Response

Rekall has developed a set of plugins aimed at incident responders. These plugins use the operating system API to quickly fetch system state. Many of them are available when Rekall is run in live mode, with either --live Memory or --live API.

artifact_collector

Collects artifacts.

Plugin Arguments

artifact_files

A list of additional yaml files to load which contain artifact definitions. (type: ArrayStringParser)

artifacts

A list of artifact names to collect. (type: ArrayStringParser)

copy_files

Copy files into the output. (type: Bool)

  • Default: False

create_timeline

Also generate a timeline file. (type: Bool)

  • Default: False

definitions

An inline artifact definition in yaml format. (type: ArrayStringParser)

output_path

Path suitable for dumping files. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

writer

Writer for artifact results. (type: Choices)

  • Valid Choices:
    • Zip
    • Directory

artifact_list

List details about all known artifacts.

Plugin Arguments

all

Show all artifacts. (type: Bool)

labels

Filter by these labels. (type: ArrayStringParser)

regex

Filter the artifact name. (type: RegEx)

  • Default: .

supported_os

If specified, show artifacts for these OSs; otherwise autodetect the OS from the current image. (type: ArrayStringParser)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

artifact_view

Plugin Arguments

artifacts

A list of artifacts to display. (type: ArrayStringParser)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

cc

A cc plugin for setting process context to live mode.

Plugin Arguments

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

file_yara

Yara scanner which operates on files.

Plugin Arguments

binary_string

A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 (type: String)

context

Context to print after the hit. (type: IntParser)

  • Default: 64

hits

Quit after finding this many hits. (type: IntParser)

  • Default: 10

paths

Paths to scan. (type: Array)

pre_context

Context to print before the hit. (type: IntParser)

  • Default: 0

string

A verbatim string to search for. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

yara_expression

If provided we scan for this yara expression. (type: String)

yara_file

The yara signature file to read. (type: String)

find

List files recursively from a root path.

Plugin Arguments

root

The root directory to start search from. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

fstat

Print information by filename.

Plugin Arguments

path

Path to print stats for. (type: String)

  • Default: /

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

glob

Search for files by filename glob.

This code is roughly based on the Glob flow in GRR.

Plugin Arguments

case_insensitive

Globs will be case insensitive. (type: Bool)

  • Default: True

filesystem

The virtual filesystem implementation to glob in. (type: Choices)

  • Valid Choices:
    • API
  • Default: API

globs

List of globs to return. (type: ArrayString)

path_sep

Path separator character (/ or \). (type: String)

root

Root directory to glob from. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

hash

Plugin Arguments

hash

One or more hashes to calculate. (type: ChoiceArray)

  • Valid Choices:
    • md5
    • sha1
    • sha256
  • Default: sha1

paths

Paths to hash. (type: Array)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

hexdump_file

Hexdump files from disk.

Plugin Arguments

case_insensitive

Globs will be case insensitive. (type: Bool)

  • Default: True

filesystem

The virtual filesystem implementation to glob in. (type: Choices)

  • Valid Choices:
    • API
  • Default: API

globs

List of globs to return. (type: ArrayString)

length

Maximum length to dump. (type: IntParser)

  • Default: 100

path_sep

Path separator character (/ or \). (type: String)

root

Root directory to glob from. (type: String)

rows

Number of bytes per row. (type: IntParser)

  • Default: 4

start

An offset to hexdump. (type: IntParser)

  • Default: 0

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

width

Number of bytes per row. (type: IntParser)

  • Default: 24

istat

Print information related to an MFT entry.

Plugin Arguments

mfts

MFT entries to list. (type: ArrayIntParser)

  • Default: 5

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

maps

Examine the process memory maps.

Plugin Arguments

offset

Only print the VAD corresponding to this offset. (type: SymbolAddress)

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

regex

A regular expression to filter VAD filenames. (type: RegEx)

verbosity

With high verbosity print more information on each region. (type: IntParser)

  • Default: 1

pslist

A live pslist plugin using the APIs.

Plugin Arguments

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

stat

Plugin Arguments

paths

Paths to hash. (type: Array)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

yarascan

Yara scan process memory using the ReadProcessMemory() API.

Plugin Arguments

binary_string

A binary string (encoded as hex) to search for. e.g. 000102[1-200]0506 (type: String)

context

Context to print after the hit. (type: IntParser)

  • Default: 64

hits

Quit after finding this many hits. (type: IntParser)

  • Default: 10

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

pre_context

Context to print before the hit. (type: IntParser)

  • Default: 0

proc_regex

A regex to select a process by name. (type: RegEx)

string

A verbatim string to search for. (type: String)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

yara_expression

If provided we scan for this yara expression. (type: String)

yara_file

The yara signature file to read. (type: String)