Accelerated Live Response
Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile. With Redline, users can:
- Thoroughly audit and collect all running processes, audit data, and memory images.
- Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
- Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
- Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
- Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.
- Investigators can open audits gathered in Mandiant for Intelligent Response (MIR) directly in Redline to quickly identify a malicious process and create an IOC based on the analysis. MIR can use this IOC to quickly sweep a network to identify all other systems running the same or similar malware.
- Mandiant for Security Operations users can open triage collections directly in Redline in order to perform in-depth analysis allowing the user to establish a timeline and the scope of an incident.
Want more information about Redline? Check out our User Forums.
Current Version: Redline 1.9.1
Release Date: May 01, 2013
Mandiant Redline 1.9 adds many improvements aimed directly at reducing your time to find evil and increasing your efficiency in performing your investigations.
Redline now enables you to tag any top-level analysis data item with one of six user-configurable tags and add associated comments. You can then filter any grid by the tagged and commented state of its items. Once you have applied tags and comments to items in your analysis session, you can view, search, sort, and filter all of those items in one place with the Tags and Comments view. Using the CSV export feature, you can then quickly extract all of your relevant findings to your favorite reporting software.
Redline now automatically associates different audit data types and pulls additional information into your current view to help you go from “Zero-to-Evil” faster. For example, the process analysis view will search the file audit for the file item matching the executed process and pull its MD5 hash and digital signature information directly into the grid so that you can sort, search, and filter on them.
Redline now supports whitelist analysis and filtering on any view where items contain MD5 hashes.
Previous Redline releases greatly expanded the amount of available host data. This release adjusts the user interface to better facilitate the analysis of this additional data. The most noticeable modifications include:
- A more workflow driven “Start your Investigation” page.
- Investigative guidance and filters within select views.
- Reorganized and cleaner “Hosts” tab that shows only collected data.
- Expanded details for select data types including Processes, Device Tree, and Memory Sections.
- Ability to view the details in the “Show Details” pane as a full page view by double clicking on any row in a list.
Supported Operating Systems: Windows XP, Windows Vista, Windows 7 (32-bit and 64-bit)
File Size: 56.1 MB
Release Notes: Mandiant Redline 1.9 (PDF)
User Guide: Mandiant Redline 1.9 (PDF)
Whitelist: Whitelist 1.0 for Redline (ZIP)
Current Version: Whitelist 1.0 for Redline
Release Date: July 11, 2012
File Size: 31.6 MB
A set of hashes from common (known good) executable files, used by Redline 1.6 (and newer) to filter out some of the memory analysis entries. Includes known good DLL and executable hashes from Microsoft Windows Server Update Services and the National Software Reference Library.
The product ships with a small subset of these hashes; this file contains a more extensive list.
To use it, download the attached file to your preferred location on the same host where Redline is installed. Verify the MD5/SHA1 hashes to ensure you have the correct file. Start Redline. In the Options->Whitelist Management screen, there is an option to import a new whitelist. Importing completely replaces the previous whitelist in Redline, so the old whitelist is lost unless you save it first, which you can also do from Whitelist Management under Redline Options.
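The two steps above, verifying the downloaded file's hashes and using a known-good hash set to filter analysis entries, are illustrated by the following added example. It is not Redline's code, and the whitelist line format and audit-item dictionary layout are assumptions constructed for the example; note that items with no MD5 are kept for review rather than silently dropped.

```python
"""Known-good hash whitelisting of audit items (added example, not Redline code).
The whitelist line format and item layout below are assumptions."""
import hashlib
from typing import Iterable

def load_whitelist(lines: Iterable[str]) -> set:
    """Parse lines of the form '<md5> [comment]' into a set of lower-case
    hex digests. Blank lines and '#' comments are skipped; malformed
    digests are ignored rather than silently matching nothing."""
    digests = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split()[0].lower()
        if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            digests.add(digest)
    return digests

def filter_known_good(items, whitelist):
    """Split audit items into (needs_review, known_good).
    An item without an MD5 cannot be whitelisted, so it stays in the
    review list: a missing hash must never hide a process from the analyst."""
    review, known_good = [], []
    for item in items:
        md5 = (item.get("md5") or "").lower()
        if md5 and md5 in whitelist:
            known_good.append(item)
        else:
            review.append(item)
    return review, known_good

def verify_download(data: bytes, expected_md5: str, expected_sha1: str) -> bool:
    """Check a downloaded whitelist file against its published MD5 and SHA1."""
    return (hashlib.md5(data).hexdigest() == expected_md5.lower()
            and hashlib.sha1(data).hexdigest() == expected_sha1.lower())

# Constructed sample data; the digests are placeholders, not real file hashes.
SAMPLE_WHITELIST = [
    "# constructed known-good hashes",
    "d41d8cd98f00b204e9800998ecf8427e  empty-file-placeholder",
    "0123456789ABCDEF0123456789ABCDEF  notepad.exe",
    "not-a-hash  ignored-line",
]
SAMPLE_ITEMS = [
    {"name": "notepad.exe", "md5": "0123456789abcdef0123456789abcdef"},
    {"name": "sample.exe", "md5": "ffffffffffffffffffffffffffffffff"},
    {"name": "unknown.exe", "md5": None},
]
```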