Rekall

Latest version: v1.7.1


1.3.1

Not secure
This is the next release of the Rekall Memory Forensic framework, codenamed after the amazing [Dammastock mountain](http://en.wikipedia.org/wiki/Dammastock).

This release was made at the Rekall Memory Forensic Workshop at DFRWS. For the first time, we ran this workshop completely from the interactive Rekall web console. It was an astounding success and an impressive medium for delivering an interactive workshop (check it out [here](http://memory-analysis.rekall-forensic.com)).

Release Highlights

Memory Acquisition

The major thrust for this release was the updating of the Pmem Acquisition tools to [AFF4](http://www.aff4.org). In addition to the stable WinPmem 1.6.2, we have made available an experimental pre-release of the WinPmem 2.0 series.

The new imagers feature:
1. A consistent interface. The same command line arguments are used for all operating systems.
2. The new memory image format we have standardized on is AFF4. This allows us to store multiple streams in the image, such as the page file and additional files.
3. The pmem imagers are able to embed different files inside the final AFF4 image, such as the kernel image and miscellaneous binaries.

Note that the new imagers are still considered pre-release. Please test but continue using the old imagers for critical work.

GUI Web Console

The GUI was expanded to accommodate multiple sessions. A Rekall session is an object encapsulating all we know about a specific image. With multiple session support in the GUI, we are able to write a single web console document which runs plugins on multiple images simultaneously.

The GUI was also adapted to allow for the export of static versions of the document, which can be hosted on a simple web server.

Windows

Rekall will now automatically fetch missing profiles from the Microsoft Symbol Server for critical modules.

This was a huge pain point in the past: when MS updated kernels through a patch, the kernel was rebuilt, resulting in a new profile. Until the Rekall team pushed the new profile to the profile repository, Rekall was non-functional, requiring users to know how to generate new profiles manually and push these to the profile repository. This is no longer the case! Now Rekall will fall back to asking the MS symbol server for profiles directly.

Linux

Added support for Xen paravirtualized guests.

1.2.1

This is the next release of the Rekall Memory Forensic framework, codenamed after another awesome Swiss mountain pass, [Col de la Croix](https://www.flickr.com/photos/arumpf/sets/72157633251701036/).

Cool things in this release:
1. Rekall can now analyse and acquire the Windows pagefile (see the blog post [here](http://rekall-forensic.blogspot.ch/2014/10/windows-virtual-address-translation-and.html)).
2. Rekall has native NTFS support. You can even use it on the live device (try `rekall -f \\.\c:`).
3. Lots of interesting new plugins:
- ewfacquire - Rekall can now natively create and read EWF files. You can acquire an image of memory into an EWF file (note: writing is not compatible with Encase).
- inspect_heap - Rekall can enumerate all usermode heap allocations (Win7 x64 only right now).
- MIPS support, thanks to Karl Vogel.
4. Lots of work on Entities. Currently confined to OS X analysis only, but please try it out!

See [our release page](http://www.rekall-forensic.com/releases.html) for more details.

We also added travis-ci to Rekall and fixed lots of bugs :-)

1.1.0

This is the first RC from the Buchenegg series. It should be considered experimental still.

This release introduces a cool new GUI for Rekall. This GUI supersedes the IPython notebook interface, which has been deprecated.

Rekall can now work on guest VMs by analyzing the host's memory, either live or using a memory image!

1.0.2

Not secure

Rekall Version 1.0 is now released. This release is code named [Albis](http://en.wikipedia.org/wiki/Albis).

1.0

Not secure

- This release brings mostly complete Windows 8/8.1 support.
- We now also distribute a Debian package file for 64-bit systems.
- Windows installers are also included.

Please test this so we can get ready for the full 1.0 release.

1.0rc11

Not secure