Redline Log with airSlate SignNow

Remove paper and optimize digital document processing for higher productivity and countless opportunities. Discover the perfect strategy for running your business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature to a document in a few clicks.

Do more online with a globally-trusted eSignature platform

Remarkable signing experience

You can make eSigning workflows user-friendly, fast, and efficient for your customers and employees. Get your papers signed within a few minutes.

Trusted reports and analytics

Real-time access combined with immediate notifications means you’ll never miss anything. View stats and document progress via easy-to-understand reporting and dashboards.

Mobile eSigning in person and remotely

airSlate SignNow enables you to eSign on any system from any location, regardless if you are working remotely from your home or are in person at your workplace. Each signing experience is versatile and customizable.

Industry regulations and conformity

Your electronic signatures are legally valid. airSlate SignNow ensures the highest conformity with US and EU eSignature laws and supports industry-specific rules.

Redline log, quicker than ever

airSlate SignNow offers a redline log feature that helps improve document workflows, get contracts signed instantly, and operate effortlessly with PDFs.

Helpful eSignature add-ons

Take full advantage of easy-to-install airSlate SignNow add-ons for Google Docs, Chrome browser, Gmail, and more. Access airSlate SignNow’s legally-binding eSignature capabilities with a click of a button.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.


airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to redline log.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and redline log later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly redline log without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to redline log and include a charge request field to your sample to automatically collect payments during the contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
be ready to get more

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — redline log

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Employing airSlate SignNow’s electronic signature, any organization can accelerate signature workflows and eSign in real time, delivering a greater experience to consumers and workers. Redline log in a few easy steps. Our mobile apps make work on the go achievable, even while offline! eSign documents from any place in the world and close trades quicker.

How to fill out and sign a redline log:

  1. Log in to your airSlate SignNow account.
  2. Locate your record within your folders or upload a new one.
  3. Open the template and edit content using the Tools list.
  4. Drop fillable boxes, add text and eSign it.
  5. Add several signers using their emails and set up the signing order.
  6. Indicate which recipients can get a completed doc.
  7. Use Advanced Options to limit access to the template and set up an expiration date.
  8. Click Save and Close when finished.

In addition, there are more advanced features available to redline log. List users to your collaborative work environment, browse teams, and track collaboration. Numerous people all over the US and Europe recognize that a system that brings people together in a single unified environment is exactly what enterprises need to keep workflows performing easily. The airSlate SignNow REST API allows you to integrate eSignatures into your application, website, CRM or cloud storage. Check out airSlate SignNow and get faster, easier and overall more efficient eSignature workflows!

How it works

Access from any device and redline log
Spend minutes to mandiant redline
Save the form after you redline forensics

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs
online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results redline log with airSlate SignNow

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to submit and eSign a document online

Try out the fastest way to redline log. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to redline log in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields redline log and collaborate in teams. The eSignature solution supplies a reliable process and operates based on SOC 2 Type II Certification. Make sure that all of your records are protected so no one can take them.

How to Sign a PDF Using Google Chrome

How to eSign a PDF file in Google Chrome

Are you looking for a solution to redline log directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and redline log:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built in to your workflow to redline log and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and begin saving time and money for additional crucial duties. Selecting the airSlate SignNow Google extension is a smart convenient choice with many different advantages.

How to Sign a PDF in Gmail

How to sign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to redline log without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to redline log in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just redline log in clicks. This add-on is suitable for those who like focusing on more essential things as an alternative to wasting time for nothing. Increase your daily monotonous tasks with the award-winning eSignature application.

How to Sign a PDF on a Mobile Device

How to sign a PDF file on the go without an application

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, redline log and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to redline log.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, redline log and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you want an application, download the airSlate SignNow mobile app. It’s comfortable, fast and has an incredible design. Experience easy eSignature workflows from your office, in a taxi or on an airplane.

How to Sign a PDF on iPhone

How to sign a PDF file having an iPad

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to redline log and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or redline log.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere: at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow easily: generate reusable templates, redline log and work on PDFs with partners. Transform your device right into an effective business instrument for closing offers.

How to Sign a PDF on Android

How to sign a PDF Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even redline log.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storages.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, redline log, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Build good-looking PDFs and redline log with a few clicks. Create a faultless eSignature process with just your smartphone and increase your total efficiency.

be ready to get more

Get legally-binding signatures now!

FAQs

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.

Need help? Contact support

What active users are saying — redline log

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

This service is really great! It has helped...
5
anonymous

This service is really great! It has helped us enormously by ensuring we are fully covered in our agreements. We are on a 100% for collecting on our jobs, from a previous 60-70%. I recommend this to everyone.

I've been using airSlate SignNow for years (since it...
5
Susan S

I've been using airSlate SignNow for years (since it was CudaSign). I started using airSlate SignNow for real estate as it was easier for my clients to use. I now use it in my business for employment and onboarding docs.

Everything has been great, really easy to incorporate...
5
Liam R

Everything has been great, really easy to incorporate into my business. And the clients who have used your software so far have said it is very easy to complete the necessary signatures.



Redline log

Hello everyone, and welcome back to another video in the Introduction to Memory Forensics series. This time we're going to take a look at Redline, a free analysis tool from FireEye that allows us to analyze a potentially compromised Windows system. Redline can collect and analyze memory and disk-based artifacts, including all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and even web history. It provides an easy-to-use GUI interface that can help us analyze that collected data to find the evil on a given system.

As of the recording of this video in September of 2017, the current version of Redline is 1.20, released in May of this year. Version 1.20 makes some important changes, including adding support for the collection and analysis of Windows 10 machines. This version also speeds up initial load times by removing a feature called MRI, which I've mentioned in previous videos. MRI, or Malware Risk Index, was a 1 to 100 scoring system that could help us easily identify potentially malicious processes running on a system. For example, if an svchost.exe process was found with an unexpected parent (in other words, not services.exe), or unexpected parameters were seen after the -k flag, or perhaps it was located outside of %SystemRoot%\System32, you could expect any one of those things to cause Redline to flag it with a high MRI score, probably somewhere in the 90s. I actually found this useful for what I like to call point-and-shoot forensics. At the very least, it gave us the ability to quickly find low-hanging fruit. So maybe FireEye will give us the option in the future to re-enable this feature, but for now it's simply not there.

In the next section of this video, we're going to switch over to our Windows 10 analysis VM and create something called a Redline collector. A collector is a series of scripts that will automate the collection of forensic data from a target system. Let's switch over to the Redline user guide
so we can get some more information about Redline collectors.

There are actually three types of Redline collectors available to us, and the names are pretty self-explanatory: we have a standard collector, a comprehensive collector, and an IOC search collector. With any of these three collector types, we have the optional ability to acquire memory, which I would almost always suggest that you do. The standard collector will configure scripts to gather the minimum amount of data necessary to complete an analysis. The comprehensive collector, as you might imagine, will actually gather most of the data that Redline is able to collect and analyze. According to the manual, this should be used if you intend to perform a full analysis or if you only have one opportunity to collect data from a computer. And then lastly, the IOC search collector will actually collect data based on indicators of compromise that you provide to it. If you're not familiar with indicators of compromise, this can be anything such as hashes, IP addresses, domain names, or anything else that we have seen from previous incidents that would enable us to preemptively find evidence of malware or evidence of an intrusion in the future.

We're actually going to be creating a comprehensive collector on our Windows 10 analysis VM, and we'll save that collector to an external USB flash drive. We'll then run that collector on our target VM to gather the forensic data, and then bring the results back into Redline on the analysis VM and see what we've got. So let's get started.

Okay, we are now in our Windows 10 analysis VM. You'll notice I've got an E: drive titled FLASH; this is the 64 gig exFAT-formatted USB flash drive on which we'll be storing the collector that we're about to create. Currently there's nothing on the drive, so let's go ahead and launch Redline. When we do, you'll notice we've got two major sections: Collect Data and Analyze Data. Under Collect Data, you'll see options for creation of the different types of collectors that
we just covered, and under Analyze Data you'll notice that we can open a saved memory file or a previous analysis session, and for convenience the recently used analysis sessions are located right here.

We're going to be creating a comprehensive collector and saving it to our USB flash drive, but before we do, let me show you a standard collector so you can see some of the differences between them. Under both the standard and the comprehensive collector, this screen is going to look mostly identical. We have the option under both to Acquire Memory Image, and we're almost always going to make sure this box is checked. The real differences are here under Edit your script. When we click this, you'll notice we see five major sections of forensic data that we can configure for this particular collector: we've got Memory, Disk, System, Network, and Other. And if we choose the Show Advanced Parameters checkbox, we'll have additional options under each of these five sections, mostly relating to filtering. For example, here you'll notice that selecting this Show Advanced Parameters box allows us to filter on specific PIDs; we can even use regex to pattern match. For now we're not going to worry about that, so we'll uncheck this.

You'll notice that under the standard collector and under the Memory section, most things are selected by default. In addition to MD5 hashes, we can also tell it to compute SHA-1 and SHA-256 hashes, as well as MemD5 hashes, which are hashes of memory-based objects, and we can tell it to grab strings for processes as well. Under drivers, again, we can choose strings, and in addition to MD5 we can choose SHA-1 and SHA-256 hashes. We also have the option to acquire memory image, which again is the same as this checkbox that we already checked. Under Disk, you'll notice nothing is selected for the standard collector. Under System, the only thing selected is machine and OS information, so no user accounts or prefetch, no registry information, event logs. Under Network, no ARP or routing
tables, no browser information. Under Other, none of these options are chosen either. So you can see that, by default, a standard collector is indeed very bare-bones.

Now let's take a look at a comprehensive collector. You'll see the initial screen looks pretty much identical. As I stated, we'll check the Acquire Memory Image checkbox and we'll click Edit your script. You'll notice the Memory section looks pretty much the same. Under Disk, however, you'll notice almost everything is selected for the comprehensive collector; we can optionally choose strings and, in addition to MD5 hashes, SHA-1 and SHA-256 hashes. Under System, everything is chosen, so we will grab user account related information, prefetch, registry, and event logs. Under Network, everything with the exception of two Firefox-specific options is selected, and under Other, most of these options are also selected by default. So you can see there's quite a bit of difference between the default configuration of a standard collector and a comprehensive collector. And as the Redline manual stated, if you only have one shot at acquiring the evidence, always use the comprehensive collector, and of course always acquire memory.

So we're going to leave everything at the default, with the exception of checking this box, and now we'll click Browse and we'll choose the flash drive and hit Select Folder. When we do, you'll notice a red message that says "Please select an empty directory", so we are unable to simply save it to the root of the E: drive. Let's click Browse again and create a folder; we'll call it collector. When we do that and click Select Folder, you'll notice the path changes to E:\collector and the red message is now gone. I'll now click OK, and it's already done. We have now created a collector, which has been saved to our USB flash drive. It tells us that we should run the RunRedlineAudit.bat script on the target machine. When we do so, the results will be saved under the Sessions folder within AnalysisSession1. If we
run the script again, it will append the results to AnalysisSession2, 3, and so on and so forth. When we're done, it tells us to transfer the results back to our analysis machine, which is this machine, and then open the AnalysisSession .mans file located within the specific analysis session's folder.

If I click this blue link, you'll actually see the files on the flash drive that have been created. The RunRedlineAudit.bat file is right here, and you'll see this simply executes a few of the commands to grab the particular artifacts that we told it to grab. You'll also see additional command files, batch files, VBS scripts, and JavaScript, and then we have a 64-bit and a 32-bit version of the xagt.exe file, which is a FireEye agent; it's used in the acquisition process. And that's pretty much it. So at this point, all we need to do is go to our target machine, pop in the flash drive, and run the RunRedlineAudit.bat file to grab the data. Then we'll bring the results back to this machine and analyze them. So let's head over to our next section.

Okay, welcome back. In between the last section of the video and now, I took that comprehensive collector that we created and I ran it on the target VM, and it actually ended up taking a little more than an hour to complete. To do that, I took this USB flash drive on which we created the comprehensive collector and attached it to the Windows 10 target VM, and then from the flash drive I ran the RunRedlineAudit.bat file that you see highlighted here. This is a screenshot of the resulting operation. You'll see a cmd.exe window was spawned, and you can see xagt.exe along with these parameters being run. This is the window that stays up during the entire collection process, and at the end of the collection you don't get a nice message telling you it's finished; it just disappears. You'll notice a reference to MemoryzeAuditScript.xml. Memoryze (M-E-M-O-R-Y-Z-E) is actually an older product from Mandiant, now FireEye, that actually allowed us to perform forensic
analysis on memory images. So apparently Redline uses some components associated with Memoryze still, which is interesting.

On the flash drive, you'll notice that a Sessions folder was created that wasn't there when we just created the collector, and then underneath that we see AnalysisSession1. Had there already been an AnalysisSession1, it would have created an AnalysisSession2, and so on and so forth. Underneath that you'll see AnalysisSession1.mans, which is the file that we can double-click to actually open it with Redline and begin the analysis. Under Audits, you'll find the meat of all the data that was collected, which as you can see is mostly in XML format. To speed up processing, I actually took this entire AnalysisSession1 folder and copied it locally to the desktop right here, and then I went ahead and preemptively opened it with Redline ahead of this recording, because it takes about 2 or 3 minutes to do the initial load. Now when I open it, you'll see it's almost instantaneous.

So now what we're going to do is take a look at the data that was collected for us by this comprehensive collector. Starting at the very top, you'll see some basic system information such as the OS and workgroup, in this case the name of the machine on which the collector was run, which is redline test, and the IP address. Underneath that, we've got four different options for our investigation. We can choose "I am reviewing a triage collection from HX"; this is actually FireEye's endpoint threat prevention platform. This is a commercial product that, if you have it in your environment, is nice because it integrates with Redline, or rather Redline integrates with it. We have "I am investigating a host based on an external investigative lead", which is actually what we're going to be choosing because it most closely fits what we're trying to do. We've got "I am reviewing web history data"; if that happened to be the focus of our investigation and that's all we wanted to look at, we could
choose that option. And then we've got "I want to search my data with a set of IOCs"; if we had developed said IOCs, we can then search this collected data for them. So we're going to go ahead and choose this, as I stated.

On the left side, you'll notice the leftmost column says Analysis Data. This contains all of the data collected by the collector, and what we're going to do now is actually go down through here and quickly look at each of these sections so you can see the wealth of information that was able to be gleaned from this particular computer. Under System Information, we've got some fairly detailed information about the machine: the time zone it's in, the CPU and memory related information, BIOS related information, registered owner and organization, OS information, even the install date and the bitness of the OS, which is 64-bit in this case.

Under Processes, you've got most of the memory related data that was collected. You'll see here, obviously, the processes that were present on the system, and across the top you can see the process name, the PID, the path, the arguments, usernames, start times; of course you'll see the parent PID, hashes, all kinds of information that's extremely useful. Now, to pick on svchost again, since it is so ubiquitous: as I previously stated, if we had a malicious svchost.exe process and this was an older version of Redline, you would see it at the very top of this list and it would be flagged in red with the high MRI score to make it easy to stand out and say that, hey, this may require further analysis. Unfortunately that feature is removed in this version. But just as an example with svchost, you can see the expected -k parameter and what follows after that, and if we scroll across, of course, we can see the parent PID 596, which should correspond to services.exe, and a bunch of other information as well. Now, there's also a Hierarchical Processes view, which I like because you can see it in a tree format, much like pstree from Volatility, if you're familiar with
that. So for example, this particular svchost.exe process, we can clearly see, has a parent of services, which has a parent of wininit.exe, and we can of course expand out the arguments section and see the -k parameter and the things that follow after it, the usernames associated with it, start times, all kinds of interesting information relating to the process. So very cool stuff there.

Now, moving back to the File System section, we've got a huge amount of information. If we look at this, this is actually the file system that was present on that target machine. On that machine, if I drill down into, let's say, the Downloads folder, you'll see, well, there's a desktop.ini file there but nothing too interesting. If I look at, how about Documents: okay, so we've got a default RDP session. How about Desktop, is there anything on the desktop that might be of interest to us on this machine? And you can see there is; there's quite a few things on the desktop. Here's one called netcat.zip that might be interesting to us. If I double-click on this, this will actually show us quite a bit of information about the file. It shows the file size, it shows the MD5 sum, and recall in the collector configuration we could have told it to also calculate SHA-1 and SHA-256 hashes as well. You can see the username that owns it, the SID associated with it, so all kinds of information relating to all of the files that were present on the file system of the computer on which we ran this particular collector. So obviously this is very, very useful information, especially because now we have a hash of all of the files along with their size and their location, and obviously you can see how this will be quite useful.

If we click on Windows Services, that's pretty self-explanatory: these are the services that were present on the system and their status at the time the acquisition occurred. You can see the stopped or running status; you can even see the mode: was it delayed start, on demand, auto start,
disabled, etc.

If we click on Persistence, we can see the persistence mechanisms that may be present on the machine, anything from, for example, the CurrentVersion Run and RunOnce keys that are so ubiquitous, to various other areas from which you could automatically start programs at startup. So Persistence obviously would be a very good section to review.

Under Users, pretty self-explanatory, those are the users that were present on the system. You can see these SIDs and the RID right here, so the RID of 1001 was the first user created on this box, which happens to be my account. Of course 500 is always administrator, 501 is always guest, but you can see all of that information here.

If we click on Event Logs, you'll never guess what we see: event logs. The event logs here are shown in terms of their source; you'll see the type (informational, error, warning, so on and so forth) and you'll see the timestamps associated with them, so obviously very useful information here. Under Tasks we'll see scheduled-task-related information, which is always something you'll want to review on a target system as well.

Under Ports we'll see network-related information. We can see any of the particular daemons that are listening and the TCP or UDP ports on which they're listening. We can see driver modules that were loaded, we can see the device tree, we can see our ARP entries so we can correlate MAC addresses to IP addresses, so this is actually the ARP table. We can also see the route table on the machine.

We can see prefetch-related information, so let's pick on CCleaner64.exe, since that's been in the news quite a bit. You can see this particular program was executed 39 times, last run on this date, so very interesting information here. This is not unlike some of the other tools that we've used to parse prefetch to show evidence of application execution, and Redline just does it for you right in the software.

Under Disks we can see physical drive 0, which is the virtual hard drive, the C drive, and then physical drive
one is the mounted USB flash drive that we have. Under Volumes you can actually see the volume names for those devices and the drive letters associated with them, along with bytes per sector and sectors and space-related information, and even volume serial numbers. Registry Hives of course will show us the registry hives present on the system.

And then the next three sections are always very useful. Browser URL History: we can see all the different sites that this particular computer has visited, and we can even filter on that by searching for, well, let's pick on CCleaner again. If we search for that, you'll see that it highlights all of the downloads associated with CCleaner, and in addition to searching and highlighting we can actually filter on URL, so we can say "show me URLs that contain Google". We'll add that filter, and then it looks like someone was searching here, for example, for domain generation algorithm related information, and it looks like CCleaner and Talos. So very interesting to be able to filter on things like this.

If we click on Cookies we can do the same thing and look at cookie-related information. We'll see of course Google Analytics cookies and Microsoft Office 365 cookies here, and Symantec and Apple cookies and YouTube, and of course we can search or filter on any of these values as well. Under File Download History, same thing: we can search or filter on any of these as well. Let's once again pick on CCleaner by searching for "ccsetup"; you can see quite a few versions of CCleaner were downloaded on this test VM.

The Timeline is actually a super timeline that's created for us, with a huge amount of information here. You can look at the scroll bar and see just how much data has been assembled here, but this actually attempts to paint a chronological picture of all of the events on the system, much like we would get with log2timeline or something to that effect.

Under the Tags and Comments section, anything that we have flagged
earlier, for example, at one point I flagged this as being clean, and you can see it has a tag here, and if we mouse over it you'll actually see it's clean. If we click it we can actually change that, but you'll notice this was a particular URL that was visited and I marked it previously as clean. So any of our notes or marking-related information and comments will be visible here. And then nothing here under Acquisitions, and that's pretty much it.

That gives you a great idea of the default set of data that you can expect to see with a comprehensive collector, and again, we could have gone in and changed any of those defaults. We saw what a standard collector collected, which was very, very minimal information, and then again this is just the default set of options with a comprehensive collector. Any of this we could have easily customized and gathered more information than this, or less information, depending on the specific investigation. In my opinion, I would always get everything you can; it's better to, you know, have it and not need it than to need it and not have it.

The other thing I would also point out is this is a fantastic tool, but I never rely on a single tool. For example, when I'm performing a memory-related investigation I would very often use Volatility, and then I would compare the same results in Redline and see if they match. Never rely on a single tool's output; it's always good to be able to have several different tools in your belt to be able to go in and verify the information that you're seeing.

So that has been an introductory look at Redline. I hope this has been helpful for you. If you're interested in more in-depth videos covering other forensic tools, please do let me know, but again, hopefully this has provided a nice overview of Redline. It's extremely easy to use, all GUI-based, so there's no command-line arguments and things to memorize like there is with something like Volatility, but the tool definitely does have its value. I should mention this is only
used for analyzing Windows systems, so you can't analyze, for example, a Linux system with Redline.

So again, I hope this video has been informative. If this happens to be the first video that you've seen, I would greatly appreciate it if you would subscribe to the channel; that way you'll not miss any future videos that are released. I tend to create at least one or two videos a month as I have time, and all of them generally relate to either digital forensics and incident response or penetration testing. If you have any comments about this particular video, please do let me know. As always, please like, subscribe, share and all that other good stuff, and you can also reach me on Twitter at davisrichardg should you have any feedback. I also often tweet upcoming videos and information relating to that, so you may want to follow me on Twitter if you're interested in this particular topic. But again, I'd like to thank you for taking the time out of your day to watch this video. I hope it's been informative, and I will see you next time.


Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.


How can I make documents so that someone else can electronically sign them?

Signing documents with airSlate SignNow is straightforward. Find a document from the library of templates or upload your own. To add a signature, simply upload or find a document, add a signature field (the Signature Field element), assign the element to a signer, and send it to the signer. Once the signer receives it, they have to click on it, choose Edit, generate an eSignature and click Sign. As soon as they finish, you’ll receive an automated notification and a copy of the executed document.

How can I input an electronic signature in a PDF?

Use airSlate SignNow, a GDPR and HIPAA compliant tool. Register an account, create your electronic signature, and then insert it into any document, anytime, and from anywhere. Upload a PDF file, go to the left-side menu, choose My Signatures, and place the cursor where you need it to be placed. Click Add New Signature and select whether to type or draw your signature, or whether to insert an image of it. No matter which way you choose, it’ll be legal and valid. Once done, you’ll be able to eSign forms in only a few clicks.

How can you sign your name on a PDF?

Add a legally-binding and court-admissible signature electronically using airSlate SignNow. Go to your airSlate SignNow account or register one. Upload a document for signing. Select Signature Field to create one. Choose how you would like to generate it: by drawing, typing, or by uploading an image. Click Save to exit the signature generator. Drag the signature block anywhere on the document. In case you need to collect signatures, use the top left toolbar and invite recipients to eSign.