Convert Figma logo to code with AI

google logorekall

Rekall Memory Forensic Framework

1,917
397
1,917
201
View on GitHub

Top Related Projects

volatilityfoundation's avatar

volatility

7,169

An advanced memory forensics framework

mandiant's avatar

flare-vm

6,345

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

sleuthkit's avatar

sleuthkit

2,569

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

mandiant's avatar

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Quick Overview

Rekall is an advanced memory forensics and incident response framework. It provides a comprehensive set of tools for extracting and analyzing digital artifacts from volatile memory (RAM) images, allowing investigators to recover critical information from compromised systems.

Pros

  • Powerful and flexible memory analysis capabilities
  • Cross-platform support (Windows, Linux, macOS)
  • Extensible plugin architecture for custom analysis modules
  • Active development and community support

Cons

  • Steep learning curve for beginners
  • Limited documentation for advanced features
  • Can be resource-intensive for large memory dumps
  • Requires specific memory acquisition tools for optimal results

Code Examples

# Load a memory image
from rekall import session
s = session.Session(filename="memory.dmp")

# List running processes
for proc in s.plugins.pslist():
    print(f"PID: {proc.pid}, Name: {proc.name}")

# Search for a specific string in memory
hits = s.plugins.strings(regex="password")
for hit in hits:
    print(f"Address: {hit.address}, String: {hit.string}")

# Analyze network connections
for conn in s.plugins.netscan():
    print(f"Local: {conn.local_ip}:{conn.local_port}, Remote: {conn.remote_ip}:{conn.remote_port}")

Getting Started

  1. Install Rekall:

    pip install rekall

  2. Acquire a memory dump using a tool like WinPmem or LiME.

  3. Start analyzing:

    from rekall import session
s = session.Session(filename="memory.dmp")
s.plugins.pslist().run()

  4. Explore available plugins:

    s.plugins.plugin_db.plugin_list()

Competitor Comparisons

volatilityfoundation logo

volatility

7,169

An advanced memory forensics framework

Pros of Volatility

  • Larger and more active community, resulting in better support and more frequent updates
  • More extensive plugin ecosystem, offering a wider range of analysis capabilities
  • Better documentation and learning resources available

Cons of Volatility

  • Steeper learning curve, especially for users new to memory forensics
  • Slower performance on large memory dumps compared to Rekall

Code Comparison

Volatility (Python 2.x):

import volatility.utils as utils
import volatility.plugins.common as common

class MyPlugin(common.AbstractWindowsCommand):
    def calculate(self):
        addr_space = utils.load_as(self._config)
        # Plugin-specific logic here

Rekall (Python 3.x):

from rekall import plugin

class MyPlugin(plugin.TypedProfileCommand, plugin.Command):
    __name__ = "myplugin"

    def collect(self):
        # Plugin-specific logic here

Both frameworks use a plugin-based architecture, but Rekall's syntax is more modern and Pythonic. Volatility's codebase is older and relies on Python 2.x, while Rekall supports Python 3.x. Rekall's API is generally considered more user-friendly and easier to extend, but Volatility's larger plugin ecosystem often outweighs this advantage for many users.

mandiant logo

flare-vm

6,345

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

Pros of FLARE-VM

  • Comprehensive Windows-based malware analysis environment
  • Automated setup process for numerous security tools
  • Regular updates and community support

Cons of FLARE-VM

  • Limited to Windows operating systems
  • Requires significant disk space and system resources
  • May introduce potential security risks by installing multiple tools

Code Comparison

FLARE-VM (PowerShell):

cinst -y --force --allow-empty-checksums vcredist-all
cinst -y --force --allow-empty-checksums dotnet3.5
cinst -y --force --allow-empty-checksums dotnet4.5

Rekall (Python):

from rekall import session
s = session.Session(filename="memory.dmp")
print(s.plugins.pslist())

Summary

FLARE-VM is a Windows-based malware analysis toolkit with automated setup, while Rekall is a cross-platform memory forensics framework. FLARE-VM offers a comprehensive suite of tools but is limited to Windows, whereas Rekall provides flexibility across platforms. FLARE-VM's setup is more user-friendly, but Rekall offers more granular control for memory analysis tasks.

sleuthkit logo

sleuthkit

2,569

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Pros of Sleuthkit

  • More active development with frequent updates and contributions
  • Broader scope for digital forensics, including file system analysis
  • Extensive documentation and community support

Cons of Sleuthkit

  • Steeper learning curve due to its comprehensive nature
  • Primarily command-line based, which may be less user-friendly for some

Code Comparison

Sleuthkit (C):

TSK_IMG_INFO *img = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0);
if (img == NULL) {
    tsk_error_print(stderr);
    exit(1);
}

Rekall (Python):

session = rekall.Session(filename="image.dd")
for proc in session.plugins.pslist():
    print(proc)

Summary

Sleuthkit is a comprehensive digital forensics toolkit with a focus on file system analysis, while Rekall specializes in memory forensics. Sleuthkit offers a broader range of features but may be more complex to use. Rekall provides a more user-friendly Python interface but has a narrower focus on memory analysis. Both tools have their strengths and are valuable in different forensic scenarios.

mandiant logo

flare-floss

3,160

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Pros of FLARE-FLOSS

  • Specialized for string extraction from obfuscated malware
  • Actively maintained with regular updates
  • Lightweight and focused tool for specific use cases

Cons of FLARE-FLOSS

  • Limited scope compared to Rekall's broader memory forensics capabilities
  • Less extensive documentation and community support
  • Primarily command-line based, lacking a GUI interface

Code Comparison

FLARE-FLOSS (Python):

def extract_strings(vw, fva):
    for s in strings.extract_ascii_strings(vw.readMemory(fva, 1024)):
        if s.s and len(s.s) > 4:
            yield s

Rekall (Python):

def ScanForPool(self, pool_tag):
    for pool in self.profile.get_constant_object("PoolBigPageTable"):
        if pool.PoolType.v() == pool_tag:
            yield pool

Both projects use Python, but FLARE-FLOSS focuses on string extraction from binaries, while Rekall provides broader memory analysis capabilities. FLARE-FLOSS is more specialized for malware analysis, whereas Rekall offers a comprehensive memory forensics framework. FLARE-FLOSS is actively maintained, while Rekall has seen less recent development. Choose FLARE-FLOSS for targeted string extraction and obfuscation analysis, and Rekall for more general memory forensics tasks.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Rekall discontinuation

This project is no longer maintained.

In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. This branch was later forked to become Rekall. The modularity allowed physical memory analysis functionality to be used in GRR to enable remote live in-memory analysis.

Lessons learned:

  • Rekall has introduced many improvements to memory analysis methodology over the years. For more information see: http://blog.rekall-forensic.com/
  • Rekall framework allowed for limited modularization due to the nature of interdependent in-memory structure and early architectural decisions.
  • Increasing RAM sizes and security measures like memory encryption are making traditional physical memory analysis more cumbersome.
  • Physical memory analysis is fragile and maintenance heavy. Most physical memory analysis tools are basically kernel debuggers, without access to the source and debug symbols. Most memory analysis therefore can be a costly process of debugging / reverse engineering and keeping debug symbols / structure definitions up to date.

Active development on Rekall has been halted for a while. GRR has switched from using Rekall to YARA supporting a limited set of memory analysis capabilities that requires significantly less maintenance.

Core developers / maintainers for Rekall have other priorities and no one has stepped up to help out with maintenance. Therefore the Rekall project is discontinued. The project will be archived, and you are free to fork it and continue to make changes.

Winpmem will be continued as a separate project currently maintained at https://github.com/Velocidex/WinPmem.

The Rekall Forensic and Incident Response Framework

The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.

The Rekall distribution is available from: http://www.rekall-forensic.com/

Rekall should run on any platform that supports Python

Rekall supports investigations of the following 32bit and 64bit memory images:

  • Microsoft Windows XP Service Pack 2 and 3
  • Microsoft Windows 7 Service Pack 0 and 1
  • Microsoft Windows 8 and 8.1
  • Microsoft Windows 10
  • Linux Kernels 2.6.24 to most recent.
  • OSX 10.7-10.12.x.

Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).

Quick start

Rekall is available as a python package installable via the pip package manager. To install it, first create a virtal env, switch to it and then install rekall:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

For windows, Rekall is also available as a self contained installer package. Please check the download page for the most appropriate installer to use Rekall-Forensic.com

To install from this git repository you will need to use pip --editable and follow the correct order of installation (otherwise pip will pull released dependencies which might be older):

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ git clone https://github.com/google/rekall.git rekall
$ pip install --editable rekall/rekall-lib
$ pip install --editable rekall/rekall-core
$ pip install --editable rekall/rekall-agent
$ pip install --editable rekall

On Windows you will need to install the Microsoft Visual C compilers for python (for more info see this blog post http://rekall-forensic.blogspot.ch/2015/09/installing-rekall-on-windows.html)

Mailing Lists

Mailing lists to support the users and developers of Rekall can be found at the following address:

rekall-discuss@googlegroups.com

Licensing and Copyright

Copyright (C) 2007-2011 Volatile Systems Copyright 2012-2016 Google Inc. All Rights Reserved.

All Rights Reserved

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Bugs and Support

There is no support provided with Rekall. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

If you think you've found a bug, please report it at:

https://github.com/google/rekall/issues

In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:

  • The version of rekall you're using
  • The operating system used to run rekall
  • The version of python used to run rekall
  • The suspected operating system of the memory image
  • The complete command line you used to run rekall

History

In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. The modularity allowed Volatility to be used in GRR, making memory analysis a core part of a strategy to enable remote live forensics. As a result, both GRR and Volatility would be able to use each other's strengths.

Over time this branch has become known as the "scudette" branch or the "Technology Preview" branch. It was always a goal to try to get these changes into the main Volatility code base. But, after two years of ongoing development, the "Technology Preview" was never accepted into the Volatility trunk version.

Since it seemed unlikely these changes would be incorporated in the future, it made sense to develop the Technology Preview branch as a separate project. On December 13, 2013, the former branch was forked to create a new stand-alone project named "Rekall.” This new project incorporates changes made to streamline the codebase so that Rekall can be used as a library. Methods for memory acquisition and other outside contributions have also been included that were not in the Volatility codebase.

Rekall strives to advance the state of the art in memory analysis, implementing the best algorithms currently available and a complete memory acquisition and analysis solution for at least Windows, OSX and Linux.

More documentation

Further documentation is available at http://www.rekall-forensic.com/