This is a demo of my Network Appliance Forensic Toolkit that was featured in the ISSA Journal of December 2012. All commands start with NAFT. You have one for generic frame extraction, one for IOS core dumps and one for IOS images. I will be demoing those three commands. Here I have a couple of dumps to work on, from routers, from a Windows laptop and from a Mac machine. Here I have a couple of images for the Cisco routers.

Let's start with the generic frame extraction. This command will look into a file for IPv4 frames and extract them to a pcap file. We will store the frames in test.pcap, and I will first of all be extracting them from this dump. Now you can see that it extracted IPv4 packets and ARP frames. We found 213 frames and one packet, and in total we have 194 frames inside the pcap file. The smaller number is due to the fact that the generic frame extraction tool will eliminate duplicates.

Now let's do the same for the Windows XP image. This is a memory image of 500 megabytes, so it takes a bit longer to analyze. A bit of patience here. It takes some time to look through 500 megabytes. We have 2054 frames in the pcap file. You can have a look at that file with Wireshark. Here you can see all kinds of frames, DNS, HTTP, all packets that were found in the RAM dump of that Windows XP machine.

The OS X memory dump that I have is 2 gigabytes, and you will see that this is too large to load into the Python interpreter here. Again the same command, with the Mac Mountain Lion image. There we get a malloc error. There is not enough memory to fit this file into memory. The thing to do here is to work with buffered input. There is an option, -b, buffer, that will read the file in blocks of 100 megabytes with a 1 megabyte overlap buffer. So that's what we are going to do here. Since this file of 2 gigabytes doesn't fit into memory, we use option -b to proceed with the buffered read.
You can see here that 101 megabytes was read and is now being searched through, and then the next one. This will handle the complete file. So let's fast forward here. We are almost at the end here. 184 frames inside the pcap file.

The second command I want to look at is specific for IOS: Cisco IOS core dumps. It's to analyze core dumps from Cisco IOS routers. So NAFT ICD, IOS core dumps. And here you have the different commands that you can issue. There is also a command to extract frames, but this one is specific for IOS. It's not generic. So this one knows about the structure of frames inside IOS core dumps. ICD, so, frames. I provide it with the core dump and the IOMem core dump of the router, and we store it in test.pcap. That's where the output will be stored, the frames that are extracted from memory. And you can see that we look into the memory for packet headers, and then we extract these and look for the packets in IOMem.

Maybe you know the show region command that shows the regions of memory that are mapped into your IOS router. You can also issue this command with ICD. So regions, dump. And here you have the different memory regions that are found in this dump.

Another command is CW strings. Cisco IOS images and Cisco IOS core dumps contain strings that start with CW, and these strings contain the identification of the image. So you can run this command on a core dump like this, and then you can see which version of IOS and on which device it was running.

You can look into the heap, and this command will dump all the memory that is being assigned in the heap, just like you would use the show command to view this. Here you have all the chunks in the heap. Now these usually have a name, and you can view that name with the resolve option, -r. This will resolve the names, and then you can see here the different chunks of the heap that have been assigned for different processes. For example, this one here is for SSH. You can also search into the heap. So heap.
And now I'm going to filter for all chunks in the heap that contain TTY data. And these here are all chunks in the heap that contain TTY data. Now you can dump the strings that are contained in those chunks in the heap by using option -s to dump the strings. So I filter for TTY data and I do -s to search for the strings. And then you have all the strings that you can find in those pieces of memory in the heap manager. For example, this one here is the password that I used to log on to this router.

You can also look into the memory of the init process. So let's filter for init. I want to dump all the strings of the init heap manager chunks. But then I'm also going to grep, and I'm going to grep for strings that contain commands. So cmd, like this. And then you can see all kinds of command messages that were issued here by this router.

This command also allows you to view the processes with the processes command. And here you have all the running processes on that router when the dump was made. You can also view the history, the command line history. Here are all the different commands in the history. Those are, for example here, you can see the command that I issued to write the core, and the show region command. And this command here actually comes from the config file. Other interesting information you can extract from this memory dump are the events, the different events that can be sent to syslog.

And the last command I want to show you is check text. This command will compare an IOS image stored in a file, the IOS image itself, with what it finds in memory. Because the IOS image is loaded and decompressed into memory, what you find in that image file you should also find in memory. If there is a difference, then it can mean two things: you're not looking at the right IOS file, or the IOS image has been modified in memory on the router, so it has been tampered with. So check text. I provided a core dump now from a different router here.
And then I also provided an image. This is the image. So now the command is extracting the code from the image, and extracting the code from the memory dump, and comparing them. And we can see now that there is a small difference. So the CW strings are equivalent. It's the same description, so it's the same version of IOS, this version here. But there is a small difference in the text: 48 bytes are different. And this is actually because the dump that I took off that router is not actually from this image, but from a slightly modified image that I made so that the canary value is different.

So let's issue this command again, now with this version. This is the actual version of IOS that was running on the router. So it is extracting that code from the image and also extracting the code from the dump and comparing them. The CW strings are equivalent, and now we know that the text is identical. So the code in the image and the code in memory is identical. It's the same.

And the last thing we have a look at is the NAFT command to analyze Cisco IOS image files. It's NAFT II. This is the command. So you provide it an image file, this one here, and now it will unpack that image file and analyze it and report back. You have the CW strings and then all kinds of information, like the entry point, the number of sections, the embedded MD5, and the different checksums, telling you whether they are identical or not. You can also extract the code, and you can extract it in a way that you can then load it in IDA Pro for further analysis. You do that with the IDA Pro option, like this. So this is the name of the image file, and you can find it here. There have been a small number of modifications made to that file so that IDA Pro will recognize the correct processor and start to disassemble this image.
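The generic frame extraction described at the start of the demo (carving IPv4 frames out of a memory dump into a pcap, the buffered -b read in overlapping blocks, and the duplicate elimination that explains why the pcap holds fewer frames than were found), as an added Python example that is not NAFT's own code. It validates an Ethernet II + IPv4 header by version, header length, total length and IP header checksum, scans in overlapping windows, drops repeats, and emits a classic libpcap file; the frames and the stand-in dump are constructed, and the validation rules and default block sizes are my assumptions, not NAFT's implementation.

```python
import struct
def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum of the IPv4 header; a valid header sums to 0."""
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_frame_len(buf: bytes, i: int) -> int:
    """Length of an Ethernet II + IPv4 frame starting at buf[i], or 0 if the bytes do not validate."""
    ip = i + 14
    if i < 0 or buf[i + 12:ip] != b'\x08\x00' or len(buf) < ip + 20 or buf[ip] >> 4 != 4:
        return 0
    ihl, total = (buf[ip] & 0x0F) * 4, struct.unpack('!H', buf[ip + 2:ip + 4])[0]
    if ihl < 20 or total < ihl or len(buf) < ip + total or ip_checksum(buf[ip:ip + ihl]):
        return 0
    return 14 + total

def extract_frames(data: bytes, block: int = 100 * 2**20, overlap: int = 2**20) -> list:
    """Scan in `block`-sized windows overlapping by `overlap` bytes (the -b idea); dedupe results."""
    seen, frames, pos = set(), [], 0
    while pos < len(data):
        window = data[pos:pos + block + overlap]
        j = window.find(b'\x08\x00')              # candidate EtherType position
        while j != -1:
            n = ipv4_frame_len(window, j - 12)     # 12 = dst MAC + src MAC
            fr = window[j - 12:j - 12 + n]
            if n and fr not in seen:               # the overlap re-finds frames: keep one copy
                seen.add(fr); frames.append(fr)
            j = window.find(b'\x08\x00', j + 1)
        pos += block
    return frames

def build_pcap(frames: list) -> bytes:
    """Classic libpcap bytes: global header (link type 1 = Ethernet) + one record per frame."""
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for k, fr in enumerate(frames):                # a RAM dump has no timestamps: use the index
        out.append(struct.pack('<IIII', k, 0, len(fr), len(fr)) + fr)
    return b''.join(out)

def make_frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample frame (not from a real dump): Ethernet II + IPv4 header + payload."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack('!H', ip_checksum(hdr)) + hdr[12:]
    return bytes(range(12)) + b'\x08\x00' + hdr + payload

FRAME_A = make_frame(b'\x0a\x00\x00\x01', b'\x0a\x00\x00\x02', b'hello')
FRAME_B = make_frame(b'\x0a\x00\x00\x02', b'\x0a\x00\x00\x01', b'reply')
BAD_A = FRAME_A[:30] + bytes([FRAME_A[30] ^ 0xFF]) + FRAME_A[31:]   # corrupted copy: checksum fails
SAMPLE_DUMP = b'\x00' * 300 + FRAME_A + b'junk' * 20 + FRAME_B + b'\xff' * 100 + FRAME_A + BAD_A + b'\x00' * 50

if __name__ == '__main__':
    found = extract_frames(SAMPLE_DUMP, block=64, overlap=64)   # tiny blocks to exercise the overlap
    open('test.pcap', 'wb').write(build_pcap(found))
```

The constructed dump holds the same frame twice plus a corrupted copy, so two unique frames reach the pcap whether the dump is scanned in one piece or in overlapping blocks.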