Rekall Framework is an open source collection of tools that you can use for forensic analysis. It is written in Python and gives full visibility into the state of system memory (RAM). Rekall runs on any platform that supports Python and can investigate memory images from the following systems:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 7 Service Pack 0 and 1
- Microsoft Windows 8 and 8.1
- Linux Kernels 2.6.24 to 3.10
- OSX 10.6-10.9.x
With Rekall you can extract:
- session information
- list of processes
- list of registers
- hashed passwords stored in memory
There is also an API that lets you run any search you need on the system memory. Rekall can be installed with the pip package manager by running (pip install rekall). More information is available on the official website: http://www.rekall-forensic.com/