GNU/LinuxMalware AnalysisScannerSecurity

Rekall – Rekall Memory Forensic Framework

The Rekall distribution is available from:
Rekall should run on any platform that supports Python
Rekall supports investigations of the following 32bit and 64bit memory images:
  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Linux Kernels 2.6.24 to 3.10.
  • OSX 10.7-10.10.x.
Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).
Additionally Rekall now features a complete GUI for writing reports, and driving analysis, try it out with:
rekall webconsole --browser   
Quick start
Rekall is available as a python package installable via the pip package manager. Simply type (for example on Linux):
sudo pip install rekall   
You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):
sudo pip install --pre rekall   
To have all the dependencies installed. You still need to have python and pip installed first.
If you want to use the yarascan plugin, install yara and yara-python .
For windows, Rekall is also available as a self contained installer package. Please check the download page for the most appropriate installer to use
In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. The modularity allowed Volatility to be used in GRR, making memory analysis a core part of a strategy to enable remote live forensics. As a result, both GRR and Volatility would be able to use each others’ strengths.
Over time this branch has become known as the “scudette” branch or the “Technology Preview” branch. It was always a goal to try to get these changes into the main Volatility code base. But, after two years of ongoing development, the “Technology Preview” was never accepted into the Volatility trunk version.
Since it seemed unlikely these changes would be incorporated in the future, it made sense to develop the Technology Preview branch as a separate project. On December 13, 2013, the former branch was forked to create a new stand-alone project named “Rekall.” This new project incorporates changes made to streamline the codebase so that Rekall can be used as a library. Methods for memory acquisition and other outside contributions have also been included that were not in the Volatility codebase.
Rekall strives to advance the state of the art in memory analysis, implementing the best algorithms currently available and a complete memory acquisition and analysis solution for at least Windows, OSX and Linux.
More documentation
Further documentation is available at








OWASP Mth3l3m3nt Framework – Penetration Testing Aiding Tool And Exploitation Framework

Previous article

Parrot OS 3.1 (Defcon) – Friendly OS designed for Pentesting

Next article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *

More in GNU/Linux