How To Use FireEye RedLine For Incident Response | TryHackMe RedLine
Introduction
In this video walk-through, we explained how to use RedLine from FireEye to perform incident response, memory analysis and computer forensics. This was the part 1 video of the RedLine room from TryHackMe.
Many tools can aid a security analyst or incident responder in performing memory analysis on a potentially compromised endpoint. One of the most popular tools is Volatility, which will allow an analyst to dig deep into the weeds when examining memory artifacts from an endpoint. But this process can take time. Often, when an analyst is triaging, time is of the essence, and the analyst needs to perform a quick assessment to determine the nature of a security event.
That is where the FireEye tool Redline comes in. Redline essentially gives an analyst a 30,000-foot (10 kilometres high) view of a Windows, Linux, or macOS endpoint. Using Redline, you can analyze a potentially compromised endpoint through its memory dump, including various file structures. With a nice-looking GUI (Graphical User Interface), you can easily find the signs of malicious activity.
Here is what you can do using Redline:
- Collect registry data (Windows hosts only)
- Collect running processes
- Collect memory images (before Windows 10)
- Collect Browser History
- Look for suspicious strings
- And much more!
Note: Task 6 has a glitch and TryHackMe is working on a fix for it. I will release the answers once the fix is validated.
Room Answers
Room answers can be found here.