Rekall

This is the next point release in the 1.5 (Furka) series.

Some highlights of this release:
- New windows plugins allowing inspection of the PFN database. This allows mapping of physical memory back to the owning process and file (if it is mapped from a file).
- Improved scanning framework: Most scanners can now operate on specific memory regions, like process memory, kernel memory, pool memory etc. This allows scanners to be much faster because they are more targeted.

Releases are now also available here: http://releases.rekall-forensic.com/
We also make releases available in our own pypi repository. This allows us to host binary wheels which avoids the need for compilers on windows and osx at all. Visit http://pypi.rekall-forensic.com/ for directions about how to use that.

This is the next release of the Rekall Memory Forensic framework, codenamed after the [Furka Pass](https://en.wikipedia.org/wiki/Furka_Pass).

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken as follows:
- Rekall's disassembler support is now switched to Capstone. Rekall has a more accurate and expanded disassembler template system for automatic detected to reversed data.
- Live plugin is now improved on all OSs.
- The aff4acquire plugin is now using the new AFF4 library streaming interface. This reduces memory use and makes the acquisition very fast. The plugin now collects many useful files at acquisition time.
- Rekall now implements a Linux profile index using /proc/kallsyms. This means that on live systems (or when AFF4 image was acquired), Rekall can immediately find the correct Linux profile and use it without requiring building of profiles in advance!
- The pmem acquisition tools (in C++) now use the streaming AFF4 interface to control memory usage. The pmem acquisition tools can also write into structured RAW and ELF formats to support legacy memory analysis tools.
- We are also releasing the new experimental layout_expert tool (The best [paper](http://dfrws.org/2016eu/proceedings/DFRWS-EU-2016-2.pdf) at [DFRWS](http://dfrws.org/2016eu)). Install this via `pip install rekall-layout-expert`

As usual the best way to install from source is via pip:


pip install rekall

This is a bugfix release with few new features:
- A new _live_ plugin is added that allows Rekall to install kernel drivers by itself.
- The aff4acquire plugin now uses the live plugin to just acquire the image. Acquisition is now a simple matter of:


rekall aff4acquire myimage.aff4

- New MacPmem driver for OSX acquisition.
- Bugfixes around Xen support should make it more reliable now.

As usual the best way to install from source is via pip:


pip install rekall

This is the next release of the Rekall Memory Forensic framework, codenamed after the [Etzel pass](https://en.wikipedia.org/wiki/Etzel_Pass), not far from Zurich.

I am excited to announce the new Rekall release is out. This release introduces a lot of revolutionary features. The new feature list is broken as follows
- Windows support:
- Windows 10 - This release supports WIndows 10 in most plugins. Although support is not complete yet, we will be working hard to make all plugins work.
- Better support of pagefile. The address translation algorithm in Rekall has been overhauled and re-written. The new code supports describing the address translation process for increased provenance. On Windows,
Rekall now supports mapping files into the physical address space. This allows plugins to read memory mapped files transparently (if the file data is available).
- Better heap enumeration algorithms. Rekall supports enumerating more of the Low Fragmentation Heap (LFH).
- All references to file names are now written with the full drive letter and path. Drive letters and path normalization is done by following the symlinks in the object tree.
- OSX and Linux support:
- get common plugins like address resolver/dump/cc etc. This improves the workflow with these OSs.
- Sigscan is now available for all OSs: Quickly determine if a machine matches a hex signature that supports wildcards.
- Framework
- Rekall now has persistent stable cache. This means that re-launching Rekall on an image we analyzed in the past will suddenly be very fast. This is especially useful for plugins like pas2vas which take some time to run initially but when run subsequently this will be very fast.
- Logging API changes. Logging is now done via the session object allowing external users of Rekall as a library to access log messages.
- Efilter querying framework was externalized into its own project and expanded.
- Packaging
- Rekall is now separated into three packages:
- Rekall core contains all you need to use Rekall as a library. It does not have ipython as a dependency but if you also install ipython, the core can use it.
- Rekall GUI is the Rekall web console GUI.
- Rekall is now a metapackage which depends on both other packages.
- Imaging
- Rekall gained the aff4acquire plugin in the last release but now:
- The plugin can acquire the pagefile by itself using the Rekall NTFS parser.
- Also acquire all the mapped files. This resolve all address translation requirements during the analysis stage as Rekall can later map all section objects to read memory mapped files.

Note: The windows binaries are also signed. Please check their signatures when downloading.

This preview release is an experimental release of the new pmem acquisition tools. The pmem acquisition suite has been rewritten from scratch to be an extensible and uniform set of acquisition tools with a common interface across all supported operating systems.

[More information](http://rekall-forensic.blogspot.ch/2015/04/the-pmem-memory-acquisition-suite.html).

[Release notes](http://www.rekall-forensic.com/Releases/releases-1.3.1.html)