Volatile Data Collection Procedures

There are a number of key points to remember when collecting volatile evidence from a router or switch, as outlined in the following lists. Depending on the situation, it may be necessary to disconnect selected interfaces or attached devices, but always attempt to minimize any changes to the device.

DO:

▪ Access the device through the console where possible.

▪ Record your entire console session, starting before you connect to the device.

▪ Run show commands from a script.

▪ Record the actual time and the router's time; take screenshots.

▪ Record the volatile information.

DON'T:

▪ Reboot the router ( ever!).

▪ Access the router through the network unless it is isolated.

▪ Run configuration commands.

▪ Rely only on persistent ...

Get Cisco Router and Switch Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Cisco Router and Switch Forensics by Dale Liu

Volatile Data Collection Procedures

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly