Cisco is pleased to announce a new addition to the Forensic Investigation Procedures for First Responders series of documents that will help customers and partners triage Cisco products that are suspected of being tampered with or compromised. These guides provide step-by-step instructions for first responders that can be used to assess platform integrity and collect information that can be used for forensic analysis.
This new document is available on the Cisco.com Security Portal under Tactical Resources, Responding to a Security Incident.
The newly released document is listed below, along with a brief description.
Cisco StarOS Software Forensic Investigation Procedures for First Responders
This document provides steps for assessing the integrity of and collecting forensic information from the Cisco ASR5000 and ASR5500 family of platforms, and Quantum Virtual Packet Core (QVPC) virtual machines running Cisco StarOS Software.
This document contains procedures for collecting platform configuration and runtime state, verifying the hash value of the StarOS system image file, gathering core files from critical system processes, and collecting non-volatile system information and artifacts, including process lists, installed kernel modules, IP tables, and the system startup script.