Redline Analysis Lab Part 1

00:00

Hello. My name's David. Welcome to analyzing attacks. Fellow journey er's

00:07

to the realm of knowledge.

00:10

Yes. Well, I don't know about you, but in our last episode, we ran our red line analysis

00:19

on an infected machine virtual machine in order to get some line memory analysis underway. So we had loaded up our redline lab. Right here was this folder is open, and we also began running her dot t x C,

00:37

which we had downloaded from the Internet.

00:40

Now, as you can see, I had my process hacker open. So it is running. So what I can do is now actually terminate that process and get it off of a system that's running

00:53

now for future reference for uses. So

00:59

we're on the same path here now that I've run this in my Windows virtual machine. If I'm not gonna use this portable receiver, anything else I'm gonna restored back through steak? That way, any other kind of analysis lab work that I do will possibly be affected.

01:17

Bye.

01:18

The infection I caused during this lab Now, in real world, that's too, because every time you do analysis, you want start clean system. That way, there's no contamination from prior infections that you ride or anything along those lines.

01:34

Now we can see that the audience folder was created here in my analysis session one. And the good thing about Red Line is you could run this across multiple systems, and then each analysis session's gonna be named something different. In this case of Alice, Session one, in some instances in, they

01:53

start naming them by the system name so that you can identify them when you go back to begin your analysis and in large outbreaks

02:00

of Mount where, where you're doing memory analysis for several machines, that's pretty handy, especially if you're utilizing a nice size. It's hard drive. Remember, what's one of the limitations of memory analysis?

02:16

Right? Your image has to fit onto the extra drive, along with any other

02:25

analysis that you get. So if we look here at our analysis session and check our properties out, we're going to see its nine gigs so we can't use a four gig come Dr thinking that

02:39

we're going to store all this data on it, it's gonna have to be

02:44

either an external hard drive over a very large thumb drive on in today's day and age. Of course, that's not hurt under on it. So you can take a look here. You can see some of the different files that have been created by red line. And if you want to be really curation started Mina 1 40

03:02

at one. Ooh,

03:05

See, you're one of three looks like

03:07

and it ran all the way down to 1 41

03:12

So it took Ah, roughly almost 40 minutes to run on this system itself. Right here. Now, since I haven't saved, what I want to do is get a copy off of my, um,

03:28

virtual machine, and I want to carry it over to my announced system. Now, in real world, you would do this via thumb drive. You bring some drive back

03:38

implanted into your announced system on DDE,

03:42

you realize in then to denounce is not, I repeat, not going to do this analysis on the infected machine on Di did repeat that because it sometimes people being in Russia at starting the analysis on the sheet and

04:00

it creates a whole other problem. So you want to wait, if at all possible.

04:06

Hopefully this year's there. Okay, I have run into some technical issues. Transferring Stiles. Look, for whatever reason, somebody's in my VM where that's like cotton them out on my machine on

04:26

there's the problem.

04:28

What's open this back up.

04:34

We can't possibly do something a little different here.

04:45

I love the fact that I'm Moses when she hears my red line. See Pinky copy out this way.

04:57

And unfortunately, some of this is the kind of things we're gonna run into our world. I've watched a lot of labs online. We're not smoothly functioning on. They don't run into any kind of technical issues. That's not the real world, just Italian. You need to be able to troubleshoot the tools that you're using,

05:16

Um,

05:17

because you're gonna have to do in the real world. So even in labs like this one, on any others that you run, you need to be able to actually troubleshoot through way through any issues that you might love it. And, you know, you can ask yourself questions. I could this be because I'm *** lives only, um,

05:36

therefore, kinds of the areas like that can cause problems

05:42

in the transfer of this information out

05:45

on. We'll see here. This one works

05:48

says, Let's cancel and P file in Berkeley. Machine is interested.

05:57

That did not correct Harry. Oh,

06:00

so since we

06:03

I need this device

06:06

Well, Jean, you're not walking after, says reacted. It's an added.

06:12

I said I was the only change that

06:21

So what I will do. Don't take my Sessions folder copy and this seems like Han drop out the entire file. Since it's probably a little bit smaller, we will work a little bit

06:38

just talking to my wife and blabbing because I was letting this run thought erl aside and she was like, Why aren't you in there recording your videos and we'll win? Am I supposed to do just that? They're insane to the audience while I wait for you to run in and you see, it's a minute troubling,

06:58

so you would have had a good 40 minutes

07:00

of my annoying, melodious voice seeing Europe. We had actually done it that way. Now, hopefully this method will work and who their session files out so we can take a look at it in red line. Unfortunately, this is the kind of thing which face again, like I said

07:19

in the real world, troubleshooting and try it.

07:23

Figure out what the problem. This and it looks like this is going to work. Now, I know this may seem like a waste of time to you for a lab, but again, 1/2 distress. You've got to be able to troubleshoot working away pursuit of some of these problems was leaves me now to say

07:43

so. It's pouring other avenues under the site security

07:46

Human burst.

07:48

Go learn some network plus go learn some A plus. That way you start getting good basic understanding of systems and networks. How work? In order to boost your own ability to handle incidents and understand what's going on in the background,

08:11

place those files in this case. Now, what I want to do is some of the parts, my beautiful machine.

08:20

Remember when I tell you to do with this,

08:24

huh?

08:24

Yes. Restore it back between version. I did not do it on that one. I'm just telling me that. So let's see. Here we have

08:33

are analyzed eight and you can see you've got different choices that you could rate so we could say from a safe file. Or we could say from a previous analysis,

08:43

Let's jump over here to desk up Here we have my lab. Red line.

08:48

It's X 64 with nothing, and we have six. Not so we've not done any analysis on the jet, which makes a certain amount of sense. So let's go back to 86. We've got nothing again and

09:05

nothing.

09:09

It is puzzling me. So,

09:16

yes, we've got quite a procession.

09:20

Come in here and knock it. ISS. Now again, let's trouble few keys. Walk through this process. Now, when you see here is it's ready to go ready, I'll click it.

09:33

It will open it up in red line and begin to live. Now again, this is gonna take a little bit of time. Locusts and higher session up in the red line. So we're gonna pause a video, ready it low, and then when it gets truly later, we'll come back with a little work together. Take a look at some of the things that you might be able to learn from this.

09:52

Yeah, And from that particular consume our