Redline



Redline is a free utility from MANDIANT that accelerates the process of triaging hosts suspected of being compromised or infected while supporting in-depth live memory analysis. Designed to help find even the best-hidden malware, it analyzes and rates every running process on a system according to risk, combining Memoryze's live memory analysis with MRI (Malware Risk Index) scoring. Redline makes memory forensics accessible to any investigator without relying upon easily-defeated signature-based detection.

Embedded Forensic Expertise

Most forensic tools display information without interpretation, requiring users to painstakingly review large amounts of raw data to find the “needle in the haystack”. For experienced investigators, this process is time consuming; for novices, it’s impossible.

In contrast, Redline makes experienced investigators more efficient and novices productive through automated calculation of the “riskiness” of each process using MRI scoring. MRI works by applying a variety of analysis techniques, including:

While no automated analysis method will be 100% successful in the face of ever-changing malware, MRI quickly directs users to the processes that are most likely to be malicious as the starting point of their investigation. As they evaluate processes, they can adjust scores by flagging any MRI false positives or false negatives, improving the accuracy of scoring in other processes.
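The two ideas in the paragraphs above, a per-process risk score built from several analysis techniques and analyst feedback that corrects the scoring of other processes, can be shown in a small scorer. The following is an added, constructed illustration written for this page; it is not Redline's or Mandiant's MRI code, and the heuristics, weights, `ProcessRecord` fields and the `SAMPLE_AUDIT` records are all hypothetical.

```python
"""Constructed illustration of a process risk index with analyst feedback.

Not Redline's or Mandiant's MRI code: the heuristics, weights and the
audit records below are hypothetical, chosen only to show how per-process
risk scoring and false-positive/false-negative feedback fit together.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRecord:
    """One process as a memory audit might describe it (constructed fields)."""
    pid: int
    name: str
    path: str                # on-disk image path
    signed: bool             # image carries a valid code signature
    listen_ports: tuple      # TCP ports the process is listening on
    unbacked_sections: int   # executable memory regions with no file backing


# Hypothetical heuristics: (label, predicate, weight). A real risk index
# would use many more and calibrate the weights against known malware.
HEURISTICS = (
    ("image is not code-signed", lambda p: not p.signed, 30),
    ("image lives in a user-writable directory",
     lambda p: p.path.lower().startswith(("c:\\users\\", "c:\\windows\\temp\\")), 25),
    ("executable memory with no file backing", lambda p: p.unbacked_sections > 0, 30),
    ("process is listening on the network", lambda p: bool(p.listen_ports), 15),
)


class RiskIndex:
    """Scores processes 0..100 and folds analyst verdicts back into scoring."""

    def __init__(self):
        # image path -> adjustment applied to every process with that image,
        # so one verdict improves scoring of other instances of the same binary
        self.overrides = {}

    def reasons(self, p):
        """Labels of the heuristics that fired, for the analyst's report."""
        return [label for label, pred, _ in HEURISTICS if pred(p)]

    def _base(self, p):
        return sum(w for _, pred, w in HEURISTICS if pred(p))

    def score(self, p):
        raw = self._base(p) + self.overrides.get(p.path.lower(), 0)
        return max(0, min(100, raw))

    def flag_false_positive(self, p):
        """Analyst confirmed p is benign: zero the score for its image path."""
        self.overrides[p.path.lower()] = -self._base(p)

    def flag_false_negative(self, p):
        """Analyst confirmed p is malicious: pin its image path to the top."""
        self.overrides[p.path.lower()] = 100

    def rank(self, procs):
        """Highest risk first; pid breaks ties so output is deterministic."""
        return sorted(procs, key=lambda p: (-self.score(p), p.pid))


# Constructed audit: four processes, not taken from any real system.
SAMPLE_AUDIT = (
    ProcessRecord(880, "svchost.exe", r"C:\Windows\System32\svchost.exe", True, (135,), 0),
    ProcessRecord(2312, "updater.exe", r"C:\Users\alice\AppData\Local\Temp\updater.exe", False, (4444,), 2),
    ProcessRecord(1500, "agent.exe", r"C:\Users\alice\AppData\Local\corp\agent.exe", False, (), 0),
    ProcessRecord(1600, "agent.exe", r"C:\Users\alice\AppData\Local\corp\agent.exe", False, (), 0),
)


def triage(index, procs):
    """Return [(pid, name, score, reasons)] in the order an analyst should review."""
    return [(p.pid, p.name, index.score(p), index.reasons(p)) for p in index.rank(procs)]


if __name__ == "__main__":
    idx = RiskIndex()
    for row in triage(idx, SAMPLE_AUDIT):
        print(row)
    # The analyst recognises agent.exe as the corporate agent; flagging one
    # instance drops every process with that image path.
    idx.flag_false_positive(SAMPLE_AUDIT[2])
    print([(r[0], r[2]) for r in triage(idx, SAMPLE_AUDIT)])
```

Keying the override on the image path rather than the pid is what makes a single verdict carry over to the other instances of the same binary, which is the feedback effect the text describes; a real index would also key on the image hash so a renamed copy does not inherit the allow-listing.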

Guided Memory Analysis

Redline guides investigators through the process of evaluating a system for compromise or infection. Starting from a small (<50MB) memory audit captured with the portable Redline Collector, from a memory image, or remotely through MANDIANT Intelligent Response, Redline provides a series of investigative steps that steer beginning users towards the information most likely to help them find malware.

  1. Review processes with high MRI scores
  2. Review network connections
  3. Review memory sections
  4. Review untrusted handles
  5. Review hooks
  6. Review drivers

These steps help guide beginning users, providing them a starting point for learning memory analysis. But Redline also includes the in-depth process and kernel information needed by experienced investigators, including:

Easy Reporting

As investigators work in Redline, they can annotate processes or any changes they make to adjust MRI scoring. Once an investigation is complete, Redline can export a complete Microsoft Word MRI Report for any process, suitable for inclusion in any investigation report without requiring laborious cutting and pasting.

Works with MANDIANT Intelligent Response

Combined with MIR, Redline is a powerful tool for accelerated live response. Here’s a typical case:

  1. IDS or other system detects suspicious activity on a host
  2. From MIR, an investigator launches a remote live response script
  3. The MIR Agent running on the host captures and analyzes memory locally, streaming back a small XML audit that downloads in minutes rather than hours
  4. From MIR, the user can open the audit directly in Redline
  5. Using Redline, the investigator quickly identifies a malicious process, and writes an IOC describing the forensic attributes found in Redline
  6. Using MIR and MCIC, the investigator is quickly able to sweep for that IOC and discover all other systems on the network with the same (or similar) malware running.
