Threat Research Blog

Redline: Answering Your Questions

Those of you who attended the "Tools of Engagement: Redline™ - We've Got the Tool, If You've Got the Time" webinar last month by David Ross and myself will recall that we ran short on time while answering all of your questions. The webinar covered the latest updates to Redline, Mandiant's free tool for investigating hosts for signs of malicious activity through memory and file analysis, and subsequently developing a threat assessment profile.

If your question was one of those we did not get to, don't worry. We are going to cover all of those unanswered questions in this post, as well as retread some of those which were covered during the Q&A for people who were unable to catch it live. 

Without further ado, following are your answers in no particular order:

Does Redline support disk images for collection and analysis?

At the moment, Redline only works on memory images and live hosts. We are currently focusing on providing the best possible set of analysis tools for incident response.

Does Redline work for Macs or Mac Memory images? Does it work on Linux?

Redline officially supports data collected with Mandiant Intelligent Response® (MIR), Mandiant Memoryze™, or a Redline Collector.

Unfortunately, all of those currently only support collection on the various Windows platforms. However, I have heard of people having success getting audits collected with Memoryze™ for the Mac to at least import into Redline. Be careful to note that if attempting this, the MRI scores and other analyses may be incorrect or invalid, as the scoring in Redline assumes it is operating against data collected from a Windows host.

Is there a specific audit you need to run in order to do Timeline Analysis?

Short answer: no. The timeline analysis will parse any and all data with timestamps available for collection. The comprehensive collector option in Redline is the recommended starting place if timeline analysis is your goal as the standard collector collects very little in the way of timestamps.

How valuable would Redline be against a virtual machine created from a forensic image?

As long as you can log in to the virtual machine with administrator rights to run the collection, Redline should have no problem importing and analyzing the data (provided it is one of the supported operating systems).

Is Redline free when used on an enterprise environment?

Redline is free to use in any sized environment, although the collection aspect of Redline quickly becomes challenging with large scale and globally distributed networks. This leads to the next question...

Can Redline collection be run on a remote machine?

Redline does not itself support remote collection. We recommend purchasing Mandiant Intelligent Response® if you would like centralized remote collection of your hosts' data over an enterprise sized network.

Can you demonstrate how to use TimeWrinkles™ for events that occur over multiple days and put them all into one view?

The easiest way to view timeline windows that are separated by greater than an hour is to create multiple manual TimeWrinkles around the points of time you are specifically interested in.

Using item based TimeWrinkles you can also potentially see time entries that occur over multiple days. For instance, you could see the actions that happened around the creating of a file, as well as when that same file was last accessed a few days later all in one view, just by creating a TimeWrinkle around that file.

How do you get a TimeWrinkle based on a file?

If you select any row within the Timeline and right click on it, Redline will give you the option to create a TimeWrinkle based on that item. In this case, you would just need to find the file in question within your timeline, select it, and choose "Add a New TimeWrinkle" from its right click menu.

Can Redline be used to pull strings from a memory image? We would like to pull info from the csrss process to see what commands might have run on a box.

Redline can be configured to collect strings using the process listing audit against both a memory image and a live machine. You can collect strings from files with the File listing audit, but this option is only available against a live machine.

We do recommend restricting string collection to a single process or file at a time though, as turning strings collection on for a full process or file listing will significantly increase the amount of data returned and the time it takes to collect it.

Can I export the data to a file?

Copy and Pasting from any of the list views (including Timeline), will place up to 20k selected rows onto your clipboard in CSV format. Using the right-click menu's copy options also allows you to specify if you would like to include a header row in your data or not. Full list CSV export directly to a file will be available in the next release of Redline.

Is the timeline feature available in Mandiant Intelligent Response® (MIR®)?

Timeline as it exists in Redline is not available in MIR. But using the "open with..." feature in the MIR Console on any audit result will allow you to import your data you would like to timeline directly into Redline for analysis.

Is there a way to get external data sources in to Redline that are not host-based? (ex. IDS, flow, etc.)

At the moment Redline only supports analysis of the xml data which is collected by the various Mandiant products listed above. Full schema definitions for those formats can be found here.

How much alteration is being done to the suspect system by Redline?

Depending on if the collector is being run from the host's hard disk as opposed to an external drive, the collection and log files have the potential to overwrite some amount disk slack space. Also if the "Preserve Timestamps" option is not configured on your collector, some audits may modify the timestamps for files they touch. You can find the "Preserve Timestamps" option at Main Menu -> Redline Options->Default Script Options->General->Preserve Timestamps". Redline defaults this option on.

Prior to re-image, what is a good Redline collector that can quickly get information to sift through later?

If the next immediate action is to re-image the box, I tend to err on the side of collecting as much information as time permits, since there will be no second chance to go back and recollect additional data. But for a little bit faster collection time, I suggest starting with the comprehensive collector and scaling back or removing the larger audits: files, registry, and processes.

While the collector run times depend heavily on machine in question, it is not unheard of for the comprehensive collector to run 1-2 hours. By limiting the files audit to a specific base path like the Windows directory or the System32 directory, and limiting your registry audit to a few specific keys (i.e. HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun) you can significantly reduce the time that your collection will take to run. If you need to collect even quicker, consider turning off the various hashes like MD5.

Can I run this tool via command line?

The collector runs as a batch script via the command line, but the analysis and visualization portions are only available through the graphical user interface.

Are you limited to the types of variants/intrusions you can scan for?

The Malware Risk Index (MRI) scoring configuration is limited in the types of things it allows you to look for, but within those confines you can add or tweak to your heart's content. Indicators of Compromise (IOC) provide a much more flexible definition format to describe what malware you would like to search for. The first Tools of Engagement: Redline webinar walks through an example of creating a new MRI rule and an Indicator of Compromise in the course of performing the investigation and applying them to a Redline analysis.

Can you tell if the attacker has manipulated the time stamps of the files?

Redline does not automatically detect timestamp manipulation. But often an experienced eye can pick it out by looking for things such as every potentially suspect files encountered having "00" for their seconds place, or similar statistically improbable occurrences.

Is there any known malware that targets Redline? Have you had any difficulties with attackers running their tools inside rootkit protection?

We have yet to encounter any malware that has specifically attempted to avoid collection or detection by Redline and its various analysis techniques. As for general rootkit protection, Redline uses raw disk access by default where possible to avoid being subverted by rootkits.

What metadata shows how many times an executable has executed?

Prefetch files (.pf) are windows specific cache files to improve application startup performance. They contain the first and last run time as well as how many executions have occurred in total. These files are parsed and their relevant data captured by the Prefetch audit available in the Redline Collector setup.

That wraps up all of unanswered (as well as answered) questions! And just in case you do not already have it, the latest version of Redline (1.7 as of the time of this writing) can always be found here.