Threat Research Blog

Freeware Release: Redline 1.7

Redline™ is Mandiant's free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile. It combines configurable collection of Mandiant's full range of forensic artifacts (the same set available to our enterprise product, Mandiant Intelligent Response®, guided analysis, Mandiant's Custom Malware Risk Index (MRI) scoring, and Indicator of Compromise (IOC) matching) to provide you with the tools needed to rapidly triage a potentially compromised host.

Recently, we released Redline version 1.7. To make this the most compelling release to date, we focused on two of the most frequently requested features: Timeline and Search.

Timeline

With Timeline, we wanted to do more than just slap together all date related items into a staggering list that buries you under more data than is humanly possible to review. Even on infrequently used systems, hundreds of thousands of dated artifacts are collected using the Redline Comprehensive Collector. To help narrow a complete timeline down to a manageable subset of data we have provided you with a trio of powerful filtering capabilities: Field Filters, TimeWrinkle™ and TimeCrunch™.

You can use these filters to shave down your timeline to a manageable number of events . We have made it simple to quickly scan your list for suspicious activity by providing you with a summary column that highlights valuable information about any given event. But do not fear, if you need to investigate any item in further detail, you can select that event and choose the "Show Details" button to view everything we have collected.

Figure 1: The new Timeline view in Redline

Field Filters

Field filters are a straightforward means of excluding or including entire categories of time related events from your view by simply checking those that you care about. For example, we often find that File Accessed events tend to be very noisy. With field filters you can remove them from view until they are absolutely necessary.

Even when you use field filters, we realized that there was still too much data for manual review. Naturally, we turned to our expert professional services consultants to see how they comb through large quantities of time-oriented data. Unable to find a good solution that met their needs, they developed the concepts of TimeWrinkle and TimeCrunch. We worked closely with them to bring these tools to Redline's new Timeline capabilities.

TimeWrinkle™

TimeWrinkle provides you with the means to filter your Timeline view to display only the events that occurred in a set of configurable windows of time. TimeWrinkle comes in two varieties: custom and item-based. Choosing which variety to use and when simply depends on the type of investigative lead you start with.

If you know the general time when suspected malicious activity occurred (whether from a user IT ticket, an IDS log, or some other similar means) you use a custom TimeWrinkle to restrict your timeline to only events that took place around that region of time. If the default five minute window radius is not sufficient, you can adjust it anywhere between 0 and 60 minutes to better suit your needs.

However, if you know something more specific about the suspected malicious activity (such as a file name or MD5 checksum) you can use an item-based TimeWrinkle. Creating an item-based TimeWrinkle will take a selected item (e.g. File, Registry Key, Process, etc.) and narrow your timeline to events that take place around any of the of the associated timestamps for that item. To create an item-based TimeWrinkle, right click on any item in the Timeline and select "Add New TimeWrinkle". This will use default settings to generate a TimeWrinkle around the selected item which can then be edited to exclude, include, or adjust any of the individual field windows within the TimeWrinkle.

Figure 2: Timeline Configuration

TimeCrunch™

There can still be times where you have too much data to review manually even after you have trimmed your timeline to a narrow window using TimeWrinkles. To further aid you in reducing your data, we also provide the ability to trim out a minute worth of events for a specific field by using a TimeCrunch. TimeCrunches are useful when Field Filters (being applied so broadly) are detrimental to your investigation, and instead you need to remove specific event types in a more surgical manner.

The most common example of this is when an antivirus scan updates the file accessed timestamp on a very large number of files in a very short amount of time. When this occurs, the file accessed timestamp will become too noisy to be of investigative use for the window in which the antivirus scan ran. Applying a TimeCrunch can quickly exclude a minute worth of this cluttersome data without losing potentially relevant file accessed timestamps elsewhere in your timeline as with Field Filters.

Figure 3: TimeCrunch

Search

Now you are probably saying to yourself, "Timeline sounds awesome, but what do I do if my investigative lead is not something that is time based?" For example, what do you do if your lead is a potentially compromised credit card number. No worries, we have considered you as well.

Now standard on every list shaped view in Redline is a full featured search capability. For example, by using the search feature you can quickly search the entire list of strings from all processes in memory to determine if the suspect credit card number was present. If any matches are found, we will highlight and scroll to each of them. And if your investigative lead is less specific (e.g. you suspect that some unknown credit card numbers may have been stolen) we also allow you to specify your search criteria as a Regular Expression.

For our current Redline users, upgrade to this latest version of the freeware tool to take advantage of the new features. For new users, don't wait another minute to download Redline and get your hands on this great set of analysis tools. Please be sure to check out the updated user documentation for more details and drop by the Redline section of the Mandiant forums to give us feedback on your experience and post any questions you may have.

Lastly, be sure to tune in to our upcoming Tools of Engagement Webinar on Thursday, Jan. 10th where we will be putting these new features to use in a live demo investigation of a host suspected of being compromised by an APT-type attack.