Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Linux support in Rekall

Linux support in Rekall requires a tailoured profile to the running kernel as
well as the System map file. Rekall calls this system specific information a
"profile". The profile file contains all the debugging symbols extracted into
a Rekall standard profile format (Using JSON).

To generate this file, it is necessary to build a kernel module with debugging
symbols enabled, and then parse the DWARF debugging symbols. Since it is not
guaranteed that the tools necessary to parse dwarf information are present on
the system which is used to build the kernel module, on linux, this process is
divided into two steps (Sometimes, if responding to incidents on a system for
which we have no standard kernel - for example one with a hand built kernel -
the only option is to build the debug module on the target system itself. In
this case, to minimize interference with the target system, we do not wish to
install further tools on the target system).

Step 1: Build the debug kernel module

Copy this directory to the target system, ensuring the kernel headers are
installed. Type:

bash$ sudo make profile
make -C /usr/src/linux-headers-3.8.0-34-generic CONFIG_DEBUG_INFO=y M=`pwd` modules
make[1]: Entering directory `/usr/src/linux-headers-3.8.0-34-generic'
  CC [M]  /home/scudette/rekall/tools/linux/module.o
  CC [M]  /home/scudette/rekall/tools/linux/pmem.o
  Building modules, stage 2.
  MODPOST 2 modules
  CC      /home/scudette/rekall/tools/linux/module.mod.o
  LD [M]  /home/scudette/rekall/tools/linux/module.ko
  CC      /home/scudette/rekall/tools/linux/pmem.mod.o
  LD [M]  /home/scudette/rekall/tools/linux/pmem.ko
make[1]: Leaving directory `/usr/src/linux-headers-3.8.0-34-generic'
cp module.ko module_dwarf.ko
zip "`uname -r`.zip" module_dwarf.ko /boot/`uname -r`
updating: module_dwarf.ko (deflated 66%)
updating: boot/ (deflated 79%)

The sudo command is often needed so that the /boot/* file can be read
(since modern distributions restrict permissions on this file). This will build
the debug module, and then include it into a zip file together with the

NOTE: This assumed you have the 'zip' command installed. If you do not, just
copy the two files off the system and zip them together elsewhere.

Step 2: Convert the zip file into a Rekall standard profile.

This step should be done on a system with rekall (and its dependencies) already

bash$ convert_profile tools/linux/ Ubuntu-3.8.0-34-generic.json

This will generate the correct rekall_profile. You may now use it directly:

bash$ --profile Ubuntu-3.8.0-34-generic.json -f my_image.dd

It is also possible to use the profile converter plugin to convert from legacy
profile files (e.g. those built for Volatility use). Simply specify these as the
source zip file to convert from in Step 2 above.