SANS Digital Forensics and Incident Response Blog: Daily Archives: Nov 24, 2008

What Programs Do - Part 1

The project and the "What Programs Do" series

Digital Forensics is a technical and scientific field dependent on the research each of us does every day. Our community shares information openly when asked. Unfortunately we don't have a central authoritative repository of information we can all contribute to and refer to, so we often duplicate work already done by others.

"What Programs Do" is a project intended to begin, in a small way at first, to address this need for a central repository of information. When a program is installed on a computer, it makes changes to the registry and adds files to the system. When it is run, it similarly updates the registry and writes files. When it is uninstalled, it removes most of the registry keys and files it installed, but often not all.

This concept and process is trained in detail during the SANS Computer Forensics, Investigation, and Response course on

Cisco Router Forensics

The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves issuing the "show" commands and collecting data such as logs and network activity data. Some of this information is detailed below.

Show Commands

Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:

  • show clock detail
  • show version
  • show running-config
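As an added example (not part of the original post), a small Python script that parses the output of two of the commands listed above, `show clock detail` and `show version`, into the fields an examiner records first, and wraps each raw capture with a SHA-256 hash and collection time so the saved output can be verified later. The sample command output is constructed for this example, not taken from a real router.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample output (not from a real device). The leading '*' is how IOS
# marks a clock it does not consider authoritative.
SHOW_CLOCK_DETAIL = """*14:02:11.503 UTC Mon Nov 24 2008
Time source is hardware calendar
"""

SHOW_VERSION = """Cisco IOS Software, C2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
router uptime is 3 weeks, 2 days, 4 hours, 17 minutes
System returned to ROM by power-on
Configuration register is 0x2102
"""


def parse_show_clock_detail(text):
    """Return the router clock, whether IOS treats it as authoritative, and its source.

    A non-authoritative clock (leading '*') means router log timestamps must be
    corrected against an external reference before they are correlated with other evidence.
    """
    lines = text.strip().splitlines()
    clock = lines[0]
    source = re.search(r"Time source is (.+)", text)
    return {
        "clock": clock.lstrip("*"),
        "authoritative": not clock.startswith("*"),
        "time_source": source.group(1).strip() if source else None,
    }


def parse_show_version(text):
    """Pull the fields an examiner notes first from 'show version'.

    Uptime and reload reason bound when the device last restarted; the configuration
    register shows whether the saved startup configuration was bypassed at boot.
    """
    version = re.search(r"Version ([^,]+),", text)
    uptime = re.search(r"uptime is (.+)", text)
    reason = re.search(r"System returned to ROM by (.+)", text)
    confreg = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", text)
    return {
        "ios_version": version.group(1) if version else None,
        "uptime": uptime.group(1).strip() if uptime else None,
        "last_reload_reason": reason.group(1).strip() if reason else None,
        "config_register": confreg.group(1) if confreg else None,
    }


def evidence_record(command, output, collected_at=None):
    """Wrap raw command output with its hash and collection time for later verification."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "command": command,
        "collected_at": collected_at,
        "sha256": hashlib.sha256(output.encode()).hexdigest(),
        "raw": output,
    }
```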