Network Device Forensics
Didier Stevens posted a video on his blog about Network Device Forensics.
The main part of the “Network Device Forensics Talk” describes the “Network Appliance Forensic Toolkit”, aka NAFT. NAFT is an open source toolkit, written in Python, with which you can analyze memory dumps and images from network devices.
The Network Appliance Forensic Toolkit consists of the following modules:
- naft-gfe.py: Network Appliance Forensic Toolkit – Generic Frame Extraction. This tool extracts frames from files by searching for ARP frames and IPv4 headers with valid checksums, and stores the extracted frames in a PCAP file.
- naft-icd.py: Network Appliance Forensic Toolkit – IOS Core Dumps. This tool analyses IOS core dumps. In this version of the tool, the memory is assumed not to be corrupted (e.g. by heap corruption).
- naft-ii.py: Network Appliance Forensic Toolkit – IOS Image. This tool analyses IOS image files.
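To illustrate the carving approach naft-gfe.py takes for IPv4 (scan every offset of a dump, accept a header only when its checksum verifies, write the hits to a PCAP file), here is a small added example; it is not NAFT's code, and it assumes the carved packets start at the IP header, so the pcap is written with link type RAW (101) rather than Ethernet. The sample dump, the addresses and the decoy bytes are constructed for the demo.

```python
import struct
LINKTYPE_RAW = 101  # pcap link type for packets that begin at the IPv4 header

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when the stored header checksum is valid."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def find_ipv4_headers(data: bytes):
    """Yield (offset, header_len, total_len) wherever a plausible IPv4 header's checksum verifies."""
    for off in range(len(data) - 19):
        v_ihl = data[off]
        ihl = (v_ihl & 0x0F) * 4
        if v_ihl >> 4 != 4 or ihl < 20 or off + ihl > len(data):
            continue
        total_len = struct.unpack_from("!H", data, off + 2)[0]
        if total_len >= ihl and ipv4_checksum(data[off:off + ihl]) == 0:
            yield off, ihl, total_len

def carve_ipv4_packets(data: bytes):
    """Return [(offset, packet_bytes)]; a packet cut off by the end of the dump is truncated."""
    return [(off, data[off:off + tl]) for off, _, tl in find_ipv4_headers(data)]

def pcap_bytes(packets) -> bytes:
    """Serialise carved packets as a classic pcap file (timestamps unknown, so zero)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for pkt in packets:
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

def build_ipv4_packet(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Used only to build the constructed sample: IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0, 64, proto, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr) + payload

# Constructed stand-in for a memory dump: filler, one real IPv4/ICMP echo request,
# then a decoy that begins like an IPv4 header but whose checksum does not verify.
SAMPLE_DUMP = (
    b"\x00" * 7
    + build_ipv4_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1, b"\x08\x00\xf7\xff" + b"\x00" * 4)
    + b"\x45\x00\x00\x1c" + b"\xff" * 16
    + b"\x00" * 5
)
```

`carve_ipv4_packets(SAMPLE_DUMP)` finds only the real packet at offset 7 (28 bytes) and rejects the decoy; writing `pcap_bytes(...)` to a file gives a capture Wireshark opens directly.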
You can find the “Network Device Forensics Talk” here.
More info about the Network Appliance Forensic Toolkit can be found here.