Skip to content
This repository has been archived by the owner on Oct 18, 2020. It is now read-only.

Releases: google/rekall

Release 1.7.2 RC1

06 Dec 07:43
c73ef57
Compare
Choose a tag to compare
Release 1.7.2 RC1 Pre-release
Pre-release

This is a bugfix release. Highlights include:

  • Support new uncompressed PDB files downloaded from the MS symbol server.
  • Bugfixes for the most recent windows 10 for the most common memory plugins.

This release also comes with an OSX binary. Simply unzip somewhere and run. The binary is built with pyinstaller and should be self contained.

Release 1.7.1

06 Nov 05:37
a57e972
Compare
Choose a tag to compare

The release includes:

  • Full support for Python 3
  • A refactored and improved EFilter which should be more robust and powerful.

You can install this release with pip:

$ virtualenv -p python3 /tmp/MyEnv
Already using interpreter /usr/bin/python3
Using base prefix '/usr'
New python executable in /tmp/MyEnv/bin/python3
Also creating executable in /tmp/MyEnv/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
$ source /tmp/MyEnv/bin/activate
(MyEnv) $ pip install rekall

Rekall 1.7.0RC1 Hurricane Ridge

08 Aug 06:19
Compare
Choose a tag to compare
Pre-release

This DFRWS 2017 release of Rekall introduces the Rekall Agent - a full featured enterprise grade remote forensic framework. We also launch our new logo and website design. Read the white paper.

Watch the DFRWS 2017 Rekall Workshop page for more information.

The Rekall Agent Server software can be downloaded from its own repository.

You can install this release with pip:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install --pre rekall

Release 1.6.0 Gotthard

04 Nov 05:45
Compare
Choose a tag to compare

This is the next release of the Rekall Forensic Framework code named Gotthard. In this release we introduce the Rekall Agent - a new experimental endpoint security agent based on cloud technologies. The agent is described in the blog post.

As usual, you can install this version by first creating a virtual env and then installing using pip:

$ virtualenv  /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall

Release 1.5.3 Furka

09 Aug 22:11
Compare
Choose a tag to compare

The next point release in this Rekall series is released just in time for our DFRWS workshop. The workshop slides are probably the best reference for all the new features included in this release: http://dfrws2016.rekall-forensic.com/

Release 1.5.2 Furka

01 Jul 20:59
Compare
Choose a tag to compare

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • Rekall had obtained many live plugins for Incident Response:
    • glob, wmi, registry yara scanning of files etc. This capability makes Rekall a capable tool for incident response and triaging.
  • EFilter is now better integrated. Users can simple run SQL queries directly in the console.
  • Artifact collector allows Rekall to use the forensic artifacts project (https://github.com/ForensicArtifacts/artifacts)

As always install with pip and virtualenv:

$ virtualenv /path/to/env
$ source /path/to/env/bin/activate
$ pip install --upgrade pip setuptools wheel
$ pip install rekall

v1.5.2rc1: Release 1.5.2.rc1

01 Jun 23:42
Compare
Choose a tag to compare
Pre-release
Review URL: https://codereview.appspot.com/299220043 .

Release 1.5.1 Furka

24 May 00:48
Compare
Choose a tag to compare

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:

  • New windows plugins allowing inspection of the PFN database. This allows mapping of physical memory back to the owning process and file (if it is mapped from a file).
  • Improved scanning framework: Most scanners can now operate on specific memory regions, like process memory, kernel memory, pool memory etc. This allows scanners to be much faster because they are more targeted.

Releases are now also available here: http://releases.rekall-forensic.com/
We also make releases available in our own pypi repository. This allows us to host binary wheels which avoids the need for compilers on windows and osx at all. Visit http://pypi.rekall-forensic.com/ for directions about how to use that.

Release 1.5.0 Furka

08 Apr 05:44
Compare
Choose a tag to compare

This is the next release of the Rekall Memory Forensic framework, codenamed after the Furka Pass.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken as follows:

  • Rekall's disassembler support is now switched to Capstone. Rekall has a more accurate and expanded disassembler template system for automatic detected to reversed data.
  • Live plugin is now improved on all OSs.
  • The aff4acquire plugin is now using the new AFF4 library streaming interface. This reduces memory use and makes the acquisition very fast. The plugin now collects many useful files at acquisition time.
  • Rekall now implements a Linux profile index using /proc/kallsyms. This means that on live systems (or when AFF4 image was acquired), Rekall can immediately find the correct Linux profile and use it without requiring building of profiles in advance!
  • The pmem acquisition tools (in C++) now use the streaming AFF4 interface to control memory usage. The pmem acquisition tools can also write into structured RAW and ELF formats to support legacy memory analysis tools.
  • We are also releasing the new experimental layout_expert tool (The best paper at DFRWS). Install this via pip install rekall-layout-expert

As usual the best way to install from source is via pip:

pip install rekall

Release 1.4.1 Etzel

10 Sep 14:35
Compare
Choose a tag to compare

This is a bugfix release with few new features:

  • A new live plugin is added that allows Rekall to install kernel drivers by itself.
  • The aff4acquire plugin now uses the live plugin to just acquire the image. Acquisition is now a simple matter of:
rekall aff4acquire myimage.aff4
  • New MacPmem driver for OSX acquisition.
  • Bugfixes around Xen support should make it more reliable now.

As usual the best way to install from source is via pip:

pip install rekall