Patrick Leahy Center for Digital Investigation (LCDI)

Router Marshal How-To
Written & Researched by Maegan Katz
175 Lakeside Ave, Room 300A
Phone: 802/865-5744
Fax: 802/865-6446
http://www.lcdi.champlin.edu
July 2013

Disclaimer: This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, neither LCDI nor any of its employees makes any representation, warranty or guarantee in connection with this report, and LCDI hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo, and any references from this report must be properly annotated.

1 Introduction

Router Marshal Version 1.0.1 is a digital forensic tool developed by ATC-NY for law enforcement that is used to "automatically acquire digital forensic evidence from network devices such as routers and wireless access points. An investigator can use the Router Marshal software in the field to identify a network device, automatically acquire volatile forensic evidence from the device, and view and interpret this evidence."[1] The software also maintains detailed logs of all activities and communications it performs with a target device.

2 Installing

1) Double-click RouterMarshal_Setup and run it through the installer. Make sure to install WinPcap and nmap (http://nmap.org/download.html) to ensure that Router Marshal will run correctly. WinPcap is downloaded together with nmap, but it still needs to be installed separately. Once all of the components are installed, run Router Marshal. If the host computer is connected to the internet, you can register the software with the product key. Otherwise, choose the option to register manually via email.

3 Acquisition

1) A new acquisition can be started by selecting the magnifying glass icon in the upper left corner of the icon bar. An existing case can be opened by selecting the folder icon to its right.

2) After selecting a new acquisition, you will be prompted to enter acquisition information: the acquisition name/ID, the case number, the name of the investigator, and the save-to location. Click Next.

3) The next step is to select the target. Select the IP/Ethernet option. The program will attempt to automatically detect the IP and MAC addresses of available devices. Select one of the detected devices, or type in the target IP address if the program does not detect the device automatically. Click Finish.

4) The acquisition should take no more than a few minutes.

5) If Router Marshal is unable to detect what kind of device the router is, a window with a list of supported devices will pop up. Select the appropriate device from the list and then click OK. If a device does not appear on the list, Router Marshal does not have a script to acquire that device. It is possible to expand the list of supported routers by writing custom scripts for an unsupported router.

6) Once a device is selected, Router Marshal may require authentication. This is the same information that is entered when accessing the router's web interface. The default username and password for the device will automatically be filled in. If the defaults have been changed, the user will need to know the new username and password in order to access the router. Click OK.

7) When the acquisition is finished, the results will automatically appear. The Detection tab shows the tools used to identify the device; this will most likely be an nmap scan. The Evidence tab shows the commands used to acquire data, and the Analysis tab puts all the results into easy-to-read charts.

8) Right-clicking a selection in Evidence gives the option "Go To Referenced URL," which will bring up a visual of the page for that particular router setting.

9) The following chart is a breakdown of the types of evidence found using Router Marshal. It may vary from router to router.

Command               Action                                   Comments
/WLG_adv.htm          Advanced Wireless Variables
/DEV_device.htm       Attached Devices                         IP Address, Device Name, MAC Address
/BAS_ether.htm        Basic Internet Settings                  Ethernet
/BAS_pppoe.htm        Basic Internet Settings                  Point-to-Point Protocol over Ethernet
/BAS_pptp.htm         Basic Internet Settings                  Point-to-Point Tunneling Protocol
/BKS_keyword.htm      Blocked Keywords
/BKS_service.htm      Blocked Services
/UPG_upgrade.htm      Check for Firmware Updates on Startup    Checked/Unchecked
/DNS_ddns.htm         DDNS Settings
/RST_st_dhcp.htm      DHCP Settings                            IP, Subnet Mask, DHCP Start/End, etc.
/FW_email.htm         Email Variables
/LAN_lan.htm          LAN Variables
/RST_st_poe.htm       POE Connection Status                    Connected/Disconnected
/RST_status.htm       Port Information
/FW_pt.htm            Port Triggering                          Port, Start/End IP, Enabled/Disabled
/FW_remote.htm        Remote Management Settings
/LAN_lan.htm          Reserved IP Addresses
/FW_log.htm           Router Log                               Activity log for the router**
/STR_stattbl.htm      Router Status Statistics                 Uptime, Packets, etc.
/FW_schedule.htm      Schedule Variables                       Time Data
/STR_routes.htm       Static Routes
/BKS_keyword.htm      Trusted IP for Blocked Sites
/UPNP_upnp.htm        UPnP Portmap Table                       Active/Inactive, Protocol, IP Address, etc.
/RST_status.htm       Version Information
/WAN_wan.htm          WAN Variables
/WLG_acl.htm          Wireless Card Access List
/RST_status.htm       Wireless Port Information
/WLG_wireless2.htm    Wireless2 Settings Variables
/WLG_wireless3.htm    Wireless3 Settings Variables

** The router log will only record accessed sites if the "Keyword Blocking" option in the router is always on. With that option on, the router checks every site against the blocked list and allows or denies it (it will not deny anything if the blocked list is empty), and the log records the sites it sees. If the setting is not turned on, visited sites will not show up in the log.

4 Report

1) To begin creating a report, select the clipboard icon at the top of the Router Marshal window.

2) The Generate Report window will pop up. Here, you enter the report name and comments, and optionally a header or custom logo. Select Next.

3) Select the sections of data to include in the report. Each selection corresponds to one of the tabs from the acquisition results. The "Include audit log" option adds the log of all communication that Router Marshal had with the router to the report. Select Next.

4) Select the output type for the report and the report location. Select Finish.

5) The report will be output in the chosen format.

6) At this point, you have successfully acquired data from a router and created a report with Router Marshal.

[1] Router Marshal™ Digital Forensic Software. (2010, December 22). Retrieved from http://routermarshal.com/
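To show what the acquisition in section 3 and the audit log of section 4, step 3 amount to at the HTTP level, here is an added Python example (not Router Marshal's own code, which this page does not show): it requests a few of the evidence pages from the step 9 table over the router's web interface, records a timestamped entry with the outcome and a SHA-256 of each response, and can later re-fetch the pages to flag any whose content changed since acquisition. The basic-auth fetcher, the sample router contents and the deliberately missing /FW_log.htm are assumptions constructed for the example; the page paths are the ones in the table.

```python
import base64
import datetime
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple
# Subset of the evidence pages from the how-to's table (command path -> action).
EVIDENCE_PAGES: Dict[str, str] = {
    "/RST_status.htm": "Version Information", "/DEV_device.htm": "Attached Devices",
    "/FW_remote.htm": "Remote Management Settings", "/FW_log.htm": "Router Log",
}
Fetcher = Callable[[str], Tuple[int, bytes]]  # page path -> (HTTP status, body)

def http_basic_fetcher(base_url: str, username: str, password: str) -> Fetcher:
    """Assumed: the router's web interface accepts HTTP basic auth with the step 6 credentials."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    def fetch(path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url + path, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    return fetch

def acquire(fetch: Fetcher, pages: Dict[str, str] = EVIDENCE_PAGES) -> List[dict]:
    """Request each evidence page once and log every request, including failures."""
    audit: List[dict] = []
    for path, action in pages.items():
        entry = {"time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
                 "command": path, "action": action, "status": None, "sha256": None, "error": None}
        try:
            status, body = fetch(path)
        except OSError as exc:  # urllib HTTP/URL errors and timeouts all derive from OSError
            entry["error"] = str(exc)  # a failed request stays in the record
        else:
            entry.update(status=status, sha256=hashlib.sha256(body).hexdigest())
        audit.append(entry)
    return audit

def verify(audit: List[dict], fetch: Fetcher) -> List[str]:
    """Re-fetch the logged pages and return the commands whose content has changed."""
    changed = []
    for entry in (e for e in audit if e["sha256"] is not None):
        _, body = fetch(entry["command"])
        if hashlib.sha256(body).hexdigest() != entry["sha256"]:
            changed.append(entry["command"])
    return changed
# Constructed sample router pages for offline use (not real device output); /FW_log.htm is deliberately absent.
SAMPLE_ROUTER = {"/RST_status.htm": b"Firmware Version V1.0.1", "/DEV_device.htm": b"192.168.1.2 laptop 00:11:22:33:44:55",
                 "/FW_remote.htm": b"Remote Management: off"}
def sample_fetcher(path: str) -> Tuple[int, bytes]:
    if path not in SAMPLE_ROUTER: raise OSError("HTTP Error 404: Not Found")  # stands in for urllib's HTTPError
    return 200, SAMPLE_ROUTER[path]
```

A verify mismatch on a volatile page such as the router log is expected once time passes, which is why the timestamped hash recorded at acquisition, not a later re-fetch, is what the report relies on.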