Didier Stevens

Wednesday 16 January 2013

ISSA Journal Article ; HITB PDF Training

Filed under: Announcement,Forensics,Hacking,Networking,PDF — Didier Stevens @ 8:39

The ISSA Journal featured my article on Network Device Forensics, making it available to everyone.

And I’m giving a 2-day training on PDF at Hack In The Box Amsterdam 2013.


  1. Hello!

    regarding CoreDump: Is the Dump-Routine implemented in ROM and triggered directly from Hardware? Otherwise what would the compromized OS stop from not dumping itself?


    Comment by Anonymous — Wednesday 16 January 2013 @ 15:01

  2. @Anonymous No, this is part of IOS itself. However, if you have reason not to trust the dump routine, there is another way.
    Connect via the serial console and break into ROMmon. Then issue commands to inspect memory, capture the output and convert the HEX dump to binary.

    But you do need to configure your router beforehand to be able to break into ROMmon from IOS at any moment. And when you are in ROMmon, IOS is no longer running, hence your router is not handling traffic anymore.
    And you need to protect access to your serial console, because once this is configured, anyone with access to the serial console can break into ROMmon.

    Comment by Didier Stevens — Wednesday 16 January 2013 @ 15:18

  3. Ok. Not that I have a concrete case where I need this, but I was just courious about it. Thank you!

    Comment by Anonymous — Thursday 17 January 2013 @ 9:19

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.