This repository has been archived by the owner on Oct 18, 2020. It is now read-only.

Release 1.5.0 Furka

@scudette scudette released this 08 Apr 05:44

This is the next release of the Rekall Memory Forensic framework, codenamed after the Furka Pass.

I am excited to announce that the new Rekall release is out. This release introduces a lot of revolutionary features. The new features are as follows:

  • Rekall's disassembler support has switched to Capstone. Rekall also has a more accurate and expanded disassembler template system for automatically detecting and reversing data.
  • The live plugin is now improved on all OSs.
  • The aff4acquire plugin now uses the new AFF4 library streaming interface. This reduces memory use and makes acquisition very fast. The plugin now also collects many useful files at acquisition time.
  • Rekall now implements a Linux profile index using /proc/kallsyms. This means that on live systems (or when an AFF4 image was acquired), Rekall can immediately find the correct Linux profile and use it without requiring profiles to be built in advance!
  • The pmem acquisition tools (written in C++) now use the streaming AFF4 interface to control memory usage. They can also write into structured RAW and ELF formats to support legacy memory analysis tools.
  • We are also releasing the new experimental layout_expert tool (best paper at DFRWS). Install it with: pip install rekall-layout-expert
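The kallsyms-based profile index mentioned above relies on one observation: a kernel build is identified by the offsets of its exported symbols relative to each other, which survive the KASLR slide of a live system. The following Python script is an added illustration of that general technique and is not Rekall's own code; the /proc/kallsyms excerpt, the anchor symbols, and the candidate profiles are all constructed. It also handles the case a practitioner runs into first: when kptr_restrict hides addresses from an unprivileged reader, every address reads as zero, and the script refuses to match rather than silently picking a wrong profile.

```python
"""Find the matching Linux profile from /proc/kallsyms.

Added illustration, not Rekall's own code. It shows the general technique
behind a kallsyms-based profile index: read the kernel's exported symbol
addresses, convert them to offsets from ``_text`` so the result does not
depend on the KASLR slide, and pick the candidate profile whose offsets
agree. The kallsyms excerpt, anchor symbols and profiles are constructed.
"""
from typing import Dict, Optional

# Constructed /proc/kallsyms excerpt: "<address> <type> <name>[\t[module]]".
SAMPLE_KALLSYMS = """\
ffffffffa2800000 T _text
ffffffffa2800000 T startup_64
ffffffffa2a3b2c0 D init_task
ffffffffa2c10f40 R linux_banner
ffffffffa3120aa0 B modules
ffffffffc0a10000 t my_mod_init\t[my_mod]
"""

# Constructed: what an unprivileged reader sees when kptr_restrict hides addresses.
SAMPLE_KALLSYMS_RESTRICTED = """\
0000000000000000 T _text
0000000000000000 D init_task
"""

# Symbols whose offsets from _text identify a kernel build (constructed choice).
ANCHORS = ("init_task", "linux_banner", "modules")

# Constructed profile index: profile name -> {symbol: offset from _text}.
CANDIDATE_PROFILES: Dict[str, Dict[str, int]] = {
    "4.19.0-constructed": {"init_task": 0x23B2C0, "linux_banner": 0x410F40, "modules": 0x920AA0},
    "5.4.0-constructed": {"init_task": 0x23B2C0, "linux_banner": 0x412F40, "modules": 0x930AA0},
}


def parse_kallsyms(text: str) -> Dict[str, int]:
    """Return {symbol: address} for core-kernel symbols (module symbols skipped)."""
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # module entries carry a 4th "[name]" field
            continue
        addr, _sym_type, name = parts
        symbols[name] = int(addr, 16)
    return symbols


def build_index(symbols: Dict[str, int], anchors=ANCHORS) -> Dict[str, int]:
    """Convert anchor addresses to offsets from _text (KASLR-independent)."""
    base = symbols.get("_text")
    if not base:
        # Missing or zero _text: addresses are hidden (kptr_restrict) or the
        # input is not a kernel symbol table; refuse rather than mismatch.
        raise ValueError("kallsyms does not expose a usable _text address")
    return {name: symbols[name] - base for name in anchors if name in symbols}


def match_profile(index: Dict[str, int],
                  profiles: Dict[str, Dict[str, int]] = CANDIDATE_PROFILES) -> Optional[str]:
    """Return the single profile whose anchor offsets all agree, else None."""
    hits = [name for name, offsets in profiles.items()
            if all(index.get(sym) == off for sym, off in offsets.items())]
    return hits[0] if len(hits) == 1 else None


def detect_profile(kallsyms_text: str) -> Optional[str]:
    """Full pipeline: kallsyms text -> profile name (or None if no match)."""
    return match_profile(build_index(parse_kallsyms(kallsyms_text)))


if __name__ == "__main__":
    print("live kernel matches:", detect_profile(SAMPLE_KALLSYMS))
```

On a real host you would feed the script the contents of /proc/kallsyms read as root (or with kptr_restrict lowered) and a profile index whose offsets were generated from the distribution's kernel builds; matching on offsets rather than absolute addresses is what lets the same index serve both live systems and images acquired at a different KASLR slide.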

As usual, the best way to install from source is via pip:

pip install rekall