Mandiant Redline Changelog

What's new in Mandiant Redline 2.0

May 7, 2020
  • What’s New:
  • The following section describes the features that are new in the 2.0 release.
  • The Redline collector now supports audit collection on OS X and Linux platforms. Results can be viewed on Windows only.
  • The Redline collector in v2.0 no longer supports Windows XP and Windows Server 2003 environments. For these older systems, please continue to use Redline 1.20.
  • Issues Fixed:
  • The following section describes the issues that were fixed in the 2.0 release.
  • Invalid timestamps showing 0001-01-01 00:00:00Z in Tasks and Timeline columns were resolved. (RED-629)
  • Redline can now display IPv6 where it is appropriate. (RED-648)
  • Fixed an issue with Redline adding its startup directory to File audit files with an unknown path. (RED-520)
  • Improved navigation performance in Process and File audits. Improved tagging performance in all audits. (RED-645)
  • Out of memory exceptions were resolved. Redline now supports up to 4 GB of RAM on 64-bit Windows. (RED-628)
  • Port information is now correctly shown in Process details. (RED-617)
  • File audits where files have an invalid timestamp in the PE header are now processed correctly. (RED-623)
  • Resolved an issue where an audit was shown as “Not Collected” even though it was present in the imported data. (RED-624)
  • No longer showing two “File System” audits in audit list. (RED-627)
  • Removed thousands separator for EID values in Event Log audit. (RED-634)
  • The Redline collector for Windows can now be run from a folder with a space in its full path. (RED-646)

New in Mandiant Redline 1.20.2 (Jun 11, 2018)

  • Redline version 1.20.2 introduces support for large file and registry audits. Redline has also been improved to address issues related to efficiency and memory management.

New in Mandiant Redline 1.20 (May 6, 2017)

  • Redline version 1.20 introduces support for collection from and analysis of Windows 10 systems. It also greatly improves the initial load time by removing the MRI scoring calculations, and addresses a number of frequently encountered issues such as being unable to run while an HX endpoint agent is installed.
  • Version 1.20 also supports multiple new types of data visualization for responders analyzing collections acquired via FireEye HX. The newly added fields are BIOS Type for the System Information audit, Security ID (SID) for registry audits, and the Command Line field for HX agent process events.

New in Mandiant Redline 1.14 (Sep 1, 2016)

  • New Features:
  • View in HX Button
  • There are now buttons in the Redline user interface that you use to view information that is on an HX Series appliance. They are the View in HX buttons. Click these buttons to view details about alerts or indicators.
  • Support for URL Monitor Agent Events
  • URL Monitor agent events exported to a CSV file now display in the Summary column. The Summary column is located in the Timeline Configuration area.
  • Parent Process Tab
  • A new Parent Process tab has been added to the UI, shown when a process has a parent process ID associated with it. It provides additional information: details of the parent of the process you selected to view, and of the user that ran it.
  • File Tab
  • A new File tab has been added to the UI for the following types of agent event audits: File Write, Image Load, Process Lifecycle and URL Monitor. The File tab appears in the Selected Item Details pane.
  • Filtering Empty Parent PIDs in Image Loading Events
  • Support for Process Agent Events
  • Timeline Configuration Tab
  • Parent Identification Number
  • Fixed issues:
  • An agent triage now includes the event start time and MD5 information for each process life-cycle event.
  • The Show Details link appears in every row in the Tags and Comments area. Additionally, clicking the link now refreshes the information in that row.
  • The erroneous message "Operation failed. This command is currently busy" no longer appears when the system is fetching an alert. The Busy state handling message for the command appears instead.
  • An Alert column now appears in the Tags and Comments pane.
  • Alert events are now displayed only once in DNS look-up events. Previously, the same alert event was displayed twice.
  • You can now sort the Alert column.
  • A column called Summary has been added to the exported exploits events CSV file.
  • Using the Copy with Headers option in the Timeline Configuration area to copy rows no longer generates an error message.
  • Process names are now displayed in the Summary column in the Timeline Configuration pane when you select the Process Agent Event/Running/Generate check box.
  • Each exploit detection event now is displayed as a hyperlink.
  • The Clear All Filters button in the Timeline Configuration pane has been renamed.
  • The Buffer Collection Time Boundaries fields in the Agent Events area are now hidden if there are no processes to report.
  • Alert hyperlinks are now hidden if the event the link points to is in an out-of-boundaries state.
  • Minor errors in column headers have been corrected.

New in Mandiant Redline 1.12 (Jun 10, 2014)

  • New Features:
  • Redline collectors will now automatically create a new analysis session file (*.mans) every time they run, making it easier for you to double-click to open and analyze your newly collected data.
  • As a result of this, the "Import from a Collector" option is now only needed for supporting legacy collected data and was removed from the "Getting Started" page. You can still find this option under the main menu.
  • Redline now identifies and hides all duplicate items from your collected data in all views except for Timeline. This makes it easier to review data collected from audits that generate many entries for the same forensic artifact such as file items found in common persistence locations. It also allows Redline to remove the restriction on importing multiple documents containing the same type of audit data (e.g. API Files and Raw Files) in the same analysis session.
  • Redline determines which items are duplicates by comparing the values for a set of fields that adequately describes an item's uniqueness. However, there may be cases where an item is incorrectly classified as a duplicate. In these cases the hidden items can be found on a tab within the item's details pane for review, and they are always visible within the Timeline view.
  • All files related to an analysis session will now be saved directly alongside the analysis session (*.mans) file. This includes file acquisitions, IOC reports, and source audit files. All of these files were previously stored in the temp folder by default.
  • When "Analyzing Data From a Collector" you now have the option to move (default) or copy your collected data to reside alongside your analysis session file, as opposed to having it remain in its original location. You can modify this choice under the "Advanced" section of the "Start your Analysis Session" configuration wizard.
  • Resolved Issues:
  • When using the directory tree filters under the File System view, Redline will no longer incorrectly filter out files from your view when a directory that begins with the same literal string as the file(s) is unselected.
  • The "Analyze this Computer" and "Analyze a Saved Memory File" options should once again function correctly on Windows XP 64-bit machines.
  • Redline collectors once again run correctly when saved to a path location that contains spaces in it.
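The duplicate-hiding behaviour described above (compare a set of fields that describes an item's uniqueness, hide later matches under the first, keep every item in the Timeline) can be reproduced outside the tool when triaging exported audit data. The following is an added example, not Redline's own code; the field names, the choice of key fields and the sample items are assumptions made here, and the hashes are placeholders.

```python
"""Hide duplicate forensic items across imported audit documents, in the style
Redline 1.12 describes. Added illustration, not Redline's own code: the field
names, the uniqueness key and the sample items are assumed/constructed here."""
from collections import OrderedDict
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass
class FileItem:
    source: str      # audit document the item came from, e.g. "API Files" or "Raw Files"
    path: str
    md5: str
    size: int
    modified: str    # timestamp as collected, ISO-8601
    # Duplicates are hidden, not dropped: Redline keeps them reviewable on a details tab.
    duplicates: List["FileItem"] = field(default_factory=list)


# Fields assumed to describe a file item's uniqueness. `source` is deliberately
# excluded: the same artifact reported by two audit documents is one item.
UNIQUE_FIELDS: Tuple[str, ...] = ("path", "md5", "size", "modified")


def uniqueness_key(item: FileItem) -> Tuple[str, ...]:
    # Case-fold the path so NTFS case differences between audits do not defeat the match.
    return tuple(
        getattr(item, f).lower() if f == "path" else str(getattr(item, f))
        for f in UNIQUE_FIELDS
    )


def dedupe(items: List[FileItem]) -> List[FileItem]:
    """Return visible items, each carrying the duplicates hidden beneath it.

    The first occurrence wins; later matches are attached to it. Input items
    are not modified, so the function is safe to call repeatedly.
    """
    seen: "OrderedDict[Tuple[str, ...], FileItem]" = OrderedDict()
    for it in items:
        k = uniqueness_key(it)
        if k in seen:
            seen[k].duplicates.append(it)
        else:
            seen[k] = replace(it, duplicates=[])
    return list(seen.values())


def timeline(visible: List[FileItem]) -> List[Tuple[str, str, str]]:
    """The Timeline view keeps every item, hidden duplicates included."""
    rows = []
    for it in visible:
        rows.append((it.modified, it.source, it.path))
        rows.extend((d.modified, d.source, d.path) for d in it.duplicates)
    return sorted(rows)


# Constructed sample: one persistence binary reported by two audit documents
# (differing only in path case), plus a different file that reuses the path.
# Hashes are placeholders, not real file hashes.
SAMPLE = [
    FileItem("API Files", r"C:\Users\bob\AppData\Roaming\updater.exe",
             "d41d8cd98f00b204e9800998ecf8427e", 51200, "2014-05-01T10:15:00Z"),
    FileItem("Raw Files", r"c:\users\bob\appdata\roaming\updater.exe",
             "d41d8cd98f00b204e9800998ecf8427e", 51200, "2014-05-01T10:15:00Z"),
    FileItem("API Files", r"C:\Users\bob\AppData\Roaming\updater.exe",
             "9e107d9d372bb6826bd81d3542a419d6", 77824, "2014-05-03T08:00:00Z"),
]

if __name__ == "__main__":
    for it in dedupe(SAMPLE):
        print(f"{it.path}  md5={it.md5}  hidden duplicates={len(it.duplicates)}")
```

The third sample item shares its path with the first two but differs in hash, size and timestamp, so it stays visible: that is the case the changelog warns about, where a key that is too narrow (path only) would wrongly hide a replaced binary. Keeping `duplicates` on the surviving item is what lets a misclassified item be reviewed instead of lost.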

New in Mandiant Redline 1.11.1 (Mar 12, 2014)

  • New Features:
  • The find panel available on all list views has been redesigned. It has been reorganized for improved space utilization, made to be always visible, and offers the ability to target a single column to apply your find and filter operations against.
  • The ability to filter your list views by tags and comments has been greatly enhanced. You now have the ability to filter your lists by multiple tags at once. You also have the ability to further refine your tag filters to include only items that either do or do not include a comment.
  • All Redline Collectors have been updated to allow collection against two additional operating systems: Windows 2012 and Windows 8. (Support for these operating systems is currently in beta status)
  • Mandiant Redline is now known as Redline, and most references in the application have been updated to reflect this.
  • Resolved Issues:
  • Redline is now compatible with Windows 8 and any other systems which have the .NET 4.5 framework installed.
  • Idle performance of Redline has been greatly improved; it no longer consumes large amounts of CPU when not actively analyzing data. This also greatly improves usability on low-powered computers and virtual machines.
  • Due to a number of issues, Redline no longer performs non-critical analysis in the background after your data has been imported. These analyses will once again be front loaded and performed during the initial import of data from your Redline Collector.
  • The "Analyze a Saved Memory File" and "Analyze this Computer" options will no longer fail with the following message "Redline was unsuccessful in creating audit results to analyze. Unable to determine where Memoryze stored the result documents".
  • Importing large MD5 whitelists will no longer cause Redline to fail with an out of memory exception.

New in Mandiant Redline 1.11 (Dec 3, 2013)

  • New Features:
  • The find panel available on all list views has been redesigned. In addition to always being available and being reorganized for improved space utilization, it also now offers the ability to target a single column to apply your find and filter operations against.
  • The ability to filter your list views by tags and comments has been greatly enhanced. You now have the ability to filter your lists by multiple tags at once. You also have the ability to further refine your tag filters to include only items that either do or do not include a comment.
  • All Redline Collectors have been updated to allow collection against two additional operating systems: Windows 2012 and Windows 8. (Support for these Operating Systems is currently in Beta Status)
  • Resolved Issues:
  • Redline is now compatible with Windows 8 and any other systems which have the .NET 4.5 framework installed.
  • Due to a number of issues, Redline no longer performs non-critical analyses in the background after your data has been imported. These analyses will once again be front loaded and performed during the initial import of data from your Redline Collector.

New in Mandiant Redline 1.10.1 (Sep 25, 2013)

  • New Features:
  • Back-end storage for analysis sessions has been completely overhauled to allow for future extensibility and maintenance. It has also been optimized to provide improved performance systemwide.
  • The initial import of data from Redline Collectors into Redline has been broken into two phases to allow non-critical analyses to be performed in the background after your data has been imported. This allows you to access the data that matters to you faster.
  • The tagging option on the right-click menu will now work when you have multiple items selected, which allows you to apply tags to more than one item at once.
  • Another section called "I am Reviewing Web History Data" has been added to the Start Your Investigation page to assist you when you are investigating data that you previously viewed in Mandiant Web Historian™. Clicking that section brings you to the Browser URL History table view on the Data Analysis window's Host tab.
  • Additionally, the Browser URL History, Cookie History, File Download History, and Form History views now have investigative filters to aid you in reviewing Web Historian related data. The included filters mirror those that were packaged in a default install of Web Historian.
  • Resolved Issues:
  • The Frequency Count for Memory Sections was previously reported as a count of the number of times that the section was found across all the data in the analysis session. This has been changed to instead only count a section once per process in which it appears. As a result, the numbers in the Counts column in the Memory Sections/DLLs table view will be smaller in Redline v1.10 than the numbers in the Counts column in previous versions of Redline.
  • The Memory Sections view will now show all memory sections, not only those that have associated PE Information.

New in Mandiant Redline 1.10 (Aug 28, 2013)

  • This release completely overhauls the back-end storage mechanisms for analysis sessions, which will provide improved performance system-wide and allow for future extensibility and maintenance. It also breaks the initial data import from Redline Collectors into two phases to first import the data and then complete the non-critical analyses in the background. This change allows you to access the data that matters to you faster. Finally, the tagging option on the right-click menu will now work when you have multiple items selected, which allows you to apply tags to more than one item at once.

New in Mandiant Redline 1.9.2 (Jul 2, 2013)

  • New Features:
  • Mandiant for Security Operations customers can also take advantage of Redline's ability to open Triage Collections for performing in-depth host analysis. This includes analysis of the Mandiant for Security Operations exclusive Agent Events Audit, which captures historical events as they occur on the host (such as process loads, file writes, network connections, and registry key modifications) and stores those events until the next Triage Collection.
  • Redline now automatically associates different audit data types and pulls additional information into your current view to help you go from "Zero-to-Evil" faster. For example, the processes analysis view will search the file audit for the executed process' matching file item and pull its MD5 hash and digital signature information directly into the grid so that you can sort, search, and filter. It will also include the full file details from the associated file as a tab on the "Show Details" pane. In other cases Redline will associate a list of items (for example, file write agent events to a process item). These will be displayed in a fully functional list view within the "Show Details" pane as well.
  • Redline now allows you to tag any top level analysis data item with one of six user configurable tags and add associated comments. All grid views now have new tagging options on the "Tags and Comments" tab within the "Show Details" pane, through the right click context menu, as well as directly on the grid itself by clicking on a row's tag icon. Using the tag filter drop down found at the bottom right corner of all list views that support tagging, Redline also allows you to filter any grid by its item's tagged and commented state.
  • Once you have applied tags and comments to items in your analysis session, Redline allows you to view, search, sort, and filter all of those items in a single view. The "Tags and Comments" view can be found under the "Host" tab of your "Analysis Data" pane to the left. Using the CSV export feature you can then quickly extract all of your relevant findings to your favorite reporting software.
  • Redline now supports whitelist analysis and filtering on any view where items contain MD5 Hashes.
  • This Redline release re-enables the old style searching which filters a list to only items matching the provided keyword. This filtering capability returns as an optional modifier within the new "Find" pane accessible by pressing Ctrl-F within a grid, or clicking on the find icon in the bottom right corner. It can also be combined with the "Apply as Regex" option (same Regex performance characteristics apply).
  • Previous Redline releases greatly expanded the amount of available host data. This release adjusts the user interface to better facilitate the analysis of this additional host data.
  • Resolved Issues:
  • The Timeline view now allows you to apply a "Unique Process" or "Unique Username" filter through the right click menu when you have a single item with either of these types of data selected.
  • The keyword find functionality will now correctly match within the "Partitions" view underneath "Disks".
  • Redline will no longer fail when attempting to open an analysis session file created with previous versions of Redline. Redline will also open and restore those analysis session files created in Redline-1.7 that were incorrectly upgraded when attempting to open with Redline-1.8.
  • Redline now allows access to the volumes and accessed files lists for prefetch data. The top level "Volumes" view will now filter out the highly duplicative set of volume items gathered by the prefetch audit, as they are now accessible elsewhere.
  • When navigating back and forth between various grid views, Redline will now remember your selected row for each grid and restore that selection when you return.
  • The Memory Sections view will now show all memory sections, not only those that have associated PE Information.
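Two of the 1.9.2 features above, the automatic association of a process item with its matching file item (pulling MD5 and signature details into the Processes grid) and whitelist filtering on MD5 hashes, amount to a join followed by a set lookup. The following is an added example, not Redline's own code, of doing both over exported audit rows; the record layouts, function names, whitelist line format and sample data are assumptions made here, and the hashes are placeholders. Storing digests as raw bytes and reading the list line by line is also the practical answer to the large-whitelist memory problem noted in the 1.11.1 release.

```python
"""Cross-audit association and MD5 whitelist filtering, as the Processes view in
Redline 1.9.x does. Added illustration, not Redline's own code: the record
layouts, function names, whitelist format and sample data are assumed here, and
the hashes are placeholders rather than real file hashes."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class FileItem:
    full_path: str
    md5: str                     # hex digest collected by the file audit
    signature_verified: bool
    signature_description: str


@dataclass
class ProcessItem:
    pid: int
    name: str
    path: str                    # executable path reported by the process audit
    md5: Optional[str] = None    # filled in by associate(); None if no file item matched
    signature_verified: Optional[bool] = None
    signature_description: str = ""


def index_files(files: Iterable[FileItem]) -> Dict[str, FileItem]:
    """Key the file audit by case-folded path; NTFS paths are case-insensitive."""
    return {f.full_path.lower(): f for f in files}


def associate(procs: List[ProcessItem], files: Iterable[FileItem]) -> List[ProcessItem]:
    """Pull MD5 and signature details from the matching file item into each process row."""
    by_path = index_files(files)
    for p in procs:
        f = by_path.get(p.path.lower())
        if f is not None:
            p.md5 = f.md5
            p.signature_verified = f.signature_verified
            p.signature_description = f.signature_description
    return procs


def load_whitelist(lines: Iterable[str]) -> Set[bytes]:
    """Parse a hash list one line at a time (first comma-separated column is the MD5).

    Digests are stored as 16 raw bytes instead of 32-character strings, which
    roughly halves the memory a multi-million-entry whitelist needs.
    """
    wl: Set[bytes] = set()
    for line in lines:
        h = line.strip().split(",")[0].strip('"').lower()
        if len(h) != 32:
            continue                # header line, blank line or not an MD5
        try:
            wl.add(bytes.fromhex(h))
        except ValueError:
            continue                # not hexadecimal; skip rather than fail the import
    return wl


def not_whitelisted(procs: List[ProcessItem], whitelist: Set[bytes]) -> List[ProcessItem]:
    """Keep processes worth a look: no hash available, or hash absent from the whitelist."""
    return [p for p in procs if p.md5 is None or bytes.fromhex(p.md5) not in whitelist]


# Constructed sample data.
SAMPLE_FILES = [
    FileItem(r"C:\Windows\System32\svchost.exe",
             "bd61b2fe4eb4f7b2b35b2f4a5d4bd6b1", True, "Microsoft Windows"),
    FileItem(r"C:\Users\bob\AppData\Roaming\updater.exe",
             "9e107d9d372bb6826bd81d3542a419d6", False, ""),
]
SAMPLE_PROCS = [
    ProcessItem(804, "svchost.exe", r"c:\windows\system32\svchost.exe"),
    ProcessItem(3120, "updater.exe", r"C:\Users\bob\AppData\Roaming\updater.exe"),
    ProcessItem(3300, "ghost.exe", r"C:\Temp\ghost.exe"),   # no file item for this path
]
SAMPLE_WHITELIST = [
    "MD5,FileName",                                              # header, skipped
    '"BD61B2FE4EB4F7B2B35B2F4A5D4BD6B1","svchost.exe"',
]


def review_queue() -> List[str]:
    """Names of processes left after association and whitelist filtering."""
    procs = associate(SAMPLE_PROCS, SAMPLE_FILES)
    return [p.name for p in not_whitelisted(procs, load_whitelist(SAMPLE_WHITELIST))]


if __name__ == "__main__":
    print(review_queue())    # ['updater.exe', 'ghost.exe']
```

A process with no matching file item is deliberately kept in the review queue rather than filtered out: an executable that the file audit could not see (deleted after launch, or running from a path the audit did not cover) is exactly what an analyst wants surfaced, and a whitelist can only vouch for a hash that was actually collected.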

New in Mandiant Redline 1.9.1 (May 29, 2013)

  • New Features:
  • Mandiant for Security Operations customers can also take advantage of Redline's ability to open Triage Collections for performing in-depth host analysis. This includes analysis of the Mandiant for Security Operations exclusive Agent Events Audit, which captures historical events as they occur on the host (such as process loads, file writes, network connections, and registry key modifications) and stores those events until the next Triage Collection.
  • Redline now allows you to tag any top level analysis data item with one of six user configurable tags and add associated comments. All grid views now have new tagging options on the "Tags and Comments" tab within the "Show Details" pane, through the right click context menu, as well as directly on the grid itself by clicking on a row's tag icon. Using the tag filter drop down found at the bottom right corner of all list views that support tagging, Redline also allows you to filter any grid by its item's tagged and commented state.
  • Once you have applied tags and comments to items in your analysis session, Redline allows you to view, search, sort, and filter all of those items in a single view. The "Tags and Comments" view can be found under the "Host" tab of your "Analysis Data" pane to the left. Using the CSV export feature you can then quickly extract all of your relevant findings to your favorite reporting software.
  • This Redline release re-enables the old style searching which filters a list to only items matching the provided keyword. This filtering capability returns as an optional modifier within the new "Find" pane accessible by pressing Ctrl-F within a grid, or clicking on the find icon in the bottom right corner. It can also be combined with the "Apply as Regex" option (same Regex performance characteristics apply).
  • Redline now automatically associates different audit data types and pulls additional information into your current view to help you go from "Zero-to-Evil" faster. For example, the processes analysis view will search the file audit for the executed process' matching file item and pull its MD5 hash and digital signature information directly into the grid so that you can sort, search, and filter. It will also include the full file details from the associated file as a tab on the "Show Details" pane. In other cases Redline will associate a list of items (for example, file write agent events to a process item). These will be displayed in a fully functional list view within the "Show Details" pane as well.
  • Redline now supports whitelist analysis and filtering on any view where items contain MD5 Hashes.
  • Previous Redline releases greatly expanded the amount of available host data. This release adjusts the user interface to better facilitate the analysis of this additional host data. The most noticeable modifications and their impacts are as follows:
  • The "Start your Investigation" page now helps you identify the best place to start your investigation for your specific analysis situation rather than providing you with a set of steps to perform. To help you further, clicking on one of the investigate links provided will open up the view best suited for the type of analysis to start with.
  • The investigative steps are now incorporated into the interface as guiding text and easy to use filters, which are always available in their respective views. The top level parallel views have been removed.
  • The "Hosts" tab has been reorganized to better present the different analysis data views and to remove the unnecessary navigational hierarchy.
  • When no data is collected due to configuration or errors, those items are moved from the "Host" tab to the "Not Collected" tab to place the focus on only data relevant to your investigation.
  • The "Processes" tab has been removed. The data and views it contained are available on the newly added details pages in the "Processes" and "Hierarchical Processes" views. Please use those views for cases where you previously used the "Processes" tab.
  • The "Handles Sub-Category" views, the "Device Tree Details" view, and the "Detailed Memory Sections" views have been replaced by the addition of more accessible investigative filters and expanded "Show Details" use.
  • Double-clicking on any row that has a "Show Details" pane will open up those details as a full page. This will allow you to utilize the full power of the information provided there without being constrained to such a tiny section of the screen real estate.
  • The "Analysis Data" tab and newly added investigative guidance pane now collapse for a friendlier user experience on smaller screen resolutions.
  • Resolved Issues:
  • The Timeline view now allows you to apply a "Unique Process" or "Unique Username" filter through the right click menu when you have a single item with either of these types of data selected.
  • The keyword find functionality will now correctly match within the "Partitions" view underneath "Disks".
  • Redline will no longer fail when attempting to open an analysis session file created with previous versions of Redline. Redline will also open and restore those analysis session files created in Redline-1.7 that were incorrectly upgraded when attempting to open with Redline-1.8.
  • Redline now allows access to the volumes and accessed files lists for prefetch data. The top level "Volumes" view will now filter out the highly duplicative set of volume items gathered by the prefetch audit, as they are now accessible elsewhere.
  • When navigating back and forth between various grid views, Redline will now remember your selected row for each grid and restore that selection when you return.