Introduction to Redline
- Published 7 Oct 2017
- As a continuation of the “Introduction to Memory Forensics” series, we’re going to take a look at Redline, a free analysis tool from FireEye that allows us to analyze a potentially compromised Windows system. Redline can collect memory and disk-based artifacts, including all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history. It provides an easy-to-use GUI that helps us analyze the collected data to find evil on a given system.
We’ll start with an overview of Redline collectors, and then we’ll create a collector and save it to a USB flash drive. We’ll then run that collector on our target Windows 10 VM and bring the results back to the analysis VM where we’ll briefly look at each category of collected forensic data.
Introduction to Memory Forensics:
• Introduction to Memory...
Redline:
www.fireeye.com/services/free...
Redline User Guide:
www.fireeye.com/content/dam/f...
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #MemoryForensics #MalwareAnalysis #Malware - Science & Technology
your content is amazing man. Seriously. Thanks!
Another good video. I look forward to the next one.
This video is very clear to understand / follow...
Another great video...
Thanks---
a bit long... but I couldn't stop watching...
really great piece of content
amazing as usual
Thanks you are always great.
24:18 Now we have options for Mac OS X and Linux as well
Nice work!
Thanks!
Nice... please make a more detailed video about it.
Good stuff Rich. Please consider creating a module for extracting passwords and using mimikatz.
How do you take an image while doing live forensics when the Windows OS screen is locked?
I have been running Redline since 0930 today on a Mac laptop with Windows 10 Pro on it. It is taking more than an hour and is not done yet; hopefully it will be done soon, then I'll run OSTriage to capture the RAM again to compare the results. One con in my opinion is that it takes too long if I have to capture RAM from a live box at a crime scene.
What other tools could you use during the analysis section if you just wanted to use Redline for memory collection? (Any FOSS, for example?)
Volatility, Rekall, etc., but I wouldn't use Redline Collectors unless I was going to analyze the data with Redline. You could use FTK Imager, Belkasoft RAM Capturer, DumpIt, or any number of other tools to acquire memory.
13Cubed wow, such a swift response. Thank you!
@13Cubed Can we collect a memory image through FTK Imager? My prof has always recommended Redline and Volatility for memory images.
Time for a refresh, Redline 2.0 (4/28/20)
Good point. I'll add that to the suggestion list.
Great video. Do you mind making a memory analysis video using FTK Imager?
Thanks
FTK Imager can be used to acquire memory, but not to analyze it. Redline, Volatility, Rekall, etc. would be better suited for that task. FTK could be used, but I don't have a personal license for that software, and generally stick with open-source (free) tools, or lesser expensive tools that can be utilized by many.
Have you ever used OSTriage? It's pretty much the same concept: the .exe has to be run from the USB. It seems to me that after running OSTriage on a live box I get a lot of information from the RAM, just like Redline. I'm going to give it a try for sure.
Very nice video, keep up the great work, you are very knowledgeable.
Can anyone offer advice? I've created a .dmp file with DumpIt and a .raw file with Magnet RAM Capture. When analysing the .raw file in Redline I can get a lot of information, but when trying to analyse the .dmp there is no information at all. Any advice?
What version of Redline are you running? Have you watched the "Introduction to Redline - Update" video? That may be of interest to you.
Hi, thanks for your reply. I am running version 1.20.1. I haven't watched that I will check it out.
Hmm. That is the new version that corrected many of the issues I had (including no results when analyzing certain captures). Can you try to obtain a memory capture with FTK Imager and see if you get the same results? If both FTK and Magnet's tools work, I would point the finger at DumpIt.
I've tried with FTK and EnCase and both seem fine. Also tried another dump with DumpIt and Redline still didn't read anything. Probably a problem with DumpIt!
may motto Yep, sounds that way.
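The thread above ends with a .dmp from DumpIt that Redline would not read, while the .raw from Magnet RAM Capture and the FTK Imager capture parsed fine. Before blaming a tool, a practitioner checks what container the capture is actually in: a Windows kernel crash dump begins with the signature PAGEDUMP (32-bit) or PAGEDU64 (64-bit), whereas a raw physical-memory image has no header at all, and a tool that expects raw input will find nothing useful in a crash-dump container. The helper below is an added example, not code from the video or from FireEye's Redline. It identifies the container from the first bytes and records a SHA-256 for the evidence log; the signature table covers only the formats listed in it, the sample files are constructed stand-ins written to a temporary directory, and whether a particular Redline version accepts crash-dump input is not something the page states.

```python
"""Triage a memory image before handing it to an analysis tool.

Added example (not from the video or from FireEye): checks whether a
capture is a headerless raw image or one of a few known container
formats, and records a SHA-256 for the evidence log. The signature
table and the sample files are constructed here; a real capture would
simply be passed in by path.
"""
import hashlib
import os
import tempfile

# Container signatures found at byte offset 0. A raw physical-memory
# image has no header, so a miss means "raw or unrecognised".
SIGNATURES = (
    (b"PAGEDU64", "windows-crashdump-64"),   # 64-bit kernel crash dump
    (b"PAGEDUMP", "windows-crashdump-32"),   # 32-bit kernel crash dump
    (b"hibr",     "windows-hiberfil"),       # hibernation file (hibernated state)
    (b"HIBR",     "windows-hiberfil"),
    (b"EMiL",     "lime"),                   # LiME dump; magic 0x4C694D45 little-endian
    (b"EVF\x09\x0d\x0a\xff\x00", "ewf"),     # EnCase EWF / .E01 container
)


def identify_image(path, header_len=16):
    """Return a format label for the file at *path* based on its first bytes."""
    with open(path, "rb") as fh:
        header = fh.read(header_len)
    if not header:
        return "empty"
    for magic, label in SIGNATURES:
        if header.startswith(magic):
            return label
    return "raw-or-unknown"


def sha256_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so multi-GB images never have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_image(path):
    """Collect what an analyst wants in the evidence log before analysis starts."""
    fmt = identify_image(path)
    return {
        "path": path,
        "size_bytes": os.path.getsize(path),
        "format": fmt,
        "raw": fmt == "raw-or-unknown",
        "sha256": sha256_file(path),
    }


def make_sample_images(directory=None):
    """Write small constructed stand-ins for real captures; returns name -> path."""
    directory = directory or tempfile.mkdtemp(prefix="memtriage-")
    page = 4096
    samples = {
        "raw.raw": b"\x00" * page,                        # headerless raw image
        "crash.dmp": b"PAGEDU64" + b"\x00" * (page - 8),  # 64-bit crash dump header
        "hiberfil.sys": b"hibr" + b"\x00" * (page - 4),   # hibernation file header
        "empty.bin": b"",                                 # truncated / failed capture
    }
    paths = {}
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths[name] = path
    return paths


if __name__ == "__main__":
    for name, path in make_sample_images().items():
        info = triage_image(path)
        print(f"{name:13} {info['format']:22} {info['size_bytes']:6d} {info['sha256'][:16]}...")
```

Run it against a real capture with `triage_image("/evidence/host01.raw")`; a result of `windows-crashdump-64` for a file you expected to be raw explains an empty analysis session far faster than re-acquiring with a second tool. The hash is taken after identification so the two values in the log describe the same bytes.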
Hello sir! Congratulations on the detailed video... I am a student and I have an issue with Redline. I have to restore deleted files using Redline. Do you know where to search? And how to do that? Thank you in advance!
Redline is not a data recovery tool. I'm not sure what you are trying to do?
@13Cubed "Use and analyze Redline by FireEye. Perform host investigation and find malicious activity through memory and file analysis. Develop a threat assessment profile using the tool." That's exactly the exercise that I have about Redline. So far I have found the deleted file through your video, but I am stuck...
What is the -k parameter and what does it mean?
Been trying to watch this video and there is a constant loop of ads playing. I click "Skip Ad" and another starts to play about 10 seconds later. Closed the browser and reopened, same thing. Weird.
Not sure what's going on there. I don't see any problems on my end. Maybe try an incognito/private browsing session, or a different browser?
I was wondering, is there a possibility the file could take longer than an hour to run? At the two-hour mark now and not sure if it's right or not.
Hard to say, but I've seen this take quite a while.