Mandiant® - Detect. Respond. Contain.

Software Downloads

Redline™

  • Accelerated Live Response

    Redline, Mandiant’s premier free tool, provides host investigative capabilities for finding signs of malicious activity through memory and file analysis and for building a threat assessment profile. With Redline, users can:

    • Thoroughly audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history.
    • Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
    • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
    • Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
    • Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.


    In addition, users of FireEye’s Endpoint Threat Prevention Platform (HX) can open triage collections directly in Redline for in-depth analysis, establishing the timeline and scope of an incident.

    Want more information about Redline? Check out our M-Unition Blog and User Forums.

    Current Version: Redline 1.11.1
    Release Date: March 11, 2014

    Redline 1.11.1 includes various changes to improve the user experience and adds support for Windows 8 and Windows Server 2012. A redesigned find panel remains open and lets users search and filter on a specific column. Lists can also be filtered by multiple tags at the same time, and by whether or not items carry a comment. The Redline Collector now provides beta support for gathering Windows Server 2012 and Windows 8 data. This release also resolves known issues and includes minor updates to the user interface.

    Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit)

    File Size: 68.6 MB

    Integrity Hashes:

    Redline
      MD5: 57731aca74d87477e7fa310818c19a6f
      SHA-1: a581840dffc5c0d861fef4be878a63ca3e0c4aa4

    Release Notes: Redline 1.11.1 (PDF)

    User Guide: Redline 1.11.1 (PDF)

    Whitelist: Whitelist 1.0 for Redline (ZIP)

    Current Version: Whitelist 1.0 for Redline
    Release Date: July 11, 2012

    File Size: 31.6 MB

    Integrity Hashes:

    Whitelist
    ZIP
      MD5: 0e8fdc80faffe72bb02799d6cdc75d0a
      SHA-1: 22eb80e40ea3a84b0ed3d821730485253ab31738

    Extracted
      MD5: 8448C5E5D4F9273DFA15F00D708F9173
      SHA-1: F2A9E7A87BAB4AC41E893EB721739E41226D2BDC

    A set of hashes of common, known-good executable files, used by Redline 1.6 and newer to filter out some memory analysis entries. It includes known-good DLL and executable hashes from Microsoft Windows Server Update Services (WSUS) and the National Software Reference Library (NSRL).

    The product itself ships with only a small subset of these hashes; this file contains the more extensive list.

    To use it, download the file to a location of your choice on the host where Redline is installed. Verify the MD5 and SHA-1 hashes to ensure you have the correct file. Start Redline and open Options -> Whitelist Management, which has an option to import a new whitelist. Importing completely replaces the whitelist currently in Redline and the old whitelist is lost, so if you want to keep it, save it first from the same Whitelist Management screen under Redline Options.
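The hash verification step above, as an added Python example (not Mandiant's code, and not part of the Redline download): it hashes a downloaded file with both algorithms the page publishes, compares against the expected values copied from this page ignoring hex case (the page prints the "Extracted" hashes in uppercase), requires every listed algorithm to match, and hashes the single member inside the whitelist ZIP in memory so the "Extracted" values can be checked without unzipping to disk. The sample content `b"abc"`, its well-known digests, the script name `verify_redline.py`, and the row labels in `EXPECTED` are constructed for the example. A match confirms the download was not corrupted or truncated in transit; because the hashes are published on the same site as the download, and MD5 and SHA-1 are no longer collision-resistant, the check does not by itself authenticate the publisher.

```python
import hashlib
import hmac
import io
import sys
import zipfile

# Expected values copied verbatim from the download page. The "extracted" row is the
# hash of the single file inside the whitelist ZIP. Row labels are this example's own.
EXPECTED = {
    "Redline": {
        "md5": "57731aca74d87477e7fa310818c19a6f",
        "sha1": "a581840dffc5c0d861fef4be878a63ca3e0c4aa4",
    },
    "Whitelist ZIP": {
        "md5": "0e8fdc80faffe72bb02799d6cdc75d0a",
        "sha1": "22eb80e40ea3a84b0ed3d821730485253ab31738",
    },
    "Whitelist extracted": {
        "md5": "8448C5E5D4F9273DFA15F00D708F9173",
        "sha1": "F2A9E7A87BAB4AC41E893EB721739E41226D2BDC",
    },
}

# Constructed sample: the standard test-vector digests of b"abc", with SHA-1 given in
# uppercase to exercise the case-insensitive comparison.
SAMPLE_EXPECTED = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "A9993E364706816ABA3E25717850C26C9CD0D89D",
}

ALGORITHMS = ("md5", "sha1")  # every algorithm the page publishes


def digests(data: bytes) -> dict:
    """Compute each published algorithm over an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_stream(fileobj, chunk_size=1 << 20) -> dict:
    """Same as digests(), but streamed so a 68.6 MB installer is not held in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(actual: dict, expected: dict) -> bool:
    """True only if every algorithm the page lists was computed and matches.
    Hex case is ignored; compare_digest keeps the comparison length-constant."""
    if set(expected) - set(actual):
        return False
    return all(
        hmac.compare_digest(actual[name].lower(), expected[name].lower())
        for name in expected
    )


def verify_zip_member(zip_bytes: bytes, expected: dict) -> bool:
    """Check the 'Extracted' hash by hashing the ZIP's single file in memory.
    A ZIP with zero or several files is rejected rather than guessed at."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if len(members) != 1:
            return False
        with zf.open(members[0]) as member:
            return verify(digest_stream(member), expected)


def build_sample_zip(content: bytes, name: str = "whitelist.txt") -> bytes:
    """Constructed stand-in for the downloaded whitelist ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Real download: python verify_redline.py <downloaded-file> "Redline"
    # (second argument selects the row in EXPECTED). Without arguments, run the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            ok = verify(digest_stream(f), EXPECTED[sys.argv[2]])
        print("OK" if ok else "MISMATCH: do not install")
        sys.exit(0 if ok else 1)
    print("sample file:", verify(digests(b"abc"), SAMPLE_EXPECTED))
    print("sample zip member:", verify_zip_member(build_sample_zip(b"abc"), SAMPLE_EXPECTED))
```

For the whitelist, run the check twice: once on the ZIP against the "Whitelist ZIP" row, then on its contents against the "Whitelist extracted" row via verify_zip_member, so a ZIP that was swapped or repacked after download is caught even if the outer archive happens to open cleanly.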

    Download Redline™