Analyzing a suspect system “live”, before disconnecting it and imaging the disks, often yields valuable forensic evidence. Further, it can help you determine whether a crime has been committed at all, or whether the system contains evidence at all, thereby avoiding time-consuming examination of irrelevant machines. Rekall is an advanced, open-source memory capture and analysis framework that has expanded to include a variety of live incident response tools. This lab introduces students to the Rekall framework, both for extracting evidence from memory images and for analyzing the current live state of the system. Students will learn about several Rekall tools, both on the command line and via the interactive console, for analyzing memory images. Students will then analyze several images of Windows systems with in-memory malware.




In order to get the most out of this lab, you should be familiar with cyber forensics best practices (chain of evidence, etc.) and be comfortable with a Linux/Unix command line. An understanding of operating systems concepts, such as processes and network connections, is also required.

While this lab makes use of Rekall’s “live” mode, which generates a virtual RAM image on the fly, this lab does not directly discuss the process of acquiring a RAM image. There are several free tools available on-line for this purpose.

Expected Duration

2 hours, self-paced. Pause and continue at any time.
2 CPEs awarded on successful completion.

Cyber Workforce Platform

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec sed finibus nisi, sed dictum eros.
Copyright © 2024 Divi. All Rights Reserved.