Published on November 25th, 2015 | by NJ Ouchn0
Rekall The Memory Forensic Framework
The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Rekall supports investigations of the following x86 bit memory images:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 7 Service Pack 0 and 1
- Linux Kernels 2.6.24 to 3.10.
- OSX 10.6-10.8.