Thursday, September 3, 2015

Browser Forensics Investigation with Mandiant Redline - Part 1

When performing a forensic investigation, every piece or source of information becomes relevant. In this post, we will focus on the information we can learn from browsers. For this post I will use Mandiant Redline; however, there are many other tools that can perform a similar function.

Redline is considered Mandiant's premier free tool for host investigative capabilities (Mandiant, 2015). While Redline has the ability to audit and collect running processes and drivers from memory, file system metadata, registry data, event logs, network information, services and tasks (Mandiant, 2015), the objective of this post is to evaluate its web history component.

The figure below shows Mandiant's Redline main screen.

OS used

Windows 10 Insider Preview

Browsers Tested

Firefox v39.0
Internet Explorer v11.0
Google Chrome v43.0.2357.134 m
Opera v30.0.1835.125
Project Spartan (Microsoft Windows [Version 10.0.10130])

Functional Analysis

This analysis will test Redline's ability to identify the following from all browsers.
Links visited
Date visited
Time visited
Search entries
Action taken
Browser used
Files downloaded

Links opened within each browser

Videos played from

Search for “Linux Security”

Files downloaded from

Files downloaded from portable apps:

Now that we have laid out the information relating to the test, in part two we will look at the actual analysis. See you there.
