> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-5/endpoint-analysis/forensics-endpoint-analysis-redline.md).

# Redline

## Redline Analyze File Download History

In Redline, investigate system download history to identify initial file access, particularly for suspect binaries.

Navigate to the **File Download History** artifact. Review the list, paying close attention to executable (`.exe`) or other unexpected file types. The list typically includes columns such as **SourceURL**, **FileName**, **MD5**, **DestinationPath**, and **TransferDataTime**.

Select an entry to view its details. Extract critical information such as the **Source URL** (where the file was downloaded from) and the **MD5 hash** (for file identification and IOC comparison).

For example, finding an entry like `WinRAR2021.exe` downloaded from `http://192.168.75.129:4748/Documents/WinRAR2021.exe` with a specific MD5 hash (`890a58f200dfff23165df9e1b088e58f`) directly points to the initial compromise vector and specific binary used. This artifact is crucial for identifying files downloaded by the system, providing the source URL and the hash for correlation with threat intelligence.

***

## Redline Analyze Timeline File Modifications

In Redline's 'Timeline' view, you can quantify the impact of ransomware encryption by filtering events. Deselect all event types except `Modified` and `Changed` under the 'Files' section. Apply a filter to the `Summary` field, looking for the specific ransomware file extension. For example, if the ransomware appends `.t48s39la` to encrypted files, you would filter the 'Summary' field for entries containing `t48s39la`. Counting the resulting events provides the number of files modified or changed with that extension, indicating the scope of the encryption.

Within the Redline filter bar, specific syntax can be used to refine the timeline view. Events can be filtered by `EventType`, such as `"File Modified"`, `"File Renamed"`, `"File Created"`, or `"File Deleted"`. Additionally, the `Summary` or `FileName` fields can be filtered to search for specific patterns, like a ransomware extension. For instance, to find files that were modified and have a specific ransomware extension, a combined filter can be applied using `AND`:

```
EventType == "File Modified" AND Summary contains ".lockbit"
```

Alternatively, the filter could target the `FileName` field if the extension is appended there:

```
EventType == "File Modified" AND FileName contains ".lockbit"
```

Applying such filters isolates events directly related to the encryption process, allowing for a clear count of affected files based on the observed ransomware file extension. Filters can also be combined using `OR` for more complex searches.

***

## Redline Locate Ransomware Artifact Files

In Redline's analysis view, navigate to the 'File System' section. Browse common user directories such as `Desktop`, `Favorites`, and temporary folders like `AppData\Local\Temp`. Look for files based on characteristics often associated with ransomware artifacts:

* **Suspicious Names/Extensions:** Files with names like `readme`, or common image extensions (`.bmp`) used for altered wallpapers. Also, look for unusual extensions appended to normal files (e.g., `.url.ransom_ext`).
* **File Attributes:** Pay attention to files marked as `Hidden`, which ransomware may use for lock or state files (e.g., a 0-byte `.lock` file). Malware often uses file attributes like `Hidden` to conceal its presence or supporting files. The `attrib` command is a Windows command-line utility used to change the attributes of a file or directory. To hide a file, the command is:

  ```bash
  attrib +h <file_path>
  ```

  The `+h` parameter adds the hidden attribute, and `<file_path>` is the path to the file you want to hide. To remove the hidden attribute, use the `-h` parameter:

  ```bash
  attrib -h <file_path>
  ```

  While the `attrib` command can set attributes like read-only (+r) or system (+s), it does not provide true 'locking' in the sense of preventing deletion or modification by the operating system or other processes directly. In the context of malware, a 'lock file' often refers to a file whose *presence* indicates a state (like encryption complete) or is used as a simple mutex, not necessarily a file locked by OS attributes.
* **Locations:** Ransom notes, altered wallpapers, and lock files are commonly placed directly on the Desktop or within user profile subdirectories.

Use the filtering options in Redline's file system view (e.g., filtering by extension, size, or attributes) to help narrow down suspicious files. Look for patterns similar to examples like `t48s39la-readme.txt` (Desktop), `hk8.bmp` (`AppData\Local\Temp`), `GobiernoUSA.gov.url.t48s39la` (`Favorites\Links for United States`), or hidden files like `d60dff40.lock` (Desktop).
