Hints to fix rekall

rekall setup.adoc

Instructions

Windows (easier)

• Run installer from here: https://github.com/google/rekall/releases/download/1.7.2rc1/Rekall_1.7.2.p1_Hurricane.Ridge_x64.exe

• Open a cmd.exe

Linux

apt install python3-dev
git clone https://github.com/google/rekall.git
cd rekall/
virtualenv -p python3 ./venv
source venv/bin/activate
pip install --upgrade setuptools pip wheel
# you can ignore errors from the pip install commands below
pip install --editable rekall-lib
pip install --editable rekall-core
pip install --editable rekall-agent
pip install --editable .
pip install pyaff4==0.26 future==0.16.0
rekall

Usage

Reference: http://www.rekall-forensic.com/documentation-1/rekall-documentation/plugins

Windows

cd c:\"program files"\rekall\
rekal.exe --autodetect linux -f desktop.vboxmem

Linux

rekall --autodetect linux -f desktop.vboxmem <commande>

References

• https://github.com/google/rekall

• pyaff4 issue

Hi, I followed these exact steps on Parrot OS but it is not working for me, could you please be so kind and let me know on what OS and version you have run these steps?

Linux test 5.2.0-2parrot1-amd64 #1 SMP Debian 5.2.9-2parrot1 (2019-08-25) x86_64 GNU/Linux

`rekall
Traceback (most recent call last):
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 583, in _build_master
ws.require(requires)
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 900, in require
needed = self.resolve(parse_requirements(requirements))
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 791, in resolve
raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (prompt-toolkit 1.0.18 (/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages), Requirement.parse('prompt-toolkit>=2.0.9'), {'aiocmd'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/hackmebaby/Downloads/rekall/rekall/venv/bin/rekall", line 6, in
from pkg_resources import load_entry_point
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 3191, in
@_call_aside
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 3175, in _call_aside
f(*args, **kwargs)
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 3204, in _initialize_master_working_set
working_set = WorkingSet._build_master()
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 585, in _build_master
return cls._build_from_requirements(requires)
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 598, in _build_from_requirements
dists = ws.resolve(reqs, Environment())
File "/home/hackmebaby/Downloads/rekall/rekall/venv/lib/python3.7/site-packages/pkg_resources/init.py", line 786, in resolve
raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'prompt-toolkit>=2.0.9' distribution was not found and is required by aiocmd
(venv) ┌─[✗]─[test123@test]─[~/Downloads/rekall/rekall]
└──╼ $
`

It was on Arch linux using rekall from git. Latest as of today (master didn't change since I last updated).

You just saved my ass monumentally. You are awesome!!!