
Description
A Python memory analysis framework that can be difficult to install and set up.
| Platform | Python |
| Author | Rekall Forensics |
| License | GPLv2 |
| URL | http://www.rekall-forensic.com/ |
Usage
usage: rekal [-p PROFILE] [-v] [-q] [--debug] [--output_style {concise,full}]
             [--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
             [--pager PAGER] [--paging_limit PAGING_LIMIT]
             [--colors {auto,yes,no}] [-F {text,json,wide,test,data}]
             [--plugin [PLUGIN [PLUGIN ...]]] [-h]
             [--cache {file,memory,timed}]
             [--repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]]
             [-f FILENAME] [--buffer_size BUFFER_SIZE] [--output OUTPUT]
             [--max_collector_cost MAX_COLLECTOR_COST] [--home HOME]
             [--logging_format LOGGING_FORMAT]
             [--performance {normal,fast,thorough}] [--dtb DTB]
             [-o FILE_OFFSET] [--ept EPT [EPT ...]] [--timezone TIMEZONE]
             [--cache_dir CACHE_DIR]
             [--name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]]
             [--autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED [AUTODETECT_BUILD_LOCAL_TRACKED ...]]]
             [--pagefile [PAGEFILE [PAGEFILE ...]]]
             [--autodetect {linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} [{linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]]
             [--autodetect_threshold AUTODETECT_THRESHOLD]
             [--autodetect_build_local {full,basic,none}]
             [--autodetect_scan_length AUTODETECT_SCAN_LENGTH] [--live]
             [--version] [-]
Examples
rekal -f <image> pslist
The following output is from running the pslist plugin inside rekall:
root@siftworkstation:~# rekal -f win7-32-nromanoff-memory-raw.001 pslist
2021-07-25 21:43:58,349:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-07-25 21:43:58,349:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
2021-07-25 21:43:58,422:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
2021-07-25 21:43:58,423:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
_EPROCESS  Name                   PID   PPID   Thds     Hnds   Sess  Wow64 Start                    Exit
---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0x85c50958 System                   4      0    105      532      -  False 2012-04-04 11:47:29Z     -
0x8824cd40 naPrdMgr.exe           200    704      8      252      0  False 2012-04-04 11:48:15Z     -
0x860f2578 cmd.exe                208   1208      1       31      2  False 2012-04-04 18:43:24Z     -
0x86ecaa70 smss.exe               280      4      3       32      -  False 2012-04-04 11:47:29Z     -
0x8622b4b8 explorer.exe           296   2392     22      853      2  False 2012-04-04 14:45:45Z     -
0x88263648 mcshield.exe           332    564     28      459      0  False 2012-04-04 11:48:15Z     -
0x86cfa540 csrss.exe              412    404      9      756      0  False 2012-04-04 11:47:41Z     -
0x8827d9f0 mfefire.exe            456    564      7      108      0  False 2012-04-04 11:48:23Z     -
0x87d85d40 wininit.exe            464    404      3       74      0  False 2012-04-04 11:47:44Z     -
0x86e7f030 csrss.exe              472    456      9       75      1  False 2012-04-04 11:47:44Z     -
0x87d8fd40 winlogon.exe           520    456      3       91      1  False 2012-04-04 11:47:44Z     -
0x87f68030 services.exe           564    464      7      243      0  False 2012-04-04 11:47:45Z     -
0x87f79600 lsass.exe              592    464      8      888      0  False 2012-04-04 11:47:46Z     -
0x87f8c030 lsm.exe                600    464     10      248      0  False 2012-04-04 11:47:46Z     -
0x87fc5590 svchost.exe            704    564     11      358      0  False 2012-04-04 11:47:48Z     -
0x87fee6d0 svchost.exe            780    564      6      277      0  False 2012-04-04 11:47:51Z     -
0x88000d40 svchost.exe            820    564     18      469      0  False 2012-04-04 11:47:51Z     -
0x8800e178 LogonUI.exe            880    520      7      197      1  False 2012-04-04 11:47:51Z     -
0x88295900 VMUpgradeHelpe         888    564      4       87      0  False 2012-04-04 11:48:24Z     -
0x880308e8 svchost.exe            920    564     18      495      0  False 2012-04-04 11:47:51Z     -
0x88047a58 svchost.exe            944    564     31     1213      0  False 2012-04-04 11:47:52Z     -
0x880462b8 svchost.exe           1032    564     17      394      0  False 2012-04-04 11:47:52Z     -
0x85dbcb48 taskhost.exe          1108    564      9      290      2  False 2012-04-04 14:45:43Z     -
0x880a0758 svchost.exe           1184    564     20      634      0  False 2012-04-04 11:48:00Z     -
0x8654c4a8 spinlock.exe          1208   3796      0        -      2  False 2012-04-04 15:48:18Z     2012-04-04 18:43:25Z
0x88070d40 spoolsv.exe           1308    564     13      328      0  False 2012-04-04 11:48:03Z     -
0x86383c18 spinlock.exe          1328   2956      2      128      0  False 2012-04-04 18:54:51Z     -
0x880e7030 svchost.exe           1344    564     17      295      0  False 2012-04-04 11:48:03Z     -
0x88120658 armsvc.exe            1456    564      4       61      0  False 2012-04-04 11:48:04Z     -
0x88145b38 FireSvc.exe           1516    564     22      355      0  False 2012-04-04 11:48:05Z     -
0x881b8030 McSACore.exe          1604    564     11      199      0  False 2012-04-04 11:48:08Z     -
0x881b4900 FireTray.exe          1624   1516      0        -      0  False 2012-04-04 11:48:09Z     2012-04-04 11:48:10Z
0x881dd770 FrameworkServi        1740    564     31      426      0  False 2012-04-04 11:48:10Z     -
0x8820bd40 VsTskMgr.exe          1796    564     21      365      0  False 2012-04-04 11:48:11Z     -
0x88227358 mfevtps.exe           1824    564      5      171      0  False 2012-04-04 11:48:12Z     -
0x8821a660 mfeann.exe            1872   1796     14      181      0  False 2012-04-04 11:48:12Z     -
0x88220d40 conhost.exe           1880    412      2       30      0  False 2012-04-04 11:48:12Z     -
0x88235cf8 VMwareService.        1964    564      7      192      0  False 2012-04-04 11:48:14Z     -
0x864e57c8 PSEXESVC.EXE          2100    564      6      104      0  False 2012-04-04 18:52:11Z     -
0x862709a0 csrss.exe             2132   3112      9      271      2  False 2012-04-04 14:45:30Z     -
0x861bb8f0 rdpclip.exe           2408   1184      4       88      2  False 2012-04-04 14:45:43Z     -
0x86136a60 conhost.exe           2840   2132      2       28      2  False 2012-04-04 18:43:25Z     -
0x863c8030 McTray.exe            2864   2944     23      341      2  False 2012-04-04 14:49:35Z     -
0x86272d40 UdaterUI.exe          2944   1740      6      109      2  False 2012-04-04 14:49:35Z     -
0x862bb290 spinlock.exe          2956   2100      1       26      0  False 2012-04-04 18:54:51Z     -
0x8842a4b8 svchost.exe           2980    564     12      198      0  False 2012-04-04 11:50:42Z     -
0x885561f8 SearchIndexer.        3092    564     14      992      0  False 2012-04-04 11:50:46Z     -
0x85f98728 a.exe                 3264   3440      0        -      2  False 2012-04-04 14:57:52Z     2012-04-04 18:40:58Z
0x86a1c8b8 conhost.exe           3408    412      2       31      0  False 2012-04-06 14:03:11Z     -
0x861d93a0 cmd.exe               3472   3264      0        -      2  False 2012-04-04 15:47:47Z     2012-04-04 15:49:07Z
0x862a4d40 svchost.exe           3612   2100      0        -      0  False 2012-04-04 18:52:11Z     2012-04-05 13:25:07Z
0x861d4520 VMwareTray.exe        3780    296      5       65      2  False 2012-04-04 14:45:46Z     -
0x862bfa40 spinlock.exe          3796   3472      0        -      2  False 2012-04-04 15:48:18Z     2012-04-04 18:43:25Z
0x861b6518 VMwareUser.exe        3804    296      3       77      2  False 2012-04-04 14:45:46Z     -
0x8617bd40 winlogon.exe          3836   3112      3      112      2  False 2012-04-04 14:45:30Z     -
0x8625b030 dwm.exe               3924    920      3       67      2  False 2012-04-04 14:45:44Z     -
0x85e24030 OSPPSVC.EXE           4040    564      3      134      0  False 2012-04-04 15:42:01Z     -
0x86d2b578 a.exe                 5008   4212      0        -      0  False 2012-04-06 13:19:34Z     2012-04-06 16:58:26Z
0x85dde298 svchost.exe           5176    564      5       90      0  False 2012-04-06 20:34:44Z     -
0x862f9a58 cmd.exe               5192   5008      1       28      0  False 2012-04-06 14:03:11Z     -
0x8649d880 svchost.exe           6404   2100      8      256      0  False 2012-04-06 19:22:20Z     -
0x86eeb430 f-response-ent        7776    564      8       75      0  False 2012-04-06 20:34:42Z     -
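A pslist listing like the one above is usually triaged by rebuilding the parent/child tree and checking a few expectations about core Windows processes. The script below is an added example, not code from this page or from Rekall: it parses rekal's pslist text output, draws the tree, and reports processes whose parent is unexpected (for example svchost.exe not started by services.exe), whose parent is no longer in the listing, or whose exit time is set while the _EPROCESS is still resident. The EXPECTED_PARENT map is this example's own Windows 7 heuristic, and the embedded sample is a subset of the rows shown above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: a subset of the pslist output shown above (one log line, the
# header and separator, and eleven process rows), embedded so this runs offline.
# Column spacing does not matter to the parser; only the field order does.
SAMPLE_PSLIST = """\
2021-07-25 21:43:58,422:WARNING:rekall.1:Unable to parse profile section $CONSTANT_TYPES
_EPROCESS Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0x85c50958 System 4 0 105 532 - False 2012-04-04 11:47:29Z -
0x86ecaa70 smss.exe 280 4 3 32 - False 2012-04-04 11:47:29Z -
0x86cfa540 csrss.exe 412 404 9 756 0 False 2012-04-04 11:47:41Z -
0x87d85d40 wininit.exe 464 404 3 74 0 False 2012-04-04 11:47:44Z -
0x87f68030 services.exe 564 464 7 243 0 False 2012-04-04 11:47:45Z -
0x87fc5590 svchost.exe 704 564 11 358 0 False 2012-04-04 11:47:48Z -
0x864e57c8 PSEXESVC.EXE 2100 564 6 104 0 False 2012-04-04 18:52:11Z -
0x862a4d40 svchost.exe 3612 2100 0 - 0 False 2012-04-04 18:52:11Z 2012-04-05 13:25:07Z
0x8649d880 svchost.exe 6404 2100 8 256 0 False 2012-04-06 19:22:20Z -
0x85f98728 a.exe 3264 3440 0 - 2 False 2012-04-04 14:57:52Z 2012-04-04 18:40:58Z
0x861d93a0 cmd.exe 3472 3264 0 - 2 False 2012-04-04 15:47:47Z 2012-04-04 15:49:07Z
"""


@dataclass
class Process:
    eprocess: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: Optional[int]   # "-" in the listing becomes None
    session: Optional[int]
    wow64: bool
    start: str
    exit: Optional[str]      # "-" (still running) becomes None


# One pslist row: address, name, five numeric columns ("-" allowed for Hnds and
# Sess), Wow64 flag, start timestamp and exit timestamp or "-".
ROW_RE = re.compile(
    r"^(?P<eprocess>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-)\s+(?P<sess>\d+|-)\s+(?P<wow64>True|False)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z|-)\s+"
    r"(?P<exit>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z|-)\s*$"
)

# Expected parent image for core Windows 7 processes (this example's own triage
# heuristic, compared case-insensitively; rekal itself reports nothing of the sort).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "lsm.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
    "taskhost.exe": "services.exe",
}


def _opt_int(token: str) -> Optional[int]:
    return None if token == "-" else int(token)


def parse_pslist(text: str) -> List[Process]:
    """Parse rekal pslist text output; log lines, header and separator are skipped."""
    procs: List[Process] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        procs.append(Process(
            eprocess=m["eprocess"], name=m["name"], pid=int(m["pid"]), ppid=int(m["ppid"]),
            threads=int(m["thds"]), handles=_opt_int(m["hnds"]), session=_opt_int(m["sess"]),
            wow64=m["wow64"] == "True", start=m["start"],
            exit=None if m["exit"] == "-" else m["exit"],
        ))
    return procs


def find_anomalies(procs: List[Process]) -> List[str]:
    """Triage heuristics over the parsed listing; each finding is one string."""
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    findings: List[str] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        expected = EXPECTED_PARENT.get(p.name.lower())
        if parent is None and p.ppid != 0:
            # Parent reaped or absent: normal for csrss/wininit (their smss instance
            # exits after spawning them), worth a second look for anything else.
            findings.append(f"{p.name} ({p.pid}): parent PID {p.ppid} not in listing")
        elif expected is not None and parent is not None and parent.name.lower() != expected:
            findings.append(f"{p.name} ({p.pid}): parent is {parent.name} ({parent.pid}), expected {expected}")
        if p.exit is not None:
            # Terminated, but the _EPROCESS is still resident so rekal still lists it.
            findings.append(f"{p.name} ({p.pid}): exited {p.exit}, _EPROCESS still resident")
    return findings


def render_tree(procs: List[Process]) -> List[str]:
    """Indent each process under its parent; processes whose parent is absent become roots."""
    by_pid = {p.pid: p for p in procs}
    children: Dict[Optional[int], List[Process]] = defaultdict(list)
    for p in procs:
        children[p.ppid if p.ppid in by_pid else None].append(p)
    lines: List[str] = []
    seen = set()  # guards against PID-reuse cycles in real listings

    def walk(key: Optional[int], depth: int) -> None:
        for p in sorted(children[key], key=lambda x: x.pid):
            if p.pid in seen:
                continue
            seen.add(p.pid)
            tag = " [exited]" if p.exit else ""
            lines.append(f"{'  ' * depth}{p.name} ({p.pid}){tag}")
            walk(p.pid, depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    for finding in find_anomalies(procs):
        print("FINDING:", finding)
```

Run against the full listing (save rekal's output to a file and pass its contents to parse_pslist), the parent check singles out the two svchost.exe instances spawned by PSEXESVC.EXE rather than services.exe, which is the kind of lead a memory analyst then follows up with dlllist, handles or malfind on those PIDs.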
rekal -f <image> messagehooks
The messagehooks plugin lists the Windows message hooks installed in the image (the kind registered with SetWindowsHookEx), which makes it useful for identifying user-mode keyloggers, since these typically register a WH_KEYBOARD_LL or WH_KEYBOARD hook:
root@siftworkstation:~# rekal -f ./Post_Malware.raw messagehooks
2021-08-05 01:11:02,745:WARNING:rekall.1:Inventory for repository "http://profiles.rekall-forensic.com" seems malformed. Are you behind a captive portal or proxy? If this is a custom repository, did you forget to create an inventory? You must use the tools/profiles/build_profile_repo.py tool with the --inventory flag.
2021-08-05 01:11:02,746:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
tagHOOK(V)     Sess Owner                          Thread                         Filter          Flags      Function       Module
-------------- ---- ------------------------------ ------------------------------ --------------- ---------- -------------- ------
0xf900c06011d0    0 wininit.exe (388)              <any>                          WH_CALLWNDPROC             0x12d8         C:\Windows\system32\wls0wndh.dll
0xf900c0620ce0    1 SysNative.exe (2676)           <any>                          WH_KEYBOARD_LL             0xf013c0       sysnative+0x13c0
0xf900c06254f0    1 conhost.exe (352)              2016 (conhost.exe 352)         WH_MSGFILTER               0xff350ed0     conhost!DialogHookProc
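The listing above has to be read hook by hook: the filter type says what the hook sees, the Thread column says whether it is global (`<any>`) or bound to one thread, and the Module column says where rekal resolved the hook procedure to. The script below is an added example, not code from this page or from Rekall: it parses messagehooks text output and reports keystroke-capturing hooks, hook procedures that resolved only to a module plus offset (no exported symbol, as with sysnative+0x13c0 above), hook DLLs outside the Windows directory, and global hooks whose DLL is mapped into other processes. The severity labels and the assumption that the system drive is C: are this example's own; the embedded sample is the three rows shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: the three messagehooks rows shown above, with a log line and the
# header, embedded as a raw string (so the backslashes survive) to run offline.
SAMPLE_HOOKS = r"""
2021-08-05 01:11:02,746:WARNING:rekall.1:Repository http://profiles.rekall-forensic.com will be disabled.
tagHOOK(V) Sess Owner Thread Filter Flags Function Module
-------------- ---- ------------------------------ ------------------------------ --------------- ---------- -------------- ------
0xf900c06011d0 0 wininit.exe (388) <any> WH_CALLWNDPROC 0x12d8 C:\Windows\system32\wls0wndh.dll
0xf900c0620ce0 1 SysNative.exe (2676) <any> WH_KEYBOARD_LL 0xf013c0 sysnative+0x13c0
0xf900c06254f0 1 conhost.exe (352) 2016 (conhost.exe 352) WH_MSGFILTER 0xff350ed0 conhost!DialogHookProc
"""


@dataclass
class Hook:
    address: str
    session: int
    owner: str       # "image (pid)" of the process that installed the hook
    thread: str      # "<any>" for a global hook, otherwise "tid (image pid)"
    filter: str      # WH_* hook type
    flags: str       # empty when rekal prints no flags, as in the rows above
    function: str
    module: str      # DLL path, module!symbol or module+offset, as rekal resolved it

    @property
    def is_global(self) -> bool:
        return self.thread == "<any>"


# One messagehooks row. Flags may be absent, so that group is matched lazily and
# the Function column is recognised by its 0x prefix.
HOOK_RE = re.compile(
    r"^(?P<address>0x[0-9a-fA-F]+)\s+(?P<session>\d+)\s+(?P<owner>\S+ \(\d+\))\s+"
    r"(?P<thread><any>|\d+ \(\S+ \d+\))\s+(?P<filter>WH_[A-Z_]+)\s+"
    r"(?P<flags>(?:\S+\s+)*?)(?P<function>0x[0-9a-fA-F]+)\s+(?P<module>.+?)\s*$"
)

# Hook types whose callback receives keystrokes (WH_GETMESSAGE can too, but it is
# far noisier, so this example leaves it out).
KEYSTROKE_FILTERS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}
WINDOWS_DIR = "c:\\windows\\"   # assumption: system drive is C:


def parse_messagehooks(text: str) -> List[Hook]:
    """Parse rekal messagehooks text output; non-row lines are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["address"], int(m["session"]), m["owner"], m["thread"],
                              m["filter"], m["flags"].strip(), m["function"], m["module"]))
    return hooks


def analyse_hooks(hooks: List[Hook]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; the severity labels are this example's own."""
    findings: List[Tuple[str, str]] = []
    for h in hooks:
        where = f"{h.filter} installed by {h.owner} in session {h.session}, procedure {h.module}"
        if h.filter in KEYSTROKE_FILTERS:
            scope = "every thread in the session" if h.is_global else f"thread {h.thread}"
            findings.append(("high", f"keystroke-capturing hook on {scope}: {where}"))
        if "+0x" in h.module:
            # rekal found a module but no exported symbol at that offset.
            findings.append(("medium", f"hook procedure has no resolved symbol: {where}"))
        if "\\" in h.module and not h.module.lower().startswith(WINDOWS_DIR):
            findings.append(("medium", f"hook DLL outside the Windows directory: {where}"))
        if h.is_global and not h.filter.endswith("_LL") and "\\" in h.module:
            # A global (non low-level) hook procedure lives in a DLL that Windows maps
            # into each process the hook fires in; low-level hooks instead run in the
            # installing process, so they do not inject anything.
            findings.append(("info", f"global hook DLL is mapped into other processes: {where}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyse_hooks(parse_messagehooks(SAMPLE_HOOKS)):
        print(f"[{severity}] {message}")
```

On the sample rows only the WH_KEYBOARD_LL hook owned by SysNative.exe (2676) is rated high; the wininit.exe hook is reported as informational because its DLL sits under C:\Windows\system32, and the conhost.exe hook is thread-specific with a resolved symbol, so it produces nothing. The next step for a hit is to carve the owning process (dlllist, vad or procdump in rekal) to see what the hook procedure does.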
Blog Posts