Thursday, September 3, 2015

Browser Forensics Investigation with Mandiant Redline - Part 2

In part one, we established our criteria for testing; now let's see how well Redline does.

Initial Configuration

Redline has been configured to use all installed browsers. This is achieved by not specifying any browser and leaving the system to identify data from every installed browser.

The figure below shows the Redline configuration for detecting browsing history.

Initial Data Retrieval

The figure below shows the results retrieved from the system. As can be seen, no entry was returned for Project Spartan or Opera 11.

Filtering Data

Redline provides the ability to filter data based on multiple criteria such as "contains", "equals", regex, etc.

The figure below shows the filter options available in Mandiant's Redline. These filters make looking for specific data relatively easy.


In addition to filtering, Redline provides the ability to search across one or more fields using regular expressions (regex). This helps tremendously in quickly identifying patterns across the data, reducing the time needed to capture the same or similar data patterns.

The figure below shows Redline's search capabilities using regex.


The ability to "tag" items, with the objective of recording what is a priority, what is important, or what action should be taken on a specific entry, is critical for focusing on the things considered relevant to your investigation. Redline tags use various colors and numbers from 0 to 6, each associated with an action you may tag the items with.

The figure below shows Redline's various tags.


Redline's ability to identify and extract the contents of cookies within the one tool is very important. Some of the information reported for each cookie is its name, file path, contents, creation and expiration dates, etc.

The figure below shows an extract of some of the information retrieved from the various cookies.

Download history

It's critical to be able to identify any files which were downloaded during the browsing activity. Redline provides the "Download Type", the "URL" from which the download occurred, the "Target Directory" to which the file was saved, its "Filename", the number of "Bytes Downloaded", etc.

The figure below shows Redline's File Download History.


Timeline analysis is very important to the forensics process. It provides the analyst with the ability to pinpoint exactly when an event occurred. The analyst can then correlate this information with data from other sources to get a clearer picture and context of what may have transpired.

By default, Redline provides fields such as "Created", "Modified", "Changed", etc., as shown in figure 11 below.

In addition, timelines can be viewed by "Users", "TimeWrinkles", "TimeCrunches", "Processes", etc.

Time Wrinkles allow the user to select a date and time, then specify a number of minutes before and after that time for which they would like to see information.

The figure below shows the TimeWrinkle configuration.
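As an added example, not from the post and not Redline's own code, the Python below reproduces on constructed sample history records the two analysis steps described above: a regex search across chosen fields, then a TimeWrinkle-style window of N minutes before and after a pivot time, with a Redline-style numeric tag (0 to 6) and comment attached to the hits. The record field names, URLs and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample browser-history records (hypothetical, not Redline output).
# The fields mirror the kind of columns discussed above: URL, title, visit time.
SAMPLE_HISTORY = [
    {"url": "https://example.com/login", "title": "Login", "visited": "2015-08-20 14:02:10"},
    {"url": "https://example.com/download/tool.exe", "title": "Download", "visited": "2015-08-20 14:05:42"},
    {"url": "https://news.example.org/", "title": "News", "visited": "2015-08-20 13:10:00"},
    {"url": "https://example.net/update.php", "title": "Update", "visited": "2015-08-20 14:12:05"},
    {"url": "https://example.com/logout", "title": "Logout", "visited": "2015-08-21 09:00:00"},
]

def parse_time(value):
    """Parse the constructed 'visited' timestamp format."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def regex_search(records, pattern, fields):
    """Return records where the regex matches any of the given fields
    (the multi-field regex search described above)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in records if any(rx.search(str(r[f])) for f in fields)]

def time_wrinkle(records, pivot, minutes_before, minutes_after):
    """Return records whose visit time falls within
    [pivot - minutes_before, pivot + minutes_after], sorted chronologically."""
    start = pivot - timedelta(minutes=minutes_before)
    end = pivot + timedelta(minutes=minutes_after)
    hits = [r for r in records if start <= parse_time(r["visited"]) <= end]
    return sorted(hits, key=lambda r: parse_time(r["visited"]))

def tag(records, tag_number, comment):
    """Attach a Redline-style numeric tag (0-6) and an analyst comment to each record."""
    if not 0 <= tag_number <= 6:
        raise ValueError("tag number must be between 0 and 6")
    return [dict(r, tag=tag_number, comment=comment) for r in records]

if __name__ == "__main__":
    # Find executable downloads, then look 5 minutes before and 10 minutes after the first one.
    downloads = regex_search(SAMPLE_HISTORY, r"\.(exe|dll|zip)$", ["url"])
    pivot = parse_time(downloads[0]["visited"])
    window = time_wrinkle(SAMPLE_HISTORY, pivot, 5, 10)
    for r in tag(window, 1, "within 5/10 min of executable download"):
        print(r["visited"], r["url"], r["tag"], r["comment"])
```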

Tags and Comments

Being able to tag and leave notes about items you identify during the forensics process is just as important as identifying the events. Redline's "Tags and Comments" provides the ability to leave notes on identified items while allowing the analyst to determine how important each one is to the task being performed.

Well, that's it for a detailed analysis of using Mandiant Redline to perform browser forensics investigations. In part one we laid the foundation of the testing, and in this part two we looked at how we can use Redline to verify that information.
