optional arguments:¶

-

A do nothing arg. Useful to separate options which take multiple args from positional. Can be specified many times.

Output control:¶

-v, --verbose

Set logging to debug level.

-q, --quiet

Turn off logging to stderr.

--debug

If set we break into the debugger on error conditions.

--output_style {concise,full}

How much information to show. Default is 'concise'.

--logging_level {DEBUG,INFO,WARNING,ERROR,CRITICAL}

The default logging level.

--log_domain [{PageTranslation} [{PageTranslation} ...]]

Add debug logging to these components.

--plugin [PLUGIN [PLUGIN ...]]

Load user provided plugin bundle.

-h, --help

Show help about global parameters.

--cache CACHE

Type of cache to use.

--repository_path [REPOSITORY_PATH [REPOSITORY_PATH ...]]

Path to search for profiles. This can take any form supported by the IO Manager (e.g. zip files, directories, URLs etc)

-f FILENAME, --filename FILENAME

The raw image to load.

--buffer_size BUFFER_SIZE

The maximum size of buffers we are allowed to read. This is used to control Rekall memory usage.

--output OUTPUT

If specified we write output to this file.

--max_collector_cost MAX_COLLECTOR_COST

If specified, collectors with higher cost will not be used.

--home HOME

An alternative home directory path. If not set we use $HOME.

--logging_format LOGGING_FORMAT

The format string to pass to the logging module.

--performance {normal,fast,thorough}

Tune Rekall's choice of algorithms, depending on performance priority.

--live LIVE

Enable live memory analysis.

-o FILE_OFFSET, --file_offset FILE_OFFSET

A Relative offset for image file.

--cache_dir CACHE_DIR

Location of the profile cache directory.

--highlighting_style {manni, igor, lovelace, xcode, vim, autumn, vs, rrt, native, perldoc, borland, tango, emacs, friendly, monokai, paraiso-dark, colorful, murphy, bw, pastie, algol_nu, paraiso-light, trac, default, algol, fruity}

Highlighting style for interactive console.

--pagefile [PAGEFILE [PAGEFILE ...]]

A pagefile to load into the image.

--version

Prints the Rekall version and exits.

Interface:¶

--pager PAGER

The pager to use when output is larger than a screen full.

--paging_limit PAGING_LIMIT

The number of output lines before we invoke the pager.

--colors {auto,yes,no}

Color control. If set to auto only output colors when connected to a terminal.

-F FORMAT, --format FORMAT

The output format to use. Default (text)

--timezone TIMEZONE

Timezone to output all times (e.g. Australia/Sydney).

--name_resolution_strategies [{Module,Symbol,Export} [{Module,Symbol,Export} ...]]

Autodetection Overrides:¶

--dtb DTB

The DTB physical address.

--autodetect_build_local_tracked [AUTODETECT_BUILD_LOCAL_TRACKED [AUTODETECT_BUILD_LOCAL_TRACKED ...]]

When autodetect_build_local is set to 'basic' we fetch these modules directly from the symbol server.

--autodetect {linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux} [{linux_index,nt_index,tsk,osx,pe,windows_kernel_file,rsds,ntfs,linux} ...]

Autodetection method.

--autodetect_threshold AUTODETECT_THRESHOLD

Worst acceptable match for profile autodetection. (Default 1.0)

--autodetect_build_local {full,basic,none}

Attempts to fetch and build profile locally.

--autodetect_scan_length AUTODETECT_SCAN_LENGTH

How much of physical memory to scan before failing

Virtualization support:¶

--ept EPT [EPT ...]

The EPT physical address.

When no module is provided, drops into interactive mode