Mandiant has just released a new version of Redline, a free tool for incident handling. The utility lets an analyst collect data from, and investigate, a potentially compromised system. Usually you need to verify what changed on the system to understand what really happened during the attack.
After installing Redline you have several options: start a fresh scan of the local system or of local memory, supply the tool with a saved memory image, or reopen a previously saved analysis. This is what makes this free tool flexible and well suited to examiners.
Many people will ask what kind of information the tool collects; the answer, from the official description, is the following:
- “Files, Directories, Processes, Registry Keys, Semaphores, Mutants, Events and Sections
- Memory sections, with details for each named section / dll including: MD5 (on disk), processes the section is found in and imported and exported functions
- Open Network ports
- Hooks: Driver IRP, SSDT and IDT
- Complete driver tree”
It is also possible to run a guided investigation that walks the incident handler through the steps for performing the analysis and identifying an infected system:
- “Review processes with high MRI scores
- Review network connections
- Review memory sections
- Review untrusted handles
- Review hooks
- Review drivers”
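The guided steps above are a triage order: look first at the processes most worth an analyst's time, then at their network connections, memory sections, handles, and finally at hooks and drivers. The following is an added example (not Redline code and not Mandiant's MRI scoring, whose rules are their own) that shows how such a review can be expressed as simple heuristics over a snapshot of process, driver and hook data. The snapshot, the expected-parent table, the "trusted" directories and the weights are all constructed assumptions for illustration.

```python
"""Process, driver and hook triage over a constructed memory snapshot.

Added illustration only: the rules and weights are assumptions that mirror
the review order (processes, network, memory sections, hooks, drivers).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumptions for this illustration: where core Windows binaries live and
# which parent each well-known process should have.
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
}
# Processes that should not normally hold outbound network connections.
NO_NETWORK_EXPECTED = {"lsass.exe", "winlogon.exe"}
# Kernel modules that legitimately own SSDT / IDT entries (assumption).
KERNEL_OWNERS = {"ntoskrnl.exe", "win32k.sys", "hal.dll"}


@dataclass
class Section:
    name: str           # module or section name; "" for an anonymous region
    on_disk: bool       # False when no file backs the mapping (injected code)
    signed: bool = True


@dataclass
class Process:
    pid: int
    name: str
    path: str
    parent_name: str
    sections: List[Section] = field(default_factory=list)
    remote_ports: List[int] = field(default_factory=list)


@dataclass
class Driver:
    name: str
    path: str
    signed: bool


def score_process(p: Process) -> Dict[str, int]:
    """Return named findings with (assumed) weights for one process."""
    findings: Dict[str, int] = {}
    name = p.name.lower()
    # A well-known system binary running from outside System32 is suspicious.
    if name in EXPECTED_PARENT and not p.path.lower().startswith(SYSTEM32):
        findings["system_binary_outside_system32"] = 3
    expected = EXPECTED_PARENT.get(name)
    if expected and p.parent_name.lower() != expected:
        findings["unexpected_parent"] = 3
    # Memory sections with no file on disk are a classic injection indicator.
    unbacked = sum(1 for s in p.sections if not s.on_disk)
    if unbacked:
        findings["unbacked_memory_sections"] = 2 * unbacked
    unsigned = sum(1 for s in p.sections if s.on_disk and not s.signed)
    if unsigned:
        findings["unsigned_modules"] = unsigned
    if p.remote_ports and name in NO_NETWORK_EXPECTED:
        findings["unexpected_network_activity"] = 2
    return findings


def rank_processes(procs: List[Process]) -> List[Tuple[int, str, int]]:
    """Order processes for review: highest total score first, then by pid."""
    scored = [(p.pid, p.name, sum(score_process(p).values())) for p in procs]
    return sorted(scored, key=lambda t: (-t[2], t[0]))


def review_drivers(drivers: List[Driver]) -> List[str]:
    """Drivers that are unsigned or load from outside the drivers directory."""
    drivers_dir = SYSTEM32 + "drivers\\"
    return [d.name for d in drivers
            if not d.signed or not d.path.lower().startswith(drivers_dir)]


def review_hooks(hooks: Dict[str, str]) -> List[str]:
    """Table entries (e.g. 'SSDT[idx]' -> owning module) whose owner is not a
    known kernel module."""
    return [entry for entry, owner in hooks.items()
            if owner.lower() not in KERNEL_OWNERS]


# Constructed snapshot: a normal svchost, a masquerading copy with an
# unbacked section, an lsass with an unexpected outbound connection, plus a
# driver list and a hook table with one entry owned by an unknown module.
SNAPSHOT = [
    Process(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
            [Section("ntdll.dll", True)], [443]),
    Process(4120, "svchost.exe", r"C:\Users\Public\svchost.exe", "explorer.exe",
            [Section("ntdll.dll", True), Section("", False)], [443]),
    Process(652, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe",
            [Section("ntdll.dll", True)], [8080]),
]
DRIVERS = [
    Driver("tcpip.sys", r"C:\Windows\System32\drivers\tcpip.sys", True),
    Driver("unknown.sys", r"C:\Users\Public\unknown.sys", False),
]
HOOKS = {"SSDT[0x42]": "ntoskrnl.exe", "SSDT[0x7a]": "unknown.sys"}

if __name__ == "__main__":
    for pid, name, total in rank_processes(SNAPSHOT):
        print(f"{pid:>6} {name:<14} score={total}")
    print("drivers to review:", review_drivers(DRIVERS))
    print("hooks to review:", review_hooks(HOOKS))
```

The point of the ranking is the same as the guided workflow: it does not declare anything malicious, it only decides which process, driver or hook the examiner should open first. Real scoring would draw on the on-disk MD5s, import/export tables and handle lists that Redline collects; here those inputs are reduced to a few boolean fields so the control flow stays visible.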
You can read the full tool description and download this release on the official website.