Have you ever had to identify a Cisco IOS image when you couldn't rely on the filename?
Look for the strings starting with CW_ that sit between the strings CW_BEGIN and CW_END in the image file, for example:
Between CW_BEGIN and CW_END you will find strings like CW_IMAGE, CW_FAMILY, CW_FEATURE, CW_VERSION, CW_MEDIA, CW_SYSDESCR and CW_MAGIC, each followed by its value.
In this example, the IOS version is 12.4(6)T5 (CW_VERSION) and the image is built for the 870 series routers (CW_FAMILY).
The nice thing about these CW_ strings is that you will also find them in a core dump (in the data region), which lets you identify the IOS version that was running on a router when the core dump was produced (provided the image runs from RAM, which is indicated by the letter m in the filename).
They are also present in the uncompressed image (compressed image files are identified by the letter z in the filename).
Soon I will release a tool to validate IOS image files; you can use it to extract these CW_ strings too.
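Here is a small Python extractor that does what the post describes: it scans an arbitrary blob (image file, core dump or raw flash dump) for CW_BEGIN ... CW_END regions, maps each CW_ tag to the value that follows it, and decodes the m/z letters from the CW_IMAGE name. It is an added example written for this page, not the author's tool. The sample input is constructed, and the '$' separator between tag and value is an assumption; it also handles the case the author raises in the comments below, an incomplete or truncated image where the block has no CW_END, by reporting what it could still recover.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input for this example (not a real image): the CW_ block described
# in the post, embedded in surrounding binary junk the way it would appear in a raw
# image, core dump or flash dump. The '$' separator between tag and value, the exact
# field values and the CW_MAGIC value are assumptions made for the sample.
SAMPLE_DUMP = (
    b"\x00\x01\x7fjunk\xff\xfe" * 4
    + b"CW_BEGIN$c870-advipservicesk9-mz.124-6.T5$"
    + b"CW_IMAGE$c870-advipservicesk9-mz.124-6.T5$"
    + b"CW_FAMILY$870$"
    + b"CW_FEATURE$ADVIPSERVICESK9$"
    + b"CW_VERSION$12.4(6)T5$"
    + b"CW_MEDIA$FLASH$"
    + b"CW_SYSDESCR$Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), "
    + b"Version 12.4(6)T5, RELEASE SOFTWARE (fc2)$"
    + b"CW_MAGIC$0x0$"
    + b"CW_END$"
    + b"\x00more junk\x7f" * 4
)

BEGIN, END = b"CW_BEGIN", b"CW_END"
TAG_RE = re.compile(rb"CW_[A-Z]+")
SEPARATOR = b"$"  # assumed delimiter; adjust if the image uses another one


def find_cw_blocks(data: bytes) -> List[Tuple[bytes, bool]]:
    """Locate every CW_BEGIN...CW_END region in a blob.

    The whole blob is scanned, so a flash dump holding several images yields
    several blocks. If a CW_BEGIN has no matching CW_END (truncated or partially
    overwritten image) the remainder of the data is returned flagged as incomplete.
    """
    blocks = []
    pos = 0
    while True:
        start = data.find(BEGIN, pos)
        if start < 0:
            return blocks
        end = data.find(END, start)
        if end < 0:
            blocks.append((data[start:], False))
            return blocks
        end += len(END)
        blocks.append((data[start:end], True))
        pos = end


def parse_cw_block(block: bytes) -> Dict[str, str]:
    """Map each CW_ tag to the text that follows it, up to the next CW_ tag."""
    fields = {}
    tags = list(TAG_RE.finditer(block))
    for i, tag in enumerate(tags):
        name = tag.group().decode()  # e.g. b"CW_VERSION" -> "CW_VERSION"
        stop = tags[i + 1].start() if i + 1 < len(tags) else len(block)
        value = block[tag.end():stop].strip(SEPARATOR)
        fields[name] = value.decode("latin-1")
    return fields


def image_flags(image_name: str) -> Dict[str, bool]:
    """Decode the run/compression letters from an IOS image name such as
    c870-advipservicesk9-mz.124-6.T5: the third dash-separated field starts with
    the flag letters, m = runs from RAM, z = zip-compressed (the naming convention
    the post relies on)."""
    parts = image_name.split("-", 2)
    letters = parts[2].split(".", 1)[0] if len(parts) == 3 else ""
    return {"runs_from_ram": "m" in letters, "compressed": "z" in letters}


def identify_ios(data: bytes) -> List[Dict[str, object]]:
    """Return one record per CW_ block: the parsed fields, whether the block was
    complete, and the flags decoded from CW_IMAGE."""
    results = []
    for block, complete in find_cw_blocks(data):
        fields = parse_cw_block(block)
        results.append({
            "fields": fields,
            "complete": complete,
            "flags": image_flags(fields.get("CW_IMAGE", "")),
        })
    return results


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for rec in identify_ios(data):
        f = rec["fields"]
        print(f"{f.get('CW_IMAGE')}: version {f.get('CW_VERSION')}, "
              f"family {f.get('CW_FAMILY')}, complete={rec['complete']}, flags={rec['flags']}")
```

Run it with a file argument (an image, a core dump or a raw flash dump) to get one line per CW_ block found; without an argument it parses the constructed sample. Because the scanner does not depend on file headers or on a known MD5, it still yields the version and family from a modified or incomplete image, which is exactly the forensic situation the post is about.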
Just use the MD5 to identify it: http://www.cisco.com/web/about/security/intelligence/iosimage.html
Comment by Nicolas — Friday 6 January 2012 @ 10:48
@Nicolas My tool uses MD5 too (both CCO MD5 and embedded MD5, if present), but there are many cases where you can’t use the MD5 method, especially in forensics. Like a core dump. Or an uncompressed image. Or a raw dump of flash memory.
And if an image was modified (by accident or knowingly) or is incomplete, the MD5 will not match.
Comment by Didier Stevens — Friday 6 January 2012 @ 11:20