This repository contains Rekall with additions made to support Windows 10 memory compression. The system should automatically detect whether the kernel in the snapshot used memory compression. If the compression version is supported, we will automatically load an address space that supports decompression. All of this should be invisible to the user.
Source code and additional information may be found here: https://github.com/mandiant/win10_rekall