Rekall

Another platform that is similar to Volatility is Rekall. Rekall was developed by Google and purports to be the most complete memory analysis framework. The software is available for Linux, macOS, and Windows platforms. Instructions on how to download and set up Rekall can be found at https://github.com/google/rekall/releases. The one major advantage that Rekall has over Volatility is that Google has also released the memory acquisition tool Pmem. This tool is designed to work with the Rekall framework, giving the analyst a single toolset for both acquisition and analysis.

Rekall has some deep similarities with Volatility. For example, there are a number of plugins that are similarly named and that perform very similar functions (the site http://www.rekall-forensic.com/docs/Manual/Plugins/ has a complete list of these plugins). To configure an analysis utilizing Rekall, first install it on the appropriate operating system; in this case, Rekall will be run on a Windows 10 system. Navigate to the folder where the Rekall executable is located. From there, load the image that is to be analyzed utilizing the following command:

C:\Program Files\Rekall>rekal.exe -f Images\stuxnet.vmem

Unlike Volatility, this command loads the image file into an interactive session, so the analyst does not have to point Rekall to the image's location for every plugin. Once the command is run, the following output appears:

The output includes a new prompt from which the plugins and other analysis tasks are run. To run a plugin, the analyst needs only to type the plugin into the prompt and hit Enter.
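The interactive prompt is convenient for exploration, but for a repeatable examination an analyst usually wants each plugin's output captured to its own file, together with evidence that the image was not modified while it was being read. The script below is an added example, not code from the book or from the Rekall project. It assumes a POSIX shell with `sha256sum`, and it assumes the one-shot form of the `rekal` command line (`rekal -f <image> <plugin>`), which runs a single plugin and exits instead of opening the prompt shown above; the `REKAL` variable and the `run_plugins` function are this example's own names.

```shell
#!/bin/sh
# Added example (not from the book or the Rekall project): batch-run Rekall
# plugins against a memory image without the interactive prompt, keeping one
# output file per plugin and hashing the image before and after so the analyst
# can show that analysis did not alter the evidence.
# Assumptions: POSIX sh, sha256sum, and that "rekal -f <image> <plugin>" runs
# one plugin and exits. REKAL can be overridden to point at another binary.

REKAL="${REKAL:-rekal}"

# sha256 of a file, hash only (filename stripped)
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_plugins IMAGE OUTDIR PLUGIN...
# Writes OUTDIR/<plugin>.txt (stdout) and OUTDIR/<plugin>.err (stderr) for each
# plugin, plus OUTDIR/image.sha256 holding the before/after hashes of the image.
# Returns non-zero if any plugin failed or the image hash changed.
run_plugins() {
    image="$1"; outdir="$2"; shift 2
    [ -r "$image" ] || { echo "image not readable: $image" >&2; return 2; }
    mkdir -p "$outdir" || return 2

    before=$(hash_file "$image")
    status=0
    for plugin in "$@"; do
        # one-shot invocation of a single plugin against the loaded image
        "$REKAL" -f "$image" "$plugin" \
            >"$outdir/$plugin.txt" 2>"$outdir/$plugin.err" || {
            echo "plugin $plugin failed (exit $?)" >&2
            status=1
        }
    done
    after=$(hash_file "$image")

    printf 'before %s\nafter  %s\n' "$before" "$after" >"$outdir/image.sha256"
    if [ "$before" != "$after" ]; then
        echo "WARNING: image hash changed during analysis" >&2
        status=1
    fi
    return $status
}

# usage: run_plugins Images/stuxnet.vmem case01 pslist psscan netscan
```

Each plugin's stdout and stderr are kept side by side so that a plugin that partially fails still leaves a record, and the hash pair in `image.sha256` is what goes into the examination notes.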
