Forensics Book 4: Investigating Network Intrusions and Cybercrime
Chapter 4: Router Forensics

Objectives
- Understand router architecture
- Understand the use of Routing Information Protocol (RIP)
- List the different types of router attacks
- Differentiate router forensics from traditional forensics
- List the steps for investigating router attacks
- Conduct an incident response
- Read router logs
- List various router auditing tools
Copyright © by EC-Council Press
All rights reserved. Reproduction is strictly prohibited

Introduction to Router Forensics

Router
- Network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network
- Decides where to send information packets based on its current understanding of the state of the networks it is connected to, as well as the network portion of the Internet Protocol (IP) address

Routers use headers and forwarding tables to determine the best path for sending data packets

Functions of a Router

Basic functions of a router:
- Forwarding packets
- Sharing routing information
- Packet filtering
- Network address translation (NAT)
- Encrypting or decrypting packets in the case of virtual private networks (VPNs)

Overall, a router:
- Is the backbone of a network and performs significant network functions
- Has the additional responsibility of protocol interpretation

Functions of a Router (continued)

A router in the OSI model
- Operates at the network layer of the OSI model
- Relays packets among multiple interconnected networks
- Forwards the packets to the next router on the path until the destination is reached
- Generally sends the packets through that particular route once the best route is identified

Router architecture
- Memory
- Hardware
- IOS

Functions of a Router (continued)
Figure 4-1 Routers operate in the physical, data link, and network layers of the OSI model.

Functions of a Router (continued)

The routing table and its components
- Routing table
    - Database that stores the most efficient routes to particular network destinations

Components of a routing table
- Address prefix specifying the address of the final destination of the packet
- Interface on which the packets corresponding to the address prefix are transmitted
- Next hop address specifying the address of the router to which a packet must be delivered en route to its final destination

Functions of a Router (continued)

Components of a routing table (continued)
- Preference value for choosing between several routes with similar prefixes
- Route duration
- Specification showing whether the route is advertised in a routing advertisement
- Specification on how the route is aged
- Route type

Routing Information Protocol (RIP)
- Protocol used to manage router information within a self-contained network

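To show how the routing table components listed above (address prefix, interface, next hop, preference value, route type) combine into a forwarding decision, here is an added example in Python. It is not EC-Council's material and not any vendor's routing code; the table entries, addresses and interface names are constructed for illustration. It also goes one step beyond the slides with a snapshot diff, which is how an examiner can surface the false entries that the later slide on routing table poisoning describes.

```python
"""Longest-prefix-match lookup over a routing table, plus a snapshot diff.

Added example; not EC-Council code and not a vendor's implementation. The
routes, addresses and interface names below are constructed for illustration.
Field names follow the slide's list of routing table components.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # address prefix of the final destination
    interface: str                  # interface the matching packets leave on
    next_hop: Optional[str]         # next router on the path; None = directly connected
    preference: int                 # lower wins between routes with the same prefix length
    route_type: str                 # e.g. "connected", "static", "rip"


def make_route(prefix, interface, next_hop, preference, route_type) -> Route:
    return Route(ipaddress.ip_network(prefix), interface, next_hop, preference, route_type)


# Constructed sample table (illustrative addresses only)
ROUTING_TABLE = [
    make_route("0.0.0.0/0",       "Serial0/0",       "203.0.113.1",  1,   "static"),
    make_route("10.0.0.0/8",      "FastEthernet0/1", "10.1.1.2",     120, "rip"),
    make_route("10.1.1.0/24",     "FastEthernet0/1", None,           0,   "connected"),
    make_route("192.168.10.0/24", "FastEthernet0/0", None,           0,   "connected"),
    # same prefix learned twice; the preference value decides which one is used
    make_route("172.16.0.0/16",   "Serial0/1",       "198.51.100.2", 120, "rip"),
    make_route("172.16.0.0/16",   "FastEthernet0/1", "10.1.1.3",     1,   "static"),
]


def lookup(table, destination: str) -> Optional[Route]:
    """Best route for `destination`: the longest matching prefix, with ties
    broken by the lowest preference value."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def forwarding_decision(table, destination: str) -> str:
    """Human-readable summary of where a packet to `destination` is sent."""
    route = lookup(table, destination)
    if route is None:
        return f"{destination}: no route (packet dropped)"
    via = route.next_hop or "directly connected"
    return f"{destination}: {route.prefix} via {via} on {route.interface} [{route.route_type}]"


def diff_tables(baseline, current):
    """Routes added to / removed from `baseline`. Comparing a seized router's
    table with a known-good snapshot is one way to surface the false entries
    that routing table poisoning leaves behind."""
    added = sorted(set(current) - set(baseline), key=str)
    removed = sorted(set(baseline) - set(current), key=str)
    return added, removed


if __name__ == "__main__":
    for dst in ("10.1.1.77", "10.200.3.4", "172.16.5.5", "192.168.10.9", "8.8.8.8"):
        print(forwarding_decision(ROUTING_TABLE, dst))
    # a constructed "poisoned" entry that hijacks a directly connected subnet
    bogus = make_route("10.1.1.0/24", "Serial0/0", "203.0.113.66", 0, "static")
    print(diff_tables(ROUTING_TABLE, ROUTING_TABLE + [bogus]))
```

The lookup sorts candidates by prefix length first and preference second, so a /24 always beats a /8 regardless of preference, while two /16 entries for the same destination are separated by preference alone.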
Router Vulnerabilities

Common router vulnerabilities are likely avenues for attack:
- HTTP authentication vulnerability
- NTP vulnerability
- SNMP parsing vulnerability

Router Attacks

An intruder that takes control of a router can perform many different attacks on a network
- Can gain knowledge of all possible vulnerabilities in a network once the router has been accessed

An attacker who has gained access to a router can interrupt communication, disable the router, stop communication between compromised networks, as well as observe and record logs on both incoming and outgoing traffic

By compromising a router, attackers can avoid firewalls and intrusion detection systems (IDS), and can transmit any kind of traffic to a chosen network

Types of Router Attacks

Denial-of-service (DoS) attacks
- Render a router unusable for network traffic by overloading the router’s resources so that no one can access it
- Goals: destruction, resource utilization, and bandwidth consumption

Packet-mistreating attacks
- Compromised router mishandles or mistreats packets, resulting in congestion
- Mistreated packet could invoke the following problems: denial of service, congestion, and lowering of connection throughput

Types of Router Attacks (continued)

Routing table poisoning
- One of the most prominent types of attacks
- When an attacker maliciously alters, or poisons, a routing table, the routing-data update packets are also maliciously modified
- Misconfigured packets produce false entries in the routing table, such as a false destination address

Hit-and-run attacks
- Occur when an attacker injects a small number of bad packets into the router to exploit the network
- Similar to a test attack: attacker gains knowledge of whether the network is online and functioning

Types of Router Attacks (continued)

Persistent attacks
- Attacker continuously injects bad packets into the router and exploits the vulnerabilities that are revealed during the course of the injection process
- Can cause significant damage because the router can get flooded with packets and cease functioning due to the constant injection of packets
- Comparatively easy to detect

Router Forensics Versus Traditional Forensics

Router forensics does not differ much from traditional forensics
- Except in some particular steps taken during investigations

During router investigations, the system needs to be online, whereas in traditional forensic investigations, the system needs to be powered off
- System must be online so the forensic investigator can have exact knowledge of what type of traffic flows through the router

Investigating Router Attacks

Guidelines:
- Start with a security policy and develop a plan that includes collecting and defining data
- Create a reconnaissance methodology that provides information about the target
- Perform an analysis check to identify incidents and review default passwords and default information
- Develop an attack strategy for analyzing commands to access the network, ACLs, firewalls, and protocols
- Be careful while accessing the router
- Intrusion analysis is vital to identifying the attacker and preventing the success of future attacks

Investigation Steps

Seize the router and maintain the chain of custody
- Investigator should seize the router so that nobody can change its configuration
- Chain of custody
    - Record of seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence

Perform incident response and session recording
- Router should not be rebooted unless absolutely necessary
- Record all information and evidence acquired
- No modifications should be made to the information and evidence acquired

Investigation Steps (continued)
Figure 4-2 Chain of custody forms document the evidence-gathering phase of an investigation.

Investigation Steps (continued)

Incidents that should be handled in specific ways:
- Direct-compromise incidents
- Routing table manipulation
- Theft of information
- Denial of service

Access the router (guidelines)
- Router must be accessed through the console
- Record the entire console session
- Record the actual time and the router time
- Only show commands should be executed
- Volatile information must be given priority

Investigation Steps (continued)
Figure 4-3 Every step an investigator takes must be recorded.

Investigation Steps (continued)

Gather volatile evidence
- Volatile evidence: evidence that can easily be lost during the course of a normal investigation
- Items considered volatile evidence: current configuration, access list, time, and log files
- Methods to collect volatile evidence:
    - Direct access – carried out using show commands
    - Indirect access – used only if the attacker has changed the passwords; carried out by port-scanning every router IP

Investigation Steps (continued)

Identify the router configuration
- Establish a connection to the router to retrieve the RAM and NVRAM
- Use the encrypted protocol secure shell to remotely access the router if a direct connection is not possible
- Log the entire session with HyperTerminal
- Capture and save the volatile and nonvolatile router configurations for documentation purposes

Examine and analyze
- Once the volatile evidence has been secured and the configuration has been obtained, the investigator can begin to analyze the retrieved information

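The access guidelines and the volatile-evidence steps above (record the whole console session, record the investigator's time and the router's time, run only show commands, collect volatile items first, change nothing) can be enforced by the tool that drives the console. The following is an added example in Python, not EC-Council's material and not a real console tool: the `send_command` callable is an assumed stand-in for a serial or SSH session driver, and the outputs it returns here are constructed, not from a real device. Each command's output is hashed as it is captured and the whole transcript is hashed again, which gives the chain-of-custody record something to verify later.

```python
"""Console evidence-collection recorder for a router investigation.

Added example, not EC-Council's material. It does not talk to a router: the
`send_command` callable is an assumption standing in for the console driver
(a serial or SSH session), and the sample outputs used when the block is run
are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Volatile items first, as the slides require. The router's own clock is read
# first so it can be compared with the investigator's time on every entry.
COLLECTION_PLAN = [
    ("show clock", "router time (compare with investigator time)"),
    ("show running-config", "current configuration (volatile)"),
    ("show ip route", "routing table (volatile)"),
    ("show ip access-lists", "access lists (volatile)"),
    ("show logging", "log buffer (volatile)"),
    ("show startup-config", "saved configuration (nonvolatile)"),
]


class ReadOnlyViolation(Exception):
    """Raised when something other than a show command is requested."""


def is_show_command(command: str) -> bool:
    """Only show commands may be run against a seized router."""
    return command.strip().lower().split()[:1] == ["show"]


class SessionRecorder:
    def __init__(self, investigator: str, send_command):
        self.investigator = investigator
        self._send = send_command      # assumed console driver: str -> str
        self.entries = []

    def run(self, command: str, purpose: str) -> dict:
        if not is_show_command(command):
            raise ReadOnlyViolation(f"refusing non-show command: {command!r}")
        started = datetime.now(timezone.utc).isoformat()
        output = self._send(command)
        entry = {
            "investigator": self.investigator,
            "investigator_time_utc": started,
            "command": command,
            "purpose": purpose,
            "output": output,
            "sha256": hashlib.sha256(output.encode()).hexdigest(),
        }
        self.entries.append(entry)
        return entry

    def collect(self, plan=COLLECTION_PLAN) -> list:
        for command, purpose in plan:
            self.run(command, purpose)
        return self.entries

    def transcript(self) -> str:
        """Full session log with a closing hash over all entries for custody."""
        body = json.dumps(self.entries, indent=2, sort_keys=True)
        return body + "\n# session sha256: " + hashlib.sha256(body.encode()).hexdigest()


# Constructed sample outputs in the shape of IOS show-command output
# (not captured from a real device)
FAKE_OUTPUTS = {
    "show clock": "*09:14:02.118 UTC Mon Mar 3 2008",
    "show running-config": "hostname edge-rtr\n!\nip http server\n!\nend",
    "show ip route": "S* 0.0.0.0/0 [1/0] via 203.0.113.1",
    "show ip access-lists": "Extended IP access list 101\n    10 permit ip any any",
    "show logging": "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)",
    "show startup-config": "hostname edge-rtr\n!\nend",
}


def fake_console(command: str) -> str:
    """Stand-in for the console driver; returns the constructed outputs above."""
    return FAKE_OUTPUTS[command]


if __name__ == "__main__":
    rec = SessionRecorder("J. Investigator", fake_console)
    rec.collect()
    print(rec.transcript())
```

Because the recorder refuses anything that is not a show command before it reaches the console, an examiner cannot accidentally type a configuration or reload command into the evidence session; the refusal itself is raised as an exception rather than silently skipped, so it shows up in the examiner's notes.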
Investigation Steps (continued)

Router components that should be examined and analyzed:
- Router configuration
- Routing table
- Access control list
- Router logs: provide information about the router’s activities

Types of router logs:
- Syslog log, log buffer, console log, terminal log, SNMP log, and ACL violation log

Investigation Steps (continued)
Figure 4-4 Router log files can tell an investigator where a connection originated.

Investigation Steps (continued)
Figure 4-5 The ping command can be used to find a host name.

Investigation Steps (continued)

NETGEAR router logs
- Can be used for monitoring network activities for specific types of attacks and reporting those attacks to a security monitoring program
- Can be used to perform the following tasks:
    - Alert when someone on a LAN has tried to access a blocked WAN address
    - Alert when someone on the Internet has tried to access a blocked address in a LAN
    - Identify port scans, attacks, and administrative logins
    - Collect statistics on outgoing traffic
    - Assess whether keyword-blocking rules are excluding an undesired IP address

Investigation Steps (continued)
Figure 4-6 NETGEAR router logs allow the user to apply various firewall rules.

Investigation Steps (continued)
Figure 4-7 Entries indicating suspicious data being dropped are a possible indication of an attack.

Investigation Steps (continued)

Real-time forensics
- Investigator should use the router to monitor the network, after removing or collecting the data from the compromised router

AAA logging gathers the following information:
- Login time
- Logout time
- HTTP accesses
- Privilege level changes
- Commands executed

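The NETGEAR log tasks (blocked access, port scans, administrative logins) and the AAA items (login time, commands executed, configuration activity) listed above all reduce to parsing log lines and grouping them by source. As an added example, not EC-Council's material and not any vendor's log tool, the Python below triages a constructed set of log lines written in the shape of Cisco IOS syslog messages (ACL violation, login success/failure, configuration change). The regular expressions are written for these constructed lines and are an assumption, not a published grammar for any product's logs; the addresses are documentation ranges.

```python
"""Triage of router log lines: ACL violations, administrative logins and
configuration changes, grouped by source address.

Added example, not EC-Council's. The log lines are constructed in the shape
of Cisco IOS syslog messages (%SEC-6-IPACCESSLOGP, %SEC_LOGIN-5-LOGIN_SUCCESS,
%SEC_LOGIN-4-LOGIN_FAILED, %SYS-5-CONFIG_I). The regexes match these
constructed lines and are an assumption, not a vendor-published grammar.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not from a real device)
SAMPLE_LOG = """\
Mar  3 09:01:12 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40211) -> 10.1.1.5(22), 1 packet
Mar  3 09:01:13 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40212) -> 10.1.1.5(23), 1 packet
Mar  3 09:01:13 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40213) -> 10.1.1.5(80), 1 packet
Mar  3 09:01:14 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40214) -> 10.1.1.5(443), 1 packet
Mar  3 09:01:14 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40215) -> 10.1.1.5(3389), 1 packet
Mar  3 09:05:40 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5353) -> 10.1.1.255(5353), 1 packet
Mar  3 09:10:02 edge-rtr 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 09:10:09 edge-rtr 108: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar  3 09:10:31 edge-rtr 109: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22]
Mar  3 09:11:05 edge-rtr 110: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
Mar  3 11:40:00 edge-rtr 111: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.50] [localport: 22]
"""

ACL_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<where>\S+) by (?P<user>\S+)"
    r"(?: on \S+ \((?P<src>[\d.]+)\))?"
)


def analyze(log_text: str, scan_threshold: int = 4) -> dict:
    """Group ACL denies, logins and config changes by source address."""
    denies_by_src = Counter()
    ports_by_src = defaultdict(set)
    logins, failures, config_changes = [], Counter(), []
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            denies_by_src[m["src"]] += 1
            ports_by_src[m["src"]].add(int(m["dport"]))
            continue
        m = LOGIN_RE.search(line)
        if m:
            if m["result"] == "LOGIN_SUCCESS":
                logins.append((m["user"], m["src"]))
            else:
                failures[(m["user"], m["src"])] += 1
            continue
        m = CONFIG_RE.search(line)
        if m:
            config_changes.append((m["user"], m["src"] or m["where"]))
    # Heuristic: one source denied on many distinct destination ports looks like a port scan
    suspected_scanners = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    # A successful login from an address the ACL was already dropping deserves a closer look
    logins_from_denied_sources = [(u, s) for u, s in logins if s in denies_by_src]
    return {
        "denies_by_src": dict(denies_by_src),
        "suspected_scanners": suspected_scanners,
        "admin_logins": logins,
        "failed_logins": dict(failures),
        "config_changes": config_changes,
        "logins_from_denied_sources": logins_from_denied_sources,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over the sample, the ACL entries identify where the connections originated (as Figure 4-4 describes), the failed-then-successful logins and the configuration change are tied to the same source, and the cross-reference between the two lists is the entry an examiner would want to see first.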
Investigation Steps (continued)

Generate a report (steps)
- Note the name of the investigator
- List the router evidence
- Document the evidence and other supporting items
- Provide a list of tools used for the investigation
- List the devices and setup used in the examination
- Give a brief description of the examination steps
- Provide the following details about the findings:
    - Information about the files
    - Internet-related evidence
    - Data and image analysis
- Provide conclusions for the investigation

Router Audit Tool (RAT)
Figure 4-8 The RAT tool checks devices against settings in a benchmark.

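The kind of check RAT performs, comparing a device's configuration against a benchmark, is small enough to show in full. The following is an added example in Python, not EC-Council's material and not RAT's own rule set or any published benchmark: the six rules are the author's, chosen to cover the HTTP, SNMP and NTP exposure classes from the Router Vulnerabilities slide plus basic logging hygiene, and both configurations are constructed in the shape of Cisco IOS running-config text (the NTP key value is a placeholder).

```python
"""Benchmark-style audit of a router configuration.

Added example, not EC-Council's material and not RAT's rule set. The rules
below are the author's own illustration; the two configurations are
constructed in the shape of IOS running-config text.
"""
import re

# (rule id, description, kind, pattern). "require": a matching line must be
# present; "forbid": no line may match.
BENCHMARK = [
    ("http-server-off",        "HTTP management server disabled",          "forbid",  r"^ip http server$"),
    ("snmp-default-community", "No default SNMP community strings",        "forbid",  r"^snmp-server community (public|private)\b"),
    ("ntp-auth",               "NTP authentication enabled",               "require", r"^ntp authenticate$"),
    ("password-encryption",    "Passwords not stored in clear text",       "require", r"^service password-encryption$"),
    ("log-timestamps",         "Log messages carry timestamps",            "require", r"^service timestamps log datetime"),
    ("remote-syslog",          "Logs sent to a remote syslog host",        "require", r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
]

# Constructed weak configuration (not from a real device)
WEAK_CONFIG = """\
hostname edge-rtr
!
ip http server
snmp-server community public RO
snmp-server community private RW
ntp server 203.0.113.10
logging buffered 16384
!
end
"""

# Constructed hardened configuration; the NTP key is a placeholder value
HARDENED_CONFIG = """\
service timestamps log datetime msec
service password-encryption
hostname edge-rtr
!
no ip http server
snmp-server community S3cr3tR0 RO
ntp authenticate
ntp authentication-key 1 md5 KEY-PLACEHOLDER
ntp trusted-key 1
ntp server 203.0.113.10 key 1
logging host 10.1.1.200
logging buffered 16384
!
end
"""


def audit(config_text: str) -> list:
    """Evaluate every benchmark rule; keep the matching lines as evidence."""
    lines = [line.strip() for line in config_text.splitlines()]
    results = []
    for rule_id, description, kind, pattern in BENCHMARK:
        rx = re.compile(pattern)
        hits = [line for line in lines if rx.search(line)]
        passed = bool(hits) if kind == "require" else not hits
        results.append({"rule": rule_id, "description": description,
                        "passed": passed, "evidence": hits})
    return results


def failed_rules(config_text: str) -> list:
    return [r["rule"] for r in audit(config_text) if not r["passed"]]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for r in audit(cfg):
            mark = "PASS" if r["passed"] else "FAIL"
            print(f"[{mark}] {r['rule']}: {r['description']} {r['evidence']}")
```

Keeping the matching lines as evidence matters for the investigation report: a finding such as "default SNMP community present" can then be quoted from the seized configuration rather than asserted.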
Link Logger
Figure 4-9 Link Logger allows users to see and analyze firewall traffic.

Sawmill
Table 4-1 Sawmill stores these nonnumerical fields in its Linksys router database

Summary
- A router is a computer networking device that forwards data packets across networks
- A router decides the most effective path for a packet to reach its final destination
- A routing table is a database that stores the most efficient routes to particular network destinations
- The types of router attacks are denial-of-service attacks, packet-mistreating attacks, routing table poisoning, hit-and-run attacks, and persistent attacks

Summary (continued)
- RIP sends routing update messages when the network topology changes
- A router log shows whether anyone has been trying to get into a network
- Investigators must be careful while accessing a router