Obtaining, Building and Installing Rekall

These instructions have been written for Rekall 2.2.x, and cover the prerequisites needed by Rekall, obtaining the source code to Rekall, configuring and building Rekall, and installation. They apply to building Rekall under Linux; the author has no experience of building under other Unixes.

Note that in this document, anything that looks like an eMail address has had the @ character replaced with (at) to try to foil eMail address harvesting software. You should make the appropriate change.

Prerequisites

In order to build Rekall from source, you will need to have various things installed on your system. The exact details depend on which Linux distribution you are running, but should be broadly the same in all cases.

You will need the general development tools; this includes the g++ compiler and related tools, and the usual include files and libraries.

You must have the Python development packages installed. Without these, Rekall will not build at all. The package names vary between distributions; some examples are:

RedHat 8        python-devel
Mandrake 9.2    libpython2.3-devel
Suse 9.0        python-devel

The Rekall code includes drivers for the MySQL and PostgreSQL databases. To build these drivers, you will need the corresponding development packages. If these are missing then Rekall will still build, but without the corresponding drivers.

RedHat 8        mysql-devel, postgresql-devel
Mandrake 9.2    libmysql12-devel, postgresql-devel
Suse 9.0        mysql-devel, postgresql-devel

In addition, Rekall includes a driver which accesses XBase (DB-IV) format files via the XBSQL wrapper library. To build this driver, you will need either to (a) obtain, build and install these packages or (b) obtain and install the xbase, xbase-devel and xbsql binary packages. The source code tarballs for XBase and XBSQL, and a number of binary packages, can be downloaded from:

http://www.rekallrevealed.org/packages/

You will also need to have installed the KDE and QT development packages (or, just the QT development package if you are building the QT-only version).

Obtaining the Source Code

There are two ways in which you can obtain the Rekall source code.

(a) Source Code Tarball

The first option is to download and unpack the latest source code tarball, which can be found at http://www.rekallrevealed.org/packages/.

Note that the source tarball is configured to build Rekall to integrate with KDE; it is not set up to build the QT-only version referred to below.

(b) CVS

The second option is to obtain the Rekall codebase from CVS. Note that while we try to ensure that the code in CVS will build and run, this is bleeding edge code, and may not build or may contain more or less serious bugs.

Please note that to build from CVS you will need sufficiently recent versions of the autoconf and automake packages installed. The CVS source will work with autoconf 2.57 and automake 1.7.8.

To download from CVS you first need to get a login on the server. Under Linux, the command is (replace the (dot) in the obvious way):

cvs -d:pserver:anonymous@rekallrevealed(dot)org:/cvs/rekall login

When prompted for a password just hit return; the anonymous account has no password (and does not permit update). Then, to retrieve the code:

cvs -z9 -d:pserver:anonymous@rekallrevealed(dot)org:/cvs/rekall co rekall

The use of -z9 compression is strongly recommended; the compressed download is around 5MBytes.

Immediately after obtaining the source code from CVS you will need to run one of the following two commands from within the rekall directory.

make -f Makefile.cvs kde3
make -f Makefile.cvs qt3

The former is the "usual" case and will set up a build that integrates with KDE. The second will set up a build that is independent of KDE and uses only the QT library. Unless you have specific reasons, use the KDE build; note that the QT-only build may lag behind and is more likely to fail to build.

Building Rekall

After unpacking the source tarball (or downloading from CVS and running the "make -f Makefile.cvs ...." command), change to the rekall directory and configure the build by running the command:

./configure --prefix=PREFIX

PREFIX is the installation prefix for your system. Typical examples are as below. You must get this right! If you omit the --prefix option then Rekall will install into /usr/local/kde, which is almost certainly not what you want.

RedHat       /usr
Mandrake     /usr
SuSE         /opt/kde3
Slackware    /opt/kde

At the end of this stage, the configure script should list the database drivers and whether or not they will be built. If they are not what you expect, then the most likely explanation is not having the appropriate development packages installed.

Then, run the command below and go get a cup of tea (or coffee, or whatever is your favourite poison). The build takes around 40 minutes on an Athlon XP-2600+ processor:

make

If all goes well, this will not produce any errors. If it does then please use the mailing lists (given below) for support queries.

Installation

Installing is a simple matter of the command below. Most likely you will need to be logged in (or su'd) as root for this to work.

make install

Preparing RPM Packages

If you download the source code tarball, or use CVS and run the "make -f Makefile.cvs ..." command, you will find that the rpm.spec directory contains a set of RPM specification files for a number of distributions (for instance, suse81.spec, suse82.spec and suse90.spec).

These can be used to build binary RPM packages of Rekall. The most straightforward way to do this is described below; this assumes some knowledge of the RPM packaging system.

You will need a source tarball named "rekall-2.2.0.tar.gz", constructed such that it contains a single top-level directory called "rekall-2.2.0". It should not contain the CVS directories. This tarball should be placed in the directory "/usr/src/RPMDIR/SOURCES" where RPMDIR is the appropriate directory for your distribution, for instance:

RedHat      redhat
Mandrake    RPM
SuSE        packages

Then copy the appropriate specification file to the directory "/usr/src/RPMDIR/SPECS" with the name "rekall.spec".

Change to the directory "/usr/src/RPMDIR" and run the command below (except that on recent RedHat distributions, replace the "rpm" command with "rpmbuild"):

rpm -ba SPECS/rekall.spec
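
The preparation steps above (a tarball with a single top-level "rekall-2.2.0" directory and no CVS directories, placed in SOURCES, and the spec file copied to SPECS as "rekall.spec") can be scripted as follows. This is an added example, not part of the Rekall distribution; the function names are hypothetical, and the layout check is an extra step that runs before the archive is handed to rpm.

```shell
#!/bin/sh
# Added example: stage a checkout as rekall-2.2.0.tar.gz plus rekall.spec.
# The version is the page's; the function names are hypothetical.
VERSION=2.2.0
TOP="rekall-$VERSION"

# make_tarball CHECKOUT_DIR OUT_DIR
# Copies the checkout into a staging directory named $TOP, deletes every CVS
# administrative directory, and writes OUT_DIR/$TOP.tar.gz.
make_tarball() {
    src=$1; out=$2
    stage=$(mktemp -d) || return 1
    mkdir -p "$out" "$stage/$TOP" || return 1
    cp -R "$src"/. "$stage/$TOP"/ || return 1
    find "$stage/$TOP" -type d -name CVS -prune -exec rm -rf {} + || return 1
    tar -czf "$out/$TOP.tar.gz" -C "$stage" "$TOP" || return 1
    rm -rf "$stage"
}

# verify_tarball TARBALL
# Succeeds only if the archive is non-empty, every entry sits under the single
# top-level directory $TOP, and no path component is ".." or "CVS".
verify_tarball() {
    tar -tzf "$1" | awk -v top="$TOP" '
        { sub(/^\.\//, "")                  # tolerate a leading "./"
          n = split($0, part, "/")
          if (part[1] != top) bad = 1       # wrong or absolute top level
          for (i = 1; i <= n; i++)
              if (part[i] == ".." || part[i] == "CVS") bad = 1 }
        END { exit (bad || NR == 0) }'
}

# stage_rpm_inputs CHECKOUT_DIR RPM_ROOT SPEC_FILE
# RPM_ROOT stands for /usr/src/RPMDIR; SPEC_FILE is one of the rpm.spec files.
stage_rpm_inputs() {
    make_tarball "$1" "$2/SOURCES" &&
    verify_tarball "$2/SOURCES/$TOP.tar.gz" &&
    mkdir -p "$2/SPECS" &&
    cp "$3" "$2/SPECS/rekall.spec"
}
```

verify_tarball can also be run on its own against a tarball obtained elsewhere before it is copied into SOURCES.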

If the build succeeds, you should be left with a set of RPMs in the "/usr/src/RPMBUILD/RPMS/i386" directory (or maybe i586 depending on the distribution), plus a corresponding source RPM. There is a fairly large number of RPMs. They have been split up this way so that the database drivers are in separate RPMs, and so that you can install either the full version, the runtime-only version, or both; the separation is also related to commercial use of the components. The RPMs are listed below: build_distr will be a build and the distribution. Note that for historical reasons, most libraries are named "libkbase_xxxx".