Mandiant® - Detect. Respond. Contain.

Software Downloads

Mandiant Redline™

  • Accelerated Live Response

    Redline, Mandiant’s premier free tool, gives investigators host-level investigative capabilities: it finds signs of malicious activity through memory and file analysis and builds a threat assessment profile of the host. With Redline, users can:

    • Thoroughly audit and collect all run processes, audit data, and memory images.
    • Analyze and view imported audit data, including narrowing and filtering results around a given timeframe using Redline’s Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.
    • Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.
    • Identify processes more likely worth investigating based on the Redline Malware Risk Index (MRI) score.
    • Perform Indicator of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and an IOC hit result review.


    In addition, Redline can be used in conjunction with Mandiant for Intelligent Response® (MIR®) and Mandiant for Security Operations™:

    • Investigators can open audits gathered in Mandiant for Intelligent Response (MIR) directly in Redline to quickly identify a malicious process and create an IOC based on the analysis. MIR can use this IOC to quickly sweep a network to identify all other systems running the same or similar malware.
    • Mandiant for Security Operations users can open triage collections directly in Redline in order to perform in-depth analysis allowing the user to establish a timeline and the scope of an incident.
    Want more information about Redline? Check out our User Forums.
    Current Version: Redline 1.9.1
    Release Date: May 01, 2013

    Mandiant Redline 1.9 adds many improvements aimed directly at reducing your time to find evil and increasing your efficiency in performing your investigations.

    Redline now enables you to tag any top-level analysis data item with one of six user-configurable tags and add associated comments. You can filter any grid by whether its items are tagged or commented. Once you have applied tags and comments to items in your analysis session, you can view, search, sort, and filter all of those items in one place with the Tags and Comments view. Using the CSV export feature you can then quickly extract all of your relevant findings to your favorite reporting software.

    Redline now automatically associates different audit data types and pulls additional information into your current view to help you go from “Zero-to-Evil” faster. For example, the Processes analysis view searches the file audit for the file item matching the executed process and pulls its MD5 hash and digital signature information directly into the grid, so that you can sort, search, and filter on them.

    Redline now supports whitelist analysis and filtering on any view whose items carry MD5 hashes.

    Previous Redline releases greatly expanded the amount of available host data. This release adjusts the user interface to make that additional data easier to analyze. The most noticeable modifications include:

    • A more workflow-driven “Start your Investigation” page.
    • Investigative guidance and filters within select views.
    • A reorganized, cleaner “Hosts” tab that shows only collected data.
    • Expanded details for select data types, including Processes, Device Tree, and Memory Sections.
    • The ability to open the “Show Details” pane as a full-page view by double-clicking any row in a list.


    Supported Operating Systems: Windows XP, Windows Vista, Windows 7 (32-bit and 64-bit)

    File Size: 56.1 MB

    Integrity Hashes:

    Redline
      MD5: 1484ba81375d6216da4cd1507403b464
      SHA-1: f12644810d40bee3a959cf6a43698d8821bc54cd

    Release Notes: Mandiant Redline 1.9 (PDF)

    User Guide: Mandiant Redline 1.9 (PDF)

    Whitelist: Whitelist 1.0 for Redline (ZIP)

    Current Version: Whitelist 1.0 for Redline
    Release Date: July 11, 2012

    File Size: 31.6 MB

    Integrity Hashes:

    Whitelist
    ZIP
      MD5: 0e8fdc80faffe72bb02799d6cdc75d0a
      SHA-1: 22eb80e40ea3a84b0ed3d821730485253ab31738

    Extracted
      MD5: 8448C5E5D4F9273DFA15F00D708F9173
      SHA-1: F2A9E7A87BAB4AC41E893EB721739E41226D2BDC

    A set of hashes of common (known good) executable files, used by Redline 1.6 and newer to filter out some of the memory analysis entries. It includes hashes of known good DLLs and executables from Microsoft Windows Server Update Services and the National Software Reference Library.

    The product ships with a small subset of these hashes; this file contains a more extensive list.

    To use it, download the attached file to a location of your choice on the same host on which Redline is installed. Verify the MD5 and SHA-1 hashes to ensure you have the correct file, then start Redline. In the Options -> Whitelist Management screen there is an option to import a new whitelist. Importing completely replaces the previous whitelist in Redline, so the old whitelist is lost unless you save it first; you can do that from the same Whitelist Management screen under Redline Options.
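    As an added illustration (not Mandiant's code, and independent of Redline's actual whitelist file format), the following script shows the two checks this procedure relies on: verifying a download against its published MD5/SHA-1 digests, and filtering audit items against a whitelist of known-good MD5 hashes. The whitelist is assumed to be plain text with one hash per line; the page lists digests in both upper and lower case, so all comparisons are case-insensitive, and items without a hash are kept because "unhashed" is not "known good".

```python
import hashlib
import os
import tempfile

# Published digests for the whitelist ZIP, copied from the download page above.
WHITELIST_ZIP_MD5 = "0e8fdc80faffe72bb02799d6cdc75d0a"
WHITELIST_ZIP_SHA1 = "22eb80e40ea3a84b0ed3d821730485253ab31738"

def file_digests(path):
    """Return (md5, sha1) lowercase hex digests, streaming the file in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_download(path, expected_md5, expected_sha1):
    """True only if BOTH published digests match (case-insensitive)."""
    md5, sha1 = file_digests(path)
    return md5 == expected_md5.lower() and sha1 == expected_sha1.lower()

def load_whitelist(text):
    """Assumed format: one MD5 per line, '#' starts a comment.
    Malformed lines are dropped so they can never match anything."""
    wl = set()
    for line in text.splitlines():
        h = line.split("#", 1)[0].strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            wl.add(h)
    return wl

def filter_items(items, whitelist):
    """Keep items whose MD5 is not whitelisted; items with no hash are kept."""
    return [i for i in items if not (i.get("md5") and i["md5"].lower() in whitelist)]

def self_check():
    """Constructed data only: a temp file with made-up content and three audit items."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed stand-in for the whitelist zip")
        path = f.name
    try:
        md5, sha1 = file_digests(path)
        ok = verify_download(path, md5.upper(), sha1.upper())      # case-insensitive match
        bad = verify_download(path, WHITELIST_ZIP_MD5, WHITELIST_ZIP_SHA1)  # real digests, wrong file
    finally:
        os.unlink(path)
    wl = load_whitelist("0123456789ABCDEF0123456789ABCDEF  # constructed known-good\nnot-a-hash\n")
    items = [{"name": "svchost.exe", "md5": "0123456789abcdef0123456789abcdef"},
             {"name": "evil.exe", "md5": "00112233445566778899aabbccddeeff"},
             {"name": "injected", "md5": None}]
    return ok, bad, [i["name"] for i in filter_items(items, wl)]
```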

    Download Mandiant Redline™