable via the pip package manager. To install it, first create a virtal env, switch to it and then install rekall:

$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip…done.
$ source /tmp/MyEnv/bin/activate
$ pip install –upgrade setuptools pip wheel
$ pip install rekall-agent rekall

For windows, Rekall is also available as a self-contained installer package. Please check the download page for the most appropriate installer to use Rekall-Forensic.com

To install from this git repository you will need to use pip –editable and follow the correct order of installation (otherwise pip will pull released dependencies which might be older):

$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip…done.
$ source /tmp/MyEnv/bin/activate
$ pip install –upgrade setuptools pip wheel
$ git clone https://github.com/google/rekall.git rekall
$ pip install –editable rekall/rekall-lib
$ pip install –editable rekall/rekall-core
$ pip install –editable rekall/rekall-agent
$ pip install –editable rekall

On Windows, you will need to install the Microsoft Visual C compilers for python (for more info see this blog posthttp://rekall-forensic.blogspot.ch/2015/09/installing-rekall-on-windows.html)