Once we double click on the .mans file and Redline opens, we can now begin analyzing the contents of memory. Let's do that.
First we see we have the System Information available. From this, some of the "Machine Information" that may be of importance are "Machine Name", "Host Name", "System Date", "Time Zone DST", "Time Zone Standard" and "Uptime".
In addition, from the "Operating System Information" we may wish to extract the "Operating System", "Install Date" and "Operating System Bitness"
Moreover, from the "User Information", we may wish to extract the "Domain" and "Logged in User".
Next we may wish to look at any open ports or established connections that was available when the file was acquired. From this image, we currently have none. However, for each port, we can obtain the "Process Name", "PID", "Path", "Created", "Local IP Address", "Local Port", "Remote IP Address", "Remote Port" and "Protocol"
Once we have the relevant information pertaining to the system, and the open ports (if any), we may next wish to look at the processes which were running at the time this file was aquired. For this we can select the "Hiearchical Processes". This allows us to see each process and their child/children, etc. Some of the attributes we can identify from this screen are "Process Name", "MRI Score", "PID", "Path", "Arguments", "Username", "Start Time", etc.
One of the most important aspects of an analysis would be to establish a "Timeline". The "Timeline" window allows us to obtain a "Timestamp" for each process and the order in which process may have started.
So that it. Similarly to how dumpit and volatility were used in previous posts to perform memory analysis, Mandiant's redline was now used for the same purpose. Obviously I choose selected items to look at. However, there is much more to do with Redline. Explore and Enjoy!
Reference:
https://www.mandiant.com/resources/download/redline
No comments:
Post a Comment