rekall

Rekall Memory Forensic Framework.

Over the years, Rekall has introduced many improvements to memory analysis methodology.

The Rekall framework allowed only limited modularization, because the in-memory structures it parses are interdependent and because of early architectural decisions.

Increasing RAM sizes and security measures like memory encryption are making traditional physical memory analysis more cumbersome.

Physical memory analysis is fragile and maintenance-heavy. Most physical memory analysis tools are essentially kernel debuggers, but without access to the source code and debug symbols. Memory analysis can therefore become a costly process of debugging and reverse engineering, and of keeping debug symbols and structure definitions up to date.