Rekall - Memory Forensic Framework

Rekall is an advanced forensic and incident response framework.

It is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts from computer systems.

It works on any platform that supports Python.

Rekall is the only memory analysis platform specifically designed to run on the same platform it is analyzing.

It is also the only open source memory analysis tool that can work with the Windows page file and mapped files. Rekall also includes a full acquisition solution (in the aff4acquire plugin) which allows the acquisition of the pagefile and all relevant mapped files (Rekall does this by executing a triaging routine during acquisition).

One of the main differences between Rekall and other memory analysis frameworks is that Rekall uses symbols obtained directly from operating system vendors' debugging information. This allows Rekall to know the position of critical operating system constants outright, whereas other frameworks rely on scanning techniques to locate them. Scanning is notoriously fragile: malware can interfere with it simply by removing the signatures a scanner looks for or by adding spurious ones.

A side effect of this feature is that writing a plugin for Rekall is much simpler: one simply asks the framework for the location of the required global constant and goes on to use it, instead of writing a new kind of scanner for each global symbol.
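A toy illustration of the contrast drawn above, added for this page and not taken from Rekall's code: a constructed memory image holds one genuine list head marked by a pool-tag-style signature, and the same image is then tampered with by planting a decoy copy of the tag or by overwriting the real one. Signature scanning is misled in both cases, while a lookup through a symbol table (standing in for vendor debugging information) is unaffected. The tag, offsets and base address are made up; `PsActiveProcessHead` is a real kernel symbol name but its offset here is hypothetical.

```python
import re
import struct

# Constructed toy "memory image": nothing here is a real Windows layout.
IMAGE_SIZE = 0x2000
KERNEL_BASE = 0x1000     # hypothetical load address of the image
TAG = b"Proc"            # hypothetical pool-tag-style signature a scanner keys on
REAL_RVA = 0x0400        # hypothetical offset of the genuine list head
DECOY_RVA = 0x0C00       # offset where a tampering actor plants a look-alike

# Stand-in for vendor debugging information: symbol name -> offset from base.
# PsActiveProcessHead is a real kernel symbol name; the offset is made up.
SYMBOLS = {"PsActiveProcessHead": REAL_RVA}


def build_image(plant_decoy=False, strip_real_tag=False):
    """Build the toy image: [4-byte tag][8-byte next pointer] at REAL_RVA,
    optionally with the tag removed or a decoy copy planted elsewhere."""
    img = bytearray(IMAGE_SIZE)
    if not strip_real_tag:
        img[REAL_RVA:REAL_RVA + 4] = TAG
    # Empty list: the head points at itself (virtual address = base + rva).
    struct.pack_into("<Q", img, REAL_RVA + 4, KERNEL_BASE + REAL_RVA)
    if plant_decoy:
        img[DECOY_RVA:DECOY_RVA + 4] = TAG
        struct.pack_into("<Q", img, DECOY_RVA + 4, 0xDEADBEEF)
    return bytes(img)


def scan_for_tag(img):
    """Signature scanning: every offset where the tag occurs. The scanner
    cannot tell the genuine structure from a decoy, and finds nothing at all
    if the tag has been overwritten."""
    return [m.start() for m in re.finditer(re.escape(TAG), img)]


def resolve_by_symbol(img, name):
    """Symbol-based lookup: go straight to the offset the debug symbols give
    and read the pointer there; signatures in the image play no role."""
    rva = SYMBOLS[name]
    return struct.unpack_from("<Q", img, rva + 4)[0]


def compare(plant_decoy=False, strip_real_tag=False):
    """Return what each approach yields for the same (possibly tampered) image."""
    img = build_image(plant_decoy, strip_real_tag)
    return {
        "scan_hits": scan_for_tag(img),
        "symbol_next": resolve_by_symbol(img, "PsActiveProcessHead"),
    }
```

Running `compare()` on the clean image gives one scan hit and the correct pointer; with a decoy planted the scanner reports two candidates, and with the real tag stripped it reports none, while the symbol lookup returns the same pointer every time.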
