By Tony Lee
Introduction
Do you use Mandiant's Redline (https://www.fireeye.com/services/freeware/redline.html) for performing host investigation? Do you use Splunk for centralized log collection and monitoring? How about using these two tools together? The team behind the Splunk Forensic Investigator app (https://splunkbase.splunk.com/app/2895/) is experimenting with ingesting Redline collections. We have made good progress on proving that it is possible to automate the ingestion of Redline collections and use Splunk to carve and display data from multiple hosts at the same time. However, we were wondering how many people would find this capability useful enough to see the work completed. Check out the prototyping below and let us know if you would find this useful by leaving a comment below (account not necessary).
We have example output below:
System info displayed in Redline
System info displayed in Splunk
Driver modules displayed in Redline
Driver modules displayed in Splunk
Above and beyond replication
Recreating the Redline output is all well and good; however, keep in mind that ingesting the data into Splunk allows you to filter, search, and carve across multiple systems at the same time. Additionally, it would allow you to use Splunk's big data crunching capabilities. It is very simple to ask Splunk to apply statistical analysis to large data sets to help look for anomalies within hosts such as:
- Drive letters/mappings that don't meet corporate standards
- Logged in/on users that occur infrequently (such as service accounts)
- Forgotten operating systems that may be weak points or exploited first within a network
Or when analyzing drivers on multiple hosts, an investigator could glance at a dashboard and determine any of the following and more:
- Number of drivers per host
- Largest driver
- Smallest driver
- Most common driver file name
- Most common driver path
- Least common driver file name
- Least common driver path
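As an added illustration of the two ideas above (flattening a per-host Redline collection into events Splunk can ingest, then computing cross-host statistics and "rare value" anomalies over them), here is a small Python example. It is not code from the post or from the Splunk Forensic Investigator app. The XML element names (DriverItem, FileName, FilePath, FileSize) and the two host listings are constructed placeholders standing in for Redline's real schema; the SPL commands in the comments (stats, top, rare, sort) are real Splunk search commands, but the field names they reference are the same assumed ones.

```python
"""Added example: flatten constructed Redline-style driver listings into
per-host JSON events and compute the dashboard statistics listed in the post.
Element names and sample data are assumptions, not Redline's actual schema."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample collections: two hosts, one XML listing each.
# host-b carries one driver in an unusual location so the "least common"
# statistics have something to surface.
SAMPLE_XML = {
    "host-a": """<Drivers>
  <DriverItem><FileName>ntoskrnl.exe</FileName><FilePath>C:\\Windows\\System32</FilePath><FileSize>10000</FileSize></DriverItem>
  <DriverItem><FileName>tcpip.sys</FileName><FilePath>C:\\Windows\\System32\\drivers</FilePath><FileSize>2500</FileSize></DriverItem>
  <DriverItem><FileName>ndis.sys</FileName><FilePath>C:\\Windows\\System32\\drivers</FilePath><FileSize>1200</FileSize></DriverItem>
</Drivers>""",
    "host-b": """<Drivers>
  <DriverItem><FileName>ntoskrnl.exe</FileName><FilePath>C:\\Windows\\System32</FilePath><FileSize>10000</FileSize></DriverItem>
  <DriverItem><FileName>tcpip.sys</FileName><FilePath>C:\\Windows\\System32\\drivers</FilePath><FileSize>2500</FileSize></DriverItem>
  <DriverItem><FileName>oddball.sys</FileName><FilePath>C:\\Users\\Public</FilePath><FileSize>300</FileSize></DriverItem>
</Drivers>""",
}


def flatten(hostname, xml_text):
    """Turn one host's XML listing into flat dict events, one per driver.
    Tagging each event with the host is what makes cross-host stats possible."""
    root = ET.fromstring(xml_text)
    events = []
    for item in root.iter("DriverItem"):  # assumed element name
        events.append({
            "host": hostname,
            "FileName": item.findtext("FileName"),
            "FilePath": item.findtext("FilePath"),
            "FileSize": int(item.findtext("FileSize")),
        })
    return events


def to_splunk_events(collections):
    """Emit newline-delimited JSON, one event per line, the shape a file or
    HTTP Event Collector input ingests directly."""
    events = [e for host, xml in collections.items() for e in flatten(host, xml)]
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def rare_values(events, field):
    """Values of `field` seen on exactly one host: the generic form of the
    'infrequent user' / 'non-standard drive letter' anomaly checks.
    SPL equivalent: | stats dc(host) as hosts by <field> | where hosts=1"""
    hosts_per_value = {}
    for e in events:
        hosts_per_value.setdefault(e[field], set()).add(e["host"])
    return sorted(v for v, hosts in hosts_per_value.items() if len(hosts) == 1)


def driver_stats(events):
    """Compute the driver dashboard numbers from the post; SPL equivalents
    (with the assumed field names) are in the comments."""
    names = Counter(e["FileName"] for e in events)
    paths = Counter(e["FilePath"] for e in events)
    by_size = sorted(events, key=lambda e: e["FileSize"])
    return {
        "drivers_per_host": dict(Counter(e["host"] for e in events)),  # | stats count by host
        "largest": by_size[-1]["FileName"],                            # | sort - FileSize | head 1
        "smallest": by_size[0]["FileName"],                            # | sort FileSize | head 1
        "most_common_name": names.most_common(1)[0][0],                # | top limit=1 FileName
        "most_common_path": paths.most_common(1)[0][0],                # | top limit=1 FilePath
        "least_common_name": names.most_common()[-1][0],               # | rare limit=1 FileName
        "least_common_path": paths.most_common()[-1][0],               # | rare limit=1 FilePath
    }


if __name__ == "__main__":
    print(to_splunk_events(SAMPLE_XML))
    all_events = [e for h, x in SAMPLE_XML.items() for e in flatten(h, x)]
    print(json.dumps(driver_stats(all_events), indent=2))
    # Drivers present on only one host are the first thing to review.
    print("single-host drivers:", rare_values(all_events, "FileName"))
```

With the constructed data, the "least common" path and file name both point at the single driver sitting under C:\Users\Public, which is exactly the kind of outlier the post describes surfacing from a dashboard rather than by reading each host's Redline session by hand.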