Thursday, September 3, 2015

Browser Forensics Investigation with Mandiant Redline - Part 1

When performing a forensic investigation, every piece and source of information becomes relevant. In this post, we will focus on the information we can learn from browsers. For this post I will use Mandiant Redline. However, there are many tools out there which can perform a similar function.

Redline is considered Mandiant's premier free tool for host investigative capabilities (Mandiant, 2015). While Redline has the ability to audit and collect running processes and drivers from memory, file system metadata, registry data, event logs, network information, services and tasks (Mandiant, 2015), the objective of this post is to evaluate its web history component.

Figure: Mandiant's Redline main screen.

OS used

Windows 10 Insider Preview

Browsers Tested

Firefox v39.0
Internet Explorer v11.0
Google Chrome v43.0.2357.134 m
Opera v30.0.1835.125
Project Spartan (Microsoft Windows [Version 10.0.10130])


Functional Analysis

This analysis will test Redline's ability to identify the following from all browsers.
Links visited
Date visited
Time visited
Cookies
Search entries
Action taken
Browser used
Files downloaded



Links opened within each browser

http://securitynik.blogspot.com
http://www.gmail.com
http://www.cnn.com
http://www.washingtonpost.com
http://www.nba.com
http://www.nhl.com
https://www.youtube.com
http://www.portableapps.com
http://www.sourceforge.net


Videos played from

http://www.youtube.com
Search for “Linux Security”
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=Liw86dRI0Qo
https://www.youtube.com/watch?v=c_PZvA9qi2k


Files downloaded from sourceforge.net

http://sourceforge.net/projects/clamwin/?source=directory
http://sourceforge.net/projects/ophcrack/?source=directory
http://sourceforge.net/projects/shielausbshield/?source=directory
http://sourceforge.net/projects/modbus-traffic-generator/?source=directory


Files downloaded from portableapps.com

http://portableapps.com/apps/music_video/aimp-portable
http://portableapps.com/apps/music_video/cdex_portable
http://portableapps.com/apps/music_video/audacity_portable
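To cross-check whatever Redline reports against the browser's own records, here is an added Python example (not part of the original post, and not Redline code) that pulls the fields listed under Functional Analysis straight from a Chromium-style History database: links visited, date and time (converting the WebKit microsecond timestamps), search entries and the browser used. The schema here is a simplified subset of Chrome's History tables, the sample rows and timestamps are constructed to mirror the test above, the search-parameter mapping is an assumption, and the PRTime helper covers Firefox's places.sqlite timestamps.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chromium-based browsers (Chrome, Opera) store WebKit time: microseconds since 1601-01-01 UTC.
# Firefox stores PRTime: microseconds since the Unix epoch, 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def prtime_to_datetime(us: int) -> datetime:
    return UNIX_EPOCH + timedelta(microseconds=us)

# Query parameter carrying the search terms on a results page (assumed mapping; YouTube uses search_query).
SEARCH_PARAMS = {"www.youtube.com": "search_query", "www.google.com": "q"}

def search_terms(url: str):
    """Return the search string when the URL is a search results page, otherwise None."""
    parts = urlparse(url)
    param = SEARCH_PARAMS.get(parts.netloc)
    return parse_qs(parts.query).get(param, [None])[0] if param else None

def build_sample_chrome_history() -> sqlite3.Connection:
    """Constructed in-memory database using a simplified subset of Chrome's History schema (urls, visits)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER, transition INTEGER);
    """)
    base = 13085712000000000  # 2015-09-03 00:00:00 UTC as WebKit microseconds (constructed sample times)
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://securitynik.blogspot.com", "SecurityNik", 1, base),
        (2, "https://www.youtube.com/results?search_query=Linux+Security", "YouTube search", 1, base + 60_000_000),
        (3, "https://www.youtube.com/watch?v=Liw86dRI0Qo", "YouTube", 2, base + 120_000_000),
    ])
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, base, 0, 0), (2, 2, base + 60_000_000, 1, 0),
        (3, 3, base + 90_000_000, 2, 0), (4, 3, base + 120_000_000, 3, 0),
    ])
    return db

def chrome_visits(db: sqlite3.Connection, browser: str = "Google Chrome") -> list:
    """Join visits to urls and return link, date, time, search entry and browser for every visit, oldest first."""
    rows = db.execute("SELECT u.url, v.visit_time FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    records = []
    for url, ts in rows:
        when = webkit_to_datetime(ts)  # one row per visit, so repeat plays of the same video each appear
        records.append({"link": url, "date": when.date().isoformat(), "time": when.strftime("%H:%M:%S"),
                        "search": search_terms(url), "browser": browser})
    return records
```

Point `sqlite3.connect` at a copy of the real History file (never the live one, which the browser keeps locked) and the same query lists every visit with its converted timestamp, which is the list to compare against Redline's web history view.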

Now that we have laid out the information relating to the test, in part two we will look at the actual analysis. See you there.
