Redline analysis process

To demonstrate some of the key features of Redline, the Stuxnet memory capture will be used. To conduct an analysis, follow these steps:

  1. Install Redline via the Microsoft Self Installer.
  2. Once installed, double-click on the icon and the following screen will appear. There are a number of options broken down into two categories: Collect Data and Analyze Data. In this case, the Stuxnet memory capture will be analyzed:

  3. Click on From a Saved Memory File in the Analyze Data category. This will open a second window. Under Location of Saved Memory Image, navigate to the location of the memory file and select it. Click Next:

  4. Once the memory file is loaded, the next screen will require a name for the session file that will be created by Redline. In this case, the filename Stuxnet Analysis will be utilized. Furthermore, select a folder that will contain all the data from this analysis session. It is good practice to have a separate folder for each session so that each analysis is segregated. In the event that several systems are examined, this reduces the risk of commingling evidence. Once those parameters are set, click OK:

  5. Redline will then begin the process of putting the data into a format for analysis. Depending on the size of the image, this may take several minutes:

  6. After creating the analysis session, the following window will appear. For memory images that do not contain any other information, click on the section titled I am Investigating a Host Based on an External Investigative Lead:

  7. The next window will appear, which details the results of the analysis:
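
The segregation practice in step 4 (one folder per session, so evidence from different systems is never commingled) can be enforced by a small helper rather than relied on as a habit. The following Python script is an added example, not part of the book or of Redline itself: it creates a dedicated folder per session, records the memory image's SHA-256 in a manifest so the image can be verified later, and refuses to reuse a folder that already belongs to a different image. The function names (`sha256_file`, `prepare_session`, `demo`) and the sample bytes standing in for memory captures are constructed for this illustration.

```python
"""Prepare a segregated per-session analysis folder for a memory image.

Added illustration, not part of Redline: one folder per session, the image's
SHA-256 recorded in a manifest, and a hard refusal to reuse a folder that
already holds evidence from a different image.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read the image 1 MiB at a time; captures are often multi-GB


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare_session(image_path, sessions_root, session_name):
    """Create <sessions_root>/<session_name> for one image and write manifest.json.

    Raises ValueError if the folder already holds a manifest for a different
    image (the commingling case) or contains files but no manifest at all.
    Returns the manifest as a dict.
    """
    image_path = Path(image_path)
    session_dir = Path(sessions_root) / session_name
    manifest_path = session_dir / "manifest.json"
    digest = sha256_file(image_path)

    if session_dir.exists():
        if manifest_path.exists():
            existing = json.loads(manifest_path.read_text())
            if existing["sha256"] != digest:
                raise ValueError(
                    f"{session_dir} already holds evidence from {existing['image']} "
                    f"(sha256 {existing['sha256'][:12]}...); use a new session folder"
                )
            return existing  # same image loaded again: nothing to change
        if any(session_dir.iterdir()):
            raise ValueError(f"{session_dir} is non-empty but has no manifest")
    session_dir.mkdir(parents=True, exist_ok=True)

    manifest = {
        "session": session_name,
        "image": str(image_path.resolve()),
        "size_bytes": image_path.stat().st_size,
        "sha256": digest,
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


# Constructed sample data standing in for two different memory captures.
SAMPLE_IMAGE_A = b"constructed sample: not a real memory capture (host A)\n" * 1024
SAMPLE_IMAGE_B = b"constructed sample: not a real memory capture (host B)\n" * 1024
SAMPLE_SHA256_A = hashlib.sha256(SAMPLE_IMAGE_A).hexdigest()


def demo():
    """Run the workflow in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        (root / "hostA.mem").write_bytes(SAMPLE_IMAGE_A)
        (root / "hostB.mem").write_bytes(SAMPLE_IMAGE_B)

        # First load creates the folder; loading the same image again is harmless.
        first = prepare_session(root / "hostA.mem", root / "sessions", "Stuxnet Analysis")
        again = prepare_session(root / "hostA.mem", root / "sessions", "Stuxnet Analysis")

        # A different host's image aimed at the same session folder must be refused.
        try:
            prepare_session(root / "hostB.mem", root / "sessions", "Stuxnet Analysis")
            conflict_detected = False
        except ValueError:
            conflict_detected = True

        return {
            "sha256": first["sha256"],
            "idempotent": first == again,
            "conflict_detected": conflict_detected,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `prepare_session` once per image before opening it in Redline and point the Redline session at the folder it created; the manifest's SHA-256 lets you confirm later that the image analyzed is the one that was collected.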

Next, we will look at Redline process analysis.
