Tales routers tell

On the 15th of September, 2015, the information security world was shaken by the news that an implant called SYNful Knock had modified the firmware of some Cisco routers. This allowed the attackers to maintain a persistent presence on the router, exposing the network traffic passing through it and letting the router act as a listening post for the attacker.

Routers have long been the cornerstone of the Internet. The role of the router is to connect networks to the Internet and to choose the best path so that information arrives quickly. In fact, the global trend is for national network infrastructures to depend on routers to handle their traffic. It therefore stands to reason that if routers carry the world's traffic, they are also privy to all of the associated traffic logs.


Given the role that routers play, they are frequent targets of attack, especially denial-of-service (DoS) attacks that disable the router. Router compromise is also well known, where the router is used to bypass other network security components such as a firewall or an IDS.

Routers store information such as passwords and routing tables as well as information about the network blocks. This makes them intermediate targets. Compromised routers can be used as stepping stones to attack the rest of the network.

Let's take a quick look at the memory storage in routers.

While routers have two types of memory, the actual storage available is quite small. The first is the flash, or persistent, memory. This holds the firmware, IOS, and relevant configuration information and is reasonably permanent. The second is the RAM. This is volatile, and the data contained in it is completely lost if the router is powered off. From an investigation perspective, this data can be very important as it contains the following components:

  • Temporary passwords
  • The current running configuration
  • Statistics
  • Local logs
  • Scheduler
  • Listening services
  • ARP tables
  • Dynamic routing tables
  • NAT
  • ACL violations

As we can see, if the router is shut down before all of this has been gathered, valuable information will be lost. Persistent (flash memory) data, however, will not be affected. For a successful investigation, we need to recover the volatile data first, on a priority basis.

In such a case, a physical connection to the router is required before we can acquire the evidence. A laptop with the appropriate cables to connect to the console port will be required, with terminal emulation software loaded on it, so that we connect to the router directly rather than over the network.

Once connected we need to determine the following:

  • Router current time
  • Who is logged on
  • Uptime since last boot
  • Listening sockets (such as telnet)
  • Startup configuration
  • Running configuration
  • IP route
  • IP arp
  • IP sockets
  • IP NAT translations
  • SNMP users and group
  • Logging
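The checklist above is a sequence of read-only `show` commands, and what matters forensically is that each capture is taken in order and can later be shown to be unaltered. The following script is an added example, not code from the book: it runs the checklist items in the order listed, timestamps each output and chains SHA-256 digests across the captures so that a removed or edited capture is detectable. The IOS command names are assumed (classic IOS; names vary by release), and the transport is any callable `send(command) -> output`; the `FakeRouter` class is a constructed stand-in so the script runs offline, where a real engagement would use a console connection (a serial library is assumed, not shown).

```python
"""Volatile-first evidence collection over a router console session (added example)."""
import hashlib
from datetime import datetime, timezone

# Checklist item -> classic Cisco IOS command (assumed; names vary by IOS release).
# Only 'show' commands are used, so nothing on the router is modified.
EVIDENCE_COMMANDS = [
    ("router_time", "show clock detail"),
    ("logged_in_users", "show users"),
    ("uptime", "show version"),
    ("listening_sockets", "show tcp brief all"),
    ("startup_config", "show startup-config"),
    ("running_config", "show running-config"),
    ("ip_route", "show ip route"),
    ("ip_arp", "show ip arp"),
    ("ip_sockets", "show ip sockets"),
    ("nat_translations", "show ip nat translations"),
    ("snmp_users", "show snmp user"),
    ("snmp_groups", "show snmp group"),
    ("logging", "show logging"),
]

GENESIS = "0" * 64  # starting value of the hash chain


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect(send, case_id: str, examiner: str) -> dict:
    """Run every checklist command through send() and build a hash-chained manifest."""
    send("terminal length 0")  # disable paging so each command returns its full output
    manifest = {"case_id": case_id, "examiner": examiner, "items": []}
    prev = GENESIS
    for name, command in EVIDENCE_COMMANDS:
        captured_at = datetime.now(timezone.utc).isoformat()
        output = send(command)
        digest = sha256_hex(output)
        # Chain entry i to entry i-1 so a removed or reordered capture is detectable.
        chain = sha256_hex(prev + digest)
        manifest["items"].append({
            "name": name, "command": command, "captured_at": captured_at,
            "output": output, "sha256": digest, "chain": chain,
        })
        prev = chain
    manifest["final_chain_hash"] = prev
    return manifest


def verify(manifest: dict) -> bool:
    """Recompute every digest and the chain; False if any capture was altered."""
    prev = GENESIS
    for item in manifest["items"]:
        if sha256_hex(item["output"]) != item["sha256"]:
            return False
        prev = sha256_hex(prev + item["sha256"])
        if prev != item["chain"]:
            return False
    return prev == manifest["final_chain_hash"]


class FakeRouter:
    """Constructed console stand-in: records the commands sent and returns canned output."""

    CANNED = {
        "show clock detail": "*10:02:11.123 UTC Tue Sep 15 2015\nTime source is NTP",
        "show users": "    Line       User       Host(s)   Idle       Location\n"
                      "*  0 con 0     admin      idle      00:00:00",
        "show ip arp": "Protocol  Address      Age (min)  Hardware Addr   Type   Interface\n"
                       "Internet  192.0.2.1          -   0000.0c07.ac01  ARPA   Gi0/0",
    }

    def __init__(self):
        self.commands_sent = []

    def __call__(self, command: str) -> str:
        self.commands_sent.append(command)
        return self.CANNED.get(command, f"(constructed sample: no canned output for '{command}')")


if __name__ == "__main__":
    router = FakeRouter()
    m = collect(router, case_id="CASE-0001", examiner="analyst")
    print(f"{len(m['items'])} items captured, chain verifies: {verify(m)}")
```

The manifest stores the raw output next to its digest, so the evidence and its integrity record travel together; `verify` should be re-run on the stored copy before any analysis is reported.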

The logging aspect is also very important. Once connected to the router, it is worth checking whether buffered logging is turned on. If it is, the show logging command will show us the contents of the router's log buffer, the level it is set to, and the hosts that logs are sent to. Terminal logging allows non-console sessions to view log entries. Syslog logging sends messages to a specified syslog server. ACL violation logging produces a large number of interesting entries in the log buffer documenting ACL violations.
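As an added example (not the book's code), the parser below triages the output of show logging for the items just described: whether buffered logging is on and at what level, the syslog hosts the router forwards to, configuration-change messages, and the ACL violation entries with the packets denied per source. `SAMPLE_SHOW_LOGGING` is a constructed sample in the shape of classic IOS output, with documentation addresses; the message formats matched (%SEC-6-IPACCESSLOGP, %SYS-5-CONFIG_I) are the standard IOS ones.

```python
"""Triage of 'show logging' output from a Cisco IOS router (added example)."""
import re

# Constructed sample in the shape of classic IOS 'show logging' output.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 12 messages logged, xml disabled, filtering disabled
    Monitor logging: disabled
    Buffer logging: level informational, 12 messages logged, xml disabled, filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 14 message lines logged
        Logging to 192.0.2.10 (udp port 514, audit disabled, link up), 14 message lines logged, xml disabled, filtering disabled

Log Buffer (8192 bytes):
*Sep 15 10:02:11.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.55)
*Sep 15 10:03:45.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4455) -> 192.0.2.20(23), 1 packet
*Sep 15 10:03:52.410: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4456) -> 192.0.2.20(22), 3 packets
*Sep 15 10:04:10.777: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.55(51000) -> 192.0.2.20(23), 1 packet
"""

# Per-destination level lines ("Buffer logging: level informational" / "Monitor logging: disabled").
LEVEL_RE = re.compile(r"^\s*(Console|Monitor|Buffer|Trap) logging: (?:(disabled)|level (\w+))", re.M)
# Syslog host lines under "Trap logging".
HOST_RE = re.compile(r"Logging to (\S+) \(udp port (\d+)")
# ACL log entries for TCP/UDP, which include port numbers.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (\S+) (denied|permitted) (\w+) "
    r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets?"
)
# Configuration changes: who changed the config and from where.
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: (.*)$")


def parse_show_logging(text: str) -> dict:
    """Extract logging levels, syslog hosts, config changes and ACL entries."""
    # A disabled destination maps to None, an enabled one to its level name.
    levels = {dest: (None if off else level) for dest, off, level in LEVEL_RE.findall(text)}
    hosts = [(host, int(port)) for host, port in HOST_RE.findall(text)]
    acl_entries, config_changes = [], []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            acl, action, proto, src, sport, dst, dport, pkts = m.groups()
            acl_entries.append({"acl": acl, "action": action, "proto": proto,
                                "src": src, "sport": int(sport), "dst": dst,
                                "dport": int(dport), "packets": int(pkts)})
            continue
        m = CONFIG_RE.search(line)
        if m:
            config_changes.append(m.group(1))
    return {
        "levels": levels,
        "buffered_logging_enabled": levels.get("Buffer") is not None,
        "syslog_hosts": hosts,
        "config_changes": config_changes,
        "acl_entries": acl_entries,
    }


def denied_packets_by_source(result: dict) -> dict:
    """Sum denied packets per source address: a quick view of what the ACLs are blocking."""
    totals = {}
    for entry in result["acl_entries"]:
        if entry["action"] == "denied":
            totals[entry["src"]] = totals.get(entry["src"], 0) + entry["packets"]
    return totals


if __name__ == "__main__":
    summary = parse_show_logging(SAMPLE_SHOW_LOGGING)
    print("buffered logging:", summary["buffered_logging_enabled"], summary["levels"])
    print("syslog hosts:", summary["syslog_hosts"])
    print("config changes:", summary["config_changes"])
    print("denied packets by source:", denied_packets_by_source(summary))
```

The syslog host list is worth checking against the server the organisation actually runs: the buffer on the router is small and is lost on power-off, so the forwarded copy is usually the only durable record, and a forwarding target nobody recognises is itself a finding.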

In addition to the preceding two sources of evidence (namely volatile memory and logs), the recent Cisco router hack shows that non-volatile flash memory is also vulnerable. It demonstrated that a modification to the firmware remains in persistent memory and can cause large-scale data leaks.
