Usr6 Posted March 12, 2014 Report Posted March 12, 2014 “Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.[2] Installation: 1-Download Mandiant Redline from https://www.mandiant.com/resources/download/redline 2-Double click on Redline-1.11.msi 3-follow up the steps, then click closeRedline Usage: To analysis a memory image : 1-Select From a Saved Memory File under Analyze Data on the home screen 2-Click Browse under Location of Saved Memory Image (for this diary I will not use an Indicators of Comporomise) 3-Click Next then OK Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image. 4-For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”Now our Image is ready for Review:From the left hand side you can choose which type of Data you would like to analysis in this view it’s the “Processes” Here you can find all the process which was running on the system when the memory image was acquired . It shows the full details about the process such as the Process ID,Path ,Arguemnts ,User name ,SID …etc . If you would like to view the open ports on the System while the image was acquired , To view ports, click Ports under Processes on the Analysis Data window’s Host tab.[1] InfoSec Handlers Diary Blog - Acquiring Memory Images with Dumpit[2] https://www.mandiant.com/resources/download/redlineSursa: InfoSec Handlers Diary Blog - Introduction to Memory Analysis with Mandiant Redline Quote
