
Rekall
Tags: Incident Management, Digital Forensics
A tool for extracting files from packet capture files with ease of use and extensibility for Python developers.
This project is no longer maintained
In December 2011, a new branch was established within the Volatility project. The aim of this branch was to investigate ways to make the code base more modular, enhance performance, and improve usability.
This branch was subsequently forked, resulting in the creation of Rekall.
Modularity and Physical Memory Analysis
This modularity enabled the physical memory analysis functionality to be used in GRR, facilitating remote live in-memory analysis. Over the years, Rekall has implemented numerous enhancements to memory analysis methodologies.
For more information, please visit http://blog.rekall-forensic.com/

The Rekall framework supports only limited modularization, due to the interdependent nature of its in-memory structures and early architectural choices. As RAM sizes continue to increase and security measures such as memory encryption become more prevalent, traditional physical memory analysis is becoming more challenging. Analyzing physical memory is often fragile and requires significant maintenance. Most tools used for physical memory analysis function primarily as kernel debuggers, but typically without access to source code or debug symbols. Consequently, memory analysis can turn into an expensive debugging or reverse engineering exercise, along with the ongoing task of keeping debug symbols and structure definitions updated. Active development on Rekall has been ongoing.