Hints to fix rekall

rekall setup.adoc

Instructions

Windows (easier)

• Run installer from here: https://github.com/google/rekall/releases/download/1.7.2rc1/Rekall_1.7.2.p1_Hurricane.Ridge_x64.exe

• Open a cmd.exe

Linux

apt install python3-dev
git clone https://github.com/google/rekall.git
cd rekall/
virtualenv -p python3 ./venv
source venv/bin/activate
pip install --upgrade setuptools pip wheel
# you can ignore errors from the pip install commands below
pip install --editable rekall-lib
pip install --editable rekall-core
pip install --editable rekall-agent
pip install --editable .
pip install pyaff4==0.26 future==0.16.0
rekall

Usage

Reference: http://www.rekall-forensic.com/documentation-1/rekall-documentation/plugins

Windows

cd c:\"program files"\rekall\
rekal.exe --autodetect linux -f desktop.vboxmem

Linux

rekall --autodetect linux -f desktop.vboxmem <commande>

References

• https://github.com/google/rekall

• pyaff4 issue

It was on Arch linux using rekall from git. Latest as of today (master didn't change since I last updated).

You just saved my ass monumentally. You are awesome!!!