One powerful tool that analysts should include in their toolkits is Mandiant Redline. This Microsoft Windows application provides a feature rich platform for analyzing memory images. These features include the ability to create a memory collector, although the tool will work with memory captures that have been performed via tools previously discussed. There is also the ability to utilize previously discovered Indicators of Compromise (IOCs) to aid in the examination. The tool can be downloaded at fireeye.com/MandiantRedline/FireEyeRedline.

The download package includes a Microsoft Self Installer:

1. Once installed, double-click on the icon and the following screen will appear. There are a number of options broken out into two categories: CollectData and AnalyzeData. In this case, the existing memory capture previously indicated will be analyzed.

2. Click on From a Saved Memory File under the Analyze Data category. This will open a second window. Under Location of Saved Memory Image, navigate to the location of the memory file, and select it. Once completed, click Next.

3. Once the memory file is loaded, the next screen will require a name for the session file that will be created by Redline. In this case, the filename IR 2017-001 Suspected Ransomeware will be utilized. Furthermore, select a folder that will contain all the data from this analysis session. It is a good practice to have separate folders for each session to ensure that each analysis is segregated. In the event that several systems are examined, this reduces the risk of comingling evidence. Once those parameters are set, click OK.

4. Redline will then begin the process of putting the data into a format for analysis. Depending on the size of the image, this may take several minutes.

5. After creating the analysis session, the following window will appear. For memory images that do not contain any other information, click on the section titled I am Reviewing a Full Live Response or Memory Image.

6. The next window will appear that details the results from the analysis:

The analysis pane shows the processes that were running when the memory image was created. Redline calculates a Malware Risk Indicator(MRI) score for each running process. Processes are reviewed according to risk indicators such as whether or not the process is common to the Windows Operating System, the use of digital signatures, or if the process in question appears to have been injected. When reviewing the results from this memory capture, there are two processes, PIDs 1928 and 868, associated with the executable lsass.exe that have been identified as having an MRI score of 93, which indicates a very high likelihood that these two processes are tied to malicious code.

To gain more detail on one of the suspect processors, click anywhere on the bar containing the process. From there, the following window will open:

In the lower portion of the window, there are several tabs that provide analysts with details concerning the process under analysis. In this case, click the tab titled MRI Report. This will open a window with several sections. The first of these sections will be details concerning the process:

In this case, the analyst can see that the process is being executed via the System32 folder under the services.exe process. Redline also allows the analyst to export the data in the form of a Microsoft Word document for inclusion in any reporting. Further down the window, Redline also provides insight into the MRI score.

Finally, the MRI tab allows analysts to examine the Named Memory Sections of the suspect process. This includes not only process counts, but the associated DLL files associated with the suspect process.

Redline provides an easier platform in which to analyze a memory image. As was demonstrated, the ability to graphically locate suspect processes is very useful, especially in incidents where there are a number of systems that need to be examined. While Redline does provide a good deal of information, it often takes the integration of Rekall or Volatility to get to the final stage of examining a potential malicious file.