Rekall, a framework for memory forensic

An end-to-end solution to incident responders and forensic analysts


Rekall is a collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory samples.

The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system.

Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework.

Rekall supports investigations of the following 32bit and 64bit memory images:

  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Linux Kernels 2.6.24 to 3.10.
  • OSX 10.7–10.10.x.

Installation

On Linux, simply type (you still need to have python and pip installed first):

sudo pip install rekall

You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):

sudo pip instal--pre rekall

For Windows, Rekall is also available as a self contained installer package from this page

More information and documentation on Official Website and GitHub Page.

Comments