scudette / rekall-agent-server

Rekall is an endpoint security solution.
http://www.rekall-forensic.com

EFilter documentation available? #11

Open Rukhsar-Khan opened 6 years ago

Rukhsar-Khan commented 6 years ago

Is there a comprehensive EFilter documentation available?

scudette commented 6 years ago

There is an older paper here: http://blog.rekall-forensic.com/2016/07/searching-memory-with-rekall.html

But EFilter has been much improved in the last release. The syntax has been tightened and it has become much more stable. I was meaning to write a more up to date blog post soon. Until then you can see some of the queries in the test file:

https://github.com/rekall-innovations/rekall-test/blob/master/tigger/tests.config#L60

Although that concentrates more on language features since it is a test. Long term, we should build a repository of EFilter expressions which are actually useful for real DFIR work and accept contributions.

scudette commented 6 years ago

You might find the output of the test more readable: https://github.com/rekall-innovations/rekall-test/blob/master/tigger/TestEFilterSearch#L436

scudette commented 6 years ago

I started writing more docs here:

http://docs.rekall-forensic.com/en/latest/efilter.html

Feel free to improve by sending PRs (Click the edit on github at the top right).

Rukhsar-Khan commented 6 years ago

That's awesome, thanks!

Regards, Rukhsar

On 29.01.2018 10:01, Michael Cohen wrote:

I started writing more docs here:

http://docs.rekall-forensic.com/en/latest/efilter.html

Feel free to improve by sending PRs (Click the edit on github at the top right).
