Rekall forensic

Cyber forensic tool


What is Rekall
• Rekall is an advanced forensic and incident response
framework. While it began life purely as a memory forensic
framework, it has now evolved into a complete platform. Rekall
implements the most advanced analysis techniques in the field,
while still being developed in the open, with a free and open
source license.
Rekall Agent

• Rekall Agent is a complete endpoint incident response and forensic
tool. The Rekall Agent extends Rekall's advanced capabilities to a
scalable, distributed environment. The Rekall Agent is easy to deploy
and scale, based on modern cloud technologies. With enterprise
grade access control and auditing features built in, the Rekall Agent is
suitable to be deployed in small to large scale enterprises to provide
unprecedented visibility of endpoint security, and collection and
preservation of volatile endpoint evidence.
A Rekall walkthrough

• Verbose
This is a shorthand for setting the logging level to DEBUG. Rekall
will produce debug messages about its operation. Use this if you
want to know more about what Rekall is doing, and to attach
output to bug reports.
• Plugin
If provided, Rekall loads this Python file at start time. The file may
define any plugins, overlays, etc., which add additional
functionality to Rekall.
Memory Analysis
• Rekall's approach to memory analysis is unique - Rekall leverages
exact debugging information provided by the operating system
vendors to precisely locate significant kernel data structures. While
other tools rely on heuristics and signatures, Rekall aims to be the
most stable and reliable memory analysis framework.
Interactive plugins

• Rekall is more than just a framework for running plugins. It is a
complete interactive environment for memory analysis. Many of
the more interesting features Rekall provides exist as part of the
interactive environment.
The Rekall Session

• Rekall uses a Session to encapsulate the analysis of a single image. The
reason Rekall is so fast is that information is cached in the session.
Normally, when running from the interactive console, the session
persists in memory and therefore the cache remains available for
subsequent modules.
Automating Rekall

• One of our main design goals is the automation of Rekall so it
can be used from external programs easily, as well as making it
easier to write custom scripts.
• This section demonstrates how to automate the framework,
both by embedding it completely inside another application, as
well as simply automating the analysis from Rekall itself.
Tutorial video link
https://youtu.be/4rXMKRi_DBg
THANK YOU