Cisco has released new guides to help first responders collect forensic evidence from potentially compromised or tampered with IOS, IOS XE, ASA, and Firepower Threat Defense (FTD) devices.
The new Forensic Investigation Procedures for First Responders guides are available in the Tactical Resources section of Cisco’s Security Portal.
There are four separate guides for ASA 5500-X series devices, ASA devices running FTD software, IOS devices, and IOS XE devices. The documents are meant to provide step-by-step instructions for collecting information that can be used to conduct a forensic analysis of devices that may have been tampered with or compromised.
First responders can use the guides to learn how to collect data on platform configuration and runtime state, analyzing image hashes for inconsistencies, examining ROM monitor configurations for signs of images being remotely loaded, obtaining crashinfo and core files, checking the integrity of images and configurations, and various other procedures that may be specific to each product.
For example, the guide for ASA devices describes a procedure for verifying the integrity of the webvpn configuration for deployments implementing SSL VPN, and the guide for IOS tells first responders about how they can analyze images if a core dump cannot be performed. The IOS XE guide contains information on exporting the text memory segment for verifying the runtime integrity of the IOSd process.
The guides instruct first responders to isolate devices that might have been compromised before starting the forensic investigation.
“This may prevent remote unloading of any implants or malware installed on the device and will prevent an adversary from monitoring commands entered on the device under investigation,” Cisco says.