homepage
Open menu
Go one level top
  • Train and Certify
    • Overview
    • Get Started in Cyber
    • Courses
    • GIAC Certifications
    • Training Roadmap
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • Scholarship Academies
    • NICE Framework
    • Specials
  • Manage Your Team
    • Overview
    • Group Purchasing
    • Why Work with SANS
    • Build Your Team
    • Hire Cyber Talent
    • Team Development
    • Private Training
    • Security Awareness Training
    • Leadership Training
    • Industries
  • Resources
    • Overview
    • Internet Storm Center
    • White Papers
    • Webcasts
    • Tools
    • Newsletters
    • Blog
    • Podcasts
    • Posters & Cheat Sheets
    • Summit Presentations
    • Security Policy Project
  • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Cyber Security Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    • About SANS
    • Our Founder
    • Instructors
    • Mission
    • Diversity
    • Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Cisco Router Forensics
Craig Wright

Cisco Router Forensics

November 24, 2008

The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves using issuing the "show" commands and collecting data such as logs and network activity data. Some of this information is detailed below.

Show Commands

Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:

  • show clock detail
  • show version
  • show running-config
  • show startup-config
  • show reload
  • show ip route
  • show ip arp
  • show users
  • show logging
  • show ip interface
  • show interfaces
  • show tcp brief all
  • show ip sockets
  • show ip nat translations verbose
  • show ip cache flow
  • show ip cef
  • show snmp user
  • show snmp group
  • show clock detail

Show audit

The Router Security Audit Logs feature allows for the creation of audit trails. If these are configured, they may be used to track changes that have been made to a router that is running Cisco IOS software.

The "show audit" command displays the contents of an audit file. The syntax of the command is:

show audit [filestat]

The option, "filestat" is used to displays the rollover counter for the circular buffer and the number of messages that are received. The rollover counter, which indicates the number of times circular buffer has been overwritten, is reset when the audit filesize is changed (via the audit filesize command). This command runs from the privileged exec mode. This command will create a hash of the information from the "show version" command.

Show Clock Detail

Timeline entanglement is import to forensic investigations. This command is used to display the time of day and the status of the SNTP server (if one is configured) that is used by the router.

Figure 1
Figure 1: Router Times are often not configured correctly

Show Version

The "show version" command is a powerful tool. It can display:

  • the version of the IOS on the router
  • the version of the ROM bootstrap
  • the version of the boot loader
  • how the router was last powered on (i.e. warm reboot or a system panic.)
  • the time and date when the system was last started
  • the "uptime" (i.e. how long the router has been running from the last power-on)
  • the image file that the device last started
  • how much RAM the device has and other hardware information such as:
    • the processor board ID can be used to determine the version of the router's motherboard
    • the number and type of each interface on the router
    • the number of terminal lines on the router and if asynchronous serial lines are used
    • the amount of nonvolatile RAM (NVRAM) used to hold the SAVED version of the configuration file or startup-config
    • The size and type of Flash memory on the router
  • The configuration register on the device
  • The hostname of the device

Show Access Lists

This command displays the content of all access lists (or one specified access list) on the router.

show access-lists [access-list-name] [applied]

The access-list-name keyword is used to display a specified access list and the show access-lists applied command is used to show the ACLs that are currently being applied to an interface and the configured behavior per interface.

Show Users

This command will Show or list which users are logged into a Cisco router.

Show Routing Table

This command will display the routing table used by the router. This will aid in determining if an attacker has:

  • Injected routing information (e.g. RIP poisoning attacks)
  • Deleted routes (i.e. to remove the path to a logging server)

Show Banners

This will display any banners that are configured on the router.

Show ARP & Show IP Arp

This command displays ARP statistics associated with the router interfaces. It can be set to display a specified interface, a specified host, a specified IP address, or a specified MAC hardware address. This command will aid in determining hardware address information (the MAC Address) of locally connected hosts and if MAC spoofing has occurred.

Show TCP

The commands show ip sockets, show udp and show tcp are used to display traffic passing through the router, display statistics about the protocols and to see which ports the router is listening on.

Show tech-support

As of Cisco IOS Software Release 11.2, the command "show tech-support" has allowed for the collection of multiple sources of information concerning the router in a single command. This one command will output the same as running all of the following commands:

  • show version
  • show running-config
  • show stacks
  • show interface
  • show controller
  • show process cpu
  • show process memory
  • show buffers

By limiting the number of commands run, we can limit the changes to the system.

Show Stacks

The "show stacks" command EXEC command is used to monitor the stack usage of processes and interrupt routines. The show stacks output is one of the most indispensable sources of information to collect when the router crashes. It is also one of the most detailed commands for the analysis of the routers memory and is useful in analyzing router compromises.

Advanced Data Collection

The most effective way to capture and analyze the router involves the creation of a core dump. A core dump will contain the complete memory image of the router at the time it was created.

Cisco has included an IOS command to test or trigger a core dump:

#write core

Use this command in privileged exec mode (enable mode). This command will cause a crash, and the content of the memory will be dumped accordingly. When a core dump is generated, the entire setup and config can be reviewed forensically.

A core dump can be saved to:

  • An FTP server
    • ip ftp usename username
    • ip ftp password password
    • exception protocol ftp
    • exception dump a.b.c.d
  • A TFTP server (exception dump a.b.c.d)
  • Using RCP
    • exception protocol rcp
    • exception dump a.b.c.d
  • To a Flash disk (exception flash <procmem|iomem|all> <device_name[:partition_number]> <erase | no_erase>)

The best option will depend on the individual device and situation.

Core Analysis

The analysis of a Cisco router core dump is not a simple task. It has been made easier with the introduction of a free service from CIR. In the event that loading a file to the Internet is not an option, there is a commercial product as well.

Figure 1
Figure 2: CIR Online allows network engineers and digital forensics experts to analyze Cisco IOS memory dumps

Cisco routers are essentially one single ELF binary that runs as a large, statically linked UNIX Program that is loaded by ROMMON. Written in C, the IOS dump can be reversed in order to analyze the system. A Cisco IOS core dump contains a complete image of the router's:

  • main memory,
  • IO memory, and
  • the PCI memory (if used).

Core dumps are useful as they contain the complete image of the Cisco device at an instant. They can even be used to extract network traffic from IO memory into a PCAP file for analysis.

Craig Wright, GFCA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
Vote_now.png
Digital Forensics and Incident Response
April 24, 2022
Which DFIR Summit Mascots do you want to see as Lego giveaways this year? Vote now!
To celebrate the 15th year of the DFIR Summit, we are letting you choose your favorite Summit mascot over the years. Which will make our Lego set?
Viv_Ross_370x370.png
Viviana Ross
read more
Blog
Untitled_design-43.png
Digital Forensics and Incident Response, Cybersecurity and IT Essentials, Industrial Control Systems Security, Purple Team, Open-Source Intelligence (OSINT), Penetration Testing and Ethical Hacking, Cyber Defense, Cloud Security, Security Management, Legal, and Audit
December 8, 2021
Good News: SANS Virtual Summits Will Remain FREE for the Community in 2022
They’re virtual. They’re global. They’re free.
Emily Blades
read more
Blog
Digital Forensics and Incident Response
February 1, 2010
It's the little things (Part One)
For forensic analysts working in Windows environments, .lnk shortcut files and the thumbprint caches are valuable sources for details about missing data. Individuals wanting to hide their activities may flush their browser cache, Temp files, use, and even wipe the drive free space. However, they...
SANS_DFIR-370x370.png
SANS DFIR
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cyber Security Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2022 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn