Windows 10 Cyber Security Triage with Redline

Redline Overview

Mandiant’s free Redline utility allows you to triage Windows operating system (OS) memory and file structure to identify signs of malicious activity. Redline:

  • Collects run processes, files, registry data, and memory images from Windows operating systems.
  • Helps to identify when a compromise was introduced, which files were affected, and if (and how) it persists.
  • Performs Indicators of Compromise (IOC) analysis, looking for specific artifacts, such as files or processes, that may indicate a breach has occurred.
  • Leverages features such as TimeCrunch, TimeWrinkle, filtering by user and/or process, and whitelisting to hide data and activity that is irrelevant to your analysis.

Redline Version 1.20.1 Introduced

On October 23, 2017, Redline version 1.20.1 introduced support for Windows 10 system collection and analysis. The new release also improves Redline’s initial load time by removing the MRI scoring calculations and addresses a number of other issues, such as Redline not being able to run when FireEye’s Endpoint Threat Prevention Platform (HX) is installed.

Version 1.20.1 also supports multiple new types of data visualization for responders analyzing collections acquired via FireEye HX. The newly added fields are BIOS Type for the System Information audit, Security ID (SID) for registry audits, and the Command Line field for HX agent process events.

Supported Operating Systems: Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit), Windows 10.

You can download Redline here:

Running Redline Portable Collector on Windows 10

Step 1: Download and Install Redline

First, download Redline, verify its certificate, and install it by double-clicking Redline’s Windows Installer (.msi) file (“Redline User,” 2017).

Step 2: Create a Redline Collector on a USB flash drive that contains an executable script to collect data from a Windows 10 operating system.

Redline has three collector types: the Standard Collector, the Comprehensive Collector, and the IOC Search Collector; a full discussion of them is outside the scope of this post. In short, the Standard Collector configures scripts to gather the minimum amount of data needed to complete an analysis. The Comprehensive Collector sets scripts to collect most of the data that Redline collects and analyzes. Mandiant recommends this type of Redline Collector if you intend to do a full analysis or if you have only one opportunity to collect data from a system. The IOC Search Collector gathers data that matches selected Indicators of Compromise (IOCs). Mandiant recommends this Redline Collector type when you are looking only for IOC hits and not for any other potential compromises. I chose “Create a Comprehensive Collector” (“Redline User,” 2017):

You can accept the selected collector’s default script or edit it:

For instance, I edited the script by checking “Strings” and “Acquire an image of memory that can be used to accurately acquire process memory and drivers during analysis in Redline,” which are not checked by default:

After closing the editor, create and select a folder on the USB to save the collector to:

Click “OK” and Redline creates the portable collector:

View of collector files created on USB:

Step 3: Run the Redline Collector

Open an “Administrator: Windows PowerShell” session, change directory to the collector folder on the USB drive, and run RunRedlineAudit.bat:
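Steps 1 and 3 scripted as an added PowerShell example (this is not Redline’s own tooling and not from the original post): it checks the installer’s Authenticode signature, confirms the session is elevated, runs RunRedlineAudit.bat from the USB folder, and records a SHA-256 of the resulting AnalysisSession.mans so the evidence file can be verified later. The installer path and the USB drive letter are assumptions.

```powershell
# Added example: verify the Redline MSI signature, confirm elevation, run the
# portable collector and hash the session file it produces. Paths are assumptions.
param(
    [string]$InstallerMsi = "$env:USERPROFILE\Downloads\Redline.msi",  # assumed download path
    [string]$CollectorDir = "E:\RedlineCollector"                       # assumed USB collector folder
)

# Step 1 check: the MSI must carry a valid Authenticode signature before it is installed.
$sig = Get-AuthenticodeSignature -FilePath $InstallerMsi
if ($sig.Status -ne 'Valid') {
    throw "Installer signature status is '$($sig.Status)'; do not install it."
}
Write-Host ("Installer signed by: {0}" -f $sig.SignerCertificate.Subject)

# Step 3 check: the collector must run from an elevated (Administrator) session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Open an 'Administrator: Windows PowerShell' session and re-run this script."
}

# Run RunRedlineAudit.bat from the USB folder and wait for it to finish.
$bat = Join-Path $CollectorDir 'RunRedlineAudit.bat'
if (-not (Test-Path $bat)) { throw "Collector script not found: $bat" }
Set-Location $CollectorDir
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$bat`"" `
        -WorkingDirectory $CollectorDir -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Collector exited with code $($proc.ExitCode)" }

# The collector writes AnalysisSession.mans under the USB's AnalysisSession folder;
# search from the collector root so the exact subfolder layout does not matter.
$mans = Get-ChildItem -Path $CollectorDir -Recurse -Filter 'AnalysisSession.mans' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $mans) { throw "No AnalysisSession.mans was produced under $CollectorDir" }

# Record a SHA-256 of the session file with a timestamp for later evidence verification.
$hash = Get-FileHash -Path $mans.FullName -Algorithm SHA256
"{0}  {1}  {2:o}" -f $hash.Hash, $mans.FullName, (Get-Date) |
    Out-File -FilePath (Join-Path $CollectorDir 'collection-hashes.txt') -Append -Encoding ascii
Write-Host "Session file: $($mans.FullName)`nSHA-256: $($hash.Hash)"
```

Re-running Get-FileHash on the .mans file before opening it in Redline and comparing it with collection-hashes.txt confirms the session file was not altered in transit.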

Step 4: Forensic Investigation with Redline

Once the collector script completes, it creates an “AnalysisSession.mans” file in the USB’s AnalysisSession folder (see the snippet below). Open it in Redline: on Redline’s main page, click the “Open Previous Analysis” link under Analyze Data, go to “Sessions” -> “AnalysisSession”, select the “AnalysisSession.mans” file, and click Open. Redline loads the collector script’s session (this takes time). Once the session opens, select the external source option (see the Redline User Guide, Version 1.2, for a full list of investigation options).

Once the events load, if you have the exact time of the SOC alert, go to the TimeWrinkle tab and select a few minutes before and after the reported time to focus and speed up your investigation; if you do not have an exact time, widen the window to more minutes before and after the estimated time. Going through the timeline, look for indicators of compromise (e.g., an executable in the temp folder, antivirus or EMT blocks, etc.). Use search engines to do additional research to understand the results.

Step 5: Triage

Redline allows for a simple but effective triage process that can help you identify indicators of compromise, attack vectors (i.e., how attackers enter your environment and move about), targeted and infected systems, and where and how your defenses failed. Armed with this information, you can prioritize your response around the highest-value targets, such as removing malware and restoring systems from backups, and build a stronger defense through prioritized security-control investments.

Cybersecurity Framework Control Mapping

Under the Framework for Improving Critical Infrastructure Cybersecurity, Version 1, this activity maps to the Detect (DE) function, Anomalies and Events (DE.AE) category (“Anomalous activity is detected in a timely manner and the potential impact of events is understood”), and in particular to subcategory DE.AE-2: “Detected events are analyzed to understand attack targets and methods” (“Cybersecurity,” 2014).

Informative References include:

  • ISA 62443-2-1:2009
  • ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
  • ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
  • NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

About the Author

David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA.

References

Cybersecurity Framework. (2014, February 12) [Web site]. Retrieved October 24, 2017 from

Redline user guide, release 1.20. (2017). Retrieved November 7, 2017 from
