Today I created a new profile for one of my Windows 10 memory image. Because the currently posted instructions found here cover older versions of Rekall, I am sharing the step-by-step for Rekal 1.5.3 using the new syntax.
Step 1. Identify the kernel version with version_scan.
Step 2. Download the specific kernel symbols to the target directory with fetch_pdb.
Step 3. Create the .json profile with the downloaded kernel symbols with parse_pdb.
Step 4. Use newly added profile for target memory image.
