Release 1.4.0 Etzel

This is the next release of the Rekall Memory Forensic framework, codenamed after the Etzel pass, not far from Zurich.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken as follows

• Windows support:
  • Windows 10 - This release supports WIndows 10 in most plugins. Although support is not complete yet, we will be working hard to make all plugins work.
  • Better support of pagefile. The address translation algorithm in Rekall has been overhauled and re-written. The new code supports describing the address translation process for increased provenance. On Windows,
    Rekall now supports mapping files into the physical address space. This allows plugins to read memory mapped files transparently (if the file data is available).
  • Better heap enumeration algorithms. Rekall supports enumerating more of the Low Fragmentation Heap (LFH).
  • All references to file names are now written with the full drive letter and path. Drive letters and path normalization is done by following the symlinks in the object tree.
• OSX and Linux support:
  • get common plugins like address resolver/dump/cc etc. This improves the workflow with these OSs.
  • Sigscan is now available for all OSs: Quickly determine if a machine matches a hex signature that supports wildcards.
• Framework
  • Rekall now has persistent stable cache. This means that re-launching Rekall on an image we analyzed in the past will suddenly be very fast. This is especially useful for plugins like pas2vas which take some time to run initially but when run subsequently this will be very fast.
  • Logging API changes. Logging is now done via the session object allowing external users of Rekall as a library to access log messages.
  • Efilter querying framework was externalized into its own project and expanded.
• Packaging
  • Rekall is now separated into three packages:
  • Rekall core contains all you need to use Rekall as a library. It does not have ipython as a dependency but if you also install ipython, the core can use it.
  • Rekall GUI is the Rekall web console GUI.
  • Rekall is now a metapackage which depends on both other packages.
• Imaging
  • Rekall gained the aff4acquire plugin in the last release but now:
  • The plugin can acquire the pagefile by itself using the Rekall NTFS parser.
  • Also acquire all the mapped files. This resolve all address translation requirements during the analysis stage as Rekall can later map all section objects to read memory mapped files.

Note: The windows binaries are also signed. Please check their signatures when downloading.

Pmem memory acquisition tools.

This preview release is an experimental release of the new pmem acquisition tools. The pmem acquisition suite has been rewritten from scratch to be an extensible and uniform set of acquisition tools with a common interface across all supported operating systems.

More information.

Release notes

Release 1.3.1 Dammastock

This is the next release of the Rekall Memory Forensic framework, codenamed after the amazing Dammastock mountain.

This release was made at the Rekall Memory Forensic Workshop at DFRWS. For the first time, we ran this workshop completely from the interactive Rekall web console. It was an astounding success, and an impressive medium to deliver an interactive workshop (Check it out here ).

Release Highlights

Memory Acquisition

The major thrust for this release was the updating of the Pmem Acquisition tools to AFF4. In addition to the stable WinPmem 1.6.2, we have made available an experimental pre-release of the WinPmem 2.0 series.

The new imagers feature:

1. A consistent interface. The same command line arguments used for all operating systems.
2. The new memory image format we have standardized on is AFF4. This allows us to store multiple streams in the image, such as the page file and additional files.
3. The pmem imagers are able to embed different files inside the final AFF4 image, such as the kernel image and miscellaneous binaries.

Note that the new imagers are still considered pre-release. Please test but continue using the old imagers for critical work.

GUI Web Console

The GUI was expanded to accommodate multiple sessions. A Rekall session is an object encapsulating all we know about a specific image. With multiple session support in the GUI, we are able to write a single web console document which runs plugins on multiple images simultaneously.

• The GUI was also adapted to allow for the export of static versions of the document, which can be hosted on a simple web server.

Windows

Rekall will now automatically fetch missing profiles from the Microsoft Symbol Server for critical modules.

• This was a huge pain point in the past - when MS updated kernels through a patch the kernel was rebuilt resulting in a new profile. By the time the Rekall team pushed the new profile to the profile repository, Rekall was non-functional, requiring users to know how to generate new profiles manually and push these to the profile repository. This is no longer the case! Now Rekall will fall back to asking the MS symbol server for profiles directly.

Linux

Added support for XEN paravirtualized guests.

Release 1.2.1 Col de la Croix

This is the next release of the Rekall Memory Forensic framework, codenamed after another awesome Swiss mountain pass - Col de la Croix

Cool things in this release:

1. Rekall can now analyse and acquire the windows pagefile (See blog post here).
2. Rekall has native NTFS support. You can even use it on the live device (Try rekall -f \\.\c:)
3. Lots of interesting new plugins:
   • ewfacquire - Rekall can now natively create and read EWF files. You can acquire an image of memory into an EWF file (Note - Writing is not compatible with Encase).
   • inspect_heap - Rekall can enumerate all usermode heap allocation (Win7x64 only right now).
   • MIPS support thanks to Karl Vogel
4. Lots of work on Entities - currently confined to OSX analysis only but please try it out!

See our release page for more details.

We also added travis-ci to Rekall and fixed lots of bugs :-)

Pre-Release 1.1.0 Buchenegg

This is the first RC from the Buchenegg series. It should be considered experimental still.

This release introduces a cool new GUI for Rekall. This GUI superceeds the
Ipython notebook interface which has been deprecated.

Rekall can now work on guest VMs through analyzing the Host's memory - either
live, or using a memory image!

Rekall release v1.0 - Albis.

Rekall Version 1.0 is now released. This release is code named Albis.

v1.0 Release Candidate 11

Rekall v1.0 Release Candidate

• This release brings mostly complete windows 8/8.1 support.
• We now also distribute a debian package file for 64 bit systems.
• Windows installers are also included.

Please test this so we can get ready for the full 1.0 release.