Rekall – Memory Forensic Framework
Rekall is a memory forensic framework that provides an end-to-end solution for incident responders and forensic analysts, from state of the art acquisition tools to an advanced open source memory analysis framework.
What is Rekall?
Rekall is an advanced forensic and incident response framework. While it began life purely as a memory forensic framework, it has since evolved into a complete platform.
How do you run Rekall?
1. Installation
Simply type (for example on Linux):

    $ virtualenv /tmp/MyEnv
    New python executable in /tmp/MyEnv/bin/python
    Installing setuptools, pip...done.
    $ ...

to have all the dependencies installed. You still need to have python and pip installed first. ...

    $ pip install rekall-gui
Rekall strives to be a complete end-to-end memory forensic framework, encapsulating acquisition, analysis, and reporting. In particular, Rekall is the only memory analysis platform specifically designed to run on the same system it is analyzing. Live analysis lets the analyst corroborate memory artifacts with results obtained through system APIs, and quickly triage a system without having to write out and manage large memory images. This becomes very important on large servers, where a long acquisition window means memory keeps changing while it is being imaged, so the resulting image is internally inconsistent (smear).
The team also ensures the memory analysis tools are stable and work on all supported platforms (for example, Rekall features the only memory imaging tool for recent versions of OSX that we know of, and it is open source and free as well).
Rekall is the only open source memory analysis tool that can work with the Windows page file and mapped files. Rekall also includes a full acquisition solution (the aff4acquire plugin) which acquires the pagefile and all relevant mapped files; Rekall does this by executing a triaging routine during acquisition.
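The cross-view check that live analysis makes possible, as an added illustration (this is not Rekall's code and does not use its API): a process list recovered from kernel memory is compared against the same system enumerated through its normal process API. Both tables below are constructed sample input in an assumed "pid ppid name" layout; a pslist-style plugin and the OS's own process enumeration would be the real sources. A process that exists in memory but is invisible to the API is the classic hiding signal, while a process visible to the API but absent from the memory view is usually just a short-lived process caught between the two snapshots, i.e. benign smear rather than evasion.

```python
"""Cross-view check: memory-derived process list vs. live API view.

Added example, not Rekall's own code. PROC_MEMORY_VIEW stands in for a
process list walked out of kernel memory; PROC_API_VIEW for the same box
enumerated through the normal process API moments later. Both are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed sample: what the kernel's own process structures contain.
PROC_MEMORY_VIEW = """\
pid ppid name
1 0 systemd
734 1 sshd
812 734 bash
901 812 rekall
1337 1 kworker_hidden
1500 1 cron
"""

# Constructed sample: the API view of the same system, taken slightly later.
PROC_API_VIEW = """\
pid ppid name
1 0 systemd
734 1 sshd
812 734 bash
901 812 rekall
1500 1 nc
2048 812 sleep
"""


def parse_table(text: str) -> dict[int, Proc]:
    """Parse a whitespace-separated 'pid ppid name' table (header first) into a dict keyed by pid."""
    procs: dict[int, Proc] = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, name = line.split(maxsplit=2)
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def cross_view(memory: dict[int, Proc], api: dict[int, Proc]) -> dict[str, list]:
    """Compare the two views of the process table.

    hidden    : in kernel memory but not visible through the API
                (rootkit-style hiding, e.g. DKOM or hooked enumeration).
    transient : visible through the API but missing from the memory view;
                expected when the snapshots are taken at different times.
    mismatch  : same pid in both views but different parent or name;
                pid reuse between snapshots, or tampering with one view.
    """
    hidden = [memory[p] for p in sorted(memory.keys() - api.keys())]
    transient = [api[p] for p in sorted(api.keys() - memory.keys())]
    mismatch = [(memory[p], api[p]) for p in sorted(memory.keys() & api.keys())
                if memory[p] != api[p]]
    return {"hidden": hidden, "transient": transient, "mismatch": mismatch}


def run() -> dict[str, list]:
    """Run the cross-view check over the constructed sample tables."""
    return cross_view(parse_table(PROC_MEMORY_VIEW), parse_table(PROC_API_VIEW))


if __name__ == "__main__":
    result = run()
    for p in result["hidden"]:
        print(f"HIDDEN    pid={p.pid} ppid={p.ppid} name={p.name} (not visible via API)")
    for p in result["transient"]:
        print(f"TRANSIENT pid={p.pid} ppid={p.ppid} name={p.name} (likely exited/started between snapshots)")
    for mem, live in result["mismatch"]:
        print(f"MISMATCH  pid={mem.pid} memory={mem.name} api={live.name}")
```

Only the "hidden" bucket is a direct finding; "transient" entries are the time skew between the two views and are exactly the kind of artifact that grows with acquisition time on a busy server, which is why the text treats smear as a problem for large images.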