The Rekall Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
The Rekall distribution is available from: http://www.rekall-forensic.com/
Rekall should run on any platform that supports Python
Rekall supports investigations of the following x86 bit memory images:
Rekall also provides a complete memory acquisition capability for all major operating systems (see the tools directory).
Rekall is hosted on github
A quick start guide is available in the Overview.
Downloads are available at the Download Page.
Mailing lists to support users and developers of Rekall can be found at the following addresses:
You can subsribe to these groups via the Google Groups site
There is no support provided with Rekall. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
If you think you’ve found a bug, please report it at:
In order to help us solve your issues as quickly as possible, please include the following information when filing a bug: