This blog post is aimed at incident response teams who need to investigate and gather evidence from a Cisco router in a forensically sound manner. This may be where an internet facing router has been identified and is using default logon credentials, perhaps Cisco Smart Install was left enabled, or you may just want to take a look at who has been poking around on the box. This post outlines how to gather simple things such as logs from the device and also how to check whether the IOS has been tampered with and potentially implanted with something malicious.

When triaging or investigating any network device never perform a reboot: this will lose all volatile data within the device and compromise the investigation. I accept no responsibility for any unexpected behaviour or sudden reboots of any Cisco router where this process has been implemented. Ensure that work is undertaken alongside the network team/admins and that appropriate controls are in place. This post does not cover routers which are running IOS-XR.

The initial stage of evidence gathering can be completed by issuing a number of 'show' commands and recording the output. You will need to configure your PuTTY client to write a log file of your session:

1. Click 'Browse' and select the location you would like to save the log file.
2. Save the filename as something unique such as the router's hostname and save it as a.
3. Click 'Session' and enter the IP address of the router in the 'Host Name' field.
4. Ensure your port number is 22 and click 'Open' (port 23 if you are using telnet :-|).

You will now be connected to the router and presented with the command line prompt.

The following commands must be run in 'enable' mode; some commands may not work depending on the IOS version, or certain features may not be in use. 'Enable' mode allows the user to run a higher level and wider range of 'show' commands such as 'show running-config'. To enter enable mode simply type 'enable' and then press enter. Run the following commands to gather as much evidence as possible; feel free to amend and remove commands as required. Note that some may be required by Cisco if the incident is escalated to them i.e.

From the above commands, "show history all" will provide you with the commands that have been run on that device. This history is held in memory, which is one more reason not to reboot.

Note: If the router is a C3900e, don't run the verify /md5 system:memory/text command as it will crash the router.

This section describes how to verify the integrity of the device firmware stored in flash. The MD5 you obtain here should be compared with the checksum Cisco publishes for that exact image. However, a matching hash does not guarantee that the Cisco IOS device is free from compromise: it only covers the file in flash, not what is actually running in memory, so the further analysis described later in this post will still be required.

From the Cisco command line of the router on which you wish to perform the integrity checks, issue the following command (the output should already have been recorded in the previous section):

The above output tells us the router model is a Cisco 1921 and also shows the running IOS image, in this case 'C1900-universalk9.mz.3.bin'. '154-3.M3' is the version number of the IOS and represents version 15.4(3)M3. 'usbflash0' indicates where the IOS is located; this may vary, so double check the location listed and use it, together with the exact filename, in the command below.

To generate an MD5 hash of the IOS enter the following command:

The router will now calculate an MD5 hash of the IOS file you have selected. Once this has completed the following output will be displayed:

4. Diagnostic Data Capture, Preliminary Work

The following information outlines how to configure a Cisco device for the transfer of data via FTP. The data transferred from the Cisco device will be a memory dump and an image of the device; the captured image is the running IOS of the device.

Note: It is advisable for the investigator to create a directory in their home folder on the FTP server to which the data is being transferred. If there is more than one device being investigated, ensure that files are written to per device/per dump directories. Where a dump is being repeated for any reason, I have found it best practice to write the files to a new directory for that device rather than overwrite any existing dumps, even if they contain errors. The resulting directory structure should look something like this:
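The PuTTY log captured above is the evidence the integrity check rests on, so it is worth parsing it rather than reading hashes by eye. The following is an added example, not code from the original post: it pulls the hostname, IOS version, model, image location and filename out of a saved session log, finds the result of the router's 'verify /md5' run, and compares it with a known-good value (in practice the MD5 Cisco publishes for that exact image). It also refuses to pass a hash that was computed over a file other than the image 'show version' reports as running. The session log, image filename and hash values in the block are constructed for illustration and are not real output or real Cisco checksums.

```python
"""Parse a saved PuTTY session log from a Cisco IOS router and check the
image hash it reports against a known-good value.

Added example for this post; the session log and the hash values below are
constructed for illustration and are not real output or real Cisco checksums.
"""
import re

# Constructed sample of a PuTTY log covering 'show version' and 'verify /md5'.
# Real 'show version' output has many more lines; only the ones this parser
# uses are included. The image name and the hash are made up.
SAMPLE_LOG = """\
R1#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
System image file is "usbflash0:c1900-universalk9-mz.SPA.154-3.M3.bin"
Cisco CISCO1921/K9 (revision 1.0) with 479232K/45056K bytes of memory.
R1#verify /md5 usbflash0:c1900-universalk9-mz.SPA.154-3.M3.bin
.....................................................................
verify /md5 (usbflash0:c1900-universalk9-mz.SPA.154-3.M3.bin) = 0123456789abcdef0123456789abcdef
R1#
"""

VERSION_RE = re.compile(r"Version ([^,]+), RELEASE SOFTWARE")
IMAGE_RE = re.compile(r'System image file is "([^:]+):([^"]+)"')
MODEL_RE = re.compile(r"^Cisco (\S+) \(revision", re.MULTILINE)
VERIFY_RE = re.compile(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})")
PROMPT_RE = re.compile(r"^(\S+?)[#>]", re.MULTILINE)


def parse_session_log(text):
    """Pull the fields an investigator records from the log: hostname (from the
    prompt), IOS version, model, image location and filename, and the MD5 the
    router computed for that image. Fields that are not found come back as None."""
    def first(rx, group=1):
        m = rx.search(text)
        return m.group(group) if m else None

    return {
        "hostname": first(PROMPT_RE),
        "ios_version": first(VERSION_RE),
        "model": first(MODEL_RE),
        "image_location": first(IMAGE_RE, 1),
        "image_file": first(IMAGE_RE, 2),
        "verified_path": first(VERIFY_RE, 1),
        "md5": first(VERIFY_RE, 2),
    }


def check_image_hash(parsed, known_good_md5):
    """Return (ok, reason). The hash only means something if it was computed over
    the image that 'show version' says is running, so that is checked as well."""
    if parsed["md5"] is None:
        return False, "no verify /md5 result found in the log"
    running = f'{parsed["image_location"]}:{parsed["image_file"]}'
    if parsed["verified_path"] != running:
        return False, (f"hash was computed over {parsed['verified_path']}, "
                       f"but the running image is {running}")
    if parsed["md5"].lower() != known_good_md5.strip().lower():
        return False, "MD5 does not match the known-good value: treat the image as suspect"
    return True, "MD5 matches the known-good value (flash image only; memory still needs checking)"


if __name__ == "__main__":
    info = parse_session_log(SAMPLE_LOG)
    for key, value in info.items():
        print(f"{key:15} {value}")
    # In practice the known-good value is the MD5 Cisco publishes for this
    # exact image; this one is constructed to match the sample log above.
    print(check_image_hash(info, "0123456789ABCDEF0123456789abcdef"))
```

Keep the original log file untouched and run the parser over a copy; the log itself is evidence. A passing result here only tells you the file in flash is the one Cisco shipped, which is exactly the limitation the post raises before moving on to the memory dump.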
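The per device/per dump directory advice above is easy to get wrong by hand when a dump has to be repeated. The following is an added example, not part of the original post, run on the FTP server side: it allocates a fresh, numbered dump directory for each device every time (so an existing dump is never overwritten, even a broken one), then writes a SHA-256 manifest of the files that arrived and can re-check it later. The layout <base>/<hostname>/dump-NNN/ and the stand-in dump files are assumptions chosen for the example; the FTP transfer itself is not shown.

```python
"""Lay out per-device, per-dump evidence directories on the FTP server and
record a hash manifest of what arrived.

Added example for this post, not part of the original. The layout
<base>/<hostname>/dump-NNN/ is an assumption chosen to match the post's advice:
one directory per device, a new directory for every repeated dump.
"""
import hashlib
import os
import tempfile


def new_dump_dir(base, hostname):
    """Create and return the next unused dump directory for a device. A repeated
    dump always gets a new number; existing dumps are never overwritten."""
    device_dir = os.path.join(base, hostname)
    os.makedirs(device_dir, exist_ok=True)
    n = 1
    while True:
        candidate = os.path.join(device_dir, f"dump-{n:03d}")
        try:
            os.mkdir(candidate)          # fails if it already exists, so no clobbering
            return candidate
        except FileExistsError:
            n += 1


def sha256_file(path):
    """Stream a file through SHA-256 (memory dumps can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(dump_dir):
    """Hash every file in the dump directory and write MANIFEST.sha256 beside
    them in 'sha256sum -c' format. Returns {filename: digest}."""
    digests = {}
    for name in sorted(os.listdir(dump_dir)):
        path = os.path.join(dump_dir, name)
        if name != "MANIFEST.sha256" and os.path.isfile(path):
            digests[name] = sha256_file(path)
    with open(os.path.join(dump_dir, "MANIFEST.sha256"), "w") as f:
        for name, digest in digests.items():
            f.write(f"{digest}  {name}\n")
    return digests


def verify_manifest(dump_dir):
    """Re-hash the files and compare with the manifest. Returns the names that
    changed or went missing; an empty list means the dump is intact."""
    bad = []
    with open(os.path.join(dump_dir, "MANIFEST.sha256")) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(dump_dir, name)
            if not os.path.isfile(path) or sha256_file(path) != digest:
                bad.append(name)
    return bad


def demo():
    """Two dumps from one router, the second a repeat, then a tamper check.
    The files are constructed stand-ins, not real dumps. Returns
    (first dir name, second dir name, manifest, intact result, tampered result)."""
    base = tempfile.mkdtemp(prefix="evidence-")
    first = new_dump_dir(base, "edge-rtr-01")
    with open(os.path.join(first, "memory.bin"), "wb") as f:
        f.write(b"\x00" * 4096)              # stand-in for the memory dump
    with open(os.path.join(first, "ios-image.bin"), "wb") as f:
        f.write(b"constructed image bytes")   # stand-in for the copied IOS image
    manifest = write_manifest(first)
    intact = verify_manifest(first)           # [] : nothing has changed yet
    second = new_dump_dir(base, "edge-rtr-01")  # repeat dump lands in dump-002
    with open(os.path.join(first, "memory.bin"), "ab") as f:
        f.write(b"tampered")                   # simulate a later modification
    tampered = verify_manifest(first)         # ["memory.bin"]
    return (os.path.basename(first), os.path.basename(second),
            manifest, intact, tampered)


if __name__ == "__main__":
    print(demo())
```

The manifest gives you something to hand over with the dumps, and the numbered directories preserve the failed attempts the post says to keep.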