Provided by: rekall-core_1.6.0+dfsg-2_all

NAME

       rekall - memory forensics framework

SYNOPSIS

       rekall [options]

DESCRIPTION

       Rekall Framework is a completely open collection of tools, implemented in Python under the
       Apache and GNU General Public License, for the extraction and analysis of digital artifacts
       from computer systems.

       Rekall supports investigations of the following 32-bit and 64-bit memory images:

         Microsoft Windows XP Service Pack 2 and 3
         Microsoft Windows 7 Service Pack 0 and 1
         Microsoft Windows 8 and 8.1
         Microsoft Windows 10
         Linux Kernels 2.6.24 to 4.4.
         OSX 10.7-10.12.x.

   optional arguments:
       -      A no-op argument. Useful to separate options that take multiple arguments from the
              positional arguments that follow them. Can be specified many times.

   Output control:
       -v, --verbose
              Set logging to debug level.

       -q, --quiet
              Turn off logging to stderr.

       --debug
              If set, we break into the debugger on error conditions.

       --output_style {concise,full}
              How much information to show. Default is 'concise'.

       --logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
              The default logging level.

       --log_domain [{PageTranslation} [{PageTranslation} ...]]
              Add debug logging to these components.

       --plugin [PLUGIN [PLUGIN ...]]
              Load user provided plugin bundle.

       -h, --help
              Show help about global parameters.

       --cache CACHE
              Type of cache to use.

       --repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]
              Path to search for profiles. This can take any form supported by the IO Manager
              (e.g. zip files, directories, URLs, etc.).

       -f FILENAME, --filename FILENAME
              The raw image to load.

       --buffer_size BUFFER_SIZE
              The maximum size of buffers we are allowed to read.  This is used to control Rekall
              memory usage.

       --output OUTPUT
              If specified, we write output to this file.

       --max_collector_cost MAX_COLLECTOR_COST
              If specified, collectors with higher cost will not be used.

       --home HOME
              An alternative home directory path. If not set, we use $HOME.

       --logging_format LOGGING_FORMAT
              The format string to pass to the logging module.

       --performance {normal,fast,thorough}
              Tune Rekall's choice of algorithms, depending on performance priority.

       --live LIVE
              Enable live memory analysis.

       -o FILE_OFFSET, --file_offset FILE_OFFSET
              A relative offset into the image file.

       --cache_dir CACHE_DIR
              Location of the profile cache directory.

       --highlighting_style {manni, igor, lovelace, xcode, vim, autumn, vs, rrt, native, perldoc,
                             borland, tango, emacs, friendly, monokai, paraiso-dark, colorful,
                             murphy, bw, pastie, algol_nu, paraiso-light, trac, default, algol,
                             fruity}
              Highlighting style for the interactive console.

       --pagefile [PAGEFILE [PAGEFILE ...]]
              A pagefile to load into the image.

       --version
              Prints the Rekall version and exits.

   Interface:
       --pager PAGER
              The pager to use when output is larger than a screen full.

       --paging_limit PAGING_LIMIT
              The number of output lines before we invoke the pager.

       --colors {auto,yes,no}
              Color control. If set to auto only output colors when connected to a terminal.

       -F FORMAT, --format FORMAT
              The output format to use. Default is 'text'.

       --timezone TIMEZONE
              Timezone to output all times (e.g. Australia/Sydney).

       --name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]

   Autodetection Overrides:
       --dtb DTB
              The DTB physical address.

       --autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED
                                        [AUTODETECT_BUILD_LOCAL_TRACKED ...]]
              When autodetect_build_local is set to 'basic' we fetch these modules directly from
              the symbol server.

       --autodetect {linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux}
                    [{linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]
              Autodetection method.

       --autodetect_threshold AUTODETECT_THRESHOLD
              Worst acceptable match for profile autodetection.  (Default 1.0)

       --autodetect_build_local {full,basic,none}
              Attempts to fetch and build profile locally.

       --autodetect_scan_length AUTODETECT_SCAN_LENGTH
              How much of physical memory to scan before failing.

   Virtualization support:
       --ept EPT [EPT ...]
              The EPT physical address.

       When no module is provided, Rekall drops into interactive mode.
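EXAMPLES

       The following shell wrapper is an added example, not part of this man page or of the Rekall
       project. It assembles a non-interactive run from the options documented above and shows why
       the lone "-" argument is needed after a multi-value option such as --pagefile. It assumes a
       plugin name is given as the positional argument ("pslist" below is an assumed plugin name,
       not taken from this page) and uses "cat" as a pass-through pager.

```shell
#!/bin/sh
# Added example, not part of the Rekall man page or the Rekall project.
# Builds a non-interactive Rekall command line from the documented options.
# Assumed: the plugin name as positional argument (e.g. "pslist") and "cat"
# as a pass-through pager.

# Print the argv for a batch run, one argument per line.
# Usage: rekall_batch_argv IMAGE TIMEZONE OUTFILE PLUGIN [PAGEFILE...]
rekall_batch_argv() {
    image=$1; tz=$2; outfile=$3; plugin=$4
    shift 4
    [ -r "$image" ] || { echo "image not readable: $image" >&2; return 1; }
    for pf in "$@"; do
        [ -r "$pf" ] || { echo "pagefile not readable: $pf" >&2; return 1; }
    done
    # -q silences stderr logging; --colors no and a pass-through pager keep
    # the run non-interactive so the --output file is plain text.
    printf '%s\n' rekall -q --colors no --pager cat \
        --timezone "$tz" --output "$outfile" -f "$image"
    if [ $# -gt 0 ]; then
        # --pagefile consumes every following argument, so the lone "-"
        # (the no-op option documented above) must close it before the plugin.
        printf '%s\n' --pagefile "$@" -
    fi
    printf '%s\n' "$plugin"
}

# Execute the assembled command if rekall is installed; otherwise show it.
rekall_batch_run() {
    argv=$(rekall_batch_argv "$@") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f                 # no globbing while splitting on newlines
    set -- $argv
    set +f
    IFS=$old_ifs
    if command -v rekall >/dev/null 2>&1; then
        "$@"
    else
        echo "rekall not installed; would run: $*" >&2
    fi
}
```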