Abstract

This chapter discusses how nonvolatile data from a router can be collected for a digital forensic investigation. Forensic analysis of a router's nonvolatile data can reveal valuable information, but one must understand that the nonvolatile data may not represent the running configuration that was actually in operation at the time of the incident: if the router was rebooted after the incident, the running configuration was replaced by the startup configuration. Before connecting to the Cisco router, one should interview the POC (Point of Contact) to gain an understanding of the incident, define an incident response plan, examine the copies of collected evidence, and analyze them. One can connect to a Cisco router to collect its nonvolatile data through the console or AUX port, or over the network using Telnet, Secure Shell (SSH), Hypertext Transfer Protocol (HTTP), or Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). While collecting nonvolatile data from a router, one should first gather data such as the time, the file system layout, and version information. An MD5 hash should be created using the router's MD5 command to verify that the copied files are exact duplicates of those that exist on the router. All printed copies should be authenticated with the date, time, and signature. The chapter explains how nonvolatile router data gathered from a Cisco router can be analyzed.
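The verification step above (router-reported MD5 compared with the hash of the copied file) as an added example, not code from the chapter. It assumes the router's MD5 output has the shape of Cisco IOS `verify /md5 <file>` lines (`verify /md5 (flash:startup-config) = <32 hex digits>`); the file contents and router output are constructed sample data.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed line shape of Cisco IOS "verify /md5 <file>" output (assumption, not from the chapter):
#   verify /md5 (flash:startup-config) = <32 hex digits>
MD5_LINE = re.compile(r"verify /md5 \((?P<path>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})")

def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of a local copy, computed the same way the router reports it."""
    return hashlib.md5(data).hexdigest()

def parse_router_md5(output: str) -> dict:
    """Map each router path named in the captured output to its reported digest."""
    return {m.group("path"): m.group("digest").lower() for m in MD5_LINE.finditer(output)}

def verify_copies(router_output: str, copies: dict) -> list:
    """Compare local copies (router path -> bytes) against the router-reported digests.
    Verdicts: MATCH, MISMATCH (copy differs from the file on the router), or
    NO_ROUTER_HASH (the captured output reported no digest for that path)."""
    reported = parse_router_md5(router_output)
    records = []
    for path, data in copies.items():
        local = md5_of_bytes(data)
        expected = reported.get(path)
        if expected is None:
            verdict = "NO_ROUTER_HASH"
        elif local == expected:
            verdict = "MATCH"
        else:
            verdict = "MISMATCH"
        # Timestamp each check so the record can go straight into the evidence log.
        records.append({"path": path, "router_md5": expected, "local_md5": local,
                        "verdict": verdict,
                        "checked_at": datetime.now(timezone.utc).isoformat()})
    return records

# Constructed sample data: intact startup-config copy, a copy that gained a stray byte,
# a file the router never hashed, and simulated router output for the first two.
GOOD_CONFIG = b"!\nversion 12.4\nhostname EDGE-RTR\n!\n"
ORIG_VLAN = b"VLAN database placeholder\n"
ROUTER_OUTPUT = (
    f"verify /md5 (flash:startup-config) = {md5_of_bytes(GOOD_CONFIG)}\n"
    f"verify /md5 (flash:vlan.dat) = {md5_of_bytes(ORIG_VLAN)}\n"
)
SAMPLE_COPIES = {
    "flash:startup-config": GOOD_CONFIG,
    "flash:vlan.dat": ORIG_VLAN + b"x",
    "flash:private-config": b"private\n",
}
```

Running `verify_copies(ROUTER_OUTPUT, SAMPLE_COPIES)` yields MATCH for the startup-config, MISMATCH for vlan.dat, and NO_ROUTER_HASH for the private-config, which is the signal to go back and hash that file on the router before relying on the copy.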
