Pre-release
Pre-release

@scudette scudette released this Dec 6, 2017 · 35 commits to master since this release

Assets 4

This is a bugfix release. Highlights include:

  • Support new uncompressed PDB files downloaded from the MS symbol server.
  • Bugfixes for the most recent windows 10 for the most common memory plugins.

This release also comes with an OSX binary. Simply unzip somewhere and run. The binary is built with pyinstaller and should be self contained.

@scudette scudette released this Nov 6, 2017 · 43 commits to master since this release

Assets 2

The release includes:

  • Full support for Python 3
  • A refactored and improved EFilter which should be more robust and powerful.

You can install this release with pip:

$ virtualenv -p python3 /tmp/MyEnv
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /tmp/MyEnv/bin/python3
Also creating executable in /tmp/MyEnv/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
$ source /tmp/MyEnv/bin/activate
(MyEnv) $ pip install rekall

@scudette scudette released this Aug 8, 2017 · 58 commits to master since this release

Assets 5

This DFRWS 2017 release of Rekall introduces the Rekall Agent - a full featured enterprise grade remote forensic framework. We also launch our new logo and website design. Read the white paper.

Watch the DFRWS 2017 Rekall Workshop page for more information.

The Rekall Agent Server software can be downloaded from its own repository.

You can install this release with pip:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install --pre rekall

@scudette scudette released this Nov 4, 2016 · 102 commits to master since this release

Assets 5

This is the next release of the Rekall Forensic Framework code named Gotthard. In this release we introduce the Rekall Agent - a new experimental endpoint security agent based on cloud technologies. The agent is described in the blog post.

As usual, you can install this version by first creating a virtual env and then installing using pip:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

@scudette scudette released this Aug 9, 2016 · 131 commits to master since this release

Assets 4

The next point release in this Rekall series is released just in time for our DFRWS workshop. The workshop slides are probably the best reference for all the new features included in this release: http://dfrws2016.rekall-forensic.com/

@scudette scudette released this Jul 1, 2016 · 150 commits to master since this release

Assets 4

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • Rekall had obtained many live plugins for Incident Response:
    • glob, wmi, registry yara scanning of files etc. This capability makes Rekall a capable tool for incident response and triaging.
  • EFilter is now better integrated. Users can simple run SQL queries directly in the console.
  • Artifact collector allows Rekall to use the forensic artifacts project (https://github.com/ForensicArtifacts/artifacts)

As always install with pip and virtualenv:

$ virtualenv /path/to/env
$ source /path/to/env/bin/activate
$ pip install --upgrade pip setuptools wheel
$ pip install rekall

@scudette scudette released this Jun 1, 2016 · 164 commits to master since this release

Assets 2
Review URL: https://codereview.appspot.com/299220043 .

@scudette scudette released this May 24, 2016 · 173 commits to master since this release

Assets 7

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • New windows plugins allowing inspection of the PFN database. This allows mapping of physical memory back to the owning process and file (if it is mapped from a file).
  • Improved scanning framework: Most scanners can now operate on specific memory regions, like process memory, kernel memory, pool memory etc. This allows scanners to be much faster because they are more targeted.

Releases are now also available here: http://releases.rekall-forensic.com/
We also make releases available in our own pypi repository. This allows us to host binary wheels which avoids the need for compilers on windows and osx at all. Visit http://pypi.rekall-forensic.com/ for directions about how to use that.

@scudette scudette released this Apr 8, 2016 · 188 commits to master since this release

Assets 3

This is the next release of the Rekall Memory Forensic framework, codenamed after the Furka Pass.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken as follows:

  • Rekall's disassembler support is now switched to Capstone. Rekall has a more accurate and expanded disassembler template system for automatic detected to reversed data.
  • Live plugin is now improved on all OSs.
  • The aff4acquire plugin is now using the new AFF4 library streaming interface. This reduces memory use and makes the acquisition very fast. The plugin now collects many useful files at acquisition time.
  • Rekall now implements a Linux profile index using /proc/kallsyms. This means that on live systems (or when AFF4 image was acquired), Rekall can immediately find the correct Linux profile and use it without requiring building of profiles in advance!
  • The pmem acquisition tools (in C++) now use the streaming AFF4 interface to control memory usage. The pmem acquisition tools can also write into structured RAW and ELF formats to support legacy memory analysis tools.
  • We are also releasing the new experimental layout_expert tool (The best paper at DFRWS). Install this via pip install rekall-layout-expert

As usual the best way to install from source is via pip:

pip install rekall

@scudette scudette released this Sep 10, 2015 · 264 commits to master since this release

Assets 6

This is a bugfix release with few new features:

  • A new live plugin is added that allows Rekall to install kernel drivers by itself.
  • The aff4acquire plugin now uses the live plugin to just acquire the image. Acquisition is now a simple matter of:
rekall aff4acquire myimage.aff4
  • New MacPmem driver for OSX acquisition.
  • Bugfixes around Xen support should make it more reliable now.

As usual the best way to install from source is via pip:

pip install rekall