Monthly Archives: September 2016

using the rekall memory forensics tool

download the latest recall sourcecode tarball and decompress.
change to directory that was just decompressed
sudo python install

cd rekall-gui
edit file
search for line which is :exec open(“rekall_gui/”).read() in VERSION_ENV
replace with : exec open(“”).read() in VERSION_ENV

save file
sudo python install

now rekall and rekall gui are installed.

Now onto creating the profile:
cd ../  (back to main rekall src dir that was decompressed)
cd tools/linux
make profile

this creates the zip file which is converted to a json file (the final version of the profile)
in your tools/linux directory there will now be a zip file

convert that zipfile to a json file like follows: rekall convert_profile myFinalProfile.json
next copy this json file somewhere in your home directory so it can be used later.

now lets use LiME to create the image of your RAM.

Download LiME at:
I personally just download the zip of the github dir and decompress it. anyhow lets move on to building the kernel module for memory dumping.

cd to LiME dir
cd src/

this will create a LiME kernel module in this directory (granted you need to make sure you install any prerequisites for LiME)

Lets perform the memory dump assuming the module was named LiME.ko, but again it is the only .ko in the dir:
insmod LiME.ko “path=/home/fuion/RAM.lime format=lime”

I know that rekall has its own memory utility but I found it to be a pain in the ass so I used LiME and it works great.

I would say now to create a directory and place both the json file and the RAM.lime files in it for safe keeping.

I used the rekall gui becuase the konsole based version gave me issues with the inventory and there was little documentation on it,
and the gui does not have this problem. also you can be running many plugins at the same time and it has a nice output
format which is easy to read. say what you will 😉

we now start the rekall gui and get right to digging inside the image file.

first step is to create a dir for use with worksheets that the rekall program uses: mkdir worksheets

now start rekall: rekall webconsole –browser –port 8001 –worksheet /home/fuion/worksheets

rekall will open your web browser and the rekall gui will be in it.
make sure if you are using noscript you allow the local host based pages to use scripts as they are required.

to start out click the “Session” button on the upper to left hand side of the page.
for now we will use just the default session, which will show on your right hand side of the page.
leave ept alone
for “filename” click the text box and browse to your LiME image
leave pagefile alone
for “profile” click the text box and browse to your json file
now you are set to start running plugins on the image
to exit this screen click the grey background which surrounds the manage templates screen, it will go back to the main
screen and you will now click the “Cell” button
a popup will be shown with options, select “Rekall Plugin”

*note that after using rekall for the first time the directory you created for the worksheets is populated with data files,
and if you start the rekall gui again without rm’ing the files in that directory you will have gui problems*

now on your screen you will see a green checkmark with the word plugin next to it.
below this the plugins are listed, so scroll down to the one you want to test and click on it once.
now you will she it shows more options (which most are optional) and at this point you want to
click the little green check box at the very top of the screen
it will load the plugin and create an output box on close to the middle of the screen
this box has the output for the plugin.
sometimes it can take a while to populate the output in this box

to make reading the output of the plugin a bit easier click the two little arrows (the ones going diagonally not just up and down) button
which is located at the very top of the plugins output box close to “default session”
this will resize the output box.

and that is about it!

for more plugins to be loaded repeat the procedure above and they will be added to the screen.
have fun using rekall!