This repository has been archived by the owner on Oct 18, 2020. It is now read-only.

Release 1.3.1 Dammastock

@scudette scudette released this 31 Mar 22:52

This is the next release of the Rekall Memory Forensic framework, codenamed after the amazing Dammastock mountain.

This release was made at the Rekall Memory Forensic Workshop at DFRWS. For the first time, we ran the workshop entirely from the interactive Rekall web console. It was a great success and an impressive medium for delivering an interactive workshop (check it out here).

Release Highlights

Memory Acquisition

The major thrust of this release was porting the Pmem acquisition tools to the AFF4 image format. In addition to the stable WinPmem 1.6.2, we have made available an experimental pre-release of the WinPmem 2.0 series.

The new imagers feature:

  1. A consistent interface: the same command-line arguments are used on all operating systems.
  2. AFF4 as the standard memory image format. An AFF4 image can hold multiple streams, so the page file and additional files can be stored alongside the physical memory image.
  3. The ability to embed other files in the final AFF4 image, such as the kernel image and miscellaneous binaries, so the evidence needed to build a profile travels with the memory image.

Note that the new imagers are still considered pre-release. Please test them, but keep using the old imagers for critical work.

GUI Web Console

The GUI was expanded to accommodate multiple sessions. A Rekall session is an object encapsulating everything Rekall knows about a specific image. With multiple-session support in the GUI, a single web console document can run plugins on several images simultaneously.

  • The GUI can also export a static version of the document, which can be hosted on a plain web server.

Windows

Rekall now automatically fetches missing profiles for critical modules from the Microsoft Symbol Server.

  • This was a major pain point in the past: when Microsoft patched the kernel, the rebuilt binary required a new profile. Until the Rekall team pushed that profile to the profile repository, Rekall did not work on the patched system, and users had to know how to generate new profiles manually and push them to the repository themselves. This is no longer the case. Rekall now falls back to asking the Microsoft symbol server directly for the kernel's debug symbols, from which it builds the profile. Note that this fallback requires network access from the analysis host to the symbol server.
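The lookup that makes this fallback possible is driven by the kernel's own CodeView (RSDS) debug record, which names the PDB file and carries the GUID and age that identify the exact build. The following is an added example written for this page, not Rekall's own code: it parses an RSDS record taken from a kernel image's debug directory and builds the standard symbol-server download path (`<pdb name>/<GUID hex><age hex>/<pdb name>`). The sample record bytes are constructed for the example; the base URL is the public Microsoft symbol server.

```python
import struct

# Public Microsoft symbol server; the path layout below is the standard symsrv convention.
SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"


def parse_rsds(cv_record: bytes):
    """Parse a CodeView RSDS record into (pdb_name, guid_age).

    Layout: b'RSDS' | GUID (16 bytes) | age (u32 LE) | NUL-terminated PDB path.
    The GUID is stored as Data1 (u32 LE), Data2 (u16 LE), Data3 (u16 LE), Data4 (8 raw bytes).
    The symbol server identifies a build by the 32 uppercase hex digits of the GUID
    followed by the age in uppercase hex with no padding.
    """
    if len(cv_record) < 24 or cv_record[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    data1, data2, data3 = struct.unpack_from("<IHH", cv_record, 4)
    data4 = cv_record[12:20]
    (age,) = struct.unpack_from("<I", cv_record, 20)
    name_end = cv_record.find(b"\x00", 24)
    if name_end == -1:
        raise ValueError("PDB name is not NUL-terminated")
    pdb_name = cv_record[24:name_end].decode("ascii")
    guid_age = "%08X%04X%04X%s%X" % (data1, data2, data3, data4.hex().upper(), age)
    return pdb_name, guid_age


def symbol_server_url(pdb_name: str, guid_age: str, base: str = SYMBOL_SERVER) -> str:
    """Build the download URL for a PDB. Only the file name is used, even if the
    record stores a full build path such as 'C:\\\\build\\\\ntkrnlmp.pdb'."""
    basename = pdb_name.replace("/", "\\").rsplit("\\", 1)[-1]
    return "%s/%s/%s/%s" % (base, basename, guid_age, basename)


# Constructed sample record (not from a real kernel): GUID 11223344-5566-7788-99AA-BBCCDDEEFF00, age 3.
SAMPLE_RECORD = (
    b"RSDS"
    + struct.pack("<IHH", 0x11223344, 0x5566, 0x7788)
    + bytes.fromhex("99AABBCCDDEEFF00")
    + struct.pack("<I", 3)
    + b"ntkrnlmp.pdb\x00"
)


def locate_sample() -> str:
    """Resolve the constructed record to its symbol-server URL."""
    pdb_name, guid_age = parse_rsds(SAMPLE_RECORD)
    return symbol_server_url(pdb_name, guid_age)


if __name__ == "__main__":
    print(locate_sample())
```

The GUID+age string is the same identifier Rekall uses to name Windows kernel profiles, so an analyst who sees a "profile not found" message can extract the RSDS record from the kernel image embedded in an AFF4 capture, compute this string, and check whether the symbol server has the matching PDB before blaming the image.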

Linux

Added support for Xen paravirtualized guests.