Monday, February 15, 2016

Processing Mandiant Redline Files Using Splunk

By Tony Lee


Do you use Mandiant's Redline for performing host investigation?  Do you use Splunk for centralized log collection and monitoring?  How about using these two tools together?  The team behind the Splunk Forensic Investigator app is experimenting with ingesting Redline collections.  We have made good progress on proving that it is possible to automate the ingestion of Redline collections and use Splunk to carve and display data from multiple hosts at the same time.  However, we were wondering how many people would find this capability useful enough to see the work completed.  Check out the prototyping below and let us know if you would find this useful by leaving a comment below (account not necessary).

We have example output below:

[Screenshot: System info displayed in Redline]

[Screenshot: System info displayed in Splunk]

[Screenshot: Driver modules displayed in Redline]

[Screenshot: Driver modules displayed in Splunk]

Above and beyond replication

Recreating the Redline output is all well and good, however keep in mind that ingesting the data into Splunk allows you to filter, search, and carve across multiple systems at the same time.  Additionally, it would allow you to use Splunk's big data crunching capabilities.  It is very simple to ask Splunk to apply statistical analysis to large data sets to help look for anomalies within hosts such as:
  • Drive letters/mappings that don't meet corporate standards
  • Logged in/on users that occur infrequently (such as service accounts)
  • Forgotten operating systems that may be weak points or exploited first within a network

Or when analyzing drivers on multiple hosts, an investigator could glance at a dashboard and determine any of the following and more:
  • Number of drivers per host
  • Largest driver
  • Smallest driver
  • Most common driver file name
  • Most common driver path
  • Least common driver file name
  • Least common driver path
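To show what those dashboard figures look like once driver-module results from several hosts sit side by side, here is an added example (not code from the post or from the Forensic Investigator app) that computes them in Python over constructed records; the field names host, name, path and size are assumptions, and the last helper adds a "stacking" check that flags driver paths seen on only one host, which is the anomaly hunt the post is describing.

```python
from collections import Counter

# Constructed sample: one record per driver module per host, as they might
# look after Redline driver-module results are ingested as events.
# Field names (host, name, path, size) are hypothetical.
DRIVERS = [
    {"host": "ws01", "name": "ntfs.sys", "path": r"C:\Windows\System32\drivers\ntfs.sys", "size": 1_700_000},
    {"host": "ws01", "name": "tcpip.sys", "path": r"C:\Windows\System32\drivers\tcpip.sys", "size": 2_100_000},
    {"host": "ws02", "name": "ntfs.sys", "path": r"C:\Windows\System32\drivers\ntfs.sys", "size": 1_700_000},
    {"host": "ws02", "name": "tcpip.sys", "path": r"C:\Windows\System32\drivers\tcpip.sys", "size": 2_100_000},
    {"host": "ws03", "name": "ntfs.sys", "path": r"C:\Windows\System32\drivers\ntfs.sys", "size": 1_700_000},
    {"host": "ws03", "name": "tcpip.sys", "path": r"C:\Windows\System32\drivers\tcpip.sys", "size": 2_100_000},
    # Same file name as a legitimate driver, but loaded from an odd location on one host only.
    {"host": "ws03", "name": "tcpip.sys", "path": r"C:\Users\Public\tcpip.sys", "size": 48_000},
]


def driver_stats(records):
    """Compute the cross-host dashboard figures listed above."""
    per_host = Counter(r["host"] for r in records)
    names = Counter(r["name"] for r in records)
    paths = Counter(r["path"] for r in records)
    by_size = sorted(records, key=lambda r: r["size"])  # stable sort
    return {
        "drivers_per_host": dict(per_host),
        "largest": by_size[-1]["path"],
        "smallest": by_size[0]["path"],
        "most_common_name": names.most_common(1)[0][0],
        "least_common_name": names.most_common()[-1][0],
        "most_common_path": paths.most_common(1)[0][0],
        "least_common_path": paths.most_common()[-1][0],
    }


def rare_paths(records, max_hosts=1):
    """Stacking check: driver paths present on at most `max_hosts` hosts.
    A familiar driver name loaded from a path nobody else has is exactly
    the kind of outlier an investigator would pull up for review."""
    hosts_by_path = {}
    for r in records:
        hosts_by_path.setdefault(r["path"], set()).add(r["host"])
    return sorted(p for p, hosts in hosts_by_path.items() if len(hosts) <= max_hosts)
```

The "least common" counters do the same job as a rare-value search in Splunk; the difference is that here the whole population is in memory, so the sample has to be small.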


These are just some examples of interesting data one might pull from analyzing many collections.  The possibilities are probably endless.  Let us know what you think.  Thanks.