Top Related Projects
An advanced memory forensics framework
A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Quick Overview
Rekall is an advanced memory forensics and incident response framework. It provides a comprehensive set of tools for extracting and analyzing digital artifacts from volatile memory (RAM) images, allowing investigators to recover critical information from compromised systems.
Pros
- Powerful and flexible memory analysis capabilities
- Cross-platform support (Windows, Linux, macOS)
- Extensible plugin architecture for custom analysis modules
- Active development and community support
Cons
- Steep learning curve for beginners
- Limited documentation for advanced features
- Can be resource-intensive for large memory dumps
- Requires specific memory acquisition tools for optimal results
Code Examples
# Load a memory image
from rekall import session
s = session.Session(filename="memory.dmp")
# List running processes
for proc in s.plugins.pslist():
print(f"PID: {proc.pid}, Name: {proc.name}")
# Search for a specific string in memory
hits = s.plugins.strings(regex="password")
for hit in hits:
print(f"Address: {hit.address}, String: {hit.string}")
# Analyze network connections
for conn in s.plugins.netscan():
print(f"Local: {conn.local_ip}:{conn.local_port}, Remote: {conn.remote_ip}:{conn.remote_port}")
Getting Started
-
Install Rekall:
pip install rekall
-
Acquire a memory dump using a tool like WinPmem or LiME.
-
Start analyzing:
from rekall import session s = session.Session(filename="memory.dmp") s.plugins.pslist().run()
-
Explore available plugins:
s.plugins.plugin_db.plugin_list()
Competitor Comparisons
An advanced memory forensics framework
Pros of Volatility
- Larger and more active community, resulting in better support and more frequent updates
- More extensive plugin ecosystem, offering a wider range of analysis capabilities
- Better documentation and learning resources available
Cons of Volatility
- Steeper learning curve, especially for users new to memory forensics
- Slower performance on large memory dumps compared to Rekall
Code Comparison
Volatility (Python 2.x):
import volatility.utils as utils
import volatility.plugins.common as common
class MyPlugin(common.AbstractWindowsCommand):
def calculate(self):
addr_space = utils.load_as(self._config)
# Plugin-specific logic here
Rekall (Python 3.x):
from rekall import plugin
class MyPlugin(plugin.TypedProfileCommand, plugin.Command):
__name__ = "myplugin"
def collect(self):
# Plugin-specific logic here
Both frameworks use a plugin-based architecture, but Rekall's syntax is more modern and Pythonic. Volatility's codebase is older and relies on Python 2.x, while Rekall supports Python 3.x. Rekall's API is generally considered more user-friendly and easier to extend, but Volatility's larger plugin ecosystem often outweighs this advantage for many users.
A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
Pros of FLARE-VM
- Comprehensive Windows-based malware analysis environment
- Automated setup process for numerous security tools
- Regular updates and community support
Cons of FLARE-VM
- Limited to Windows operating systems
- Requires significant disk space and system resources
- May introduce potential security risks by installing multiple tools
Code Comparison
FLARE-VM (PowerShell):
cinst -y --force --allow-empty-checksums vcredist-all
cinst -y --force --allow-empty-checksums dotnet3.5
cinst -y --force --allow-empty-checksums dotnet4.5
Rekall (Python):
from rekall import session
s = session.Session(filename="memory.dmp")
print(s.plugins.pslist())
Summary
FLARE-VM is a Windows-based malware analysis toolkit with automated setup, while Rekall is a cross-platform memory forensics framework. FLARE-VM offers a comprehensive suite of tools but is limited to Windows, whereas Rekall provides flexibility across platforms. FLARE-VM's setup is more user-friendly, but Rekall offers more granular control for memory analysis tasks.
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
Pros of Sleuthkit
- More active development with frequent updates and contributions
- Broader scope for digital forensics, including file system analysis
- Extensive documentation and community support
Cons of Sleuthkit
- Steeper learning curve due to its comprehensive nature
- Primarily command-line based, which may be less user-friendly for some
Code Comparison
Sleuthkit (C):
TSK_IMG_INFO *img = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0);
if (img == NULL) {
tsk_error_print(stderr);
exit(1);
}
Rekall (Python):
session = rekall.Session(filename="image.dd")
for proc in session.plugins.pslist():
print(proc)
Summary
Sleuthkit is a comprehensive digital forensics toolkit with a focus on file system analysis, while Rekall specializes in memory forensics. Sleuthkit offers a broader range of features but may be more complex to use. Rekall provides a more user-friendly Python interface but has a narrower focus on memory analysis. Both tools have their strengths and are valuable in different forensic scenarios.
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Pros of FLARE-FLOSS
- Specialized for string extraction from obfuscated malware
- Actively maintained with regular updates
- Lightweight and focused tool for specific use cases
Cons of FLARE-FLOSS
- Limited scope compared to Rekall's broader memory forensics capabilities
- Less extensive documentation and community support
- Primarily command-line based, lacking a GUI interface
Code Comparison
FLARE-FLOSS (Python):
def extract_strings(vw, fva):
for s in strings.extract_ascii_strings(vw.readMemory(fva, 1024)):
if s.s and len(s.s) > 4:
yield s
Rekall (Python):
def ScanForPool(self, pool_tag):
for pool in self.profile.get_constant_object("PoolBigPageTable"):
if pool.PoolType.v() == pool_tag:
yield pool
Both projects use Python, but FLARE-FLOSS focuses on string extraction from binaries, while Rekall provides broader memory analysis capabilities. FLARE-FLOSS is more specialized for malware analysis, whereas Rekall offers a comprehensive memory forensics framework. FLARE-FLOSS is actively maintained, while Rekall has seen less recent development. Choose FLARE-FLOSS for targeted string extraction and obfuscation analysis, and Rekall for more general memory forensics tasks.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Rekall discontinuation
This project is no longer maintained.
In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. This branch was later forked to become Rekall. The modularity allowed physical memory analysis functionality to be used in GRR to enable remote live in-memory analysis.
Lessons learned:
- Rekall has introduced many improvements to memory analysis methodology over the years. For more information see: http://blog.rekall-forensic.com/
- Rekall framework allowed for limited modularization due to the nature of interdependent in-memory structure and early architectural decisions.
- Increasing RAM sizes and security measures like memory encryption are making traditional physical memory analysis more cumbersome.
- Physical memory analysis is fragile and maintenance heavy. Most physical memory analysis tools are basically kernel debuggers, without access to the source and debug symbols. Most memory analysis therefore can be a costly process of debugging / reverse engineering and keeping debug symbols / structure definitions up to date.
Active development on Rekall has been halted for a while. GRR has switched from using Rekall to YARA supporting a limited set of memory analysis capabilities that requires significantly less maintenance.
Core developers / maintainers for Rekall have other priorities and no one has stepped up to help out with maintenance. Therefore the Rekall project is discontinued. The project will be archived, and you are free to fork it and continue to make changes.
Winpmem will be continued as a separate project currently maintained at https://github.com/Velocidex/WinPmem.
The Rekall Forensic and Incident Response Framework
The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.
The Rekall distribution is available from: http://www.rekall-forensic.com/
Rekall should run on any platform that supports Python
Rekall supports investigations of the following 32bit and 64bit memory images:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 7 Service Pack 0 and 1
- Microsoft Windows 8 and 8.1
- Microsoft Windows 10
- Linux Kernels 2.6.24 to most recent.
- OSX 10.7-10.12.x.
Rekall also provides a complete memory sample acquisition capability for all major operating systems (see the tools directory).
Quick start
Rekall is available as a python package installable via the pip package manager. To install it, first create a virtal env, switch to it and then install rekall:
$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall
For windows, Rekall is also available as a self contained installer package. Please check the download page for the most appropriate installer to use Rekall-Forensic.com
To install from this git repository you will need to use pip --editable and follow the correct order of installation (otherwise pip will pull released dependencies which might be older):
$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ git clone https://github.com/google/rekall.git rekall
$ pip install --editable rekall/rekall-lib
$ pip install --editable rekall/rekall-core
$ pip install --editable rekall/rekall-agent
$ pip install --editable rekall
On Windows you will need to install the Microsoft Visual C compilers for python (for more info see this blog post http://rekall-forensic.blogspot.ch/2015/09/installing-rekall-on-windows.html)
Mailing Lists
Mailing lists to support the users and developers of Rekall can be found at the following address:
rekall-discuss@googlegroups.com
Licensing and Copyright
Copyright (C) 2007-2011 Volatile Systems Copyright 2012-2016 Google Inc. All Rights Reserved.
All Rights Reserved
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Bugs and Support
There is no support provided with Rekall. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
If you think you've found a bug, please report it at:
https://github.com/google/rekall/issues
In order to help us solve your issues as quickly as possible, please include the following information when filing a bug:
- The version of rekall you're using
- The operating system used to run rekall
- The version of python used to run rekall
- The suspected operating system of the memory image
- The complete command line you used to run rekall
History
In December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. The modularity allowed Volatility to be used in GRR, making memory analysis a core part of a strategy to enable remote live forensics. As a result, both GRR and Volatility would be able to use each other's strengths.
Over time this branch has become known as the "scudette" branch or the "Technology Preview" branch. It was always a goal to try to get these changes into the main Volatility code base. But, after two years of ongoing development, the "Technology Preview" was never accepted into the Volatility trunk version.
Since it seemed unlikely these changes would be incorporated in the future, it made sense to develop the Technology Preview branch as a separate project. On December 13, 2013, the former branch was forked to create a new stand-alone project named "Rekall.â This new project incorporates changes made to streamline the codebase so that Rekall can be used as a library. Methods for memory acquisition and other outside contributions have also been included that were not in the Volatility codebase.
Rekall strives to advance the state of the art in memory analysis, implementing the best algorithms currently available and a complete memory acquisition and analysis solution for at least Windows, OSX and Linux.
More documentation
Further documentation is available at http://www.rekall-forensic.com/
Top Related Projects
An advanced memory forensics framework
A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot