Cisco Firepower 1000/2100 Series Forensic Data Collection Procedures


Introduction

Prerequisites

Step 1 - Create the Firepower Device Problem Description

Step 2 - Document the Firepower Runtime Environment

Step 3 - Verify the Integrity of FTD System Files

Step 4 - Verify Digitally Signed Image Authenticity

Step 5 - Verify FTD Memory .text Segment Integrity

Step 6 - Obtain Firepower crashinfo/core File

Step 7 - Check ROM Monitor Settings

Related Documentation

Firepower 1000/2100 Series Forensic Data Collection Checklist

Appendix A - Firepower 1000/2100 Series Platform That Is Running ASA Software

Revision History




Introduction

This document provides steps to collect forensic information from Cisco Firepower 1000/2100 Series appliances that are running Cisco Firepower eXtensible Operating System (FXOS) Software when compromise or tampering is suspected. It outlines a number of commands that can be run to gather evidence for an investigation along with the respective output that should be collected upon running these commands. This document also provides information on how to perform integrity checks on Cisco FXOS system and Cisco Firepower Threat Defense (FTD) application images and includes a procedure for collecting a memory dump, a crashinfo file, and a core file from a Cisco Firepower device.

Note: DO NOT REBOOT THE DEVICE. Rebooting a device during the initial stage of an assessment will irrecoverably lose all volatile information that is contained within the device (e.g., RAM contents, Address Resolution Protocol [ARP] and routing tables, Network Address Translations [NATs], access control list [ACL] hit and drop counts).

Note: Cisco highly recommends isolating a device that is suspected of tampering or compromise from the network before conducting an initial forensic examination. This may prevent remote unloading of any implants or malware that are installed on the device and will prevent an attacker from monitoring commands that are entered on the device under investigation.

If you require assistance or have questions regarding the following procedures, contact the Cisco Product Security Incident Response Team (PSIRT).

This document contains seven sections:

1.      Create the Firepower Device Problem Description - Describe why the platform is a candidate for forensic examination.

2.      Document the Firepower Runtime Environment - Collect platform configuration and runtime state.

3.      Verify the Integrity of FTD System Files - Examine system file image hashes for inconsistencies.

4.      Verify Digitally Signed Image Authenticity - Examine the Cisco FXOS operating system for proper signing characteristics.

5.      Verify FTD .text Memory Segment Integrity - Retrieve and calculate a hash of the Cisco FTD .text segment.

6.      Firepower crashinfo/core File - Obtain crashinfo and core files from the running Cisco FTD application.

7.      Check ROM Monitor Settings - Examine ROM monitor settings for remote system image loading.


Prerequisites

The procedures that are outlined in this document assume that the reader has a basic understanding of Cisco FXOS Software, Cisco FTD Software, and Linux command syntax.

A valid cisco.com account is required to view individual Cisco FXOS Software and FTD Software file hashes for software file integrity checking. For customers without a cisco.com account, a publicly available comprehensive list of file hashes (Bulk Hash File) can be downloaded from https://www.cisco.com/c/en/us/about/trust-center/downloads.html.

Note: The examples that are used in this document are based on Cisco FXOS Software Release 2.12.0 and Cisco FTD Software Release 7.2.5 command syntax. The output that is produced by a command may vary depending on the software release that is deployed and/or the features that are supported or configured on the device. Not all commands that are used in these procedures may be supported on earlier releases of the software.

Note: Collection steps 2 through 7 contain examples of the commands that should be executed along with the expected output toward the end of each step.


Step 1 – Create the Firepower Device Problem Description

Describe in as much detail as possible why the device is a candidate for forensic examination. Are there configuration changes that cannot be explained? Is there unusual traffic originating from or terminating on the device? Are there anomalous entries in the device logs or in syslog messages? Is the device exhibiting odd behavior that cannot be attributed to a misconfiguration or a software/hardware defect? Are any typical device administration commands now returning unusual output or no output at all?

Use the Cisco Software Checker to search for Cisco Security Advisories that apply to specific releases of Cisco Adaptive Security Appliance (ASA) Software, Firepower Management Center (FMC) Software, FTD Software, FXOS Software, IOS Software, IOS XE Software, NX-OS Software, and NX-OS Software in ACI Mode.

Record any results that are returned by the tool that may explain the anomalous behavior that is being observed. It is considered a best practice to keep software up to date to take advantage of the latest security fixes and enhancements.

Note: This tool does not provide information about Cisco IOS XR Software or interim software builds. Also note that for Cisco ASA Software, FMC Software, FTD Software, and FXOS Software, the tool contains only vulnerability information for Cisco Security Advisories first published from January 2022 onward, and for NX-OS Software and NX-OS Software in ACI Mode from July 2019 onward.

Submit the problem description and any relevant results that were obtained from the Cisco Software Checker to the relevant TAC SR and proceed to the next section of this document.


Step 2 – Document the Firepower Runtime Environment

The initial stage of forensic information gathering is completed by using show tech-support commands in the Cisco FXOS and Firepower CLIs. Some of the output may vary depending on the Cisco FTD Software release and/or the features that are supported or configured on the device.

Note: For Cisco Firepower 1000/2100 Series appliances, the default command shell will vary depending on the method that is used to access the platform. If SSH is used, the user will be placed into the Cisco FTD CLI. If a console connection is used, the user will be placed into the Cisco FXOS CLI. Use the connect ftd command to access the Cisco FTD CLI from the FXOS CLI and the connect fxos command to access the Cisco FXOS CLI from the FTD CLI.

Execute the following commands from the Cisco FXOS CLI prompt:

connect local-mgmt
show tech-support fprm detail
copy workspace:/techsupport/<file_name> <destination>

Note: The copy command supports the FTP, HTTP, HTTPS, SCP, SFTP, and TFTP protocols.

Next, connect to the Cisco Firepower module CLI and collect the output of show tech-support detail by using the following series of commands:


connect ftd
system support diagnostic-cli
enable
terminal pager 0
show tech-support detail
exit
exit

The output of show tech-support detail may also be redirected to a file server using the FTP, SCP, SMB, or TFTP protocols. The following example depicts the required syntax using the FTP protocol:

show tech-support file ftp://10.10.10.1/tech-support-details.txt detail

An example of this entire procedure follows:


firepower# connect local-mgmt 
firepower(local-mgmt)# show tech-support fprm detail
 firepower_FPRM
The showtechsupport file will be located at workspace:/techsupport/20240118150424_firepower_FPRM.tar.gz
Initiating tech-support information task on FABRIC A ...
WARNING: *** /mnt/disk0/smart-log/ is missing ***
WARNING: *** /tmp/sed_env_info.xml is missing ***
WARNING: *** /tmp/softraid_env.xml is missing ***
WARNING: *** /tmp/nvme_build.log is missing ***
WARNING: *** /tmp/sed_build.log is missing ***
WARNING: *** /tmp/sr_build.log is missing ***
WARNING: *** /tmp/vpath-cfg-cache is missing ***
Completed initiating tech-support subsystem tasks (Total: 0)

firepower(local-mgmt)#

firepower(local-mgmt)# copy workspace:/techsupport/20240118150424_firepower_FPRM.tar.gz ftp://anonymous@10.10.10.1/
Connected to 10.10.10.1.
220 Microsoft FTP Service
331 User name ok, need password
Password: 
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
local: /opt/cisco/csp/workspace/techsupport/20240118150424_firepower_FPRM.tar.gz remote: /20240118150424_firepower_FPRM.tar.gz
227 Entering passive mode (10,10,10,1,222,195)
125 Using existing data connection
100% |***********************************|  6649 KiB   60.66 MiB/s    00:00 ETA
226 Closing data connection; File transfer successful.
6808707 bytes sent in 00:00 (43.99 MiB/s)
221 Service closing control connection
firepower(local-mgmt)# connect ftd
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: 
firepower# terminal pager 0
firepower# show tech-support file ftp://10.10.10.1/tech-support-details.txt detail
!!!
firepower# exit
Logoff
User enable_1 logged in to firepower
Logins over the last 1 days: 2.  Last login: 13:10:25 UTC Feb 16 2024 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> exit
Console connection detached.
>

Submit all command output that was collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step 3 – Verify the Integrity of FTD System Files

Connect to the Cisco FTD CLI. This can be accomplished from the Cisco FXOS CLI by using the connect ftd command.

From the Cisco FTD CLI, use the following commands to assume root permissions, run the system file integrity checks, and collect the necessary files for forensic assessment.

Access expert mode and sudo to the root account:


expert
sudo su -

Run the integrity checks:


find /ngfw/var/sf/.icdb/* -name *.icdb.RELEASE.tar | xargs sha512sum
cat /proc/*/smaps > /tmp/all-process-smaps.txt
verify_file_integ.sh -f

Note: The Linux which command can be used to quickly locate the shell scripts in the next step. See the following example for more details.

Locate and retrieve copies of the following files:


verify_file_integ.sh
verify_signed_db.sh
db_manage.sh
/ngfw/etc/certs/*.crt
/ngfw/var/log/sf/verify_file_integ.log
/ngfw/var/tmp/merged-db/master.db

Create an archive of the preceding list of files and copy the archive off the platform.


tar -cvf SR-<sr_number>.tar
sha512sum SR-<sr_number>.tar
ftp or scp

An example of this procedure follows:


firepower# connect ftd
> expert
admin@firepower:~$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password:
root@firepower:~# find /ngfw/var/sf/.icdb/* -name *.icdb.RELEASE.tar | xargs sha512sum
480fd0602e527c156880543b7f0e8f87428f54c0692d217829633846316fc07a11d8ea1a90c6eeb9b80176c0a26223fee0390d02b72bc4d74aa360e8ba976077  /ngfw/var/sf/.icdb/lsp/lsp.icdb.RELEASE.tar
a4e48d6505e724d73b4037632988d5b24172afec1eeba2e37c986d496017563ff1ab012a787c65b61b17b9e50d569124469e6b61fa55078f2abb23673bf0e491  /ngfw/var/sf/.icdb/vdb/vdb.icdb.RELEASE.tar
ec1b5a2ac31a05a85c57880ec8fe781b2f449020454ccfe2eaada99aff4a4f5e5fde0ec9f43ea92be98425be13f034175ee77ddca3a712daa121994455411088  /ngfw/var/sf/.icdb/vdb/vdb.navl.icdb.RELEASE.tar
#
# Note: the file names, number of files, and hash values may vary dependent on
# the version of software running on the appliance and whether any software
# updates have been applied. It is important that the output (including file
# names and hashes) generated by the command above be submitted to the TAC SR.
#
root@firepower:~# cat /proc/*/smaps > /tmp/all-process-smaps.txt
root@firepower:~# verify_file_integ.sh -f
Running file integrity checks...
Successfully verified file integrity
#
# Identify the location of the system integrity scripts with the "which"
# command:
#
root@firepower:~# which verify_file_integ.sh
/ngfw/usr/local/sf/bin/verify_file_integ.sh
root@firepower:~# which verify_signed_db.sh
/ngfw/usr/local/sf/bin/verify_signed_db.sh
root@firepower:~# which db_manage.sh
/ngfw/usr/local/sf/bin/db_manage.sh
#
# Archive a copy of these scripts, along with all certificates found in
# /ngfw/etc/certs/, and the files /ngfw/var/log/sf/verify_file_integ.log and
# /ngfw/var/tmp/merged-db/master.db
#
root@firepower:~# tar -cvf SR-1234567890.tar /ngfw/usr/local/sf/bin/verify_file_integ.sh /ngfw/usr/local/sf/bin/verify_signed_db.sh /ngfw/usr/local/sf/bin/db_manage.sh /ngfw/etc/certs/*.crt /ngfw/var/log/sf/verify_file_integ.log /ngfw/var/tmp/merged-db/master.db /tmp/all-process-smaps.txt
tar: Removing leading `/' from member names
/ngfw/usr/local/sf/bin/verify_file_integ.sh
/ngfw/usr/local/sf/bin/verify_signed_db.sh
/ngfw/usr/local/sf/bin/db_manage.sh
/ngfw/etc/certs/SRU_rel.crt
/ngfw/etc/certs/rel.crt
/ngfw/var/log/sf/verify_file_integ.log
/ngfw/var/tmp/merged-db/master.db
/tmp/all-process-smaps.txt
#
# Create a hash of the tar file:
#
root@firepower:~# sha512sum SR-1234567890.tar
8833409f7affbae6ab19cdd8ca11153252f1176e147b3d4c373a7195e261da5ca72a3260a5aa1a5f991b12c1f6ac070d4ece31765e413f0e5e4afd6c95cf6ea5  SR-1234567890.tar
root@firepower:~#
#
# Copy the tar file off the platform using FTP or SCP:
#
root@firepower:~# ftp 10.10.10.1
Connected to 10.10.10.1.
220 Microsoft FTP Service
Name (10.10.10.1:admin): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> bin
200 Type set to I.
ftp> put SR-1234567890.tar
local: SR-1234567890.tar remote: SR-1234567890.tar
229 Entering Extended Passive Mode (|||59418|)
125 Data connection already open; Transfer starting.
100% |***********************************|  1990 KiB  104.76 MiB/s    00:00 ETA
226 Transfer complete.
2037760 bytes sent in 00:00 (100.48 MiB/s)
ftp> quit
221 Goodbye.

Submit all command output and the files that were gathered in this step to the relevant TAC SR and proceed to the next section of this document.


Step 4 – Verify Digitally Signed Image Authenticity

Cisco FXOS Software implements digitally signed system images on most platforms. Digitally signed Cisco FXOS Software uses asymmetric (public key) cryptography, which increases the security posture of Cisco Firepower devices by ensuring that the system image has not been altered.

Certain platforms that are running FXOS software, such as Cisco Firepower 1000 Series platforms, also support Cisco Secure Boot technologies. Cisco Secure Boot is a secure startup process that a Cisco device performs each time it boots up. Beginning with the initial power-on, a special-purpose hardware device known as the Trust Anchor module verifies the integrity of the ROM monitor code and the Cisco FXOS image using digital signatures as they are each loaded. If any failures are detected, the user is notified of the error, and the device will wait for the operator to correct the error. This prevents the network device from executing tainted network software.

For additional information, see Trust Anchor Technology.

Note: The show software authenticity set of commands are only supported on Cisco Firepower platforms that incorporate Cisco Secure Boot technologies.

The authenticity and integrity of a system image file can be verified by using the following commands from the Cisco FXOS CLI:

connect local-mgmt
cd bootflash:/
show file .boot_string
show software authenticity file <path/filename>
verify signature <path/filename>
show software authenticity running
show software authenticity keys


An example of this procedure follows:


firepower# connect local-mgmt
firepower(local-mgmt)# cd bootflash:/
firepower(local-mgmt)# show file .boot_string
disk0:installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
firepower(local-mgmt)# show software authenticity file /installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
: File /mnt/boot//installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA size 199156688
File Name                     : <local>/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
Image type                    : Release
    Signer Information
        Common Name           : abraxas
        Organization Unit     : FXOS
        Organization Name     : CiscoSystems
    Certificate Serial Number : 65313942
    Hash Algorithm            : SHA2 512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A

The Organization Unit, Organization Name, and Certificate Serial Number values (shown in the preceding output) can be viewed to verify that the system image signature is valid.

Next, calculate a hash for the Cisco FXOS system image and verify the digital signature by using the following command:

verify signature <path/filename>

An example of this procedure follows:


firepower(local-mgmt)# verify signature /installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
: File /mnt/boot//installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA size 199156688
Done!
Computed Hash   SHA2: e94ca6457ed9c0411a42cfa1a747d438
                      033c79ca4309aa8a556aa7efb5e98801
                      8f4be4bffdcbcdc9dfbd184eb6bbb5ac
                      af0e6f76bc534c709233e8cb0e757fc3
                      
Embedded Hash   SHA2: e94ca6457ed9c0411a42cfa1a747d438
                      033c79ca4309aa8a556aa7efb5e98801
                      8f4be4bffdcbcdc9dfbd184eb6bbb5ac
                      af0e6f76bc534c709233e8cb0e757fc3         
The digital signature of the file: fxos-k8-fp1k-lfbff.2.12.0.530.SPA verified successfully

It is also important to verify the authenticity and integrity of the running system image, and this can be accomplished with the following command:

show software authenticity running

An example of this procedure follows:

firepower(local-mgmt)# show software authenticity running
File Name                     : <local>/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
Image type                    : Release
    Signer Information
        Common Name           : abraxas
        Organization Unit     : FXOS
        Organization Name     : CiscoSystems
    Certificate Serial Number : 65313942
    Hash Algorithm            : SHA2 512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A

The Organization Unit, Organization Name, and Certificate Serial Number values (shown in the preceding output) can be viewed to verify that the system image signature is valid. The certificate serial number should be the same as the value obtained from the show software authenticity file command. In the preceding examples, the authenticity check of the Cisco FXOS Software image on bootflash: and the authenticity check of the running image both produce a value of 65313942.
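The two comparisons this step asks the analyst to make by eye (signer fields and certificate serial number agreeing between the on-disk and running image, and the Computed Hash matching the Embedded Hash in the verify signature output) can be checked mechanically once the CLI captures are saved as text. The following Python is an added example written for this page, not a Cisco tool; the sample strings are reconstructed from the output shown above, and the field names it compares are the ones the procedure names.

```python
"""Offline consistency checks on Step 4 captures (added example, not Cisco tooling)."""
import re

# Fields the procedure tells the analyst to compare between the two outputs.
SIGNER_FIELDS = ("Image type", "Organization Unit", "Organization Name",
                 "Certificate Serial Number", "Hash Algorithm",
                 "Signature Algorithm", "Key Version")

# Constructed from the 'show software authenticity file' output above.
FILE_OUTPUT = """\
: File /mnt/boot//installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA size 199156688
File Name                     : <local>/fxos-k8-fp1k-lfbff.2.12.0.530.SPA
Image type                    : Release
    Signer Information
        Common Name           : abraxas
        Organization Unit     : FXOS
        Organization Name     : CiscoSystems
    Certificate Serial Number : 65313942
    Hash Algorithm            : SHA2 512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
"""
# The 'show software authenticity running' output above is the same block
# without the leading ': File ...' line.
RUNNING_OUTPUT = FILE_OUTPUT.split("\n", 1)[1]

# Constructed from the 'verify signature' output above (hash wrapped over 4 lines).
VERIFY_OUTPUT = """\
: File /mnt/boot//installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA size 199156688
Done!
Computed Hash   SHA2: e94ca6457ed9c0411a42cfa1a747d438
                      033c79ca4309aa8a556aa7efb5e98801
                      8f4be4bffdcbcdc9dfbd184eb6bbb5ac
                      af0e6f76bc534c709233e8cb0e757fc3

Embedded Hash   SHA2: e94ca6457ed9c0411a42cfa1a747d438
                      033c79ca4309aa8a556aa7efb5e98801
                      8f4be4bffdcbcdc9dfbd184eb6bbb5ac
                      af0e6f76bc534c709233e8cb0e757fc3
The digital signature of the file: fxos-k8-fp1k-lfbff.2.12.0.530.SPA verified successfully
"""


def parse_authenticity(text):
    """Turn the 'Key : Value' lines of show software authenticity output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def compare_images(file_output, running_output):
    """Return the SIGNER_FIELDS that differ between the two captures ([] means consistent)."""
    on_disk, running = parse_authenticity(file_output), parse_authenticity(running_output)
    return [f for f in SIGNER_FIELDS if on_disk.get(f) != running.get(f)]


# Each hash is printed as several 32-digit chunks; collect every chunk that follows the label.
HASH_BLOCK = re.compile(r"(Computed|Embedded) Hash\s+SHA2:\s*((?:[0-9a-fA-F]{8,}\s*)+)")


def verify_signature_consistent(text):
    """Reassemble the wrapped Computed/Embedded hashes; True only if both match and the CLI said so."""
    hashes = {label: re.sub(r"\s+", "", chunks).lower()
              for label, chunks in HASH_BLOCK.findall(text)}
    ok = ("Computed" in hashes
          and hashes["Computed"] == hashes.get("Embedded")
          and "verified successfully" in text)
    return ok, hashes


if __name__ == "__main__":
    print("fields differing between file and running image:",
          compare_images(FILE_OUTPUT, RUNNING_OUTPUT))
    ok, hashes = verify_signature_consistent(VERIFY_OUTPUT)
    print("verify signature consistent:", ok, "computed =", hashes.get("Computed"))
```

Run it against the two saved captures for the device under investigation; any field listed by compare_images, or a False from verify_signature_consistent, is something to call out in the TAC SR rather than a reason to reboot or reimage the device.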

Lastly, obtain a copy of the public keys with the following command:

show software authenticity keys

An example of this procedure follows:


firepower(local-mgmt)# show software authenticity keys
Public Key #1 Information
--------------------------
Key Type              : Release (Primary)
Public Key Algorithm  : 2048-bit RSA
Modulus :
        B6:B9:BC:D3:C8:A1:BE:3A:B5:04:0F:21:6C:AA:AB:D6:
        CC:FE:7A:AD:CF:97:1B:57:FC:9A:1D:4B:5A:6D:D4:B0:
        7D:DB:77:FB:3F:A4:57:1A:08:4F:C1:6E:3F:CB:BF:E0:
        3C:99:9C:EE:F5:DD:3C:FC:C6:8D:98:49:29:00:B9:9B:
        DF:22:7E:73:83:FB:B5:78:68:4E:48:1A:5B:EE:83:81:
        B6:3B:2E:35:5B:C2:D0:B8:46:D6:45:13:23:21:44:DA:
        36:55:F9:09:5B:B1:88:8B:9A:28:0B:DA:44:DE:D2:F8:
        8B:17:CF:99:64:BE:2F:80:EF:13:6B:BC:A4:3E:DE:99:
        33:EF:E8:30:56:4C:DA:D5:D3:89:55:CC:BF:A2:22:1A:
        B7:64:FD:14:3A:7D:4F:00:DC:86:B5:35:18:C3:F3:FC:
        93:D4:BF:5E:FD:85:8C:28:4B:96:0F:B1:6D:1E:96:E7:
        05:1C:39:B7:1F:C7:F9:52:47:60:9C:96:FB:00:E2:2D:
        D9:08:2E:3A:87:0C:4F:3E:39:77:C7:FE:AC:D7:2D:23:
        AA:63:EB:2A:4D:13:98:C7:6A:B4:06:F9:1E:2D:B6:F8:
        10:80:EA:F4:E3:BF:C4:49:63:D0:5D:93:9F:96:54:76:
        BF:4D:83:7B:9D:CD:72:61:CC:EC:47:EA:91:EF:34:0B
Exponent              : 65537
Key Version           : A
Product Name          : FXOS
Public Key #2 Information
--------------------------
Key Type              : Release (Backup)
Public Key Algorithm  : 2048-bit RSA
Modulus :
        B6:B9:BC:D3:C8:A1:BE:3A:B5:04:0F:21:6C:AA:AB:D6:
        CC:FE:7A:AD:CF:97:1B:57:FC:9A:1D:4B:5A:6D:D4:B0:
        7D:DB:77:FB:3F:A4:57:1A:08:4F:C1:6E:3F:CB:BF:E0:
        3C:99:9C:EE:F5:DD:3C:FC:C6:8D:98:49:29:00:B9:9B:
        DF:22:7E:73:83:FB:B5:78:68:4E:48:1A:5B:EE:83:81:
        B6:3B:2E:35:5B:C2:D0:B8:46:D6:45:13:23:21:44:DA:
        36:55:F9:09:5B:B1:88:8B:9A:28:0B:DA:44:DE:D2:F8:
        8B:17:CF:99:64:BE:2F:80:EF:13:6B:BC:A4:3E:DE:99:
        33:EF:E8:30:56:4C:DA:D5:D3:89:55:CC:BF:A2:22:1A:
        B7:64:FD:14:3A:7D:4F:00:DC:86:B5:35:18:C3:F3:FC:
        93:D4:BF:5E:FD:85:8C:28:4B:96:0F:B1:6D:1E:96:E7:
        05:1C:39:B7:1F:C7:F9:52:47:60:9C:96:FB:00:E2:2D:
        D9:08:2E:3A:87:0C:4F:3E:39:77:C7:FE:AC:D7:2D:23:
        AA:63:EB:2A:4D:13:98:C7:6A:B4:06:F9:1E:2D:B6:F8:
        10:80:EA:F4:E3:BF:C4:49:63:D0:5D:93:9F:96:54:76:
        BF:4D:83:7B:9D:CD:72:61:CC:EC:47:EA:91:EF:34:0B
Exponent              : 65537
Key Version           : A
Product Name          : FXOS
Public Key #3 Information
--------------------------
Key Type              : Release (FEATURE KEY STORAGE)
Public Key Algorithm  : 2048-bit RSA
Modulus :
        C3:9E:B2:42:93:F2:F5:8A:E7:BA:8A:20:13:23:4A:24:
        39:93:C1:9E:83:32:D5:C7:87:38:54:14:1F:BC:66:8A:
        1A:F5:BA:B5:44:6A:5A:D0:B8:22:B2:3D:66:3D:34:A4:
        13:DF:3C:EB:02:34:97:D3:59:37:BE:86:D1:5C:40:F8:
        4B:F8:C0:7C:C8:92:0E:8F:C0:9B:49:88:8E:EE:31:B4:
        86:4A:3B:D6:D9:34:9F:CB:16:5F:1C:84:47:5A:9C:07:
        9A:12:F3:33:A2:EE:EB:76:8D:B3:C5:29:D2:D3:C4:ED:
        47:7C:70:E0:D3:80:00:36:C5:C1:BC:B0:45:EF:78:D5:
        62:02:5C:B4:35:0F:E9:D9:AD:5F:FF:F9:92:69:0C:01:
        5C:19:7F:E2:FE:0F:6B:8F:58:71:DB:E1:D7:F8:43:2F:
        AF:C1:80:F9:84:D0:AD:CA:A3:EC:C8:C4:C7:BE:48:53:
        EA:D5:31:44:63:B2:F8:3D:F4:C4:66:93:76:83:20:C0:
        1C:F4:B9:9A:3B:8A:FB:8A:D6:EC:9E:D8:35:B1:E1:F0:
        48:16:4C:49:16:65:05:60:8E:77:B4:AA:7A:E9:3F:E7:
        11:89:3E:98:4A:97:82:6E:09:18:4C:7C:8F:5B:45:89:
        78:16:C2:37:8F:3E:40:AE:35:09:D2:91:E6:7F:3C:FB
Exponent              : 65537
Key Version           : A
Product Name          : FXOS-CID

Submit all command output and any system images that were collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step 5 – Verify FTD Memory .text Segment Integrity

Execute the following commands from the Cisco FTD CLI prompt:

system support diagnostic-cli
enable

Then calculate a hash value for the .text memory segment and retrieve a copy of it by executing the following commands:


verify /sha-512 system:memory/text
copy system:memory/text ftp

An example of this procedure follows:

> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: 
firepower# verify /sha-512 system:memory/text
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [output truncated] !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Done!
verify /SHA-512 (system:memory/text) = 2289796c12ee7d909ccac135e1b2075bc54d5c7a38300265dda95d5eb665a51b3f45b4fcdc8c17b69c7baa735972aac1a62d2a79530daad67d2aac3dec043b37
firepower# copy system:memory/text ftp
Source filename [memory/text]? 
Address or name of remote host []? 10.10.10.1
Destination filename [text]? system.memory.text.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
74031104 bytes copied in 1.990 secs (74031104 bytes/sec)

Cisco highly recommends calculating a hash value of the copied memory segment file on the recipient platform and comparing it to the hash value that was obtained on the Cisco FTD device to ensure no errors were introduced during the file transfer process.

The following example utilizes the sha512sum utility, which is included with most Linux distributions:

root@ftp-server:~# sha512sum system.memory.text.bin
2289796c12ee7d909ccac135e1b2075bc54d5c7a38300265dda95d5eb665a51b3f45b4fcdc8c17b69c7baa735972aac1a62d2a79530daad67d2aac3dec043b37  system.memory.text.bin
root@ftp-server:~#

Note that the Cisco FTD verify command and the sha512sum utility both produce a SHA-512 hash value of 2289796c12ee7d909ccac135e1b2075bc54d5c7a38300265dda95d5eb665a51b3f45b4fcdc8c17b69c7baa735972aac1a62d2a79530daad67d2aac3dec043b37 for the system.memory.text.bin file.
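Captured CLI output rarely arrives as a clean 128-digit string: terminal width wraps the digest, and copy-and-paste inserts spaces or line breaks, as the verify output above shows. The following Python is an added example written for this page, not Cisco tooling; it pulls the SHA-512 value out of pasted device output regardless of wrapping, hashes the file that arrived on the receiving host, and reports whether the two agree. The same check applies to the SR archive from Step 3 and the core and crashinfo files from Step 6, whose device-side hashes come from sha512sum in the same 128-digit form. The memory segment used here is a constructed byte string, not a real .text dump.

```python
"""Transfer-integrity check for files copied off the appliance (added example, not Cisco tooling)."""
import hashlib
import os
import re
import tempfile

# Constructed from the wrapped 'verify /sha-512' capture shown in Step 5.
PAGE_VERIFY_OUTPUT = (
    "verify /SHA-512 (system:memory/text) = "
    "2289796c12ee7d909ccac135e1b2075bc54d5c7a38300265dda95d5eb66\n"
    "5a51b3f45b4fcdc8c17b69c7baa735972aac1a62d2a79530daad67d2aac3dec043b37 "
    "firepower# copy system:memory/text ftp"
)

HEX_TOKEN = re.compile(r"[0-9a-fA-F]+")


def extract_device_hash(cli_output):
    """Return the first run of whitespace-separated hex tokens totalling exactly 128 digits, or None.

    Any non-hex token (prompt, command, '=') resets the run, so stray hex-looking words
    cannot be glued onto the digest; an over-long run drops its oldest token first.
    """
    run = []
    for tok in cli_output.split():
        if not HEX_TOKEN.fullmatch(tok):
            run = []
            continue
        run.append(tok.lower())
        while sum(map(len, run)) > 128:
            run.pop(0)
        if sum(map(len, run)) == 128:
            return "".join(run)
    return None


def sha512_of_file(path):
    """Stream the received file through SHA-512 (files in Step 6 can be hundreds of MB)."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_transfer(path, device_cli_output):
    """True if the received file's SHA-512 equals the value the device printed."""
    expected = extract_device_hash(device_cli_output)
    if expected is None:
        raise ValueError("no 128-digit SHA-512 value found in the device output")
    return sha512_of_file(path) == expected


def demo():
    """Constructed round trip: intact copy verifies, a copy with one changed byte does not."""
    segment = bytes(range(256)) * 256          # constructed stand-in for system:memory/text
    digest = hashlib.sha512(segment).hexdigest()
    # Mimic the wrapped, pasted form of the device's verify line.
    cli = f"verify /SHA-512 (system:memory/text) = {digest[:59]}\n{digest[59:]} firepower#"
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as f:
        f.write(segment)
        path = f.name
    try:
        intact = verify_transfer(path, cli)
        with open(path, "r+b") as f:         # flip a single byte (offset 100 holds 0x64)
            f.seek(100)
            f.write(b"\x00")
        tampered = verify_transfer(path, cli)
    finally:
        os.unlink(path)
    return intact, tampered


if __name__ == "__main__":
    print("device hash from page capture:", extract_device_hash(PAGE_VERIFY_OUTPUT))
    print("intact, tampered ->", demo())
```

A mismatch here means the copy is not evidence-grade: repeat the transfer rather than submitting the file, and record both hash values in the TAC SR.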

Submit all command output (including all computed hash values) and any system images that were collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step 6 – Obtain Firepower crashinfo/core File

WARNING: Executing the tasks in this section will trigger a reload of the FXOS platform.

Cisco recommends performing this task during a maintenance window. Cisco does not recommend performing this task if additional forensic information needs to be collected as a reload of the device may cause the loss of information that is vital to a forensic investigation. Customers should ensure that they have a copy of the original device configuration and the appropriate authorization to initiate a reload of the platform in question before proceeding with this procedure.

This procedure outlines how to obtain a crashinfo file and a core dump from a Cisco FXOS device.

The crashinfo file is saved in the root of the Cisco FXOS file system by default, and the core dump may be placed in the underlying FTD file system or the coredumpfsys filesystem depending on the software release that is running on the system. The storage space that is required may vary from several hundred megabytes to several gigabytes, depending on the device model. Please ensure that there is enough space on the destination flash or disk file system to accommodate the crashinfo file and core dump file.

To initiate the crashinfo dump process, execute the following commands from the Cisco FTD CLI:


system support diagnostic-cli
enable
crashinfo force page-fault

An example of this procedure follows:


> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: 
firepower# crashinfo force page-fault
WARNING: This command will force a crash and cause a
         reboot. Do you wish to proceed? [confirm]: 
:Saved Crash
Process Name: lina
Signal No.: 11
Thread id: 1363
Register dump from crashing thread
R00: 0x0000000000000000
R01: 0x0000000000000001
R02: 0x0000002009499f80
R03: 0x0000000000000059
R04: 0x000000000000000a
R05: 0xfffffffffffffffd
R06: 0x0000000000000000
R07: 0x0000000000000000
R08: 0x000000ffd12f2da8
R09: 0x000000ffd12fa3a0
[output truncated]

Show tech-support output is captured and saved.
Crashinfo file created: /mnt/disk0/crashinfo_lina.1359.20200217.163743
Rebooting... (status 0x8b)

When the crashinfo process is complete, the Cisco Firepower platform will reboot.

Once the platform has rebooted, connect to the Cisco FTD CLI, enter expert mode, calculate a hash value for the core and crashinfo files, and copy the files off the platform by executing the following commands:


expert
sudo su -
cd /var/data/cores
sha512sum
cd /mnt/disk0
sha512sum
ftp or scp
exit

Note: The sudo su - command must be executed after entering expert mode to ensure the correct privileges are obtained to copy the core file from one disk partition to another.

An example of this procedure follows:


> expert
admin@firepower:~$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
Password: 

root@firepower:~# cd /var/data/cores
root@firepower:cores# ls -l | grep -i core                                 
-rw-r--r-- 1 root root 105519353 Jan 18 19:39 core.lina.11.21374.1705606756.gz

root@firepower:cores# sha512sum core.lina.11.21374.1705606756.gz
b69d37ace5fd07fff3aba0c1a918eaf9e1c0b206188014d738c7da8df571c56de31fcbf1e084d5e5a494cea481052c84330c0a847c6d64eb37898d12414b50e0  core.lina.11.21374.1705606756.gz
root@firepower:cores# mv core.lina.11.21374.1705606756.gz /mnt/disk0/.
root@firepower:cores# cd /mnt/disk0
root@firepower:disk0# ls -l | grep -i crash
-rwxr-xr-x 1 root root 687725 Jan 18 19:39 crashinfo_20240118_193916_UTC
root@firepower:disk0# sha512sum crashinfo_20240118_193916_UTC
ad52c5ee166ca9c0c6830d914bd0dcaffa331efe1b9d722e13b9e2442015c647c8744d0c5d6bb2c79716f882637211ebdd991c9d930fd5abf17536c5117a795c  crashinfo_20240118_193916_UTC
root@firepower:disk0# exit
logout
admin@firepower:~$ exit
logout
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> enable
Password: 
firepower# copy core.lina.11.21374.1705606756.gz ftp:
Source filename [core.lina.11.21374.1705606756.gz]? 
Address or name of remote host []? 10.10.10.1
Destination filename [core.lina.11.21374.1705606756.gz]? 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
105519353 bytes copied in 2.880 secs (52759676 bytes/sec)
firepower# copy crashinfo_20240118_193916_UTC ftp:
Source filename [crashinfo_20240118_193916_UTC]? 
Address or name of remote host []? 10.10.10.1
Destination filename [crashinfo_20240118_193916_UTC]? 
!
687725 bytes copied in 0.130 secs
firepower# exit
Logoff
User enable_1 logged in to firepower
Logins over the last 1 days: 3.  Last login: 20:51:38 UTC Jan 18 2024 from console
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
firepower> exit
Console connection detached.
>

Submit all command output, hash values, and crashinfo and core files that were collected in this section to the relevant TAC SR and proceed to the next section of this document.


Step 7 – Check ROM Monitor Settings

The ROM monitor firmware of the Cisco Firepower platform is executed when the appliance is powered up or reset. The firmware initializes the platform hardware and boots the Cisco FXOS operating system software. Because the ROM monitor settings are persistent if they have been synced to NVRAM, information about the ROM monitor variable values could indicate an attempt to influence the FXOS boot sequence. The set command can be used while in the ROM monitor prompt to see the value of the ROM monitor variables.

Note: This procedure must be executed from the appliance console.

Access ROM monitor mode by rebooting the Cisco Firepower appliance and pressing the Break or Esc key during the reload process when prompted, as shown in the following example:


firepower# connect local-mgmt 
firepower(local-mgmt)# reboot
Before rebooting, please take a configuration backup.
Do you still want to reboot? (yes/no):yes
Broadcast message from admin@firepower (Thu Jan 18 21:12:11 2024):

All shells being terminated due to system /sbin/reboot
Broadcast message from admin@firepower (Thu Jan 18 21:12:12 2024):
 Reboot requested by the user.
<13>Jan 18 21:12:13 admin: FXOS shutdown log started: pid = 29785 cmdline = /bin/sh/sbin/fxos_log_shutdown ####
[output truncated]

Rebooting... [ 5382.871024] reboot: Restarting system
******************************************************************************
Cisco System ROMMON, Version 1.0.18, RELEASE SOFTWARE
Copyright (c) 1994-2023  by Cisco Systems, Inc.
Compiled Thu 03/23/2023 16:16:11.64 by builder
******************************************************************************
Current image running: Boot ROM1
Last reset cause: ResetRequest (0x00001000)
DIMM0 : Present

Platform FPR-1120 with 16384 MBytes of main memory
Detected Nic devid(0) 15398086
bus: 3 dev: 0 func: 0
BIOS has been successfully locked !!
MAC Address: 6c:03:b5:27:e8:00

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.  
rommon 1 > 

The following example shows the output of the ROM monitor set command on a Cisco Firepower platform:

rommon 1 > set
    ADDRESS=
    NETMASK=
    GATEWAY=
    SERVER=
    IMAGE=
    CONFIG=
    PS1="rommon ! > "

The preceding example depicts a platform where the ROM monitor values are at their default values and have not been altered.
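When several appliances are examined, comparing each captured set output against a known-good baseline by hand is error-prone. The following script is added here as an example and is not part of the Cisco document or of the FXOS software: it parses captured set output and reports every variable whose value differs from the defaults reproduced above, as well as variables that are missing or unexpected. The baseline values are the defaults shown in the preceding example; in a real case, replace them with a set capture taken from a trusted appliance of the same model and ROMMON version. Both sample captures are constructed for this example.

```python
"""Flag ROM monitor variables that differ from the defaults shown in Step 7.

Added example, not from the Cisco document: the baseline below is the default
`set` output reproduced in the document; for a real case, replace it with a
baseline captured from a trusted appliance of the same model and ROMMON version.
"""
import re
from typing import Dict, List, Tuple

# Default values exactly as displayed by `set` in the document's example.
ROMMON_DEFAULTS: Dict[str, str] = {
    "ADDRESS": "",
    "NETMASK": "",
    "GATEWAY": "",
    "SERVER": "",
    "IMAGE": "",
    "CONFIG": "",
    "PS1": '"rommon ! > "',
}

# NAME=value lines; prompt lines ("rommon 1 > set") and blank lines do not match.
_VAR_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_rommon_set(captured: str) -> Dict[str, str]:
    """Turn captured `set` output into a {VARIABLE: value} mapping."""
    variables: Dict[str, str] = {}
    for line in captured.splitlines():
        m = _VAR_LINE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).strip()
    return variables


def find_deviations(
    variables: Dict[str, str], baseline: Dict[str, str] = ROMMON_DEFAULTS
) -> List[Tuple[str, str, str]]:
    """Return (name, expected, actual) for every variable that does not match baseline.

    A baseline variable absent from the capture is reported as actual='<missing>';
    a captured variable the baseline does not know is reported as
    expected='<not in baseline>', because an unexpected variable is itself worth noting.
    """
    deviations: List[Tuple[str, str, str]] = []
    for name, expected in baseline.items():
        actual = variables.get(name)
        if actual is None:
            deviations.append((name, expected, "<missing>"))
        elif actual != expected:
            deviations.append((name, expected, actual))
    for name, actual in variables.items():
        if name not in baseline:
            deviations.append((name, "<not in baseline>", actual))
    return deviations


# Constructed captures: the first mirrors the document's default output,
# the second is a made-up capture in which three network variables carry values.
DEFAULT_CAPTURE = """rommon 1 > set
    ADDRESS=
    NETMASK=
    GATEWAY=
    SERVER=
    IMAGE=
    CONFIG=
    PS1="rommon ! > "
rommon 2 > """

ALTERED_CAPTURE = """rommon 1 > set
    ADDRESS=192.0.2.25
    NETMASK=255.255.255.0
    GATEWAY=
    SERVER=192.0.2.10
    IMAGE=
    CONFIG=
    PS1="rommon ! > "
rommon 2 > """


def main() -> None:
    for label, capture in (("default", DEFAULT_CAPTURE), ("altered", ALTERED_CAPTURE)):
        devs = find_deviations(parse_rommon_set(capture))
        print(f"{label}: {'no deviations' if not devs else ''}")
        for name, expected, actual in devs:
            print(f"  {name}: expected {expected!r}, found {actual!r}")


if __name__ == "__main__":
    main()
```

Any reported deviation is a finding to record in the SR alongside the raw set output, not a verdict on its own: a non-default network variable may have a legitimate administrative explanation, which the investigation should establish from change records.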

To return the Cisco Firepower platform to normal operation, use the boot command at the ROM monitor prompt, as shown in the following example:

rommon 2 > boot
Located .boot_string 
Image size 60 inode num 15, bks cnt 1 blk size 8*512

Located installables/switch/fxos-k8-fp1k-lfbff.2.12.0.530.SPA 
Image size 199156688 inode num 65163, bks cnt 48623 blk size 8*512
##############################################################################################################
############################################## [output truncated]

Submit all command output that was obtained in this section to the relevant TAC SR.


Related Documentation

For additional information about Cisco Software Integrity Assurance, as well as forensic investigation procedures for other platforms, see the following link:

Cisco Security Tactical Resources

https://tools.cisco.com/security/center/tacticalresources.x


Firepower 1000/2100 Series Forensic Data Collection Checklist


Step 1 – Create the Firepower Device Problem Description

     Device problem description uploaded to SR

Step 2 – Document FTD Runtime Environment

     Output of Cisco FXOS show tech-support uploaded to SR

     Output of Cisco Firepower module show tech-support uploaded to SR

Step 3 – Verify FTD System File Integrity

     Output of find /ngfw/var/sf/.icdb/* and hashes uploaded to SR

     Output of which executed on shell scripts uploaded to SR

     Shell scripts, certificates, log file, and hash database added to .tar file

     .tar file and its associated hash value uploaded to SR

Step 4 – Verify Digitally Signed Image Authenticity

     Output of show software authenticity file uploaded to SR

     Output of show software authenticity running uploaded to SR

     Output of show software authenticity keys uploaded to SR

Step 5 – Verify FTD .text Memory Segment Integrity

     Output of verify on memory text segment uploaded to SR

     Copy of memory text segment uploaded to SR

Step 6 – Obtain Firepower crashinfo/core File

     Output of crashinfo uploaded to SR

     crashinfo file uploaded to SR

     core file uploaded to SR

     Hash values of crashinfo and core files uploaded to SR

Step 7 – Check ROM Monitor Settings

     Output of set command uploaded to SR


Appendix A – Firepower 1000/2100 Series Platform That Is Running ASA Software

Note: Only execute the commands in Appendix A if Cisco ASA Software is running on a Cisco Firepower 1000/2100 Series appliance.

Execute the following commands from the Cisco ASA CLI prompt:


enable
show tech-support detail
dir /recursive all-filesystems
verify /sha-512 system:/text
copy system:/text ftp:

The output of show tech-support detail may also be redirected to a file server using the FTP, SCP, SMB, or TFTP protocol. The following example depicts the required syntax if the FTP protocol is used:

show tech-support detail | redirect ftp://anonymous@10.10.10.1/tech-support-details.txt

An example of this entire procedure follows:


ciscoasa# show tech-support detail | redirect ftp://anonymous@10.10.10.1/show-tech-support.txt

ciscoasa# dir /recursive all-filesystems
Directory of disk0:/*
274941988  -rw-  116406136    19:20:38 Sep 12 2023  asdm.bin
268440446  -rw-  0            13:08:21 Mar 17 2024  coredumpfsysimage.bin
268439875  -rw-  1109         13:36:35 Mar 17 2024  asa-cmd-server.log
271838408  -rw-  39           13:36:34 Mar 17 2024  snortpacketinfo.conf
147407  -rw-  1901         13:08:20 Mar 17 2024  cspCfg.xml
Directory of disk0:/log
805367049  -rw-  2141         13:36:38 Mar 17 2024  lina_monitor.log
805367054  -rw-  0            13:36:33 Mar 17 2024  stdout_offload_app.log
805367055  -rwx  372361       17:17:23 Mar 17 2024  asa-miovif.log
805367058  -rw-  749          13:36:34 Mar 17 2024  lcore.log
805367060  -rwx  119861       13:39:57 Mar 17 2024  asa-appagent.log
805367061  -r--  3572         13:36:35 Mar 17 2024  asa_snmp.log
805367063  -rwx  108556       17:24:21 Mar 17 2024  asa-ssp_ntp.log
805367064  -rwx  0            13:09:15 Mar 17 2024  asa-fxos_xml.log
[output truncated]

ciscoasa# verify /sha-512 system:/text
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[output truncated]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!
verify /SHA-512 (system:/text) = efc7164423606abce9a67ca5d4202ffd2c14342c4639596acee526d37c2b4a7d2aa4061629534557c122dbfb528935fdd79fabd9e855c8d6d58e936f6563f8c2
ciscoasa# copy system:/text ftp:
Source filename [text]?
Address or name of remote host []? 10.10.10.1
Destination filename [text]? system.memory.text.bin
73990144 bytes copied in 2.850 secs (36995072 bytes/sec)
ciscoasa#

Cisco highly recommends calculating a hash value of the copied memory segment file on the receiving host and comparing it to the hash value that the verify command produced on the Cisco ASA, to ensure that no errors were introduced during the file transfer process.

The following example utilizes the sha512sum utility, which is included with most Linux distributions:


root@ftp-server:~# sha512sum system.memory.text.bin
efc7164423606abce9a67ca5d4202ffd2c14342c4639596acee526d37c2b4a7d2aa4061629534557c122dbfb528935fdd79fabd9e855c8d6d58e936f6563f8c2  system.memory.text.bin
root@ftp-server:~#

Note that the Cisco ASA verify command and the sha512sum utility both produce a SHA-512 hash value of efc7164423606abce9a67ca5d4202ffd2c14342c4639596acee526d37c2b4a7d2aa4061629534557c122dbfb528935fdd79fabd9e855c8d6d58e936f6563f8c2 for the system.memory.text.bin file.

Submit all command output (including all computed hash values) and a copy of the system:/text memory segment that was collected in this section to the relevant TAC SR.
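The hash comparison described above is the same check the checklist calls for on the crashinfo and core files collected in Step 6. In a case file, the device-side digest is usually pasted from a terminal capture, where a 128-digit SHA-512 is frequently wrapped onto a second line or has the next prompt run onto the same line, so a naive string comparison fails even when the transfer was clean. The following script is added here as an example and is not part of the Cisco document: it reassembles a wrapped digest from captured verify or sha512sum output, recomputes SHA-512 over the received file, and compares the two. The sample memory segment and the sample session capture are constructed; the one real value used is the digest from the Cisco ASA session above, shown wrapped the way a pasted capture typically wraps it.

```python
"""Check that a transferred file matches the SHA-512 reported on the device.

Added example, not part of the Cisco document: it parses a captured CLI session
(where the digest is often wrapped across lines by the terminal or by the paste
into the case notes), recomputes SHA-512 over the received file, and compares
the two. SAMPLE_* values are constructed for this example.
"""
import hashlib
import textwrap
from pathlib import Path
from typing import Optional

SHA512_HEX_LEN = 128


def _is_hex(token: str) -> bool:
    return token != "" and all(c in "0123456789abcdefABCDEF" for c in token)


def extract_sha512(captured: str) -> Optional[str]:
    """Return the first 128-hex-digit SHA-512 found in captured CLI or sha512sum output.

    Whitespace-separated tokens are scanned and consecutive all-hex tokens are joined,
    so a digest that was wrapped onto a second line is reassembled. A run is accepted
    only if it is exactly 128 digits, which rejects short hex-looking words such as
    "a" or "bad" as well as truncated digests.
    """
    run = []
    for token in captured.split() + [""]:  # trailing sentinel flushes the final run
        if _is_hex(token):
            run.append(token)
            continue
        joined = "".join(run).lower()
        if len(joined) == SHA512_HEX_LEN:
            return joined
        run = []
    return None


def sha512_of_bytes(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def sha512_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte core or memory dump need not fit in RAM."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def transfer_intact(local_digest: str, captured_verify_output: str) -> bool:
    """True when the locally computed digest equals the digest the device reported."""
    reported = extract_sha512(captured_verify_output)
    return reported is not None and reported == local_digest.lower()


# Constructed sample: stands in for system.memory.text.bin as received over FTP.
SAMPLE_SEGMENT = bytes(range(256)) * 64
SAMPLE_DIGEST = sha512_of_bytes(SAMPLE_SEGMENT)

# Constructed capture of the ASA session, with the digest wrapped at 68 columns
# and the next prompt run onto the same line, as pasted captures often are.
SAMPLE_VERIFY_OUTPUT = (
    "ciscoasa# verify /sha-512 system:/text\n"
    "!!!!!!!!!!!!!!!!Done!\n"
    "verify /SHA-512 (system:/text) = "
    + "\n".join(textwrap.wrap(SAMPLE_DIGEST, 68))
    + " ciscoasa# copy system:/text ftp:\n"
)

# The digest from the document's own ASA session (Appendix A), wrapped here
# after 67 digits to mimic a pasted capture; the value itself is the document's.
PAGE_VERIFY_OUTPUT = (
    "verify /SHA-512 (system:/text) = efc7164423606abce9a67ca5d4202ffd2c14342c4639596acee526d37c2b4a7d2aa\n"
    "4061629534557c122dbfb528935fdd79fabd9e855c8d6d58e936f6563f8c2 ciscoasa# copy system:/text ftp:"
)
PAGE_SHA512SUM_OUTPUT = (
    "efc7164423606abce9a67ca5d4202ffd2c14342c4639596acee526d37c2b4a7d2aa406162953\n"
    "4557c122dbfb528935fdd79fabd9e855c8d6d58e936f6563f8c2 system.memory.text.bin root@ftp-server:~#"
)


def main() -> None:
    print("device reported:", extract_sha512(SAMPLE_VERIFY_OUTPUT))
    print("local digest:   ", SAMPLE_DIGEST)
    print("transfer intact:", transfer_intact(SAMPLE_DIGEST, SAMPLE_VERIFY_OUTPUT))
    # A single flipped bit in the received copy must be detected.
    corrupted = bytearray(SAMPLE_SEGMENT)
    corrupted[100] ^= 0x01
    print("corrupted copy intact:", transfer_intact(sha512_of_bytes(bytes(corrupted)), SAMPLE_VERIFY_OUTPUT))


if __name__ == "__main__":
    main()
```

For a real collection, call sha512_of_file on the received file and pass the pasted verify output to transfer_intact; a False result means the file should be transferred again before it is uploaded to the SR, and the digest that is uploaded should be the one confirmed by both sides.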

Revision History

Version Date Author Comments
1.0 4/5/2024 Dan Maunz Initial public release.
1.1 8/27/2024 Dan Maunz Integrated 2100 Series.

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.