Cisco Router and Switch Forensics

Author: Dale Liu
Publisher: Syngress, 2009
Pages: 504
ISBN: 978-1597494182
Aimed at: Network administrators
Rating: 2
Pros: CSI-style approach adds interest
Cons: Insufficient technical detail
Reviewed by: Harry Fairhead

So you arrive on the scene with your bag of forensic tools. You tape off the site and begin your investigation. Such is the angle that this book takes to the problem of finding out what is happening in a Cisco-based network. It presupposes that you have been parachuted in as some sort of CSI-style expert to find the intruder or whatever is wrong with the system. It even goes as far as discussing the problems and procedures of "communicating with on-scene personnel" and what equipment you need in your scene-of-crime bag.

From a technical point of view it is not initially very deep. You are expected to document everything to create a network diagram. The book then goes over the very basics of networking - firewalls, DNS, DHCP, VLANs and network topologies.

By Chapter Six we have moved on to the core material - how to deal with a Cisco router. But first we have to go through the mechanics of how to connect using HyperTerminal. After such basics we have an introduction to configuring a router using the command line.

Finally in Chapter Seven we get to some details of what intruders might do and how we might detect them. This is mainly an explanation of basic attack modes and how to use tools such as Nmap and other scanning tools. From this point the subject changes to collecting data from the router to be used in further investigations - complete with long and fairly meaningless listings of the output of such dumps. The final two chapters are on IOS and Cisco switches and how to prepare your final report.

Most of the time the technical level seems to be aimed at the complete beginner and the FAQ sections at the end of each chapter are very basic and/or idiosyncratic.

This is a very strange book that probably will not be of much interest if you are a network administrator, because you probably don't want to behave like a network CSI man. On the other hand, if you do want to be a network CSI man then I would suggest that you start by learning a lot more about network technologies, tools, IOS and Cisco routers in particular before you start to worry about how to communicate with the suspects…

Last Updated ( Tuesday, 18 August 2009 )