How Will I Fill This Web Historian-Shaped Hole in My Heart?

With the recent integration of Mandiant Web Historian™ into
Mandiant Redline™
, you may be asking “How do I review my
Web History using Redline?” If so, then follow along as I
explain how to collect and review web history data in Redline – with
a focus on areas where the workflow and features differ from that of
Web Historian.

For those of you unfamiliar with Redline, it
is Mandiant’s premier free tool, providing host investigative
capabilities to help users find signs of malicious activity through
memory and file analysis and the development of a threat assessment
profile.

Configuring Web History Data Collection

Web
Historian provided three options for choosing how to find web
history data that you want to analyze: scan my local system, scan a
profile folder, and parse an individual history file. Redline allows
you to accomplish all three of these operations using a single
option, Analyze this Computer, which is found under the Main
Menu in the upper left corner. Specifying the path to a profile
folder or a history file will require some additional
configuration:

Figure 1: Finding your web history data
Web Historian (Left) vs. Redline (Right)

Click on Analyze this
Computer
to begin configuring your analysis session. To ensure
that Redline collects your desired web history data, click the link
to Edit your script
. On the View and Edit Your Script window are several
options; take a look around and turn on any and all data that might
interest you. For our purposes, we will be focusing on the
Browser History options underneath the Network
tab. This section contains all of the familiar options from
Web Historian; simply select the boxes corresponding to the data you
wish to collect.

One difference you may notice is the absence
of an option to specify the browser(s) you would like to target. You
can now find that option by selecting Show Advanced Parameters
from the upper right corner of the window. Once advanced
parameters are enabled, simply type the name of any browser(s) you
would like to target, each on its own separate line in the Target
Browser
field. To have Redline collect any web history data
regardless of browser, just leave this field empty.

You may
also notice that enabling advanced parameters activates a field for
History Files Location. As you may have guessed, this is
where you can specify a path to a profile folder or history file to
analyze directly, as you were able to do in Web Historian.

Figure 2: Configuring Redline to Collect
Browser History Data

Now that you have finished configuring your
script, choose a location to save your analysis session and then hit OK
. Redline will run the script, which will require
Administrator privileges and may trigger a UAC prompt before running
depending on how your system is configured. After a brief collecting
and processing time, your web history data will be ready for
review.

Reviewing your Data

For the actual review of
your web history data, you should feel right at home in Redline.
Just like Web Historian, Redline uses a sortable, searchable,
configurable table view for each of the individual categories of web
history data.

Figure 3: Displaying your web history
data for review in both Web Historian (behind) and Redline
(front)

Although similar, Redline does have a few minor
differences in how it visualizes your data:

  • Redline
    does not break the data into pages; instead it will discretely
    page in large data sets (25k+ rows) automatically as you scroll
    down through the list.
  • To configure the table view, you
    will need to manipulate the column headers for ordering and
    resizing, and right-click on a column header to show and hide
    columns – as opposed to using the column configuration menu in Web
    Historian.
  • Searching and simple filtering is done in each
    individual table view and is not applied globally. To access the
    find options, either press the magnifying glass in the
    bottom right corner, or press Ctrl-f while a table view is
    selected.
  • To export your data to a CSV (comma separated
    values) format file, click on export in the bottom right
    corner. Like Web Historian, Redline will only export data
    currently in the table view. If you applied any filtering or tags,
    those will affect the data as it is exported.

In
addition to the features that have always been available in Web
Historian, Redline also allows you to review your web history with
its full suite of analytical capabilities and investigative tools.
Check out the Redline user guide for a full description of these
capabilities. Here are just a few of the most popular:

  • Timeline provides a chronological listing of all web-based
    events (e.g., URL last browsed to, File Download Started, etc.) in
    a single heterogeneous display. You can employ this to follow the
    activities of a user or attacker as they played out on the system.
    You can also quickly reduce your target investigative scope using
    the Timeline’s powerful filtering capabilities.
  • Use tags
    and comments to mark-up your findings as you perform your
    investigation, making it easier to keep track of what you have
    seen while moving forward. You can then go back and export those
    results into your favorite reporting solution.
  • Use
    Indicators of Compromise (IOCs) as a quick way to determine if
    your system contains any potential security breaches or other
    evidence of compromise. Visit http://www.openioc.org/ to
    learn more about IOCs.
  • Last but not least, Redline gives
    you the ability to examine an entire system worth of metadata.
    With Redline, you are not simply restricted to Web History related
    data; you can investigate security incidents with the scope and
    context of the full system.

If your favorite feature
from Web Historian has not yet been included in Redline (Graphing,
Complex Filtering, etc.), feel free to make a request using one of
the contact methods specified below. We will be taking feedback into
consideration when choosing what the Redline team works on in the
future.

As always, feel free to contact
us
with send any additional questions. And just in case you do
not already have it, the latest version of Redline (v1.10 as of the
time of this writing) can always be found here.

By admin