{"id":4030,"date":"2015-11-24T00:05:35","date_gmt":"2015-11-23T16:05:35","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4030"},"modified":"2015-11-24T00:06:08","modified_gmt":"2015-11-23T16:06:08","slug":"rekall-memory-forensic-framework","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/11\/rekall-memory-forensic-framework\/","title":{"rendered":"Rekall – Memory Forensic Framework"},"content":{"rendered":"

Rekall is a memory forensic framework that provides an end-to-end solution for incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework.<\/p>\n

\"Rekall<\/p>\n

It strives to be a complete end-to-end memory forensic framework, encapsulating acquisition, analysis, and reporting. In particular, Rekall is the only memory analysis platform specifically designed to run on the same platform it is analyzing: live analysis allows us to corroborate memory artifacts with results obtained through system APIs, as well as quickly triage a system without having to write out and manage large memory images (this becomes very important for large servers, where the time taken by acquisition leads to too much smear).<\/p>\n

The team also ensures the memory analysis tools are stable and work on all supported platforms (for example, Rekall features the only memory imaging tool available for recent versions of OS X that we know of, and it is open source and free as well!).<\/p>\n

Rekall is the only open source memory analysis tool that can work with the Windows page file and mapped files. Rekall also includes a full acquisition solution (in the aff4acquire plugin) which allows the acquisition of the pagefile and all relevant mapped files (Rekall does this by executing a triaging routine during acquisition).<\/p>\n

Support<\/h3>\n

Rekall should run on any platform that supports Python.<\/p>\n

Rekall supports investigations of the following 32-bit and 64-bit memory images:<\/p>\n