Cisco Security

Cisco IOS XE Software Forensic Investigation Procedures for First Responders


Introduction

Prerequisites

Step One – Cisco IOS XE Device Problem Description

Step Two – Document the Cisco IOS XE Runtime Environment

Step Three – Cisco IOS XE Image File Hash Verification

Image File Hash Verification (.bin file)

Image File Hash Verification (.conf file)

Step Four – Verify Digitally Signed Image Authenticity

Step Five – Text Memory Section Export

Acknowledgments

Related Documentation

Cisco IOS XE Device Forensic Response Checklist

Revision History




Introduction

This document provides guidance for collecting evidence from Cisco IOS XE devices that are suspected of compromise or tampering. It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on a device’s Cisco IOS XE images and includes a procedure for collecting the text memory segment so that the run-time integrity of the IOSd process can be ascertained.

Note: It is extremely important when triaging a network device for compromise or tampering that it is not rebooted. Rebooting a device during an initial assessment will irrecoverably lose all volatile information contained within the device (for example, RAM contents, ARP and routing tables, NAT translations, ACL hit and drop counts, etc.).

Note: It is highly recommended that a device suspected of tampering or compromise be isolated from the network prior to conducting an initial forensic examination. This may prevent remote unloading of any implants or malware installed on the device and will prevent an adversary from monitoring commands entered on the device under investigation.

If you require assistance or have questions regarding the procedures described in this document, contact the Product Security Incident Response Team (PSIRT).

This document contains five main sections:

  1. Cisco IOS XE Device Problem Description – Describes why the platform is a candidate for forensic examination
  2. Cisco IOS XE Runtime Environment – Collects platform configuration and runtime state
  3. Cisco IOS XE Image File Verification – Examines system image hashes for inconsistencies
  4. Digitally Signed Image Verification – Examines system and running images for proper signing characteristics
  5. Text Memory Section Export – Collects the information necessary to verify the runtime integrity of the IOSd process


Prerequisites

The procedures outlined in this document assume that the reader has a basic understanding of Cisco IOS XE Software command syntax.

A valid cisco.com account is required to view individual Cisco IOS XE file hashes for software file integrity checking. A publicly available comprehensive list of file hashes (Bulk Hash File) can be downloaded from: https://www.cisco.com/c/en/us/about/trust-center/downloads.html

A Cisco Technical Assistance Center (TAC) service request (SR) is required for the device in question as the procedures outlined in this document assume that the information gathered in each step will be uploaded to a TAC SR to be subsequently analyzed by Cisco engineers for indications of compromise or tampering.


Step One – Cisco IOS XE Device Problem Description

Describe in as much detail as possible why the device is a candidate for forensic examination. Are there configuration changes that cannot be explained? Is there unusual traffic originating from or terminating on the device? Are there anomalous entries in the device logs or in syslog messages? Is the device exhibiting odd behavior that cannot be attributed to a misconfiguration or a software/hardware defect?

Submit the problem description collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step Two – Document the Cisco IOS XE Runtime Environment

Complete the initial stage of evidence gathering by issuing a number of show and dir commands. These commands must be executed in enable mode (privileged EXEC mode), and some of the output produced may vary depending on the particular Cisco IOS XE hardware platform, software version, and/or configured features.

Execute each of the following commands in enable mode and record the output:


! display all listening sockets
show tcp brief all numeric
show udp
show ip sctp association list
show ip sockets
show platform software tcpudpport
show platform software kernel tcp brief
show platform software kernel udp brief
show platform software kernel raw brief
! process and integrity information
show platform software authenticity keys
show platform integrity sign nonce 12345
show rom-monitor rp active
show install summary
show platform software process list rp active
show platform hardware authentication status
show platform software process memory rp active name linux_iosd-imag maps
!! IOS-XE switch-specific syntax
show rom-monitor switch active
show platform software process memory switch active r0 name linux_iosd-imag maps
! enumerate file systems and files
show file systems
dir all-filesystems
! system logs – Note: core/tracelogs may exist on flash: bootflash: or harddisk:
show log
show history all
dir harddisk:/core
dir harddisk:/tracelogs

Obtain a copy of any files found under the /tracelogs directory where the filename begins with “system_shell” as these will need to be uploaded to the SR. The following is an example of a shell log file that should be preserved:

3686402  -rw-   2132  Jul 26 2018 06:16:22 +00:00  system_shell_R0.log.20180726055205 

Alternatively, the following Tcl script can be copied and pasted into the command line to collect the output from the commands listed above. Note that some of the commands contained in the script may not execute on all versions of IOS-XE Software and that targets of the dir commands may need modification depending on the hardware platform.


tclsh
##
## Cisco IOS XE Triage1 Script
## v1.0
##
## display all listening sockets
##
exec "terminal length 0"
exec "show tcp brief all numeric"
exec "show udp"
exec "show ip sctp association list"
exec "show ip sockets"
exec "show platform software tcpudpport"
exec "show platform software kernel tcp brief"
exec "show platform software kernel udp brief"
exec "show platform software kernel raw brief"
##
## process and integrity information
##
exec "show platform software authenticity keys"
exec "show platform integrity sign nonce 12345"
exec "show rom-monitor rp active"
exec "show install summary"
exec "show platform software process list rp active"
exec "show platform hardware authentication status"
exec "show platform software process memory rp active name linux_iosd-imag maps"
## IOS-XE switch-specific syntax
exec "show rom-monitor switch active"
exec "show platform software process memory switch active r0 name linux_iosd-imag maps"
##
## enumerate file systems and files
##
exec "show file systems"
exec "dir all-filesystems"
##
## system logs – Note: core/tracelogs may exist on flash: bootflash: or harddisk:
##
exec "show log"
exec "show history all"
exec "dir harddisk:/core"
exec "dir harddisk:/tracelogs"
##
##
##
tclquit

The following list of commands may also be executed to gather additional information relevant to the current operating state of the device. Although the output of these commands is not required to perform a forensic analysis of an IOS-XE platform, it may provide additional information regarding any unauthorized changes made to the device if compromise is suspected.

Execution of the following commands in this section of Step Two is optional.


terminal length 0
show clock detail
show startup-config
show reload
show ip route
show ip eigrp nei
show ip ospf nei
show ip bgp summary
show cdp nei detail
show ip arp
show ip interface
show ip interface brief
show ip nat translations verbose
show ip cache flow
show ip cef
show snmp user
show snmp group
show snmp community
show ipv6 interface brief
show ipv6 route
show processes

Alternatively, the following Tcl script can be copied and pasted into the command line to collect the output from the commands listed above. Note that some of the commands contained in the script may not execute on all versions of IOS-XE Software.


tclsh
##
## Cisco IOS XE Triage2 Script
## v1.0
##
## IOS/ROMMON Configuration & User Info
##
exec "terminal length 0"
exec "show history all"
exec "show clock detail"
exec "show startup-config"
exec "show reload"
##
## Network, SNMP, and ACL Info
##
exec "show ip route"
exec "show ip eigrp nei"
exec "show ip ospf nei"
exec "show ip bgp summary"
exec "show cdp nei detail"
exec "show ip arp"
exec "show ip interface"
exec "show ip interface brief"
exec "show tcp brief all"
exec "show sockets"
exec "show ip nat translations verbose"
exec "show ip cache flow"
exec "show ip cef"
exec "show snmp user"
exec "show snmp group"
exec "show snmp community"
exec "show ipv6 interface brief"
exec "show ipv6 route"
##
## Local Logging, Process and Memory Info
##
exec "show logging"
exec "show processes"
##
##
##
tclquit

Submit all command or script output and any system shell logs collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step Three – Cisco IOS XE Image File Hash Verification

Access the command line of the Cisco IOS XE device and issue the following command in enable mode:

show version

If the system image file has a .bin file extension as shown in the following example, execute the steps in the Image File Hash Verification (.bin file) section of this document and omit the steps in the Image File Hash Verification (.conf file) section.

System image file is "bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin"

If the system image file has a .conf file extension as shown in the following example, skip the Image File Hash Verification (.bin file) section of this document and execute the steps in the Image File Hash Verification (.conf file) section.

System image file is "bootflash:packages.conf"

Image File Hash Verification (.bin file)

Note the location and filename of the system image file obtained in the beginning of this section and execute the following command:

verify location:filename

An example of this procedure is as follows:

Router1#show version 
Cisco IOS XE Software, Version 03.13.09.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.4(3)S9, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Mon 26-Feb-18 08:59 by mcpre

Cisco IOS XE Software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS XE Software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS XE Software,
or the applicable URL provided on the flyer accompanying the IOS XE
Software.

ROM: IOS-XE ROMMON

Router1 uptime is 1 day, 15 hours, 21 minutes
Uptime for this control processor is 1 day, 15 hours, 22 minutes
System returned to ROM by reload
System image file is "bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin"
Last reload reason: Reload Command
[output truncated]

Router1#verify bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin
Verifying file integrity of bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin
...........................................................................
...........................................................................
Embedded Hash   SHA1 : 7E9EA496349FC44B223C09F6DCC89FA1F5FBA7A8
Computed Hash   SHA1 : 7E9EA496349FC44B223C09F6DCC89FA1F5FBA7A8
Starting image verification
Hash Computation:    100%Done!
Computed Hash   SHA2: 35ea9ab4825f32810def7c10aa23acb4
                      80da7bb0e4903d3e28d3ebec2bd1cd5a
                      9c5cdb6c2faf429c945efe48b78a7920
                      3ceb36bae21324d88963df3ddd6aedda
                      
Embedded Hash   SHA2: 35ea9ab4825f32810def7c10aa23acb4
                      80da7bb0e4903d3e28d3ebec2bd1cd5a
                      9c5cdb6c2faf429c945efe48b78a7920
                      3ceb36bae21324d88963df3ddd6aedda
                      
Digital signature successfully verified in file bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin
Embedded hash verification successful.

Note that the embedded hash and computed hash should return the same SHA1 (160 bit) and SHA2 (256 bit) values.

An SHA-512 hash can be calculated by adding the /sha512 parameter to the verify command as follows:

verify /sha512 location:filename

An MD5 hash can also be calculated by adding the /md5 parameter to the verify command as follows:

verify /md5 location:filename

The SHA-512 or MD5 hashes should match the values listed on CCO or in the Bulk Hash File for that particular image file.

Note: CCO contains only MD5 and SHA-512 hash values for software images.  

Repeat the previous procedure for any other system image file located on the file systems. A comprehensive list of all files can be viewed by executing the following command:

dir all-filesystems

If any of the image file hashes show inconsistencies, copy the image file in question to a secure location if possible.

copy <location>:<system_image_filename.bin> ftp:
Address or name of remote host []? <destination_ip>
Destination filename []? <destination_filename.bin>

It is highly recommended that a hash value be calculated on the copied system image file and compared to the hash value obtained on the platform to ensure that no errors were introduced during the file transfer process.

Submit all command output (including calculated hash values), the running system image, and any other system images tested in this section to the relevant TAC SR and proceed to Step Four.

Image File Hash Verification (.conf file)

Note the location and filename of the system image file obtained in the beginning of this section and execute the following command:

more location:filename

Next, issue the following command for the packages.conf image file and each unique entry listed in the contents of the packages.conf image file:

verify location:filename

An example of this procedure is as follows:

CSR1000v#show version 
Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:30 by mcpre

Cisco IOS XE Software, Copyright (c) 2005-2018 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS XE Software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS XE software,
or the applicable URL provided on the flyer accompanying the IOS XE
software.

ROM: IOS-XE ROMMON

CSR1000v uptime is 36 minutes
Uptime for this control processor is 38 minutes
System returned to ROM by reload at 22:14:54 EST Thu Jul 26 2018
System restarted at 22:16:28 EST Thu Jul 26 2018
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command
[output truncated]

CSR1000v#more bootflash:packages.conf
#! /usr/binos/bin/packages_conf.sh
sha1sum: 7ebf483217e3e7071ed796f2a17258fb60b6b2b0
boot  rp 0 0   rp_boot       csr1000v-rpboot.16.06.04.SPA.pkg
iso   rp 0 0   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 0   rp_daemons    csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_daemons    csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 0   rp_iosd       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_iosd       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 0   rp_security   csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_security   csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   fp 0 0   fp            csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   fp 0 1   fp            csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 0   rp_webui      csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_webui      csr1000v-mono-universalk9.16.06.04.SPA.pkg
boot  rp 1 0   rp_boot       csr1000v-rpboot.16.06.04.SPA.pkg
iso   rp 1 0   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 1   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 0   rp_daemons    csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 1   rp_daemons    csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 0   rp_iosd       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 1   rp_iosd       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 0   rp_security   csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 1   rp_security   csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   fp 1 0   fp            csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   fp 1 1   fp            csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 0   rp_webui      csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 1 1   rp_webui      csr1000v-mono-universalk9.16.06.04.SPA.pkg
#
# -start- superpackage .pkginfo
#
# pkginfo: Name: rp_super
# pkginfo: BuildTime: 
# pkginfo: ReleaseDate: Sun-08-Jul-18-07:07
# pkginfo: .BuildArch: x86_64
# pkginfo: BootArchitecture: i686
# pkginfo: .BootArch: i686
# pkginfo: RouteProcessor: ultra
# pkginfo: Platform: CSR1000V
# pkginfo: User: mcpre
# pkginfo: PackageName: universalk9
# pkginfo: Build: 16.06.04
# pkginfo: .SupportedBoards: ultra
# pkginfo: .InstallModel: 
# pkginfo: .PackageRole: rp_super
# pkginfo: .RestartRole: rp_super
# pkginfo: CardTypes: 
# pkginfo: .CardTypes: 
# pkginfo: .BuildPath: /scratch/mcpre/release/BLD-V16_06_04_FC3/binos/linkfarm/stage-ultra/hard/rp_super_universalk9.x86_64
# pkginfo: .Version: 16.6.4.0.3716.1531061508..Everest
# pkginfo: .InstallVersion: 1.0.0
# pkginfo: .InstallCapCommitSupport: yes

CSR1000v#verify bootflash:packages.conf
bootflash:packages.conf is detected as a provisioning file
Verifying file integrity of bootflash:packages.conf.
Embedded Hash   SHA1 : 7EBF483217E3E7071ED796F2A17258FB60B6B2B0
Computed Hash   SHA1 : 7EBF483217E3E7071ED796F2A17258FB60B6B2B0

CSR1000v# verify bootflash:csr1000v-rpboot.16.06.04.SPA.pkg
Verifying file integrity of bootflash:csr1000v-rpboot.16.06.04.SPA.pkg
...........................................................................
...........................................................................
Embedded Hash   SHA1 : 3AEDB29325BB17D02B39D295F15627286A1E2BEA
Computed Hash   SHA1 : 3AEDB29325BB17D02B39D295F15627286A1E2BEA
Starting image verification
Hash Computation:    100%Done!
Computed Hash   SHA2: f2682757e0106b9c3907962d96028608
                      89eb9325e0cb78276b0097219192143a
                      0d35fd011c0610279f0a97c55fe2ea6c
                      2aac24889967ce07344253f79267dcf2
                      
Embedded Hash   SHA2: f2682757e0106b9c3907962d96028608
                      89eb9325e0cb78276b0097219192143a
                      0d35fd011c0610279f0a97c55fe2ea6c
                      2aac24889967ce07344253f79267dcf2
                      
Digital signature successfully verified in file bootflash:csr1000v-rpboot.16.06.04.SPA.pkg

CSR1000v# verify bootflash:csr1000v-mono-universalk9.16.06.04.SPA.pkg
Verifying file integrity of bootflash:csr1000v-mono-universalk9.16.06.04.SPA.pkg
...........................................................................
...........................................................................
Embedded Hash   SHA1 : C5843C05740F1828197F3093DA294F11BA1DE37B
Computed Hash   SHA1 : C5843C05740F1828197F3093DA294F11BA1DE37B
Starting image verification
Hash Computation:    100%Done!
Computed Hash   SHA2: 14354cda30bb20d38e572275c6e1cc2a
                      0cc647459a1a34dd4267282eeaddf799
                      bda3f2048aca419ea49a417fe28fa43b
                      4e1501acb9f54fb521fe5b00e7f8337e
                      
Embedded Hash   SHA2: 14354cda30bb20d38e572275c6e1cc2a
                      0cc647459a1a34dd4267282eeaddf799
                      bda3f2048aca419ea49a417fe28fa43b
                      4e1501acb9f54fb521fe5b00e7f8337e
                      
Digital signature successfully verified in file bootflash:csr1000v-mono-universalPA.pkg

Note that the embedded hash and computed hash should return the same SHA1 (160 bit) and SHA2 (256 bit) values.

An SHA-512 hash can be calculated by adding the /sha512 parameter to the verify command as follows:


verify /sha512 location:filename

An MD5 hash can also be calculated by adding the /md5 parameter to the verify command as follows:


verify /md5 location:filename

The SHA-512 or MD5 hashes should match the values listed on CCO or in the Bulk Hash File for that particular image file.

Note: CCO contains only MD5 and SHA-512 hash values for software images.

Repeat the above procedure for any other system image file located on the file systems. A comprehensive list of all files can be viewed by executing the following command:


dir all-filesystems

If any of the image file hashes show inconsistencies, copy the image file in question to a secure location if possible.


copy <location>:<system_image_filename.bin> ftp:
Address or name of remote host []? <destination_ip>
Destination filename []? <destination_filename.bin>

It is highly recommended that a hash value be calculated on the copied system image file and compared to the hash value obtained on the platform to ensure that no errors were introduced during the file transfer process.

Submit all command output (including calculated hash values), the running system image, and any other system images tested in this section to the relevant TAC SR, and proceed to Step Four of this document.
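For a .conf install, the procedure above calls for one verify of packages.conf and one of every unique package it names. The following Python is an added example, not Cisco's code: it parses a packages.conf copied off the device, lists the distinct .pkg files, emits the verify commands, and cross-checks the file's sha1sum line against the Embedded and Computed SHA1 values the device prints for it. SAMPLE_PACKAGES_CONF is a constructed, abbreviated excerpt modelled on the one shown above, and the bootflash: prefix is an assumption.

```python
"""Turn a Cisco IOS XE packages.conf into the list of files Step Three must verify.
Added example, not part of the Cisco document. SAMPLE_PACKAGES_CONF is a
constructed, abbreviated excerpt modelled on the one shown in the document."""
import re
from typing import Dict, List, Tuple

SAMPLE_PACKAGES_CONF = """#! /usr/binos/bin/packages_conf.sh
sha1sum: 7ebf483217e3e7071ed796f2a17258fb60b6b2b0
boot  rp 0 0   rp_boot       csr1000v-rpboot.16.06.04.SPA.pkg
iso   rp 0 0   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   rp 0 1   rp_base       csr1000v-mono-universalk9.16.06.04.SPA.pkg
iso   fp 0 0   fp            csr1000v-mono-universalk9.16.06.04.SPA.pkg
boot  rp 1 0   rp_boot       csr1000v-rpboot.16.06.04.SPA.pkg
#
# pkginfo: Name: rp_super
# pkginfo: Build: 16.06.04
"""

# <boot|iso> <rp|fp> <two numeric fields, kept opaque here> <role> <package file>
ENTRY_RE = re.compile(r"^(boot|iso)\s+(rp|fp)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
SHA1_RE = {
    "embedded": re.compile(r"Embedded Hash\s+SHA1\s*:\s*([0-9a-fA-F]{40})"),
    "computed": re.compile(r"Computed Hash\s+SHA1\s*:\s*([0-9a-fA-F]{40})"),
}


def parse_packages_conf(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (declared sha1sum in lower-case hex, or '' if absent; boot/iso entries).
    Comment and '# pkginfo:' lines are ignored."""
    sha1 = ""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("sha1sum:"):
            sha1 = line.split(":", 1)[1].strip().lower()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"type": m.group(1), "card": m.group(2),
                            "role": m.group(5), "file": m.group(6)})
    return sha1, entries


def unique_packages(entries: List[Dict[str, str]]) -> List[str]:
    """Distinct package files in first-seen order; each needs one verify run."""
    files: List[str] = []
    for entry in entries:
        if entry["file"] not in files:
            files.append(entry["file"])
    return files


def verify_commands(conf_text: str, location: str = "bootflash:",
                    conf_name: str = "packages.conf") -> List[str]:
    """verify commands for the provisioning file itself and every package it names.
    The bootflash: prefix is an assumption; use the location show version reported."""
    _, entries = parse_packages_conf(conf_text)
    return [f"verify {location}{name}" for name in [conf_name] + unique_packages(entries)]


def check_embedded_sha1(conf_text: str, device_verify_output: str) -> bool:
    """True only when the sha1sum line in packages.conf, the Embedded Hash SHA1 and
    the Computed Hash SHA1 printed by `verify` for that file all agree."""
    sha1, _ = parse_packages_conf(conf_text)
    found = {k: rx.search(device_verify_output) for k, rx in SHA1_RE.items()}
    if not sha1 or not all(found.values()):
        return False
    return sha1 == found["embedded"].group(1).lower() == found["computed"].group(1).lower()
```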


Step Four – Verify Digitally Signed Image Authenticity

Cisco IOS XE Software implements digitally signed system images on most platforms. Digitally signed Cisco software uses asymmetric (public-key) cryptography that increases the security posture of Cisco IOS XE devices by ensuring that the software running on the system has not been altered and that the software originates from a trusted source.

The authenticity and integrity of a system image file can be verified by using the following command:


show software authenticity file location:filename

An example of this procedure follows:


Router1#:show software authenticity file bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin  
File Name                     : bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : IOS-XE
        Organization Name     : CiscoSystems
    Certificate Serial Number : 5A94807E
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A

The Organization Unit, Organization Name, and the Certificate Serial Number values can be viewed to verify that the system image signature is valid.

It is also important to verify the authenticity and integrity of the running system image, and this can be accomplished with the following command:


show software authenticity running

Note: This procedure may not produce command output when executed on Cisco IOS XE virtual devices such as the CSR1000V.

An example of this procedure follows:

Router1# show software authenticity running 
SYSTEM IMAGE
------------
Image type                    : Production
    Signer Information
        Common Name           : CiscoSystems
        Organization Unit     : IOS-XE
        Organization Name     : CiscoSystems
    Certificate Serial Number : 5A94807E
    Hash Algorithm            : SHA512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A

    Verifier Information
        Verifier Name         : ROMMON
        Verifier Version      : System Bootstrap, Version 16.3(2r
Microloader
-----------
Image type                    : Release
    Signer Information
        Common Name           : CiscoSystems
        Organization Name     : CiscoSystems
    Certificate Serial Number : 4143616e6e65642d5348413235362d48
    Hash Algorithm            : HMAC-SHA256
    Verifier Information
        Verifier Name         : Hardware Anchor
        Verifier Version      : ACannedHwAnchorVersionApril2012

The Organization Unit, Organization Name, and the Certificate Serial Number values can be viewed to verify that the system image signature is valid, and the Certificate Serial Number should be the same as the value obtained from the show software authenticity file command. In the examples above, the authenticity check of the IOS-XE Software image on the boot flash and the authenticity check of the running image both produce a value of 5A94807E.

It is also recommended that digital signatures are verified for all other .bin and .pkg files resident on the device’s file systems. This can be accomplished with the following command:

show platform software authenticity verify location:filename

An example follows:

Router1#:show platform software authenticity verify bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin

Digital signature successfully verified in file bootflash:asr1000rp2-advipservicesk9.03.13.09.S.154-3.S9-ext.bin

Note: Some Cisco IOS XE platforms may require that service internal be configured prior to issuing the show platform software authenticity verify command.

Submit all command output collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step Five – Text Memory Section Export

This section outlines the procedure to collect the necessary information to verify the run-time integrity of the IOSd process from a device running Cisco IOS XE Software.

Unlike Cisco IOS Software, Cisco IOS XE Software does not currently support a method to generate a core file from a Cisco IOS XE device. Therefore, the IOSd executable code must be collected manually from the system:memory/text region to verify runtime integrity.

Note: This procedure requires Cisco IOS XE Software version 15.5.1 or later. The text region in earlier versions of Cisco IOS XE Software may point to the text section of a library instead of the executable code of the IOSd process.

Access the command line interface of the Cisco IOS XE device and issue the following command in enable mode to view the system:memory/text entry:


dir system:memory

Copy the system:memory/text region to a file server using ftp or scp.


copy system:memory/text ftp:

An example of this procedure follows:


Router1#dir system:memory
Directory of system:/memory/
    8   -r--       26460576     <no date> bss
    7   -r--          59584     <no date> data
    5   -r--  -    24686336     <no date> heap
    4   -r--        6295128     <no date> lsmpi_mem
    9   -r--         196608     <no date> stack
    6   -r--         303844     <no date> text

No space information available

Router1#copy system:memory/text ftp:
Address or name of remote host []? 192.168.1.1
Destination filename [text]? asr1004_main_text
Writing asr1004_main_text !!!!!!
303844 bytes copied in 4.641 secs (65470 bytes/sec)

It is highly recommended that hash values be calculated for the device’s system:memory/text region and for the file that was copied to the file server to ensure that no errors were introduced during the file transfer process.

To calculate a hash value for the system:memory/text region, execute the following command:


verify /md5 system:memory/text

An example of this procedure follows:


Router1#verify /md5 system:memory/text
.....Done!
verify /md5 (system:memory/text) = 53271c3c2baae5f6f9666db3031d478f

Next, calculate a hash value for the file transferred to the file server. This example uses the Microsoft File Checksum Integrity Verifier (FCIV) for Windows operating systems, which can be downloaded here.


C:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is C21A-84D2

 Directory of C:\temp

06/15/2018  10:37 AM    <DIR>
06/15/2018  10:37 AM    <DIR>
06/15/2018  10:19 AM           303,844 asr1004_main_text
               1 File(s)        303,844 bytes
               2 Dir(s)  2,137,176,567,808 bytes free

C:\temp>fciv asr1004_main_text -md5
//
// File Checksum Integrity Verifier version 2.05.
//
53271c3c2baae5f6f9666db3031d478f asr1004_main_text

Note that the IOS-XE verify command and the fciv utility both produce an MD5 hash value of 53271c3c2baae5f6f9666db3031d478f.

Alternatively, an MD5 hash value can be calculated with the md5sum utility, which is included with most Linux distributions.


root@ftp-server:~# md5sum asr1004_main_text
53271c3c2baae5f6f9666db3031d478f asr1004_main_text
root@ftp-server:~# 
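The comparison that Step Three and this step both require (the hash the device printed against the hash of the transferred copy) can be automated on the analysis host. The following Python is an added example, not part of the Cisco document: it parses the verify output formats shown in this document, including the SHA2 digest the device wraps across four lines, selects the hash algorithm by digest length, and compares each value with the local file. The hashes in SAMPLE_BIN_VERIFY are copied from this document's example output; make_sample() writes a constructed file and fabricates the matching verify /md5 line so the check runs offline.

```python
"""Confirm an exported Cisco IOS XE file (a system image or the system:memory/text
region) arrived intact: parse the hashes the device printed and compare them with
hashes of the local copy. Added example, not part of the Cisco document; hashes in
SAMPLE_BIN_VERIFY are copied from the document's verify output."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# The device labels digests MD5/SHA1/SHA2/SHA512; the digest length is what
# identifies the algorithm (the wrapped "SHA2" value is 128 hex digits).
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# `verify /md5 (system:memory/text) = <hex>` (also /sha512)
ONE_LINE_RE = re.compile(r"verify /(md5|sha512) \(\S+\) = ([0-9a-fA-F]+)")
# `Embedded Hash   SHA1 : <hex>`; a SHA2 value continues on indented hex-only lines
HASH_LINE_RE = re.compile(r"^(Embedded|Computed) Hash\s+(SHA1|SHA2)\s*:\s*([0-9a-fA-F]+)\s*$")
CONT_RE = re.compile(r"^\s+([0-9a-fA-F]+)\s*$")

SAMPLE_BIN_VERIFY = """Embedded Hash   SHA1 : 7E9EA496349FC44B223C09F6DCC89FA1F5FBA7A8
Computed Hash   SHA1 : 7E9EA496349FC44B223C09F6DCC89FA1F5FBA7A8
Computed Hash   SHA2: 35ea9ab4825f32810def7c10aa23acb4
                      80da7bb0e4903d3e28d3ebec2bd1cd5a
                      9c5cdb6c2faf429c945efe48b78a7920
                      3ceb36bae21324d88963df3ddd6aedda

Embedded Hash   SHA2: 35ea9ab4825f32810def7c10aa23acb4
                      80da7bb0e4903d3e28d3ebec2bd1cd5a
                      9c5cdb6c2faf429c945efe48b78a7920
                      3ceb36bae21324d88963df3ddd6aedda
"""


def parse_device_output(text: str) -> Dict[str, Dict[str, str]]:
    """Return {"Embedded": {label: hex}, "Computed": {label: hex}} from verify output.
    A one-line `verify /md5 ... = <hex>` result is recorded under "Computed"."""
    found: Dict[str, Dict[str, str]] = {"Embedded": {}, "Computed": {}}
    pending: Optional[Tuple[str, str]] = None  # (kind, label) whose digest is wrapping
    for raw in text.splitlines():
        m = ONE_LINE_RE.search(raw)
        if m:
            found["Computed"][m.group(1).upper()] = m.group(2).lower()
            pending = None
            continue
        m = HASH_LINE_RE.match(raw)
        if m:
            kind, label = m.group(1), m.group(2)
            found[kind][label] = m.group(3).lower()
            pending = (kind, label)
            continue
        m = CONT_RE.match(raw)
        if m and pending:
            found[pending[0]][pending[1]] += m.group(1).lower()
            continue
        pending = None  # blank lines, dots and status text end a wrapped digest
    return found


def hash_local_file(path: str) -> Dict[str, str]:
    """Hash the local copy with every algorithm the device can report."""
    hashers = {name: hashlib.new(name) for name in ALGO_BY_HEXLEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_transfer(local_path: str, device_output: str) -> dict:
    """Compare device-printed hashes with the local copy and confirm the device's
    own Embedded/Computed pairs agree. "ok" is True only when everything matches."""
    dev = parse_device_output(device_output)
    local = hash_local_file(local_path)
    report = {"algorithms": {}, "embedded_matches_computed": True, "ok": True}
    for label, dev_hex in dev["Computed"].items():
        algo = ALGO_BY_HEXLEN.get(len(dev_hex))  # length, not label, picks the algorithm
        match = algo is not None and local[algo] == dev_hex
        report["algorithms"][label] = {"algorithm": algo, "device": dev_hex, "local": local.get(algo), "match": match}
        report["ok"] = report["ok"] and match
    for label, embedded in dev["Embedded"].items():
        if dev["Computed"].get(label) != embedded:
            report["embedded_matches_computed"] = False
            report["ok"] = False
    if not report["algorithms"]:
        report["ok"] = False  # nothing to compare against is itself a finding
    return report


def make_sample() -> Tuple[str, str]:
    """Write constructed bytes standing in for an exported text region to a temp
    file and fabricate the matching `verify /md5` line the device would print."""
    data = b"constructed sample bytes standing in for system:memory/text\n" * 64
    path = os.path.join(tempfile.mkdtemp(), "asr1004_main_text")
    with open(path, "wb") as fh:
        fh.write(data)
    return path, "verify /md5 (system:memory/text) = " + hashlib.md5(data).hexdigest()
```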

Submit all command output (including calculated hash values) and the file containing the system:memory/text output to the relevant TAC SR.


Acknowledgments

The author would like to thank all members of the Customer Experience Security Programs (CXSP) and Advanced Security Initiatives Group (ASIG) who provided their expertise for this document. A special note of thanks to Xavier Brouckaert of ASIG whose contributions greatly enhanced the efficacy of the forensic procedures contained in this publication.


Cisco IOS XE Device Forensic Response Checklist


Step 1 – Create the Cisco IOS XE Device Problem Description

Device Problem Description uploaded to SR 

Step 2 – Document the Cisco IOS XE Runtime Environment

Output of listening sockets show commands uploaded to SR 

Output of process & integrity show commands uploaded to SR 

Output of file systems show commands uploaded to SR 

Output of system logs show commands uploaded to SR 

All system shell log files uploaded to SR 

Output of other show commands uploaded to SR (Optional) 

Step 3 – Cisco IOS XE Image File Hash Verification

Output of verify on system image files uploaded to SR 

Copy of the running system image file uploaded to SR 

Image files with hash inconsistencies uploaded to SR 

Step 4 – Verify Digitally Signed Image Authenticity

Output of show software authenticity file uploaded to SR 

Output of show software authenticity running uploaded to SR 

Step 5 – Text Memory Section Export

Output of copy system:memory/text uploaded to SR 

Output of verify /md5 system:memory/text uploaded to SR 


Revision History

Version   Date        Author      Comments
1.0       8/19/2019   Dan Maunz   Initial public release.


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

