ltechnologygroup.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.
Those of you who attended the “Tools of Engagement: Redline™ –
We’ve Got the Tool, If You’ve Got the Time” webinar last month
by David Ross and myself will recall that we ran short on time while
answering all of your questions. The webinar covered the latest
updates to Redline,
Mandiant’s free tool for investigating hosts for signs of malicious
activity through memory and file analysis, and subsequently
developing a threat assessment profile.
If your question was
one of those we did not get to, don’t worry. We are going to cover
all of those unanswered questions in this post, as well as retread
some of those which were covered during the Q&A for people who
were unable to catch it live.
Without further ado, following
are your answers in no particular order:
Does Redline support disk images for collection and
At the moment, Redline only works on memory
images and live hosts. We are currently focusing on providing the
best possible set of analysis tools for incident response.
Does Redline work for Macs or Mac Memory images? Does it work on
Unfortunately, all of
those currently only support collection on the various Windows
platforms. However, I have heard of people having success getting
audits collected with Memoryze™
for the Mac to at least import into Redline. Be careful to
note that if attempting this, the MRI scores and other analyses may
be incorrect or invalid, as the scoring in Redline assumes it is
operating against data collected from a Windows host.
Is there a specific audit you need to run in order to do Timeline
Short answer: no. The timeline analysis will
parse any and all data with timestamps available for collection. The
comprehensive collector option in Redline is the recommended
starting place if timeline analysis is your goal as the standard
collector collects very little in the way of timestamps.
How valuable would Redline be against a virtual machine created
from a forensic image?
As long as you can log in to the
virtual machine with administrator rights to run the collection,
Redline should have no problem importing and analyzing the data
(provided it is one of the supported operating systems).
Is Redline free when used on an enterprise environment?
Redline is free to use in any sized environment, although the
collection aspect of Redline quickly becomes challenging with large
scale and globally distributed networks. This leads to the next
Can Redline collection be run on a remote machine?
Redline does not itself support remote collection. We recommend
Intelligent Response® if you would like centralized
remote collection of your hosts’ data over an enterprise sized
Can you demonstrate how to use TimeWrinkles™ for events that
occur over multiple days and put them all into one view?
The easiest way to view timeline windows that are separated by
greater than an hour is to create multiple manual TimeWrinkles
around the points of time you are specifically interested in.
Using item based TimeWrinkles you can also potentially see time
entries that occur over multiple days. For instance, you could see
the actions that happened around the creating of a file, as well as
when that same file was last accessed a few days later all in one
view, just by creating a TimeWrinkle around that file.
How do you get a TimeWrinkle based on a file?
select any row within the Timeline and right click on it, Redline
will give you the option to create a TimeWrinkle based on that item.
In this case, you would just need to find the file in question
within your timeline, select it, and choose “Add a New
TimeWrinkle” from its right click menu.
Can Redline be used to pull strings from a memory image? We would
like to pull info from the csrss process to see what commands
might have run on a box.
Redline can be configured to
collect strings using the process listing audit against both a
memory image and a live machine. You can collect strings from files
with the File listing audit, but this option is only available
against a live machine.
We do recommend restricting string
collection to a single process or file at a time though, as turning
strings collection on for a full process or file listing will
significantly increase the amount of data returned and the time it
takes to collect it.
Can I export the data to a file?
Copy and Pasting from
any of the list views (including Timeline), will place up to 20k
selected rows onto your clipboard in CSV format. Using the
right-click menu’s copy options also allows you to specify if you
would like to include a header row in your data or not. Full list
CSV export directly to a file will be available in the next release
Is the timeline feature available in Mandiant Intelligent Response
Timeline as it exists in Redline is not available
in MIR. But using the “open with…” feature in the MIR
Console on any audit result will allow you to import your data you
would like to timeline directly into Redline for analysis.
Is there a way to get external data sources in to Redline that
are not host-based? (ex. IDS, flow, etc.)
At the moment
Redline only supports analysis of the xml data which is collected by
the various Mandiant products listed above. Full schema definitions
for those formats can be found here.
How much alteration is being done to the suspect system by
Depending on if the collector is being run from
the host’s hard disk as opposed to an external drive, the collection
and log files have the potential to overwrite some amount disk slack
space. Also if the “Preserve Timestamps” option is not
configured on your collector, some audits may modify the timestamps
for files they touch. You can find the “Preserve
Timestamps” option at Main Menu -> Redline
Options->Default Script Options->General->Preserve
Timestamps”. Redline defaults this option on.
Prior to re-image, what is a good Redline collector that can
quickly get information to sift through later?
next immediate action is to re-image the box, I tend to err on the
side of collecting as much information as time permits, since there
will be no second chance to go back and recollect additional data.
But for a little bit faster collection time, I suggest starting with
the comprehensive collector and scaling back or removing the larger
audits: files, registry, and processes.
While the collector
run times depend heavily on machine in question, it is not unheard
of for the comprehensive collector to run 1-2 hours. By limiting the
files audit to a specific base path like the Windows directory or
the System32 directory, and limiting your registry audit to a few
specific keys (i.e.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun) you can
significantly reduce the time that your collection will take to run.
If you need to collect even quicker, consider turning off the
various hashes like MD5.
Can I run this tool via command line?
runs as a batch script via the command line, but the analysis and
visualization portions are only available through the graphical user
Are you limited to the types of variants/intrusions you can scan
The Malware Risk Index (MRI) scoring configuration is
limited in the types of things it allows you to look for, but within
those confines you can add or tweak to your heart’s content.
Indicators of Compromise (IOC) provide a much more flexible
definition format to describe what malware you would like to search
for. The first Tools of
Engagement: Redline webinar walks through an example of
creating a new MRI rule and an Indicator of Compromise in the course
of performing the investigation and applying them to a Redline
Can you tell if the attacker has manipulated the time stamps of
Redline does not automatically detect
timestamp manipulation. But often an experienced eye can pick it out
by looking for things such as every potentially suspect files
encountered having “00” for their seconds place, or
similar statistically improbable occurrences.
Is there any known malware that targets Redline? Have you had any
difficulties with attackers running their tools inside rootkit
We have yet to encounter any malware that has
specifically attempted to avoid collection or detection by Redline
and its various analysis techniques. As for general rootkit
protection, Redline uses raw disk access by default where possible
to avoid being subverted by rootkits.
What metadata shows how many times an executable has
Prefetch files (.pf) are windows specific cache
files to improve application startup performance. They contain the
first and last run time as well as how many executions have occurred
in total. These files are parsed and their relevant data captured by
the Prefetch audit available in the Redline Collector setup.
That wraps up all of unanswered (as well as answered) questions!
And just in case you do not already have it, the latest version of
Redline (1.7 as of the time of this writing) can always be found
At L Technology Group, we know technology alone will not protect us from the risks associated with in cyberspace. Hackers, Nation States like Russia and China along with “Bob” in HR opening that email, are all real threats to your organization. Defending against these threats requires a new strategy that incorporates not only technology, but also intelligent personnel who, eats and breaths cybersecurity. Together with proven processes and techniques combines for an advanced next-generation security solution. Since 2008 L Technology Group has develop people, processes and technology to combat the ever changing threat landscape that businesses face day to day.
Call Toll Free (855) 999-6425 for a FREE Consultation from L Technology Group, https://www.ltechnologygroup.com.