Free MANDIANT Redline Malware Analysis Tool
MANDIANT might have just dealt another costly blow to HBGary’s Responder business with the release of their Redline memory dump and live system analysis tool. Considering what is available for free in this tool space (Volatility Framework 1.3 and 1.4, MANDIANT Memoryze, and now MANDIANT Redline) it is increasingly difficult to justify the $9000 USD upfront cost of HBGary Responder Pro plus the annual maintenance for Responder and HBGary DDNA (Digital DNA). It is awfully difficult to compete with free.
And unlike HBGary Responder Pro, I can actually reliably open up and analyze a Windows 7 RAM dump successfully with MANDIANT Redline. Redline currently doesn’t have all of the features that HBGary Responder Pro has (e.g. built-in disassembler), but it has enough to make it a viable triage tool, and is worthy of consideration for inclusion in your toolbox.
The 1.4 Volatility Framework fully installed with all available plugins is still the best Windows RAM dump analysis tool in this space, but it lacks a GUI and is thus might not well suited for junior analysts who might not yet be completely comfortable and proficient yet with Volatility’s spartan command line interface.
I am having trouble at the moment with Redline doing live analysis of Windows 7 machines, so hopefully MANDIANT will get that issue sorted out soon. Static analysis of Windows RAM dumps appears to be working fine in Redline. I will be trying some big iron Windows Server 2008 and Server 2003 static RAM dumps later to see how well Redline handles those.