Release 1.6.0 Gotthard

@scudette scudette released this Nov 4, 2016 · 14 commits to master since this release

This is the next release of the Rekall Forensic Framework code named Gotthard. In this release we introduce the Rekall Agent - a new experimental endpoint security agent based on cloud technologies. The agent is described in the blog post.

As usual, you can install this version by first creating a virtual env and then installing using pip:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

Downloads

Release 1.5.3 Furka

@scudette scudette released this Aug 9, 2016 · 43 commits to master since this release

The next point release in this Rekall series is released just in time for our DFRWS workshop. The workshop slides are probably the best reference for all the new features included in this release: http://dfrws2016.rekall-forensic.com/


Release 1.5.2 Furka

@scudette scudette released this Jul 1, 2016 · 62 commits to master since this release

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • Rekall has gained many live plugins for Incident Response:
    • glob, wmi, registry, yara scanning of files, etc. This capability makes Rekall a capable tool for incident response and triaging.
  • EFilter is now better integrated. Users can simply run SQL queries directly in the console.
  • The artifact collector allows Rekall to use the Forensic Artifacts project (https://github.com/ForensicArtifacts/artifacts).

As always install with pip and virtualenv:

$ virtualenv /path/to/env
$ source /path/to/env/bin/activate
$ pip install --upgrade pip setuptools wheel
$ pip install rekall


v1.5.2rc1: Release 1.5.2.rc1

@scudette scudette released this Jun 1, 2016 · 76 commits to master since this release

Review URL: https://codereview.appspot.com/299220043 .


Release 1.5.1 Furka

@scudette scudette released this May 24, 2016 · 85 commits to master since this release

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • New Windows plugins allowing inspection of the PFN database. This allows mapping physical memory back to the owning process and file (if it is mapped from a file).
  • Improved scanning framework: Most scanners can now operate on specific memory regions, like process memory, kernel memory, pool memory etc. This allows scanners to be much faster because they are more targeted.

Releases are now also available here: http://releases.rekall-forensic.com/
We also make releases available in our own PyPI repository. This lets us host binary wheels, which removes the need for compilers on Windows and OS X entirely. Visit http://pypi.rekall-forensic.com/ for directions on how to use it.


Release 1.5.0 Furka

@scudette scudette released this Apr 4, 2016 · 100 commits to master since this release

This is the next release of the Rekall Memory Forensic framework, codenamed after the Furka Pass.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken down as follows:

  • Rekall's disassembler support has been switched to Capstone. Rekall also has a more accurate and expanded disassembler template system for automatic detection of reversed data.
  • The live plugin is now improved on all OSs.
  • The aff4acquire plugin now uses the new AFF4 library streaming interface. This reduces memory use and makes acquisition very fast. The plugin now also collects many useful files at acquisition time.
  • Rekall now implements a Linux profile index using /proc/kallsyms. This means that on live systems (or when an AFF4 image was acquired), Rekall can immediately find the correct Linux profile and use it, without requiring profiles to be built in advance!
  • The pmem acquisition tools (in C++) now use the streaming AFF4 interface to control memory usage. The pmem acquisition tools can also write structured RAW and ELF formats to support legacy memory analysis tools.
  • We are also releasing the new experimental layout_expert tool (best paper at DFRWS). Install it via: pip install rekall-layout-expert

As usual the best way to install from source is via pip:

pip install rekall


Release 1.4.1 Etzel

@scudette scudette released this Sep 9, 2015 · 176 commits to master since this release

This is a bugfix release with a few new features:

  • A new live plugin is added that allows Rekall to install kernel drivers by itself.
  • The aff4acquire plugin now uses the live plugin to just acquire the image. Acquisition is now a simple matter of:
      rekall aff4acquire myimage.aff4
  • New MacPmem driver for OSX acquisition.
  • Bugfixes around Xen support should make it more reliable now.

As usual the best way to install from source is via pip:

pip install rekall


Release 1.4.0 Etzel

@scudette scudette released this Aug 10, 2015 · 196 commits to master since this release

This is the next release of the Rekall Memory Forensic framework, codenamed after the Etzel pass, not far from Zurich.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken down as follows:

  • Windows support:
    • Windows 10 - This release supports Windows 10 in most plugins. Although support is not complete yet, we will be working hard to make all plugins work.
    • Better support for the pagefile. The address translation algorithm in Rekall has been overhauled and rewritten. The new code supports describing the address translation process for increased provenance. On Windows, Rekall now supports mapping files into the physical address space. This allows plugins to read memory-mapped files transparently (if the file data is available).
    • Better heap enumeration algorithms. Rekall supports enumerating more of the Low Fragmentation Heap (LFH).
    • All references to file names are now written with the full drive letter and path. Drive letter and path normalization is done by following the symlinks in the object tree.
  • OSX and Linux support:
    • Gained common plugins like address resolver, dump, cc, etc. This improves the workflow on these OSs.
    • Sigscan is now available for all OSs: quickly determine whether a machine matches a hex signature (wildcards are supported).
  • Framework
    • Rekall now has a persistent, stable cache. This means that re-launching Rekall on an image we analyzed in the past will be very fast. This is especially useful for plugins like pas2vas, which take some time to run initially but are very fast on subsequent runs.
    • Logging API changes. Logging is now done via the session object, allowing external users of Rekall as a library to access log messages.
    • The EFilter querying framework was externalized into its own project and expanded.
  • Packaging
    • Rekall is now separated into three packages:
      • Rekall core contains all you need to use Rekall as a library. It does not have ipython as a dependency, but if you also install ipython, the core can use it.
      • Rekall GUI is the Rekall web console GUI.
      • Rekall is now a metapackage which depends on both other packages.
  • Imaging
    • Rekall gained the aff4acquire plugin in the last release, but now:
      • The plugin can acquire the pagefile by itself using the Rekall NTFS parser.
      • It also acquires all the mapped files. This resolves all address translation requirements during the analysis stage, as Rekall can later map all section objects to read memory-mapped files.

Note: The Windows binaries are also signed. Please check their signatures when downloading.
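One way to perform that check on Windows, as an added example that is not part of the Rekall project's release notes; the installer path is a placeholder and the expected publisher must be compared against the project's own published signing identity:

```powershell
# Added example: verify the Authenticode signature of a downloaded Rekall
# Windows binary before running it. The path below is a placeholder.
$installer = 'C:\Downloads\Rekall_installer.exe'   # placeholder path

$sig = Get-AuthenticodeSignature -FilePath $installer

# 'Valid' means the signature chains to a trusted root and the file has not
# been modified since it was signed. Any other status is a reason to stop.
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}

# A valid signature only proves *someone* with a trusted certificate signed
# the file; also confirm the signer is the publisher you expect.
$signer = $sig.SignerCertificate
Write-Output "Signed by : $($signer.Subject)"
Write-Output "Issuer    : $($signer.Issuer)"
Write-Output "Thumbprint: $($signer.Thumbprint)"

# Record the file hash so the artifact can later be matched against what
# was actually deployed or against a checksum published by the project.
$hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
Write-Output "SHA256    : $hash"
```

Compare the printed subject and thumbprint with the signing identity the project publishes; a valid signature from an unexpected signer should be treated as a failed check.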


Pmem memory acquisition tools.

@scudette scudette released this Apr 24, 2015 · 275 commits to master since this release

This preview release is an experimental release of the new pmem acquisition tools. The pmem acquisition suite has been rewritten from scratch to be an extensible and uniform set of acquisition tools with a common interface across all supported operating systems.

More information.

Release notes
