Rekall, a framework for memory forensic
An end-to-end solution to incident responders and forensic analysts
Rekall is a collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory samples.
The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system.
Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework.
Rekall supports investigations of the following 32bit and 64bit memory images:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 7 Service Pack 0 and 1
- Microsoft Windows 8 and 8.1
- Linux Kernels 2.6.24 to 3.10.
- OSX 10.7–10.10.x.
On Linux, simply type (you still need to have python and pip installed first):
sudo pip install rekall
You might need to specifically allow pre-release software to be included (until Rekall makes a major stable release):
sudo pip instal--pre rekall
For Windows, Rekall is also available as a self contained installer package from this page