Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.

[1]  William J Buchanan,et al.  Evaluating Digital Forensic Tools (DFTs). , 2014 .

[2]  Oliver Popov,et al.  Testing Framework for Mobile Device Forensics Tools , 2014, J. Digit. Forensics Secur. Law.

[3]  Timothy M. Vidas,et al.  The Acquisition and Analysis of Random Access Memory , 2007, J. Digit. Forensic Pract..

[4]  Robert Radvanovsky,et al.  Handbook of SCADA/control systems security , 2013 .

[5]  Ryan Jones Safer live forensic acquisition , 2007 .

[6]  Sujeet Shenoi,et al.  An Architecture for SCADA Network Forensics , 2006, IFIP Int. Conf. Digital Forensics.

[7]  Stephen E. McLaughlin On Dynamic Malware Payloads Aimed at Programmable Logic Controllers , 2011, HotSec.

[8]  Brian D. Carrier Defining Digital Forensic Examination and Analysis Tool Using Abstraction Layers , 2003, Int. J. Digit. EVid..

[9]  D7.1 Preliminary report on forensic analysis for industrial systems , 2015 .

[10]  Nl Clarke,et al.  Proceedings of the 6th International Workshop on Digital Forensics and Incident Analysis , 2009 .

[11]  John H R May,et al.  Can we learn from SCADA security Incidents , 2013 .

[12]  Richard P. Ayers,et al.  Guidelines on Mobile Device Forensics , 2014 .

[13]  S. Shankar Sastry,et al.  A Taxonomy of Cyber Attacks on SCADA Systems , 2011, 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing.

[14]  Ronald M. van der Knijff,et al.  Control systems/SCADA forensics, what's the difference? , 2014, Digit. Investig..

[15]  Zachary H. Basnight Firmware Counterfeiting and Modification Attacks on Programmable Logic Controllers , 2013 .

[16]  N Pedro Taveras,et al.  SCADA LIVE FORENSICS: REAL TIME DATA ACQUISITION PROCESS TO DETECT, PREVENT OR EVALUATE CRITICAL SITUATIONS , 2013 .

[17]  Golden G. Richard,et al.  SCADA Systems: Challenges for Forensic Investigators , 2012, Computer.

[18]  Alvaro A. Cárdenas,et al.  Cyber-Physical Systems Attestation , 2014, 2014 IEEE International Conference on Distributed Computing in Sensor Systems.