Sunday, August 10, 2014

Beginning Memory Forensics - Mandiant's Redline - Acquire the contents of RAM

In the previous post we dealt with setting up our collector. In this post we will acquire the memory contents of our suspect system for analysis. To do this, execute "RunRedlineAudit.bat", located in the folder we used previously when setting up our collector.

Once the .bat file has finished executing, you should have an additional directory named "Sessions" in your parent folder. Inside the "Sessions" folder you will see an "AnalysisSession"+X folder, where X is a number. For me it is 1. Under the "AnalysisSession1" folder there should be a ".mans" file. Double-click this file on the system that has the Mandiant Redline software installed; doing so opens the file in Redline.
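As an added example (not from the original post and not Mandiant's code), a short Python script that finds the .mans file in the highest-numbered AnalysisSession folder under Sessions and records its SHA-256 in a log, so the acquired image can be checked for integrity before it is opened in Redline. The folder tree it builds is a constructed stand-in for real collector output; the file name "memory.mans" and the log name are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Redline names each run "AnalysisSession<N>" under the "Sessions" folder.
SESSION_RE = re.compile(r"^AnalysisSession(\d+)$")

def find_latest_mans(parent):
    """Return the .mans file from the highest-numbered AnalysisSession, or None."""
    sessions = Path(parent) / "Sessions"
    if not sessions.is_dir():
        return None
    best = None  # (session number, folder path)
    for entry in sessions.iterdir():
        m = SESSION_RE.match(entry.name)
        if entry.is_dir() and m:
            n = int(m.group(1))
            if best is None or n > best[0]:
                best = (n, entry)
    if best is None:
        return None
    mans = sorted(best[1].glob("*.mans"))
    return mans[0] if mans else None

def sha256_file(path, chunk=1 << 20):
    """Hash the file in 1 MiB chunks; memory images are large."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(parent):
    """Hash the newest .mans file and append 'digest  filename' to a log (assumed name)."""
    mans = find_latest_mans(parent)
    if mans is None:
        raise FileNotFoundError("no AnalysisSession*/*.mans under " + str(parent))
    digest = sha256_file(mans)
    with open(Path(parent) / "acquisition_hashes.txt", "a") as log:
        log.write(f"{digest}  {mans.name}\n")
    return str(mans), digest

def build_demo_tree():
    """Constructed collector folder layout (no real memory image) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="redline_demo_"))
    for n, body in ((1, b"older session"), (2, b"newer session")):
        d = root / "Sessions" / f"AnalysisSession{n}"
        d.mkdir(parents=True)
        (d / "memory.mans").write_bytes(body)
    return root
```

Run `record_acquisition(build_demo_tree())` to see the selected path and its digest; on a real collector folder, pass the parent folder that contains Sessions.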

In the next post, we will analyze this file.


