
Within the incident response realm, forensic tools are essential components in
intercepting and resolving security threats. Although many options are available, one instrument
for Windows operating systems is Redline. This tool gives users immediate notice of
malicious activity through memory and file analysis and the development of a threat
assessment profile (Accelerated Live Response). Knowing which processes are running is
important information when monitoring network systems.

After Redline is downloaded, installed, and opened, a screen appears that gives the user a
choice of collecting data (create a Standard Collector, a Comprehensive Collector, or an IOC
Search Collector) or analyzing data (from a saved memory file or from a previous analysis). The
Standard Collector collects the data the program uses to score and assess the computer. This
is an important function, as it gives the user a starting point for becoming aware of which
issues might be present and how serious a threat each factor is. The screenshot below shows
the opening screen for the Standard Collector, with the warning that this selection will not
enable the full range of data that Redline is capable of collecting, which reduces the
effectiveness of many Indicators of Compromise. However, it is a good starting place when
evaluating a threat. Note that there is an option that can be checked; checking it acquires
an image of memory that can be used to accurately acquire process memory and drivers during
analysis in Redline. This selection increases the information accessible to the user.

Once the collector package is created, the user is instructed to run the RunRedlineAudit.bat
script, preferably from removable media (e.g., a USB hard drive). Per the instructions, the
information is then saved in a folder named Sessions\AnalysisSession1.

The second choice the user can make under Collect Data is Create a Comprehensive
Collector. With this search, Redline collects the standard data as well as additional data
that indicates any compromise that might have taken place. This choice makes more use of the
Redline software, since the search gathers most of the data Redline is capable of collecting.
However, the user is warned that this will not collect strings, which can be manually enabled
by choosing to edit the script below. An additional option is available for this analysis
session if the user checks the box Acquire Memory Image. This allows the program to take an
image of the memory that can be used to accurately acquire process memory and drivers during
analysis in Redline. The screenshot below shows this information so that the user is fully
aware of the benefits of this particular search.

The last choice is to create an IOC Search Collector. This is a custom approach to
collecting the data, where the Redline user can specify the particular information wanted
regarding indicators of compromise. Starting this analysis session brings up a new screen
instructing the user that Indicators of Compromise are forensic artifacts left behind by an
intrusion. An IOC file describes these artifacts using the OpenIOC format. The instructions
go on to state that the information will be verified as the correct data. This gives the user
some versatility as to the data being analyzed. Sometimes investigators are looking for a
specific intrusion or a specific incident of compromise. This tool then acts as a magnifying
glass on the individual threat being observed.
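To make the OpenIOC idea concrete, here is an added Python example (not code from the paper or from Redline) that evaluates a small OpenIOC 1.0 indicator against host records. The IOC document, its id, and the process records are constructed for illustration; the evaluator assumes the basic OpenIOC layout of Indicator nodes carrying an AND/OR operator over IndicatorItem nodes with a Context search term and a Content value, and it simplifies matching so that each IndicatorItem is satisfied by any record on the host.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document (not a real indicator): svchost.exe running from a user profile.
OPENIOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="AND">
      <IndicatorItem condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">svchost.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="ProcessItem" search="ProcessItem/path" type="mir"/>
        <Content type="string">\\Users\\</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

# Constructed process records keyed by OpenIOC search term (the second one is the suspect).
SUSPECT_HOST = [
    {"ProcessItem/name": "svchost.exe", "ProcessItem/path": "C:\\Windows\\System32\\svchost.exe"},
    {"ProcessItem/name": "svchost.exe", "ProcessItem/path": "C:\\Users\\bob\\AppData\\svchost.exe"},
]

def item_matches(item, records):
    # Simplified semantics: an IndicatorItem is satisfied if any record matches it.
    term = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").lower()
    cond = item.get("condition")
    for rec in records:
        have = rec.get(term, "").lower()
        if (cond == "is" and have == want) or (cond == "contains" and want in have):
            return True
    return False

def indicator_matches(node, records):
    # Recursively combine child results with the node's AND/OR operator.
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, records))
        elif tag == "Indicator":
            results.append(indicator_matches(child, records))
    combine = all if node.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)

def ioc_matches(ioc_xml, records):
    return indicator_matches(ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS), records)
```

With only the System32 record present the AND fails on the path term, so the indicator does not fire; with the profile copy present it does.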

One additional function that is valuable in using this tool for incident response is the
timeline feature. Although the program keeps a timeline that logs all events, searching
through them for malicious activity would be time consuming and tedious. Two components of
the Redline Timeline, TimeCrunch and TimeWrinkle, make this task easier by allowing the user
to list only relevant log events. Wilson (2012) posts an example of this timeline in his
article. Notice in the image below that the date and time are noted. Following that column,
the field, such as Process/StartTime, Registry/Modified, User/LastLogin, or
CookieHistory/Expiration, is listed. A summary column follows the field and lists items such
as the path, the name, groups, whether it is disabled, and values. If the user clicks on each
item separately, more information can be viewed in the pane on the right-hand side. This is
a powerful feature, since it lets the user limit the categories and the amount of data to be
viewed at one particular time.

TimeCrunch can limit the information the user is viewing even more. By selecting a
particular time frame, the investigator can zoom in on particular data. The screenshot below
(Wilson, 2012) gives a visual of the type of information and time stamp that can be seen
using this feature.

Finally, TimeWrinkle, according to Wilson (2012), can narrow the search even more. In
this example, the user has selected five minutes before and after the event. This provides a
logical sequence of events and a clear picture of what is happening in a small snippet of
time. The program offers two choices here, custom and item-based. The custom option is the
one to use if the time period when the malware attack occurred is known. However, if the file
name or checksum of the malicious activity is already known, then the item-based TimeWrinkle
is the better option. Notice in the screenshot below that the user is shown an individual
time stamp as well as a description of the total period the user has selected (5 minutes
before and after). The fields are labeled File/Modified, File/Created, and Registry/Modified,
followed by a summary of the event that includes the path and MD5. This detailed information
gives the user an excellent log of the events that have transpired.
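As an added illustration of the two timeline filters described above (custom time frame versus item-based TimeWrinkle), the following Python is not code from the paper or from Redline. It assumes timeline rows shaped like the columns discussed (timestamp, field, and a summary carrying the path and MD5); the rows and hash values are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed timeline rows: (timestamp, field, summary with path and MD5).
# The MD5 values are placeholders, not hashes of real files.
TIMELINE = [
    ("2015-06-20 10:00:00", "User/LastLogin", {"path": "WORKSTATION\\bob", "md5": ""}),
    ("2015-06-20 10:12:30", "File/Created", {"path": "C:\\Users\\bob\\dl\\setup.exe", "md5": "11111111111111111111111111111111"}),
    ("2015-06-20 10:13:05", "Process/StartTime", {"path": "C:\\Users\\bob\\dl\\setup.exe", "md5": "11111111111111111111111111111111"}),
    ("2015-06-20 10:14:40", "Registry/Modified", {"path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater", "md5": ""}),
    ("2015-06-20 10:18:30", "File/Modified", {"path": "C:\\Users\\bob\\AppData\\updater.exe", "md5": "22222222222222222222222222222222"}),
    ("2015-06-20 11:30:00", "CookieHistory/Expiration", {"path": "example.test", "md5": ""}),
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def time_crunch(events, start, end):
    """Custom window (TimeCrunch / custom TimeWrinkle): rows with start <= t <= end."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in events if lo <= parse_ts(e[0]) <= hi]

def item_wrinkle(events, item, minutes=5):
    """Item-based TimeWrinkle: anchor on rows whose file name or MD5 equals `item`,
    then keep every row within +/- `minutes` of any anchor (empty if nothing anchors)."""
    item = item.lower()
    anchors = [parse_ts(e[0]) for e in events
               if e[2]["path"].rsplit("\\", 1)[-1].lower() == item
               or e[2]["md5"].lower() == item]
    delta = timedelta(minutes=minutes)
    return [e for e in events if any(abs(parse_ts(e[0]) - a) <= delta for a in anchors)]

def fields(rows):
    """Field column of the selected rows, for a quick read of the event sequence."""
    return [row[1] for row in rows]
```

Anchoring on setup.exe pulls in the file creation, the process start, and the Run-key change that follows within five minutes, while the later updater.exe write falls outside the wrinkle.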

Another important feature of Redline is that the software assigns a Malware Risk Index
(MRI) score. Compromises will be found among the higher MRI scores. Once a potential breach
has been discovered, the indicators of compromise (IOCs) can be used to look for deviations
from typical patterns within files or processes. One other component worth mentioning in
Redline is the whitelist, which contains a list of valid MD5 hash values (Redline User Guide).
The Redline User Guide also lists examples of some of the risk factors that might be found.
The screenshot below shows not only a table of the factors listing the reason, count, and
name, but also gives the user the option of clicking on the thumbs-up icon in order to take
action. Graphs are also very helpful, and Mandiant adds this feature to its software as
well. In this same screenshot, a pie graph breaks down the memory sections into negative,
positive, and ignored factors.

In a podcast, Lucas Zaichkowsky of Mandiant discusses what he states are the pros of taking
advantage of the Redline incident response software. First, it is a free tool that can be
used both by beginners just starting to use detection software and by experts who are
well-versed in running and analyzing programs such as this one. Beginners can use the
step-by-step mode, which includes fun tips, whereas the experienced user can dig deep down
the rabbit hole to gather and analyze information related to intrusions in the network
system. For example, Redline discovered a backdoor program, Poison Ivy, that was used to
access the network. A second system was then introduced which included malware. The forensic
capability of Redline was able to detect both of these intrusions.
Mandiant claims to protect 5 of the top 6 U.S. telecom companies, 5 of the top 10
financial institutions, 7 of the top 10 energy companies, 7 of the top 10 high-tech
companies, and 5 of the top 10 aerospace/defense contractors (Mandiant, 2015). It is true
that using Redline, or any other response tool for that matter, will assist a company in
tracking down and resolving security threats and breaches. With the number of security
incidents already in the news, it is just a matter of time before a company is hacked. Rather
than examining networks manually, Redline makes the process easy and organized.
As for the cons, every program has areas that are strengths and other areas that are not
emphasized. The tool, and the company's intervention to assist organizations in creating a
solid incident response tool, are definitely strengths. However, companies must invest the
money and time to work with Mandiant. The organization must be willing to honestly assess
its approach to security breaches and be open-minded enough to make changes, as well as obtain
staff buy-in for the procedures that must be corrected, initialized, or changed. Other tools
should also be considered rather than relying on just Mandiant and the Redline software.
Cyber attacks are in the news daily, against Fortune 500 companies, casinos, banks, major
retail stores, and the list goes on and on. Mandiant, which continues to critically analyze
and improve the capabilities of its Redline software, is one of the companies on the front
line in combating cyber attacks. These attacks cause organizations not only to lose money but
to lose the trust of the public when citizens find out that their personal information has
been stolen: usernames, passwords, social security numbers, bank account information, and
so on.

References

Accelerated Live Response. (2015). Retrieved June 20, 2015, from
https://www.mandiant.com/resources/download/redline

Brito, H. (2012, August 16). M-Unition Podcast: Mandiant's Redline Tool Makes Incident
Response Easy for Experts and Beginners [Audio podcast]. Retrieved June 20, 2015, from
https://www.mandiant.com/blog/cool-tools-mandiants-redline-tool-incident-response-easyexperts-beginners

Cooper, K. (n.d.). Mandiant [Audio podcast]. Retrieved July 12, 2015, from
https://www.mandiant.com/blog/cool-tools-mandiants-redline-tool-incident-response-easyexperts-beginners/

Mandiant. (2015). Mandiant Software Downloads (Redline). Retrieved July 12, 2015, from
https://www.mandiant.com/resources/downloads/

Redline. (2015, June 12). Current Version: Redline 1.14 Release. Retrieved July 12, 2015, from
https://www.mandiant.com/resources/download/redline

Redline User Guide (v1.12). (n.d.). Retrieved July 12, 2015, from
http://www.mandiant.com/library/Redline1.12_UserGuide.pdf

Redline User Guide, Release 1.14. (n.d.). Retrieved July 12, 2015, from www.fireeye.com

Roberts, S. (2015, April 21). Incident Response Hunting Tools. Retrieved July 12, 2015, from
http://sroberts.github.io/2015/04/21/hunting-tools/

Rocha, L. (2014, March 10). Redline - Finding Evil on my wife's laptop - part 1. Retrieved
July 12, 2015, from http://countuponsecurity.com/2014/03/10/redline-finding-evil-on-my-wife-laptop/

U, T. (2014, July 29). C-APT-ure [Web log post]. Retrieved July 12, 2015, from
http://c-apture.blogspot.com/2014/07/using-redline-for-live-response-part-1.html

U., T. (2014, July 29). Using Redline for Live Response - Part 1. Retrieved July 12, 2015, from
http://c-apt-ure.blogspot.com/2014/07/using-redline-for-live-response-part-1.html

Wilson, T. (2012, December 17). Freeware Release: Redline 1.7. Mandiant. Retrieved July 12,
2015, from https://www.mandiant.com/blog/freeware-release-redline-17/
