EFilter cheatsheet - rekall-innovations/efilter GitHub Wiki
This page contains sample EFilter queries. Add your example below, and do not forget to include sample output and to mention which mode Rekall was run in (Windows memory image, Live API, etc.).
Find all processes launched from SSH and their users.
A process launched from an SSH session and left running in the background still inherits the session's SSH environment strings, even after the ssh process itself has exited; this is what lets us see backgrounded processes. The SSH daemon stores the original connection information in the SSH_CONNECTION environment string, so we can filter for every process whose environment contains it. We then display the process's username and command line to get more information about each hit.
Running Rekall in Live API mode on Linux.
```
[1] Live (API) 23:30:58> select proc.username, timestamp(proc.create_time) as created, join(" ", proc.cmdline) as cmdline, proc.environ.SSH_CONNECTION from pslist() where
                   ...: proc.environ =~ "SSH_CONNECTION"
```

| username | created | cmdline | SSH_CONNECTION |
|----------|---------|---------|----------------|
| mic | 2018-01-03 06:03:50Z | SCREEN -T screen-256color -S byobu -c /usr/share/byobu/profiles/byoburc /usr/bin/byobu-shell | 192.168.1.1 41541 192.168.0.31 1022 |
| mic | 2018-01-07 07:15:16Z | emacs -nw | 192.168.1.1 41541 192.168.0.31 1022 |
| mic | 2018-01-07 07:15:23Z | /usr/bin/aspell -a -m -B --encoding=utf-8 | 192.168.1.1 41541 192.168.0.31 1022 |
| mic | 2018-01-30 19:08:08Z | /usr/lib/openssh/sftp-server | 192.168.1.1 57702 192.168.0.31 1022 |
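The same filter as an added, stand-alone Python example (not Rekall or EFilter code): it applies the SSH_CONNECTION check to constructed process records shaped like pslist() rows, splits the variable into sshd's four fields (client address, client port, server address, server port) and groups the hits per login so all processes from one session sit together. The record names, timestamps and the malformed last record are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records shaped like pslist() rows; the SSH_CONNECTION values
# and timestamps mirror the wiki output. The last record is deliberately malformed.
SAMPLE_PROCS = [
    {"username": "root", "create_time": 1514764800, "cmdline": ["/usr/sbin/sshd", "-D"],
     "environ": {"PATH": "/usr/sbin:/usr/bin"}},
    {"username": "mic", "create_time": 1514959430,
     "cmdline": ["SCREEN", "-T", "screen-256color", "-S", "byobu"],
     "environ": {"SSH_CONNECTION": "192.168.1.1 41541 192.168.0.31 1022", "TERM": "xterm"}},
    {"username": "mic", "create_time": 1517339288, "cmdline": ["/usr/lib/openssh/sftp-server"],
     "environ": {"SSH_CONNECTION": "192.168.1.1 57702 192.168.0.31 1022"}},
    {"username": "mic", "create_time": 1517339300, "cmdline": ["bash"],
     "environ": {"SSH_CONNECTION": "not-what-sshd-writes"}},
]

def parse_ssh_connection(value):
    """Split sshd's SSH_CONNECTION into client_ip, client_port, server_ip, server_port."""
    # A process can rewrite its own environment, so treat the value as evidence,
    # not proof, and return None instead of crashing on anything unexpected.
    parts = value.split()
    if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
        return None
    return {"client_ip": parts[0], "client_port": int(parts[1]),
            "server_ip": parts[2], "server_port": int(parts[3])}

def ssh_spawned(procs):
    """Equivalent of `where proc.environ =~ "SSH_CONNECTION"` plus the selected columns."""
    rows = []
    for p in procs:
        conn = p["environ"].get("SSH_CONNECTION")
        if conn is None:
            continue
        created = datetime.fromtimestamp(p["create_time"], timezone.utc)
        rows.append({"username": p["username"],
                     "created": created.strftime("%Y-%m-%d %H:%M:%SZ"),
                     "cmdline": " ".join(p["cmdline"]),
                     "ssh_connection": parse_ssh_connection(conn)})
    return rows

def by_session(rows):
    """Group hits by originating client address:port so one login's processes sit together."""
    sessions = defaultdict(list)
    for r in rows:
        c = r["ssh_connection"]
        key = f"{c['client_ip']}:{c['client_port']}" if c else "malformed"
        sessions[key].append(r["cmdline"])
    return dict(sessions)

if __name__ == "__main__":
    print(by_session(ssh_spawned(SAMPLE_PROCS)))
```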