Difference between pages "Rekall" and "Template:Incident response"

From Forensics Wiki

Template:Incident response:

[[Category:Incident Response]][[:Category:Incident Response|Incident Response]]

Rekall:

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Michael Cohen]] |
  os = {{Cross-platform}} |
  genre = {{Memory analysis}}, {{Memory imaging}} |
  license = {{GPL}} |
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
}}

Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, also known as the scudette branch.

One of Rekall's goals is better integration with [[GRR]], achieved by making the framework more modular and giving it memory acquisition capability.

== Memory acquisition drivers ==

The drivers can be found under:
<pre>
rekall/tools/linux
rekall/tools/osx
rekall/tools/windows
</pre>

=== Linux ===

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into the Linux driver directory and run make:
<pre>
cd rekall/tools/linux/
make
</pre>

The acquisition driver is named pmem.ko.

To load the driver:
<pre>
sudo insmod pmem.ko
</pre>

To check that the driver is loaded:
<pre>
sudo lsmod
</pre>

The driver creates a device file named:
<pre>
/dev/pmem
</pre>

To unload the driver:
<pre>
sudo rmmod pmem
</pre>

To acquire memory, read from the device file, e.g.:
<pre>
dd if=/dev/pmem of=image.raw
</pre>
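The Linux steps above (load, check with lsmod, read /dev/pmem, unload), wrapped in a small POSIX shell helper. This is an added example, not code from the Forensics Wiki page or the Rekall project; it assumes the module name pmem and the device /dev/pmem given above, and adds the module check and image hash an examiner wants recorded alongside the acquisition.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Rekall project).
# Assumptions: pmem.ko was built in rekall/tools/linux as described above;
# the module is named "pmem" and exposes /dev/pmem (both from the page).

# Return 0 if the pmem module appears in a /proc/modules-style listing ($1),
# which is the same data `lsmod` prints; each line begins with the module name.
pmem_loaded() {
    grep -q '^pmem ' "$1"
}

# Acquire physical memory from device $1 into image $2, then record the
# SHA-256 of the image next to it so later analysis can verify its integrity.
acquire_pmem() {
    dev=$1
    img=$2
    if [ ! -r "$dev" ]; then
        echo "device $dev is not readable; is pmem.ko loaded?" >&2
        return 1
    fi
    # Same read as `dd if=/dev/pmem of=image.raw`, with a larger block size.
    dd if="$dev" of="$img" bs=1M || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$img" > "$img.sha256"
    else
        shasum -a 256 "$img" > "$img.sha256"   # macOS / BSD fallback
    fi
}

# The complete procedure from the section above: load the module if it is
# not already loaded, acquire into $2, then unload. Needs root; call it
# explicitly, e.g. acquire_linux_memory rekall/tools/linux/pmem.ko image.raw
acquire_linux_memory() {
    ko=$1
    img=$2
    pmem_loaded /proc/modules || sudo insmod "$ko" || return 1
    acquire_pmem /dev/pmem "$img" || return 1
    sudo rmmod pmem
}
```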
For more information see:
<pre>
rekall/tools/linux/README
</pre>

=== Mac OS X ===

For more information see:
<pre>
rekall/tools/osx/OSXPMem/README
</pre>

=== Windows ===
Since recent versions of Windows require a signed driver, Rekall comes with both a pre-built (signed binary) and a source version of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:
<pre>
rekall/tools/windows/winpmem/binaries
</pre>

E.g.
<pre>
rekall/tools/winpmem/binaries/amd64/winpmem.sys
</pre>

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
<pre>
rekall/tools/winpmem/executables/Release/
</pre>

To load the driver:
<pre>
winpmem.exe -l
</pre>

The device file name (which cannot be changed without recompiling) is:
<pre>
\\.\pmem
</pre>

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead, because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:
<pre>
winpmem.exe image.raw
</pre>

To unload the driver:
<pre>
winpmem.exe -u
</pre>

For more information see:
<pre>
rekall/tools/windows/README
</pre>

== See Also ==
* [[Volatility]]

== External Links ==
* [https://code.google.com/p/rekall/ Project site]
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]

Latest revision as of 14:25, 12 January 2014