The Incident

Once on the scene, we first gathered the non-volatile information. Now we progress to the volatile information. What is in the router's memory? What changes occurred between the startup config and the running config? We will also look at the syslog messages sent from the router to the machines recording these messages. As noted in the configuration, two machines were collecting syslog messages, so we can compare and contrast the two machines and note any discrepancies.
The first things we collect are the startup and running configs, and we check whether and how they differ:
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Instructor_rtr
!
boot-start-marker
boot-end-marker
!
no ...
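The two comparisons described above (startup-config against running-config, and one syslog collector against the other) are mechanical enough to script. The following is an added example, not code from the book: it diffs two config texts the way an investigator would eyeball them, parses the syslog lines each collector stored, and reports messages that one collector has and the other does not. Every input is a constructed sample; the hostname is taken from the page, while the addresses, the second CONFIG_I event and the dropped logging host are hypothetical and exist only to show what a discrepancy looks like.

```python
"""Added example (not from the book): diff a router's startup-config against
its running-config and cross-check syslog records from two collectors.
All inputs are constructed samples; addresses and events are hypothetical."""
import difflib
import re

# Constructed startup-config (what was saved to NVRAM).
STARTUP_CONFIG = """\
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Instructor_rtr
!
logging 192.0.2.10
logging 192.0.2.11
!
line vty 0 4
 transport input ssh
!
"""

# Constructed running-config: since the last save, one logging host was
# removed and the HTTP server and telnet were enabled.
RUNNING_CONFIG = """\
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Instructor_rtr
!
ip http server
logging 192.0.2.10
!
line vty 0 4
 transport input ssh telnet
!
"""

# Constructed syslog as stored by two collectors. Each line carries the
# collector's own receive stamp, the source address, then the router's
# message with its uptime stamp (per 'service timestamps log uptime').
COLLECTOR_A = """\
Mar  1 10:02:11 192.0.2.1 00:03:01: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
Mar  1 10:02:40 192.0.2.1 00:03:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Mar  1 10:05:02 192.0.2.1 00:05:52: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
"""
COLLECTOR_B = """\
Mar  1 10:02:12 192.0.2.1 00:03:01: %SYS-5-CONFIG_I: Configured from console by vty0 (198.51.100.7)
Mar  1 10:02:41 192.0.2.1 00:03:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
"""

SYSLOG_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<src>\S+)\s+(?P<uptime>\S+):\s+"
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$"
)


def config_lines(text):
    """Keep only meaningful lines: drop '!' separators and blanks, preserve order."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def diff_configs(startup, running):
    """Lines present only in running ('added') and only in startup ('removed')."""
    added, removed = [], []
    for line in difflib.unified_diff(config_lines(startup), config_lines(running),
                                     fromfile="startup-config", tofile="running-config",
                                     lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # skip file headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {"added": added, "removed": removed}


def parse_syslog(text):
    """Parse collector lines into (uptime, mnemonic, text), dropping the collector's own stamp."""
    events = []
    for ln in text.splitlines():
        m = SYSLOG_RE.match(ln)
        if m:
            events.append((m["uptime"], m["mnemonic"], m["text"]))
    return events


def compare_collectors(a_text, b_text):
    """Events one collector recorded and the other did not, keyed on the router's own stamp."""
    a, b = set(parse_syslog(a_text)), set(parse_syslog(b_text))
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}


def config_change_events(text):
    """Router-side records of configuration changes, for correlation with the config diff."""
    return [e for e in parse_syslog(text) if e[1] == "SYS-5-CONFIG_I"]


if __name__ == "__main__":
    d = diff_configs(STARTUP_CONFIG, RUNNING_CONFIG)
    print("added since last save:  ", d["added"])
    print("removed since last save:", d["removed"])
    c = compare_collectors(COLLECTOR_A, COLLECTOR_B)
    print("only on collector A:", c["only_a"])
    print("only on collector B:", c["only_b"])
    print("config changes seen by A:", config_change_events(COLLECTOR_A))
```

In the constructed data the config diff shows `logging 192.0.2.11` removed, and the syslog comparison shows that the second CONFIG_I message reached only collector A. Read together, the router's own timestamp on that message dates the change, and the gap on the second collector is exactly the discrepancy the text says to look for. Keying the comparison on the router's uptime stamp rather than the collectors' receive times avoids false mismatches from clock skew between the two collecting hosts.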
