NAME

rekall - memory forensics framework

SYNOPSIS

rekall [options]

DESCRIPTION

Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.

Rekall supports investigations of the following 32bit and 64bit memory images:

Microsoft Windows XP Service Pack 2 and 3
Microsoft Windows 7 Service Pack 0 and 1
Microsoft Windows 8 and 8.1
Microsoft Windows 10
Linux Kernels 2.6.24 to 4.4.
OSX 10.7-10.12.x.

optional arguments:

-: A do nothing arg. Useful to separate options which take multiple args from positional. Can be specified many times.

Output control:

-v, --verbose: Set logging to debug level.
-q, --quiet: Turn off logging to stderr.
--debug: If set we break into the debugger on error conditions.
--output_style {concise,full}: How much information to show. Default is 'concise'.
--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}: The default logging level.
--log_domain [{PageTranslation} [{PageTranslation} ...]]: Add debug logging to these components.
--plugin [PLUGIN [PLUGIN ...]]: Load user provided plugin bundle.
-h, --help: Show help about global parameters.
--cache CACHE: Type of cache to use.
--repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]: Path to search for profiles. This can take any form supported by the IO Manager (e.g. zip files, directories, URLs etc)
-f FILENAME, --filename FILENAME: The raw image to load.
--buffer_size BUFFER_SIZE: The maximum size of buffers we are allowed to read. This is used to control Rekall memory usage.
--output OUTPUT: If specified we write output to this file.
--max_collector_cost MAX_COLLECTOR_COST: If specified, collectors with higher cost will not be used.
--home HOME: An alternative home directory path. If not set we use $HOME.
--logging_format LOGGING_FORMAT: The format string to pass to the logging module.
--performance {normal,fast,thorough}: Tune Rekall's choice of algorithms, depending on performance priority.
--live LIVE: Enable live memory analysis.
-o FILE_OFFSET, --file_offset FILE_OFFSET: A Relative offset for image file.
--cache_dir CACHE_DIR: Location of the profile cache directory.
--highlighting_style {manni, igor, lovelace, xcode, vim, autumn, vs, rrt, native, perldoc, borland, tango, emacs, friendly, monokai, paraiso-dark, colorful, murphy, bw, pastie, algol_nu, paraiso-light, trac, default, algol, fruity}: Highlighting style for interactive console.
--pagefile [PAGEFILE [PAGEFILE ...]]: A pagefile to load into the image.
--version: Prints the Rekall version and exits.

Interface:

--pager PAGER: The pager to use when output is larger than a screen full.
--paging_limit PAGING_LIMIT: The number of output lines before we invoke the pager.
--colors {auto,yes,no}: Color control. If set to auto only output colors when connected to a terminal.
-F FORMAT, --format FORMAT: The output format to use. Default (text)
--timezone TIMEZONE: Timezone to output all times (e.g. Australia/Sydney).

--name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]

Autodetection Overrides:

--dtb DTB: The DTB physical address.
--autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED [AUTODETECT_BUILD_LOCAL_TRACKED ...]]: When autodetect_build_local is set to 'basic' we fetch these modules directly from the symbol server.
--autodetect {linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux} [{linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]: Autodetection method.
--autodetect_threshold AUTODETECT_THRESHOLD: Worst acceptable match for profile autodetection. (Default 1.0)
--autodetect_build_local {full,basic,none}: Attempts to fetch and build profile locally.
--autodetect_scan_length AUTODETECT_SCAN_LENGTH: How much of physical memory to scan before failing

Virtualization support:

--ept EPT [EPT ...]: The EPT physical address.

When no module is provided, drops into interactive mode

December 2016

rekall 1.6.0