Δαμίρης, Γεώργιος - Παρασκευάς
Damiris, Giorgos - Paraskevas
Network forensics consists of the identification, preservation and extraction of evidence from an event that has occurred over the network. Evidence for that event can be found not only through the monitored network traffic but also on different devices. Router forensics includes the techniques used to extract information about an event that occurred on a router. Routers perform the traffic-directing functions on the Internet. If a malicious user successfully attacks and gains access to a router or a switch of the network, he can then monitor and modify any traffic to and from that network, while also making it very hard for the end user to find out whether the network is compromised or not. In this diploma thesis, the techniques by which evidence can be extracted from a CISCO router are described. There is an analysis of how an investigator can acquire evidence when physical access to the router is available. Also, there is an analysis of how a memory dump and remote file extraction can be performed so as not to tamper with the state of the router and lose certain data. Furthermore, through a case study in collaboration with the cyber defense department of the Hellenic Army IT Support Center (ΚΕΠΥΕΣ), there is an analysis of how different functionalities of CISCO routers can be exploited to give an advantage to a malicious user. To help with the analysis, the Volatility framework was studied and used to extract the information contained in the memory dump of the router.