SANS Digital Forensics and Incident Response Blog

Cisco Router Forensics

The basics of router forensics are collecting data from the device that can act as evidence. The standard process involves using issuing the "show" commands and collecting data such as logs and network activity data. Some of this information is detailed below.

Show Commands

Most of the required information to be collected from the router will be obtained using the Cisco "show" commands. The main commands that you need to become familiar with are:

  • show clock detail
  • show version
  • show running-config
  • show startup-config
  • show reload
  • show ip route
  • show ip arp
  • show users
  • show logging
  • show ip interface
  • show interfaces
  • show tcp brief all
  • show ip sockets
  • show ip nat translations verbose
  • show ip cache flow
  • show ip cef
  • show snmp user
  • show snmp group
  • show clock detail

Show audit

The Router Security Audit Logs feature allows for the creation of audit trails. If these are configured, they may be used to track changes that have been made to a router that is running Cisco IOS software.

The "show audit" command displays the contents of an audit file. The syntax of the command is:

show audit [filestat]

The option, "filestat" is used to displays the rollover counter for the circular buffer and the number of messages that are received. The rollover counter, which indicates the number of times circular buffer has been overwritten, is reset when the audit filesize is changed (via the audit filesize command). This command runs from the privileged exec mode. This command will create a hash of the information from the "show version" command.

Show Clock Detail

Timeline entanglement is import to forensic investigations. This command is used to display the time of day and the status of the SNTP server (if one is configured) that is used by the router.




Figure 1 Router Times are often not configured correctly.

Show Version

The "show version" command is a powerful tool. It can display:

  • the version of the IOS on the router
  • the version of the ROM bootstrap
  • the version of the boot loader
  • how the router was last powered on (i.e. warm reboot or a system panic.)
  • the time and date when the system was last started
  • the "uptime" (i.e. how long the router has been running from the last power-on)
  • the image file that the device last started
  • how much RAM the device has and other hardware information such as:
    • the processor board ID can be used to determine the version of the router's motherboard
    • the number and type of each interface on the router
    • the number of terminal lines on the router and if asynchronous serial lines are used
    • the amount of nonvolatile RAM (NVRAM) used to hold the SAVED version of the configuration file or startup-config
    • The size and type of Flash memory on the router
  • The configuration register on the device
  • The hostname of the device

Show Access Lists

This command displays the content of all access lists (or one specified access list) on the router.

show access-lists [access-list-name] [applied]

The access-list-name keyword is used to display a specified access list and the show access-lists applied command is used to show the ACLs that are currently being applied to an interface and the configured behavior per interface.

Show Users

This command will Show or list which users are logged into a Cisco router.

Show Routing Table

This command will display the routing table used by the router. This will aid in determining if an attacker has:

  • Injected routing information (e.g. RIP poisoning attacks)
  • Deleted routes (i.e. to remove the path to a logging server)

Show Banners

This will display any banners that are configured on the router.

Show ARP & Show IP Arp

This command displays ARP statistics associated with the router interfaces. It can be set to display a specified interface, a specified host, a specified IP address, or a specified MAC hardware address. This command will aid in determining hardware address information (the MAC Address) of locally connected hosts and if MAC spoofing has occurred.

Show TCP

The commands show ip sockets, show udp and show tcp are used to display traffic passing through the router, display statistics about the protocols and to see which ports the router is listening on.

Show tech-support

As of Cisco IOS Software Release 11.2, the command "show tech-support" has allowed for the collection of multiple sources of information concerning the router in a single command. This one command will output the same as running all of the following commands:

  • show version
  • show running-config
  • show stacks
  • show interface
  • show controller
  • show process cpu
  • show process memory
  • show buffers

By limiting the number of commands run, we can limit the changes to the system.

Show Stacks

The "show stacks" command EXEC command is used to monitor the stack usage of processes and interrupt routines. The show stacks output is one of the most indispensable sources of information to collect when the router crashes. It is also one of the most detailed commands for the analysis of the routers memory and is useful in analyzing router compromises.

Advanced Data Collection

The most effective way to capture and analyze the router involves the creation of a core dump. A core dump will contain the complete memory image of the router at the time it was created.

Cisco has included an IOS command to test or trigger a core dump:

#write core

Use this command in privileged exec mode (enable mode). This command will cause a crash, and the content of the memory will be dumped accordingly. When a core dump is generated, the entire setup and config can be reviewed forensically.

A core dump can be saved to:

  • An FTP server
    • ip ftp usename username
    • ip ftp password password
    • exception protocol ftp
    • exception dump a.b.c.d
  • A TFTP server (exception dump a.b.c.d)
  • Using RCP
    • exception protocol rcp
    • exception dump a.b.c.d
  • To a Flash disk (exception flash <procmem|iomem|all> <device_name[:partition_number]> <erase | no_erase>)

The best option will depend on the individual device and situation.

Core Analysis

The analysis of a Cisco router core dump is not a simple task. It has been made easier with the introduction of a free service from CIR (http://cir.recurity.com/cir/). In the event that loading a file to the Internet is not an option, there is a commercial product as well.

Figure 2 CIR Online allows network engineers and digital forensics experts to analyze Cisco IOS memory dumps

Cisco routers are essentially one single ELF binary that runs as a large, statically linked UNIX Program that is loaded by ROMMON. Written in C, the IOS dump can be reversed in order to analyze the system. A Cisco IOS core dump contains a complete image of the router's:

  • main memory,
  • IO memory, and
  • the PCI memory (if used).

Core dumps are useful as they contain the complete image of the Cisco device at an instant. They can even be used to extract network traffic from IO memory into a PCAP file for analysis.
Craig Wright, GFCA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.

2 Comments

Posted November 26, 2008 at 1:09 AM | Permalink | Reply

tigerprawn

Nice article! A few typos, but still good.
I would like to point out that your verbiage in the Show TCP section doesn't sound quite right. The "show tcp command" is for showing information about tcp connections to and from the router (for example, if someone is Telnetted in). The "show udp" and "show ip socket" commands are also for cases where a connection ends at the router. So, I suggest that you remove this from your article: "The commands show ip sockets, show udp and show tcp are used to display traffic passing through the router." They aren't for traffic "passing through" the router, but, rather for packets destined to the router (or from the router).
The commands aren't as useful for forensics as they would be if they really did show info about packets going through the router.
Otherwise, this is a good article, especially the part about core analysis.

Posted November 27, 2008 at 8:13 AM | Permalink | Reply

actusec

Have a look at this presentation, 5 years old now but still kinda up-to-date:
Cisco Router Forensics
http://www.securite.org/presentations/secip/