How To Install rekall-core on Debian 10

Learn how to install rekall-core on Debian 10 with this tutorial. rekall-core is memory analysis and incident response framework

Introduction

In this tutorial we learn how to install rekall-core on Debian 10.

What is `rekall-core`

rekall-core is:

The Rekall Framework is a completely open collection of tools for the extraction and analysis of digital artifacts computer systems.

Rekall supports investigations of the following 32bit and 64bit memory images:

Microsoft Windows XP Service Pack 2 and 3
Microsoft Windows 7 Service Pack 0 and 1
Microsoft Windows 8 and 8.1
Microsoft Windows 10
Linux Kernels 2.6.24 to 4.4.
OSX 10.7-10.12.x.

Rekall also provides a complete memory sample acquisition capability for all major operating systems.

There are three methods to install rekall-core on Debian 10. We can use apt-get, apt and aptitude. In the following sections we will describe each method. You can choose one of them.

Install rekall-core Using apt-get

Update apt database with apt-get using the following command.

sudo apt-get update

After updating apt database, We can install rekall-core using apt-get by running the following command:

sudo apt-get -y install rekall-core

Install rekall-core Using apt

Update apt database with apt using the following command.

sudo apt update

After updating apt database, We can install rekall-core using apt by running the following command:

sudo apt -y install rekall-core

Install rekall-core Using aptitude

If you want to follow this method, you might need to install aptitude first since aptitude is usually not installed by default on Debian. Update apt database with aptitude using the following command.

sudo aptitude update

After updating apt database, We can install rekall-core using aptitude by running the following command:

sudo aptitude -y install rekall-core

How To Uninstall rekall-core on Debian 10

To uninstall only the rekall-core package we can use the following command:

sudo apt-get remove rekall-core

Uninstall rekall-core And Its Dependencies

To uninstall rekall-core and its dependencies that are no longer needed by Debian 10, we can use the command below:

sudo apt-get -y autoremove rekall-core

Remove rekall-core Configurations and Data

To remove rekall-core configuration and data from Debian 10 we can use the following command:

sudo apt-get -y purge rekall-core

Remove rekall-core configuration, data, and all of its dependencies

We can use the following command to remove rekall-core configurations, data and all of its dependencies, we can use the following command:

sudo apt-get -y autoremove --purge rekall-core

Dependencies

rekall-core have the following dependencies:

python

References

Summary

In this tutorial we learn how to install rekall-core package on Debian 10 using different package management tools: apt, apt-get and aptitude.