Download
Rekall is a powerful memory forensics framework that turns raw RAM captures—or live system state—into structured artifacts investigators can query and script. It ships with a large collection of plugins that parse OS internals to recover processes, modules, sockets, registry hives, and file objects, even when rootkits try to hide them. The design emphasizes repeatability: investigators run well-defined analyses that produce timelines, indicators, and reports suitable for case work or automation. Rekall supports profile-free operation for many targets, reducing setup friction and making it easier to handle varied images in the field. Extensibility is a core theme, with a plugin API and notebook-friendly workflows for custom hunts and triage. Used well, it compresses what would be hours of manual sleuthing into scripted passes over a consistent object model.
Features
- Rich plugin set for processes, drivers, sockets, registry, and files
- Works with offline memory images and live response modes
- Artifact-centric object model for repeatable investigations
- Profile-free parsing paths for many operating systems
- Scripting and notebook workflows for custom hunts
- Reporting and timeline generation for DFIR casework
Project Samples
