rekall-agent-server icon indicating copy to clipboard operation
rekall-agent-server copied to clipboard

Published 20 hours ago verified publisher icon scudette

Rekall plugin other than APIPslist

Open Rukhsar-Khan opened this issue 7 years ago • 1 comments

When trying to run a plugin other than APIPslist in the UI under Clients I always receive a message under Collections: kernel_address_space not specified.

Rukhsar-Khan avatar Dec 22 '17 01:12 Rukhsar-Khan

Rekall has 2 live modes: API mode and Memory mode. The plugins with API in the name only apply to API mode, while other plugins apply to Memory mode (e.g. WinPsList is a windows memory process listing).

You need to change the live mode in the session drop down to Memory for the other plugins to work. Note that using live memory is not all that reliable because the client will need to find the profile for the live system. Currently Windows is the most reliable and OSX does not work due to lack of profiles.

This is probably poor UI - we should know which mode is applicable for each plugin and switch to the correct one but this is not done automatically at present.

scudette avatar Dec 22 '17 07:12 scudette