Posted: Thu Dec 07, 2017 6:19 pm
I've been looking at an asset on and off in Mandiant Redline regarding some data that was recently alerted on DLP for exfiltration. It turns out that we noticed some unusual data file names from a recent report audit and found that the user was uploading data to Vimeo via Chrome. However, I narrowed down on the timeline and I'm a little stumped as to how I might be able to better get an idea of how to determine what was really uploaded.
The data was clearly at rest and in use before transit, so it had to get onto the asset somehow. If I use the Timeline, I can correlate the Chrome events that correspond to the DNS requests to Vimeo; however (either I am blind here, or) I am not seeing where the data was fetched from at rest to become in use with Chrome via upload and in transit to Vimeo. Has anyone had any experience with Redline and may be able to offer some suggestions?
Thank you, and happy holidays.