I wanted to capture this and maybe inspire someone to build an application for splunk. The basics of router forensics are collecting data from the device that can act as evidence. The final two chapters are on ios and cisco switches and how to prepare your final report. A megabit switch was squeezed in between sender and. Based on the type of router you mentioned, one can infer that it is used in a small business, which likely means, the.
Strengths, weaknesses, and future needs by eoghan casey presented at the digital forensic research conference dfrws 2003 usa cleveland, oh aug 6th 8th dfrws is dedicated to the sharing of knowledge and ideas about digital forensics research. These routers often ful l an important role within the local network architecture and as such contains a lot of information. Because criminals are targeting networks, and network devices. How to secure switches and routers penetration testing. I just came across this list of command to capture the state of a cisco router. The interface number i2 and a hash value of router r1s ip address are marked deterministically in each packet on the attack path. Investigating and analyzing malicious network activity ebook written by dale liu. Dale liu, cisco router and switch forensics, isbn 978. Cfrstcom 660 network forensics spring 2015 read this document in its entirety. The commands arent as useful for forensics as they would be if they really did show info about packets going through the router.
Cisco ios the software that runs the vast majority of cisco routers and all cisco network switches is the dominant routing platform on the. This widespread selection from cisco router and switch forensics book. In 2010 the number of threats targeting adsl routers is continually increasing. The cisco content services css switch product, also known as arrowpoint, has two security vulnerabilities once access to the command line interface cli is granted. The standard process involves using issuing the show commands and collecting data such as logs and network activity data. Router forensics information security stack exchange. Typically it just takes some manual setup, but a capable switch can often offer that kind of interchangeable functionality. Forensic analysis of social networking applications on.
A windowsbased system generally records at least the first and last time that a particular usb device is used on that computer, providing evidence of what devices were used, as well as date restrictions on searches. Network forensics deals with the capture, recording or analysis of network events in order to discover evidential information about the source of security attacks in a court of law 3. The first vulnerability, the switch can be forced into a temporary denial of service by an unprivileged user, this is documented in cisco bug id cscdt08730. Pdf network forensics concerns the identification and preservation of. Cisco router and switch forensics is the first book devoted to criminal attacks, incident response, data collection, and legal testimony on the market leader in network devices, including routers, switches, and wireless access points. Perimeter router security technical implementation guide cisco. Identify computer forensics category requirementsfor each category, describe the technical features or functions a.
For example fail router, a leaky firewall or insecure database 5. If the router goes down, users will not be able to connect with any external applications. Switch a port mirror is a software tap that duplicates packets sent to or from a designated switch port to another switch port. Cisco router and switch forensics by dale liu overdrive.
Finding the needle in the haystack introducing network forensics network forensics defined network forensics is the capture, storage, and analysis of network events. Cisco router and switch forensics by liu, dale ebook. Computer security though computer forensics is often associated with computer security, the two are different. Available data and elements exportspolling needs stored locally flashnvram non volatile dram volatile router dhcpbootp tftp configuration ntp clock sync. Silentrunner, the open source snort intrusion detection system, netwitness by forensics explorers, and even the fbis carnivore internet wiretapping system since renamed dcs. Computer forensics in ip theft litigation and investigations.
The scope of network forensics encompasses the networks, systems. Patryk szewczyk school of computer and security science edith cowan university. If you continue browsing the site, you agree to the use of cookies on this website. It is sometimes also called packet mining, packet forensics, or digital forensics. Pdf including network routers in forensic investigation. Behavior of cisco discovery protocol between routers and. Pdf router and interface marking for network forensics. Store your routers and switches configurations in a. The book considers not only how to uncover information hidden in email messages, web pages and web servers, but also what this reveals about the functioning of the internet and its core protocols. The role of a router routers are found at layer three of the osi model. This is the cisco response to research done by showrun. Cisco router and switch forensics 1st edition elsevier. Cfrstcom 660 network forensics fall 2015 read this document in its entirety. Investigating and analyzing malicious network activity dale liu on.
Computer forensics in ip theft litigation and investigation repositories of protected information. Recently, information security magazine coined the term network forensic analysis tool nfat to. This, in turn, enables the identification of shortcomings and highlights where. As a result of this, the router is a veritable treasure. Adsl router forensics, digital forensics, embedded systems, vulnerability, forensic analysis, data extraction, jtag, network forensics. Sans digital forensics and incident response blog cisco. Forensic analysis of routers and switches it forense. Forensic network analysis tools strengths, weaknesses, and.
Social networking applications on mobile devices by noora al mutawa, ibrahim baggili and andrew marrington from the proceedings of the digital forensic research conference dfrws 2012 usa washington, dc aug 6th 8th dfrws is dedicated to the sharing of knowledge and ideas about digital forensics research. Router interface marking rim mechanisms consider a router in ter face as opposed to the router itself as an atomic unit for traceback. Download it once and read it on your kindle device, pc, phones or tablets. With the rapid growth and use of internet, network forensics has become an integral part of computer forensics. The mirrored trac can then be sent to a platform that performs collection or analysis, such as fullpacket capture or a netflow probe. After the user passes the authentication process, the user is authorized to enter one or more vlans. Purchase cisco router and switch forensics 1st edition. Cisco ios the software that runs the vast majority of cisco routers and all cisco network switches is the dominant routing platform on the internet and corporate networks. It is important to understand where they reside within the osi model. Read cisco router and switch forensics online by dale liu books. Abstract routers are commonplace in modern age and are often the hub of consumer networks. In our study we focused on one router from the cisco 2800 series.
Routing switching ring buffers are grouped by packet size. Establish categories for computer forensics tools group computer forensics software according to categories, such as forensics tools designed to retrieve and trace email. Network forensics concerns the identification and preservation of evidence from an event that has occurred or is likely to occur. Moreover, the generally accepted description of network forensics is given in the digital forensics research workshop dfrws 20011. This chapter examines router and network forensics. Computer forensics is primarily concerned with the proper acquisition, preservation and analysis of digital evidence, t. Investigating and ing malicious network activity dale liu lead author and technical editor james burton thomas millar tony fowlie kevin oshea paul a. To help mitigate these attacks, youre faced with monitoring security appliances, detecting intrusions, assessing. They arent for traffic passing through the router, but, rather for packets destined to the router or from the router. Cisco ios the software that runs the vast majority of cisco routers and all. It would be interesting to build a set of expect scripts that go out and.
Only packets arriving through interfaces i1, i2 and i3 are marked by router r1 because. Read cisco router and switch forensics by dale liu for free with a 30 day free trial. Download for offline reading, highlight, bookmark or take notes while you read cisco router and switch forensics. I cant see anyone in the forensics field willing to give the time of day to perform any forensics work on a soho router the cost of going through the motions of performing a forensicsdata recovery would be very expensive. Vlan can be formed in various forms, such as switch port, mac address, ip address, protocol type, dhcp, 802. Use features like bookmarks, note taking and highlighting while reading cisco router and switch forensics. This requires you to have an understanding of routers and their architecture. In the early days network forensics used for the troubleshooting connection issue and it also help to solve various network security problem. Router and interface marking for network forensics. Cisco ios router configuration commands cheat sheet pdf. Investigating and analyzing malicious network activity.
Cisco router and switch forensics cern document server. This chapter is important as many attacks will require the analyst to look for information in the router or require network forensics. Since these kinds of posts are useful as a reference for many people, i have decided to create also a cisco router commands cheat sheet with the most useful and the most frequently used command line interface cli configuration commands for cisco routers cisco ios routers are probably the most complete. Linux forensics is the most comprehensive and uptodate resource for those wishing to quickly and efficiently perform forensics on linux systems. These can be deployed individually or in combination. This timely textreference presents a detailed introduction to the essential aspects of computer network forensics. Investigating and analyzing malicious network activity kindle edition by liu, dale, dale liu. Inside cisco ios software architecture cisco press. Network forensic analysis the nfa course is a labintensive course designed for technicians involved with incident response, traffic analysis or security auditing. In 2, a network forensics definition is given from the military perspective. It is also a great asset for anyone that would like to better understand linux internals. How to optimize your digital investigation white paper every day your organizations network security comes under attack.
392 1288 416 57 7 1266 1152 1161 911 161 1533 1142 527 1009 657 660 82 806 671 675 1323 328 558 253 999 1448 653 739 351 1022 1444