rekall-gui


Thomas Connelly

Jul 2, 2017, 12:01:00 PM
to rekall-discuss
Hello Everyone,

I'm trying to install the Rekall GUI so I can test it out, and go through the training modules.  I've installed the Rekall agent, and Rekall, without any apparent issues. I've been able to run Rekall against saved memory images.  However, after I install the Rekall GUI, every time I try to run Rekall, I receive this error:

(MyEnv) connellyt@ubuntu:~$ rekal -h
Traceback (most recent call last):
  File "/tmp/MyEnv/bin/rekal", line 7, in <module>
    from rekall.rekal import main
  File "/tmp/MyEnv/local/lib/python2.7/site-packages/rekall/rekal.py", line 39, in <module>
    entry_point.load()
  File "/tmp/MyEnv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2228, in load
    self.require(*args, **kwargs)
  File "/tmp/MyEnv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2245, in require
    items = working_set.resolve(reqs, env, installer)
  File "/tmp/MyEnv/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 834, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.VersionConflict: (rekall-core 1.5.3.post1 (/tmp/MyEnv/lib/python2.7/site-packages), Requirement.parse('rekall-core<1.7,>=1.6.0rc1'))

Uninstalling rekall, rekall-agent, and rekall-gui, and then only reinstalling the agent and rekall (not the gui) fixes the problem, until I re-install the GUI.

I've attached the installation procedures I used, and results.  Perhaps I'm missing a step?

Thank you for the help.

Tom
rekallInstall.txt
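Added example (not part of the thread, and not Rekall's or setuptools' code): a minimal PEP 440-style version checker that shows why the installed rekall-core 1.5.3.post1 fails the rekall-gui requirement `rekall-core<1.7,>=1.6.0rc1` that pkg_resources raised in the traceback above (a post-release of 1.5.3 is still older than 1.6.0rc1, and a release candidate sorts before its final release). It assumes pip-style version strings with only release, pre-release and post-release segments.

```python
# Added example, not from the thread: a minimal PEP 440-style checker that
# reproduces the reasoning behind pkg_resources' VersionConflict above.
import re

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?(?:\.post(\d+))?$")
_SPEC_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(.+)$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(text):
    """Return a sortable key (release, pre, post).
    Pre-releases sort before the final release, post-releases after it."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version: %r" % text)
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:   # 1.7.0 == 1.7
        release.pop()
    pre = (0, _PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (1, 0, 0)
    post = int(m.group(4)) if m.group(4) else 0
    return (tuple(release), pre, post)

def satisfies(version, specifier_set):
    """True if `version` meets every comma-separated clause, e.g. '<1.7,>=1.6.0rc1'."""
    if not specifier_set.strip():
        return True
    v = parse_version(version)
    for clause in specifier_set.split(","):
        m = _SPEC_RE.match(clause.strip())
        if not m:
            raise ValueError("bad specifier clause: %r" % clause)
        op, spec = m.group(1), parse_version(m.group(2))
        # PEP 440: '<X' does not admit pre-releases of X unless X is itself one
        if op == "<" and v[0] == spec[0] and v[1][0] == 0 and spec[1][0] == 1:
            return False
        if not _OPS[op](v, spec):
            return False
    return True

def check_requirement(requirement, installed):
    """Check 'name<1.7,>=1.6.0rc1' against {name: version}; returns (ok, message)."""
    name, spec = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", requirement).groups()
    version = installed.get(name)          # `installed` is a constructed stand-in for the venv
    if version is None:
        return False, "%s is not installed" % name
    if satisfies(version, spec):
        return True, "%s %s satisfies %s" % (name, version, spec)
    return False, "VersionConflict: %s %s vs Requirement.parse(%r)" % (name, version, requirement)
```

Running `check_requirement("rekall-core<1.7,>=1.6.0rc1", {"rekall-core": "1.5.3.post1"})` reports the conflict, while the same call with `"1.6.0"` passes.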

Michael Cohen

Jul 2, 2017, 10:14:06 PM
to Thomas Connelly, rekall-discuss
Sorry, but the GUI is no longer supported. We just did not receive
enough interest to make it worthwhile. You should generally be able to
do the training module using the regular console though.

For the next release I will update the training material to refer to
the console instead. Which training modules were you looking at
specifically?

The next release of the Rekall Agent will have a full-fledged GUI (for
the Agent, which has some of the same features as the previous UI, but
it is not based on the notebook concept).

Thanks
Michael.

Thomas Connelly

Jul 2, 2017, 11:30:43 PM
to rekall-discuss, conne...@outlook.com
Thanks for the quick reply.

I was looking at the memory analysis course here:  http://memory-analysis.rekall-forensic.com/www/TOC/

but I was also looking at the documentation here: http://www.rekall-forensic.com/docs/GUI/

From what I've read, it looked like the GUI could have been used to run plugins on multiple hosts through the agent.  Is that correct?

Is it still possible to do that, but perhaps through the Google Rapid Response?

Thank you.

Tom

Michael Cohen

Jul 2, 2017, 11:52:20 PM
to Thomas Connelly, rekall-discuss
On 02/07/2017, Thomas Connelly <conne...@outlook.com> wrote:
> Thanks for the quick reply.
>
> I was looking at the memory analysis course here:
> http://memory-analysis.rekall-forensic.com/www/TOC/
>
> but I was also looking at the documentation
> here: http://www.rekall-forensic.com/docs/GUI/

Thanks! I will make sure to update those documents before the next release.

> From what I've read, it looked like the GUI could have been used to run
> plugins on multiple hosts though the agent. Is that correct?

No. The Rekall GUI was a proof of concept application similar to the
ipython interactive notebook. It allowed one to write a "report" around an
image analysis.

Although this was an interesting experiment it seems that there was
little interest since most people already have some kind of reporting
tool (even a google doc or MS word).

Running Rekall plugins on multiple hosts was GRR's primary intent but
GRR has some fundamental problems with scaling and Rekall integration.
In the next release of the Rekall Agent we have replaced GRR
completely with a much more functional system based on cloud
technologies (will be launched at DFRWS
http://dfrws.org/conferences/dfrws-usa-2017/sessions/track-2-rekall-everywhere-dfir-cloud-workshop).

Shameless plug: Also vote for us at OSDFC to hear more about it :-)
https://www.surveymonkey.com/r/voteosdfcon

Thanks
Michael.


Thomas Connelly

Jul 3, 2017, 12:38:08 PM
to rekall-discuss, conne...@outlook.com
Thank you. 

Would you say that this white paper on the agent is still fairly accurate then:  http://rekall-forensic.blogspot.ch/2016/10/the-rekall-agent-whitepaper.html

Vote for OSDFC is in!

Michael Cohen

Jul 5, 2017, 6:09:53 PM
to Thomas Connelly, rekall-discuss
No, the white paper is not accurate any more. The new agent is based on
Google App Engine and runs on a combination of bigtable, firebase and
Google Cloud Storage.

I am working on a new paper now which should be finished by DFRWS and
the next release :-).

Thanks
Michael.
