Network Appliance Forensic Toolkit

The Network Appliance Forensic Toolkit will grow to a set of tools to help with forensics of network appliances.

Network Device Forensics published in ISSA Journal December 2012.

Here is a demo video:

NAFT_V0_0_9.zip (https)
MD5: FEBBDB892D631275A95A0FEA59F8519F
SHA256: 95F42F109623F2BA6D8A9FFB013CBB0B5E995F02E5EB35F8E83A62B8CA8B86D0

From readme.pdf:

When using YARA, option –decoders can be used to decode the content of the blocks.
Decords are Python programs like decoder_add1, decoder_rol1 and decoder_xor1.
Example:
naft-icd.py -y IOS_canary.yara –decoders decoder_xor1 heap r870-core
Address Bytes Prev Next Ref PrevF NextF Alloc PC what
83A125C4 0000016388 83A10E20 83A165F8 001 ——– ——– 81284F40 82471FDC
YARA rule (decoder: XOR 1 byte key 0x5C): IOS_canary
83AB9498 0000004100 83AB9444 83ABA4CC 001 ——– ——– 80B5CC7C 8253709C
YARA rule: IOS_canary
Option –D dumps all blocks to a separate file.
naft-icd.py frames r870-core r870-coreiomem r870-coreiomem.pcap
Command frames extract frames from r870-coreiomem to PCAP file r870-
coreiomem.pcap. Unlike naft-gfe.py, this command uses data found in the heap (*Packet
Header* ) to locate frames in iomem.
Example:
Address Bytes Prev Next Ref PrevF NextF Alloc PC what
82FD4248 0000000884 82FD40BC 82FD45EC 001 ——– ——– 8030CA24 *Packet
Header*
07400BCA: A1 8E 00 1F 6C D0 21 AF 81 00 00 01 08 00 45 00 ….l.!…….E.
07400BDA: 00 38 07 14 00 00 FF 01 30 FB C0 A8 01 64 C0 A8 .8……0….d..
07400BEA: 01 01 03 01 BE 09 00 00 00 00 45 00 00 39 0D F5 ……….E..9..
07400BFA: 00 00 7F 11 BC F3 C0 A8 01 01 D0 43 .. ……..C
naft-icd.py processes r870-core
Command processes extracts the Process Array blocks to show the running processes.
Example:
1 Cwe 80049B5C 0 3 0 5552/6000 0 Chunk Manager
2 Csp 80371B90 8 341 23 2640/3000 0 Load Meter
3 Mwe 8118AB24 4 1725 2 5300/6000 0 Spanning Tree
4 Lst 80046D90 14780 841 17574 5484/6000 0 Check heaps
5 Cwe 8004F930 0 1 0 5672/6000 0 Pool Manager
6 Mst 808278AC 0 2 0 5596/6000 0 Timers
Option –d dumps the Process block.
naft-icd.py integritycheck r870-core
Command integritycheck checks the integrity of the heap.
Example:
Check start magic:
OK
Check end magic:
OK
Check previous block:
OK
Check next block:
OK
naft-icd.py checktext r870-core c880data-universalk9-mz.150-1.M5.bin
Command checktext compares the instructions in the code region of the core dump with
the instructions in the code section of the image. These should be identical. Differences
indicate changes in memory.
Example:
CW_SYSDESCR are equivalent:
Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version
15.0(1)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 23-Feb-11 19:52 by prod_rel_team
text region and section are identical
naft-icd.py events r870-core
The events command dumps the events found in the coredump.
Example:
*Nov 30 07:52:19.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0,
changed state to down
*Nov 30 15:58:08.293: %LINK-3-UPDOWN: Interface ATM0, changed state to up
*Nov 30 15:58:08.293: %LINK-3-UPDOWN: Interface ATM0, changed state to up
*Nov 30 15:58:09.293: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0,
changed state to up
*Nov 30 15:58:16.689: %DIALER-6-BIND: Interface Vi2 bound to profile Di1
*Nov 30 15:58:16.689: %LINK-3-UPDOWN: Interface Virtual-Access2, changed
state to up
*Nov 30 15:58:16.689: %LINK-3-UPDOWN: Interface Virtual-Access2, changed
state to up
*Nov 30 15:58:17.617: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Virtual-Access2, changed state to up
naft-icd.py history r870-core
The history command dumps the history log found in the coredump.
Example:
22:07:40 UTC Tue Nov 29 2011: show region
22:08:01 UTC Tue Nov 29 2011: show memory 0x800200E4
22:08:04 UTC Tue Nov 29 2011: show memory
22:08:18 UTC Tue Nov 29 2011: exit
23:08:38 UTC Tue Nov 22 2011: show region
23:09:35 UTC Tue Nov 22 2011: show memory
23:09:46 UTC Tue Nov 22 2011: show memory io
23:10:38 UTC Tue Nov 22 2011: exit
naft-ii.py: Network Appliance Forensic Toolkit – IOS Image
This tool analyses IOS image files, like this:
naft-ii.py -v c870-advipservicesk9-mz.124-6.T5.bin
CW_VERSION: 12.4(6)T5
CW_FAMILY: C870
CW_FEATURE: IP|FIREWALL|VOICE|PLUS|SSH|3DES
CW_IMAGE: C870-ADVIPSERVICESK9-MZ
CW_SYSDESCR: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M
Z), Version 12.4(6)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 07-Oct-06 01:08 by kellythw
Entry point: 0x80020000
Number of sections: 6
Embedded MD5: 4e684ef5df1284652ef03b80b1058fab
Compressed size: 15961881
Checksum compressed: 0xA5B9F319
Calculated checksum: 0xA5B9F319 (identical)
Uncompressed size: 46957376
Image name: C870-ADV.BIN
Checksum uncompressed: 0xBE713840
Calculated checksum: 0xBE713840 (identical)
0 0 0 00000000 0 ”
11 .text 1 7 00000144 13428 ‘\x94!\xff\xf8|\x08\x02\xa6’
17 .rodata 1 2 000035B8 2080 ‘\nError :’
33 .data 1 3 00003DD8 952 ‘\x00\x00\x00\x00\x00\x00\x00\x00’
0 7 0 00F3D0C0 52 ‘\x00\x00\x00\r\x00\x00\x00\x18’
33 .data 1 3 00004190 15961904 ‘\xfe\xed\xfa\xce\x02\xcc\x83@’
The tools accepts these options:
Options:
–version show program’s version number and exit
-h, –help show this help message and exit
-v, –verbose verbose output
-x, –extract extract the compressed image
-i, –idapro extract the compressed image and patch it for IDA Pro
-s, –scan scan a set of images
-r, –recurse recursive scan
-e RESUME, –resume=RESUME
resume an interrupted scan
-m MD5DB, –md5db=MD5DB
compare md5 hash with provided CSV db
-l LOG, –log=LOG write scan result to log file
-m uses Cisco’s MD5 database found here:
http://www.cisco.com/c/en/us/support/docs/csr/cisco-sr-20080516-rootkits.html

Comments (38)

38 Comments »

[…] can find a first release of my Network Appliance Forensic Toolkit here. This first release contains a tool for generic network appliances, but also works on memory dumps […]

Pingback by NAFT Release « Didier Stevens — Monday 12 March 2012 @ 19:42
I applaud the innitiative – good job!
The existing donwload link has the following files:
naft-gfe.py, naft_pfef.py and naft_uf.py – the GFE is the one that works right now but not the other 2.
The readme.pdf files reference these other 2 files:
naft-icd.py and naft-ii.py for IOS analysis.

QUESTION: Are you planning on synchronizing the PDF info and the files facilitate in the download?
Looking forward to using the tool!
Thanks again!

Comment by userN — Friday 16 March 2012 @ 19:44
@userN In the readme.pdf I explain that all naft_*.py files are Python modules. You don’t run modules directly, they are used by other Python programs.

And regarding naft-icd.py and naft-ii.py, I left that in the readme to give you a preview. It will be released soon.

Comment by Didier Stevens — Friday 16 March 2012 @ 20:22
how do you calculate if the file is too large to fit in memory or not? volatility can work with any size image files yet naft seems to have issue working with the same files as volatility. What’s the recommended memory size for analyzing a 1GB memory image (xp)?

Comment by Alexander Sverdlov — Wednesday 15 May 2013 @ 6:37
@Alexander It’s a problem I have to solve, but there is a workaround by using 64-bit Python. And you don’t often get the problem with RAM dumps from network devices, most have less RAM than modern PCs.

Comment by Didier Stevens — Wednesday 15 May 2013 @ 13:46
[…] NAFT video […]

Pingback by “Network Device Forensics” Talk | Didier Stevens — Wednesday 26 March 2014 @ 10:28
[…] NAFT software […]

Pingback by Recorded “Network Device Forensics” Talk | Didier Stevens — Thursday 27 March 2014 @ 0:27
Have you benchmarked your tool against CapLoader’s PCAP carver?
http://netresec.com/?b=143B7EE

It would be interesting to see a comparison of performance and extraction precision!

Comment by Erik — Friday 4 April 2014 @ 18:30
@Erik No, I’ll put it on my todo list.

Comment by Didier Stevens — Friday 4 April 2014 @ 21:28
An updated link with Cisco IOS MD5 Hashes:
http://www.cisco.com/c/dam/assets/about/security/resources/ioshashes.zip.

Comment by Anonymous — Thursday 3 July 2014 @ 16:09
[…] developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Tooklit”). It is written in Python and provides a good toolbox to […]

Pingback by Online Router Forensics Lab | /dev/random — Tuesday 30 September 2014 @ 14:38
Is it possible to provide support for new IOS firmware files which starts with “MZIP” magic header?

Comment by Anonymous — Thursday 4 December 2014 @ 16:51
Can you give me an example of the file name of such files?

Comment by Didier Stevens — Thursday 4 December 2014 @ 23:31
yes, file name is “c2960-lanlitek9-mz.122-55.SE5.bin” belongs to WS-C2960-24-S cisco switch.

Comment by Anonymous — Monday 8 December 2014 @ 9:36
This image is not compressed with MZIP, but with ZIP. The mz in the filename means that the image is loaded in RAM (m) and that it is compressed with ZIP (z). If it is compressed with MZIP, it would be an x. Like this: c2960-lanlitek9-mx.122-55.SE5.bin
http://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/01_understanding_ios.htm

Comment by Didier Stevens — Monday 8 December 2014 @ 12:12
Forgot to mention that I was inspecting the file with a hex editor and that the 0x71 byte from the beginning of file has a “BZ” magic header which is a bzip2 file.
I then removed the first 70 bytes and was able to decompress the firmware but the decompressed version don’t have valid ELF header as other firmware have.

Comment by Anonymous — Monday 8 December 2014 @ 13:09
Ah, OK. Does the file start with MZIP? Then it is MZIP and you found the way to decompress it. But it has no ELF structure. AFAIK, it’s a raw code file.

Comment by Didier Stevens — Monday 8 December 2014 @ 13:51
yeah, seems to be raw code but how it is possible to make naft to work on it?

Comment by Anonymous — Monday 8 December 2014 @ 14:09
NAFT does not support MZIP. What did you want to do with this image?

Comment by Didier Stevens — Monday 8 December 2014 @ 14:17
Using it for comparing the text section.

Comment by Anonymous — Tuesday 9 December 2014 @ 15:58
I don’t know if that’s possible with MZIP, as it has no text section. Did you check Cisco’s whitepaper on this procedure?

Comment by Didier Stevens — Tuesday 9 December 2014 @ 19:36
Hi

I’m not familiar with Cisco images but I recently came across with their update, do you have any experience about reading the cisco update for routers ?

Comment by cscfn — Monday 15 December 2014 @ 22:01
To upgrade you replace the image in flash

Comment by Didier Stevens — Monday 15 December 2014 @ 22:03
[…] update to NAFT adds support for YARA. YARA rules can be used to search through the heap, like […]

Pingback by Update: NAFT Version 0.0.9 | Didier Stevens — Wednesday 6 May 2015 @ 13:56
what versions of cisco ios is supported by the NAFT tool?

Comment by omree — Thursday 21 April 2016 @ 11:01
I get a problem when I do command like “python ../naft-icd.py processes dumps”

Traceback (most recent call last):
File “./naft-icd.py”, line 589, in
Main()
File “./naft-icd.py”, line 584, in Main
dCommands[args[0]][1](*(args[1:] + [options]))
File “./naft-icd.py”, line 343, in IOSProcesses
oIOSCoreDumpAnalysis = naft_impf.cIOSCoreDumpAnalysis(coredumpFilename)
File “/home/phaivd/Desktop/work/forensic/NAFT_V0_0_9/naft_impf.py”, line 558, in __init__
if float(countProcessStructureErrors) / float(len(self.processes)) >= 0.95:
ZeroDivisionError: float division by zero

its mean if i has no process, but I am not sure.

please help me!!!

Comment by Phai — Thursday 21 July 2016 @ 18:40
Can you share the memory dump?

Comment by Didier Stevens — Thursday 21 July 2016 @ 19:11
please send me your email to share file

Comment by Phai — Monday 1 August 2016 @ 9:08
My email is on my about page. And you cannot share a memory dump via email, it’s too large. You’ll have to upload it and share the link here.

Comment by Didier Stevens — Wednesday 3 August 2016 @ 9:16
Can i ask,how can you learn about the core dump file structure,i couldnt find any document online anywhere?

Comment by duc — Wednesday 19 October 2016 @ 16:12
It’s not documented, Cisco does not publish documents about the format.

Comment by Didier Stevens — Wednesday 19 October 2016 @ 16:13
oh so sad :(,thank u very much

Comment by duc — Wednesday 19 October 2016 @ 16:34
But I think I have some links in my ISSA Journal article to some research published by third parties.

Comment by Didier Stevens — Wednesday 19 October 2016 @ 16:36
i see the header size in heapblock can be 40 or 48 bytes so what are these byte meaning ?

Comment by duc — Friday 4 November 2016 @ 13:19
First in IOS the size was 40, and in later versions it became 48.

Comment by Didier Stevens — Friday 4 November 2016 @ 16:40
i get this warning can you check ?
*** WARNING ***
Unexpected process structure
Please reports these results
Fields determined with heuristics:
Process structure size: 736
addressProcessName : 0x00F0
addressStackBlock : 0x0000
Q : 0x00F4
Ty : 0x0088

Comment by pete — Tuesday 15 November 2016 @ 8:46
Thanks, will take a look.

Comment by Didier Stevens — Wednesday 16 November 2016 @ 21:18
You wouldn’t happen to know where I could find some core dumps to try out NAFT?

Comment by beercow — Friday 2 June 2017 @ 3:16

RSS feed for comments on this post. TrackBack URI

Didier Stevens