We host the application Rekall so that it can be run in our online workstations, either through Wine or directly.


Quick description of Rekall:

Rekall is a memory forensics framework that turns raw RAM captures (or, with its live-analysis drivers, the running system's memory) into structured artifacts investigators can query and script. It ships with a large collection of plugins that parse OS internals to recover processes, modules, sockets, registry hives, and file objects, and several of them cross-check independent kernel data sources so that objects a rootkit has unlinked from one list still show up from another. The design emphasizes repeatability: investigators run well-defined analyses that produce timelines, indicators, and reports suitable for case work or automation. Setup friction is low for common targets: for Windows images Rekall identifies the kernel build from the image itself and fetches the matching profile from its public profile repository, so the analyst rarely has to build or select one by hand. Extensibility is a core theme, with a plugin API and notebook-friendly workflows for custom hunts and triage. Used well, it compresses what would be hours of manual sleuthing into scripted passes over a consistent object model. Note that upstream development has stopped and the project's GitHub repository is archived, so verify results against a maintained tool before relying on them in casework involving recent operating system builds.

Features:
  • Rich plugin set for processes, drivers, sockets, registry, and files
  • Works with offline memory images and live response modes
  • Artifact-centric object model for repeatable investigations
  • Profile-free parsing paths for many operating systems
  • Scripting and notebook workflows for custom hunts
  • Reporting and timeline generation for DFIR casework
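The rootkit-resistance claim above rests on cross-view detection: the same process set is recovered from several independent kernel sources, and an entry that is missing from the process linked list but still present in the others is a hiding candidate. The following is an added illustration of that idea in plain Python over constructed sample views; it is not Rekall code, and the PIDs, names and the three view sources are assumptions chosen for the example.

```python
"""Cross-view process detection, as an added illustration (not Rekall code).

A memory-forensics tool can recover the process set from several
independent places: the kernel's process linked list (what a pslist-style
plugin walks), pool/heap scanning for process structures, and the set of
processes that own live threads. A rootkit that unlinks its process from
the linked list (DKOM) hides it from the first source but not the others.
The data below is constructed for this example and models three such views.
"""
from dataclasses import dataclass

# Constructed sample views (hypothetical PIDs and names), not a real capture.
# PID 2212 has threads but was unlinked from the list: a hiding candidate.
# PID 3008 survives only as a pool remnant with no threads: most likely exited.
LINKED_LIST = {4: "System", 372: "smss.exe", 520: "csrss.exe", 1480: "explorer.exe"}
POOL_SCAN = {
    4: "System", 372: "smss.exe", 520: "csrss.exe", 1480: "explorer.exe",
    2212: "svchost.exe", 3008: "csrss.exe",
}
THREAD_OWNERS = {4, 372, 520, 1480, 2212}


@dataclass(frozen=True)
class ProcessView:
    pid: int
    name: str
    in_list: bool
    in_pool: bool
    in_threads: bool


def cross_view(linked_list, pool_scan, thread_owners):
    """Merge the three views into one row per PID, psxview-style."""
    pids = set(linked_list) | set(pool_scan) | set(thread_owners)
    rows = []
    for pid in sorted(pids):
        # Prefer the name from the linked list, then the pool scan.
        name = linked_list.get(pid) or pool_scan.get(pid) or "<unknown>"
        rows.append(ProcessView(
            pid=pid, name=name,
            in_list=pid in linked_list,
            in_pool=pid in pool_scan,
            in_threads=pid in thread_owners,
        ))
    return rows


def classify(rows):
    """Split rows missing from the linked list into hidden vs. stale.

    hidden: not in the list but still owning threads -> DKOM-style hiding.
    stale:  only a pool remnant, no threads -> probably an exited process.
    """
    hidden, stale = [], []
    for row in rows:
        if row.in_list:
            continue
        if row.in_threads:
            hidden.append(row.pid)
        elif row.in_pool:
            stale.append(row.pid)
    return hidden, stale


def render(rows):
    """Return a plain-text table like a cross-view plugin would print."""
    lines = [f"{'PID':>6}  {'Name':<14} {'list':<5} {'pool':<5} {'thrd':<5}"]
    for r in rows:
        lines.append(f"{r.pid:>6}  {r.name:<14} {str(r.in_list):<5} "
                     f"{str(r.in_pool):<5} {str(r.in_threads):<5}")
    return "\n".join(lines)


if __name__ == "__main__":
    views = cross_view(LINKED_LIST, POOL_SCAN, THREAD_OWNERS)
    print(render(views))
    hidden, stale = classify(views)
    print("hidden candidates:", hidden)   # [2212]
    print("stale remnants:   ", stale)    # [3008]
```

Real plugins use more views (handle tables, session lists, CSRSS bookkeeping, and so on) and the confidence of a finding grows with the number of sources that disagree with the linked list; the "stale" bucket is the usual false-positive source, since exited processes leave pool remnants until the memory is reused.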


Programming Language: Python.
Categories:
Frameworks

©2024. Winfy. All Rights Reserved.

By OD Group OU – Registry code: 1609791 -VAT number: EE102345621.