{"id":13540333,"url":"https://github.com/google/rekall","last_synced_at":"2025-12-30T06:43:33.729Z","repository":{"id":17099304,"uuid":"19864741","full_name":"google/rekall","owner":"google","description":"Rekall Memory Forensic Framework","archived":true,"fork":false,"pushed_at":"2020-10-18T04:33:58.000Z","size":145284,"stargazers_count":1972,"open_issues_count":201,"forks_count":401,"subscribers_count":165,"default_branch":"master","last_synced_at":"2025-09-25T07:31:51.590Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://www.rekall-forensic.com","language":"Python","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-05-16T17:22:51.000Z","updated_at":"2025-09-23T21:40:39.000Z","dependencies_parsed_at":"2022-08-07T08:15:50.756Z","dependency_job_id":null,"html_url":"https://github.com/google/rekall","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/google/rekall","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Frekall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Frekall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Frekall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Frekall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/rekall/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Frekall/sbom","scorecard":{"id":437795,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/rekall","commit":"55d1925f2df9759a989b35271b4fa48fc54a1c86"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.1,"checks":[{"name":"Code-Review","score":8,"reason":"Found 24/27 approved changesets -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":1,"reason":"binaries present in source code","details":["Warn: binary detected: rekall-core/resources/WinPmem/winpmem_x64.sys:1","Warn: binary detected: rekall-core/resources/WinPmem/winpmem_x86.sys:1","Warn: binary detected: rekall-core/resources/nssm.exe:1","Warn: binary detected: tools/linux/lmap/test/test_data/host:1","Warn: binary detected: tools/linux/lmap/test/test_data/parasite:1","Warn: binary detected: tools/pmem/resources/MacPmem.kext/Contents/MacOS/MacPmem:1","Warn: binary detected: tools/pmem/resources/winpmem/winpmem_x64.sys:1","Warn: binary detected: tools/pmem/resources/winpmem/winpmem_x86.sys:1","Warn: binary detected: tools/windows/winpmem/executable/binaries/fcat.exe:1"],"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.txt:0","Info: FSF or OSI recognized license: GNU General Public License v2.0: LICENSE.txt:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: npmCommand not pinned by hash: rekall-gui/manuskript/static/bower_components/bootstrap/test-infra/uncached-npm-install.sh:3","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact 1.7.2rc1 not signed: https://api.github.com/repos/google/rekall/releases/8790420","Warn: release artifact v1.7.0rc1 not signed: https://api.github.com/repos/google/rekall/releases/7313777","Warn: release artifact v1.6.0 not signed: https://api.github.com/repos/google/rekall/releases/4567385","Warn: release artifact 1.5.3 not signed: https://api.github.com/repos/google/rekall/releases/3850921","Warn: release artifact 1.7.2rc1 does not have provenance: https://api.github.com/repos/google/rekall/releases/8790420","Warn: release artifact v1.7.0rc1 does not have provenance: https://api.github.com/repos/google/rekall/releases/7313777","Warn: release artifact v1.6.0 does not have provenance: https://api.github.com/repos/google/rekall/releases/4567385","Warn: release artifact 1.5.3 does not have provenance: https://api.github.com/repos/google/rekall/releases/3850921"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 29 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T05:04:35.766Z","repository_id":17099304,"created_at":"2025-08-19T05:04:35.767Z","updated_at":"2025-08-19T05:04:35.767Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277009880,"owners_count":25744543,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-26T02:00:09.010Z","response_time":78,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:46.998Z","updated_at":"2025-09-28T21:30:42.489Z","avatar_url":"https://github.com/google.png","language":"Python","readme":"# Rekall discontinuation\n\nThis project is no longer maintained.\n\nIn December 2011, a new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. This branch was later forked to become Rekall. The modularity allowed physical memory analysis functionality to be used in [GRR](https://github.com/google/grr) to enable remote live in-memory analysis.\n\n## Lessons learned:\n\n* Rekall has introduced many improvements to memory analysis methodology over the years. For more information see: http://blog.rekall-forensic.com/ \n* Rekall framework allowed for limited modularization due to the nature of interdependent in-memory structure and early architectural decisions.\n* Increasing RAM sizes and security measures like memory encryption are making traditional physical memory analysis more cumbersome.\n* Physical memory analysis is fragile and maintenance heavy. Most physical memory analysis tools are basically kernel debuggers, without access to the source and debug symbols. Most memory analysis therefore can be a costly process of debugging / reverse engineering and keeping debug symbols / structure definitions up to date.\n\nActive development on Rekall has been halted for a while. GRR has switched from using Rekall to [YARA](https://grr-doc.readthedocs.io/en/v3.2.0/release-notes.html) supporting a limited set of memory analysis capabilities that requires significantly less maintenance.\n\nCore developers / maintainers for Rekall have other priorities and no one has stepped up to help out with maintenance. Therefore the Rekall project is discontinued. The project will be archived, and you are free to fork it and continue to make [changes](https://en.wikipedia.org/wiki/Free_and_open-source_software).\n\nWinpmem will be continued as a separate project currently maintained at https://github.com/Velocidex/WinPmem. \n\n# The Rekall Forensic and Incident Response Framework\n\nThe Rekall Framework is a completely open collection of tools,\nimplemented in Python under the Apache and GNU General Public License,\nfor the extraction and analysis of digital artifacts computer systems.\n\nThe Rekall distribution is available from:\n\u003chttp://www.rekall-forensic.com/\u003e\n\nRekall should run on any platform that supports\n[Python](http://www.python.org)\n\nRekall supports investigations of the following 32bit and 64bit memory\nimages:\n\n- Microsoft Windows XP Service Pack 2 and 3\n- Microsoft Windows 7 Service Pack 0 and 1\n- Microsoft Windows 8 and 8.1\n- Microsoft Windows 10\n- Linux Kernels 2.6.24 to most recent.\n- OSX 10.7-10.12.x.\n\nRekall also provides a complete memory sample acquisition capability for all\nmajor operating systems (see the tools directory).\n\n## Quick start\n\nRekall is available as a python package installable via the pip\npackage manager. To install it, first create a virtal env, switch to\nit and then install rekall:\n\n```\n$ virtualenv  /tmp/MyEnv\nNew python executable in /tmp/MyEnv/bin/python\nInstalling setuptools, pip...done.\n$ source /tmp/MyEnv/bin/activate\n$ pip install --upgrade setuptools pip wheel\n$ pip install rekall-agent rekall\n```\n\nFor windows, Rekall is also available as a self contained installer\npackage. Please check the download page for the most appropriate installer to\nuse [Rekall-Forensic.com](http://www.rekall-forensic.com/)\n\nTo install from this git repository you will need to use pip\n--editable and follow the correct order of installation (otherwise pip\nwill pull released dependencies which might be older):\n\n```\n$ virtualenv  /tmp/MyEnv\nNew python executable in /tmp/MyEnv/bin/python\nInstalling setuptools, pip...done.\n$ source /tmp/MyEnv/bin/activate\n$ pip install --upgrade setuptools pip wheel\n$ git clone https://github.com/google/rekall.git rekall\n$ pip install --editable rekall/rekall-lib\n$ pip install --editable rekall/rekall-core\n$ pip install --editable rekall/rekall-agent\n$ pip install --editable rekall\n```\n\nOn Windows you will need to install the Microsoft Visual C compilers\nfor python (for more info see this blog post\nhttp://rekall-forensic.blogspot.ch/2015/09/installing-rekall-on-windows.html)\n\n## Mailing Lists\n\nMailing lists to support the users and developers of Rekall\ncan be found at the following address:\n\n    rekall-discuss@googlegroups.com\n\n## Licensing and Copyright\n\nCopyright (C) 2007-2011 Volatile Systems\nCopyright 2012-2016 Google Inc. All Rights Reserved.\n\nAll Rights Reserved\n\nThis program is free software; you can redistribute it and/or\nmodify it under the terms of the GNU General Public License\nas published by the Free Software Foundation; either version 2\nof the License, or (at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program; if not, write to the Free Software\nFoundation, Inc., 59 Temple Place - Suite 330, Boston, MA\n02111-1307, USA.\n\n\n## Bugs and Support\n\nThere is no support provided with Rekall. There is NO\nwarranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR\nPURPOSE.\n\nIf you think you've found a bug, please report it at:\n\n    https://github.com/google/rekall/issues\n\nIn order to help us solve your issues as quickly as possible,\nplease include the following information when filing a bug:\n\n* The version of rekall you're using\n* The operating system used to run rekall\n* The version of python used to run rekall\n* The suspected operating system of the memory image\n* The complete command line you used to run rekall\n\n## History\n\nIn December 2011, a new branch within the Volatility project was created to\nexplore how to make the code base more modular, improve performance, and\nincrease usability. The modularity allowed Volatility to be used in GRR, making\nmemory analysis a core part of a strategy to enable remote live forensics.  As a\nresult, both GRR and Volatility would be able to use each other's strengths.\n\nOver time this branch has become known as the \"scudette\" branch or the\n\"Technology Preview\" branch.  It was always a goal to try to get these changes\ninto the main Volatility code base.  But, after two years of ongoing\ndevelopment, the \"Technology Preview\" was never accepted into the Volatility\ntrunk version.\n\nSince it seemed unlikely these changes would be incorporated in the future, it\nmade sense to develop the Technology Preview branch as a separate project. On\nDecember 13, 2013, the former branch was forked to create a new stand-alone\nproject named \"Rekall.” This new project incorporates changes made to streamline\nthe codebase so that Rekall can be used as a library. Methods for memory\nacquisition and other outside contributions have also been included that were\nnot in the Volatility codebase.\n\nRekall strives to advance the state of the art in memory analysis, implementing\nthe best algorithms currently available and a complete memory acquisition and\nanalysis solution for at least Windows, OSX and Linux.\n\n\n## More documentation\n\nFurther documentation is available at\nhttp://www.rekall-forensic.com/\n","funding_links":[],"categories":["Tools","Endpoint","\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","Python (144)","Challenges","Python","4. [↑](#-content) Forensic \u0026 Malware Analysis","\u003ca id=\"0b1db12ec509cd6fb489c93a4cc837d5\"\u003e\u003c/a\u003eRekall","Tool","Memory Forensics"],"sub_categories":["Memory Forensics","Forensics","\u003ca id=\"1fc5d3621bb13d878f337c8031396484\"\u003e\u003c/a\u003e取证\u0026\u0026Forensics\u0026\u0026数字取证\u0026\u0026内存取证","Analysis / Gathering tool (Know your ennemies)","4.1 [↑](#-content) Forensic","Memory Analysis"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Frekall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Frekall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Frekall/lists"}