Changelog v-1.2.1 Col de la Croix:
– For the first time Rekall includes experimental support for analysis of traditional Disk images. This release includes a full featured parser for NTFS. Some interesting plugins:
– fls: List files in the filesystem.
– istat: Displays information about an MFT entry.
– idump: hexdump an attribute or stream.
– iexport: Exports a file from the NTFS.
– This release includes full support for acquisition and analysis of the windows page file. Some interesting plugins include:
– pagefiles: Lists the currently active page files and their locations.
– vadmap: Displays each page in the VAD and resolves its location in physical memory (or the page file).
– vtop: This plugin was expanded to display where virtual pages are actually backed by the page file.
– dumpfiles: This plugin was finally implemented in Rekall.
– inspect_heap: Experimental support for heap enumeration on Win7 x64 allows enumeration of userspace heap allocation (e.g. malloc()).
– dns_cache: This is also used to enumerate the dns cache by inspecting heap allocations.
– This release adds a functional Entity layer. Currently confined to OSX analysis. Entities are a kind of query language for memory artifacts. Some useful plugins:
find: Search for entities based on a query.
– analyze: Analyze the internal query optimizer’s collectors that will be run in response to a query.
– Most other plugins are rewritten in terms of entities (e.g. lsof, netstat etc.)
This release brings a dedicated userspace imager to Linux. The lmap tool was expanded to write ELF core dump files and acquire directly from /proc/kcore, if the target system supports it (in this case no kernel module is needed).
MIPS address space added for support on Big Endian Machines.
– Rekall can now read and write EWF files natively. There have been many performance and stability improvements too.
– ewfacquire: Rekall can be used to acquire memory efficiently, writing an EWF compressed file (with an embedded ELF file).
– The Profile repository is now cached locally to make subsequent runs faster.
The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Rekall supports investigations of the following 32bit and 64bit memory images:
– Microsoft Windows XP Service Pack 2 and 3
– Microsoft Windows 7 Service Pack 0 and 1
– Microsoft Windows 8 and 8.1
– Linux Kernels 2.6.24 to 3.10.
– OSX 10.6-10.9.x.