Sunday, August 10, 2014

Beginning Memory Forensics - Mandiant's Redline - Setting up the collector

A while back I did a 2 part post on beginning memory forensics with dumpit and volatility. For whatever strange reason, those seem to be my most popular posts. I'm not sure why, but I can appreciate that since I have a preference for the forensics side of things. With that said, the next 3 posts will be memory forensics with Mandiant's Redline. So without further ado, let's begin.

Once we have downloaded and successfully installed Redline, we next have to set up our collector. Let's use the "Standard Collector". For this we will only collect the minimum amount of information required for an analysis.

From the standard collector page we select "Acquire Memory Image" and then "Browse" for the directory in which the collector should be stored.

Once the collector has finished running, it will report the message below.
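A step the post skips that is worth doing as soon as the collector reports it is done: record a hash of everything in the collector's output directory, so you can later prove the memory image and audit files analysed in Redline are the ones that came off the suspect machine. The script below is an added example written for this post; it is not part of Redline or of the original article. It assumes nothing about the collector's directory layout (it hashes every file it finds), and the file names used in `demo()` are constructed stand-ins for a real collector run.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256.json"  # assumed name, not a Redline file


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so a multi-GB memory image fits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(collector_dir, exclude=(MANIFEST_NAME,)):
    """Map every file under collector_dir (relative path -> sha256, size)."""
    root = Path(collector_dir)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel in exclude:
            continue
        manifest[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return manifest


def write_manifest(collector_dir):
    """Hash the collector output right after acquisition and save the manifest."""
    manifest = build_manifest(collector_dir)
    out = Path(collector_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(collector_dir):
    """Re-hash the directory and report files that are missing or changed."""
    root = Path(collector_dir)
    expected = json.loads((root / MANIFEST_NAME).read_text())
    problems = []
    for rel in sorted(expected):
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif hash_file(p) != expected[rel]["sha256"]:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Simulate a collector run with constructed files, then tamper with it.

    Returns (problems right after acquisition, problems after tampering).
    """
    root = Path(tempfile.mkdtemp(prefix="redline_collector_"))
    # Constructed stand-ins for a collector's output; not real Redline files.
    (root / "audit").mkdir()
    (root / "audit" / "audit.xml").write_text("<audit>constructed</audit>")
    (root / "memory.img").write_bytes(b"\x00" * 4096 + b"constructed image")

    write_manifest(root)
    clean = verify_manifest(root)

    # Simulate evidence being altered and a file going missing.
    (root / "memory.img").write_bytes(b"\x00" * 4096 + b"tampered image")
    (root / "audit" / "audit.xml").unlink()
    tampered = verify_manifest(root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("right after acquisition:", before or "all files match")
    print("after tampering:", after)
```

Run `write_manifest()` once against the collector's output directory while it is still on the acquisition media, and `verify_manifest()` again before loading the image into Redline; an empty list means nothing was lost or altered in between.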

So now that we have finished setting up our collector, let's look at the next post for how we will collect the contents of RAM from the suspect machine.

Reference:
https://www.mandiant.com/resources/download/redline
