Security Experts:

Connect with us

Hi, what are you looking for?


Incident Response

Cisco Releases Guides for Analyzing Compromised Devices

Cisco has released new guides to help first responders collect forensic evidence from potentially compromised or tampered with IOS, IOS XE, ASA, and Firepower Threat Defense (FTD) devices.

Cisco has released new guides to help first responders collect forensic evidence from potentially compromised or tampered with IOS, IOS XE, ASA, and Firepower Threat Defense (FTD) devices.

The new Forensic Investigation Procedures for First Responders guides are available in the Tactical Resources section of Cisco’s Security Portal.

There are four separate guides for ASA 5500-X series devices, ASA devices running FTD software, IOS devices, and IOS XE devices. The documents are meant to provide step-by-step instructions for collecting information that can be used to conduct a forensic analysis of devices that may have been tampered with or compromised.

First responders can use the guides to learn how to collect data on platform configuration and runtime state, analyzing image hashes for inconsistencies, examining ROM monitor configurations for signs of images being remotely loaded, obtaining crashinfo and core files, checking the integrity of images and configurations, and various other procedures that may be specific to each product.

For example, the guide for ASA devices describes a procedure for verifying the integrity of the webvpn configuration for deployments implementing SSL VPN, and the guide for IOS tells first responders about how they can analyze images if a core dump cannot be performed. The IOS XE guide contains information on exporting the text memory segment for verifying the runtime integrity of the IOSd process.

The guides instruct first responders to isolate devices that might have been compromised before starting the forensic investigation.

“This may prevent remote unloading of any implants or malware installed on the device and will prevent an adversary from monitoring commands entered on the device under investigation,” Cisco says.

Related: Cisco Patches Critical Flaws in Network Switches

Related: Cisco Warns of Zero-Day Vulnerability in Security Appliances

Related: Cisco Patches Router Vulnerabilities Targeted in Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.