Difference between pages "Upcoming events" and "Rekall"

From ForensicsWiki
Revision as of 04:33, 25 June 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis, Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekall's goals is to provide better integration with GRR through improved modularity of the framework and a built-in memory acquisition capability.[1]

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

In Rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap injects the pmem functionality into an existing kernel module, which avoids having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into rekall/tools/linux and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver creates a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To acquire the memory, just read from the device file, e.g.:

dd if=/dev/pmem of=image.raw

For more information see:

rekall/tools/linux/README
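As an added example that is not the Rekall project's own code and does not come from its README: a POSIX shell wrapper around the Linux procedure above (check lsmod for pmem, image /dev/pmem with dd, hash the result and verify it). The function names, the saved-lsmod file and the evidence paths are assumptions for illustration; the self-test substitutes a constructed file for /dev/pmem so it runs without root or the driver.

```shell
#!/bin/sh
# Added example, not part of the Rekall project: wraps the pmem.ko workflow
# with the checks an examiner wants before trusting an image. Device and
# output paths are parameters so the functions can be exercised against an
# ordinary file standing in for /dev/pmem (as self_test does below).

# pmem_loaded [FILE]: succeed if lsmod output (from FILE, or stdin when no
# argument is given, e.g. "lsmod | pmem_loaded") lists the pmem module.
# lsmod prints "name size usecount [users]" per line after a header, so
# matching the first field avoids false hits on modules that merely use pmem.
pmem_loaded() {
    awk '$1 == "pmem" { found = 1 } END { exit found ? 0 : 1 }' "${1:--}"
}

# acquire_pmem DEVICE OUTPUT: image DEVICE into OUTPUT with dd. Refuses an
# unreadable device (driver not loaded, not root) and an empty result, then
# records a SHA-256 of the image in OUTPUT.sha256 for later integrity checks.
acquire_pmem() {
    dev=$1
    out=$2
    if [ ! -r "$dev" ]; then
        echo "acquire_pmem: cannot read $dev (is pmem.ko loaded? are you root?)" >&2
        return 1
    fi
    dd if="$dev" of="$out" bs=1M 2>/dev/null || return 1
    if [ ! -s "$out" ]; then
        echo "acquire_pmem: $out is empty" >&2
        return 1
    fi
    sha256sum "$out" > "$out.sha256"
}

# verify_image OUTPUT: recompute the hash and compare with the recorded one.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# image_size OUTPUT: size of the acquired image in bytes, for the report.
image_size() {
    wc -c < "$1" | tr -d ' '
}

# Self-test on a constructed 64 KiB stand-in for /dev/pmem and a constructed
# lsmod listing. On a real system, as root: acquire_pmem /dev/pmem image.raw
self_test() {
    tmp=$(mktemp -d) || return 1
    printf 'Module Size Used by\npmem 16384 0\next4 700000 1\n' > "$tmp/lsmod.txt"
    pmem_loaded "$tmp/lsmod.txt" || return 1
    head -c 65536 /dev/urandom > "$tmp/fake_pmem"
    acquire_pmem "$tmp/fake_pmem" "$tmp/image.raw" || return 1
    verify_image "$tmp/image.raw" || return 1
    [ "$(image_size "$tmp/image.raw")" -eq 65536 ] || return 1
    rm -rf "$tmp"
}

self_test && echo "self-test passed"
```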

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver, Rekall ships both a pre-built (signed) binary and the source of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (this cannot be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u

For more information see:

rekall/tools/windows/README

See Also

Memory analysis
Memory Imaging
Volatility

External Links

Project site: https://code.google.com/p/rekall/
Project documentation: http://docs.rekall.googlecode.com/git/index.html
Rekall Memory Forensics blog: http://rekall-forensic.blogspot.com/
Anti-forensic resilient memory acquisition, Johannes Stüttgen and Michael Cohen, August 2013: http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html
Robust Linux memory acquisition with minimal target impact, Johannes Stüttgen and Michael Cohen, May 2014: http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html

References

[1] http://docs.rekall.googlecode.com/git/overview.html#_history