Developments in Cisco IOS Forensics

Cisco System’s routers running Cisco IOS are still the prevalent routing platform on the Internet and corporate networks. Their huge population, architectural deficiencies and hugely diverse version distribution make them a valuable target that gains importance as common operating system platforms are closed down and secured. This paper takes the position that the currently used, well accepted practices for monitoring, debugging and post mortem crash analysis are insufficient to deal with the threat of compromised IOS devices. It sets forth a different method that reduces the requirement for constant logging, favoring ondemand in-depth analysis in case of suspicion or actual device crashes. The paper concludes by presenting the current state in the development of software supporting the proposed method and requesting feedback from the community on the software’s future directions.