Didier Stevens

Friday 6 January 2012

Identifying IOS

Filed under: Forensics,Networking — Didier Stevens @ 10:33

Did you ever had to identify a Cisco IOS image when you couldn’t rely on the filename?

Look for strings starting with CW_ between strings CW_BEGIN and CW_END in the image file, for example like this:

You will find strings like CW_IMAGE, CW_FAMILY, CW_FEATURE, CW_VERSION, CW_MEDIA, CW_SYSDESCR and CW_MAGIC between strings CW_BEGIN and CW_END.

In this example, the IOS version is 12.4(6)T5 (CW_VERSION) and it is designed to run on 870 routers (CW_FAMILY).

The nice thing about these CW_ strings is that you will also find them in a core dump (in the data region), thus allowing you to identify the IOS version that was running on a router when the core dump was produced (provided the image runs from RAM, indicated by a letter m in the filename).

And they are also present in the uncompressed image (compressed image files are identified by a letter z in the filename).

Soon I will release a tool to validate IOS image files, you can use it to extract these CW_ strings too.

Blog at WordPress.com.