teamdfir / sift

SIFT
MIT License

Rekall broken on SIFT 1.8.0 on Ubuntu 18.04 #422

Closed mrh1 closed 4 years ago

mrh1 commented 4 years ago

I did a fresh install of Ubuntu 18.04 in a VM, followed by a complication-free install of SIFT 1.8.0. I've tried out many of the included tools without problem but Rekall will not run, returning the following error (same with or without sudo):

$ sudo rekall -h
[sudo] password for forensics: 
Traceback (most recent call last):
  File "/usr/local/bin/rekall", line 7, in <module>
    from rekall.rekal import main
  File "/usr/local/lib/python2.7/dist-packages/rekall/rekal.py", line 41, in <module>
    entry_point.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2442, in load
    self.require(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2465, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 791, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (future 0.17.1 (/usr/lib/python2.7/dist-packages), Requirement.parse('future==0.16.0'), set(['rekall-efilter']))

Does anyone recognize this error and have an idea of how to fix it? This error has shown up in the past, according to some closed issues, and the fix was to change the ".rekall.rc file", but that file seems to already be configured according to that fix.

The ~/.rekall.rc file contains the following:

cache_dir: .rekall_cache
repository_path:
  - https://github.com/google/rekall-profiles/raw/master
  - http://profiles.rekall-forensic.com

Right now, my fix is to use Volatility and ignore Rekall, but I'd really like to use Rekall. On the other hand, Rekall doesn't appear to be maintained any longer (https://github.com/google/rekall/issues/518), so maybe it should be dropped from SIFT?

Fetchered commented 4 years ago

This issue still exists with 1.8.1. Temporary fix is:

sudo pip install future==0.16.0
sudo pip install rekall rekall-agent

This is with the python 2.7 pip (not python3). Issue had been documented before in #375, but the stale bot auto-closed the issue.

Recommend the fix be to have a salt state for pip install future==0.16.0 prior to the install of rekall and rekall-agent.

ekristen commented 4 years ago

2020.2.0-rc2 with this fix, please verify @Fetchered

Fetchered commented 4 years ago

2020.2.0-rc2 is not coming down with a sift install. Since I've already applied the 'fixes' to run rekall, there's no way for me to confirm the sift update/upgrade will work.

I've got a fresh snapshot, doing a sift install --pre-release and it's pulling down 2020.2.0-rc3. Will keep you posted.

ekristen commented 4 years ago

rc2 was broken; rc3 is its replacement.


Fetchered commented 4 years ago

Rekall appears to work (launches without error), but does not process a memory dump. My steps to fix were:

sudo pip install future==0.16.0 pyaff4==0.26post6
sudo pip install rekall rekall-agent

Used the CFReDS NIST memory image xp-laptop-2005-06-25.img, which rekall uses on their site as a test image. Confirmed these commands do work. Unsure how the salt is configured for the installation of rekall, but I recommend the two commands above be used, in this order (or something comparable).

Error received:

/opt/rekall/local/lib/python2.7/site-packages/rekall/plugins/addrspaces/aff4.pyc in __init__(self, filename, **kwargs)
    123                     lexicon.AFF4_FILE_NAME,
    124                     rdfvalue.XSDString(
--> 125                         os.path.join(cache_dir, "aff4_cache")))
    126             except IOError:
    127                 pass

TypeError: Set() takes exactly 5 arguments (4 given)
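
The salt state the two comments above ask for, written out as an added example (this is not the actual sift-saltstack state; the state IDs and the /usr/bin/pip2 path are assumptions, and the version pins are the ones reported to work in this thread). The first state pins future and pyaff4 with the Python 2.7 pip, and the second installs rekall and rekall-agent only after it, via `require`, so the pins are in place before rekall-efilter's `future==0.16.0` requirement is resolved:

```yaml
# Added example, not the sift-saltstack project's own state.
# Assumed: /usr/bin/pip2 is the Python 2.7 pip that rekall is installed with.
sift-rekall-deps:
  pip.installed:
    - pkgs:
      - future==0.16.0
      - pyaff4==0.26post6
    - bin_env: /usr/bin/pip2

sift-rekall:
  pip.installed:
    - pkgs:
      - rekall
      - rekall-agent
    - bin_env: /usr/bin/pip2
    - require:
      - pip: sift-rekall-deps
```

Two caveats for whoever wires this in. The future 0.17.1 in the first traceback lives in /usr/lib/python2.7/dist-packages (the apt copy), while pip writes to /usr/local/lib/python2.7/dist-packages, which Ubuntu puts earlier on sys.path; the pin therefore shadows the apt package rather than replacing it, and an `apt upgrade` cannot undo it, but a later unpinned `pip install --upgrade future` can. The second traceback comes from a virtualenv under /opt/rekall; if that is where SIFT installs rekall, point `bin_env` at `/opt/rekall` in both states instead of at the system pip, otherwise the pins land in the wrong interpreter.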

ekristen commented 4 years ago

We install how the readme says. However it seems to want the agent installed separately now. Nowhere does it talk about installing future or pyaff4 that I can see, but I could have missed it.

I need to fix it to install the agent which who knows might fix it all.

ekristen commented 4 years ago

Please install https://github.com/teamdfir/sift-saltstack/releases/tag/v2020.2.2-rc1 with --pre-release, there's also a new version of the CLI out, I recommend upgrading to that as well.

Fetchered commented 4 years ago

Will do that when I get home this afternoon and report back soonest.

Cheers


Fetchered commented 4 years ago

Can confirm, this is successful. No installation errors, no rekall errors, tested against a known good sample with pslist. Only difference is that when I installed the new sift-cli and installed --pre-release, the pre-release version that was pulled down was v2020.2.2-rc2 and not rc1.

This works for me, I guess now we need to know if it works for @mrh1 . Thanks @ekristen

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.