Memory Forensic Framework

The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Rekall supports investigations of the following 32bit and 64bit memory images:
* Microsoft Windows XP Service Pack 2 and 3
* Microsoft Windows 7 Service Pack 0 and 1
* Microsoft Windows 8 and 8.1
* Linux Kernels 2.6.24 to 3.10.
* OSX 10.7-10.10.x.

Download from Github.

git clone

Download from Github.

Quick start
* Rekall is available as a python package installable via the pip package manager. Simply type (for example on Linux):

sudo pip install rekall

* You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):

sudo pip install --pre rekall

* To have all the dependencies installed. You still need to have python and pip installed first.

* If you want to use the yarascan plugin, install yara and yara-python.

Categories: Forensics
%d bloggers like this: