The Association of Digital Forensics, Security and Law (ADFSL)


Supervisory Control and Data Acquisition (SCADA) system is an industrial control automated system. It is built with multiple Programmable Logic Controllers (PLCs). PLC is a special form of microprocessor-based controller with proprietary operating system. Due to the unique architecture of PLC, traditional digital forensic tools are difficult to be applied. In this paper, we propose a program called Control Program Logic Change Detector (CPLCD), it works with a set of Detection Rules (DRs) to detect and record undesired incidents on interfering normal operations of PLC. In order to prove the feasibility of our solution, we set up two experiments for detecting two common PLC attacks. Moreover, we illustrate how CPLCD and network analyzer Wireshark could work together for performing digital forensic investigation on PLC.


W. Bolton, Programmable Logic Controllers (4th Edition)

Irfan Ahmed, Sebastian Obermeier and Martin Naedele, Golen G. Richard III: SCADA System: Challenges for Forensics Investigations, IEEE Computer, Vol. 45 No. 12, December 2012, pp 44–51, USA

Dillon Beresford, Exploiting Siemens Simatic S7 PLCs, Black Hat USA+2011, July 8, 2011

Alex Sentcha, LibNoDave – exchange data with Siemens PLC, https://alexsentcha.wordpress.com/ Last accessed on 31 May 2015

R.M. van der Knijff, Control systems/SCADA forensics, what's the difference?, Digital Investigation 11 (2014)

Nicolas Falliere, Liam O Murchu, and Eric Chien: W32.Stuxnet Dossier, Version 1.4, Symantec Corporation, February 2011

Davide Nardella, Snap7 http://snap7.sourceforge.net/ Last accessed on 13, June 2015

Davide Nardella, Snap7 Reference manual Rev.5, January 1, 2015

PROFINET, Wikipedia http://en.wikipedia.org/wiki/PROFINET_IO, Last accessed on 18 June 2015

K. Mandia, C. Prosise and M. Pepe, “Incident Response and Computer Forensics”, McGraw-Hill/Osborne, Emeryville, California, 2003

Fabro, M: Recommended Practice: Creating Cyber Forensic Plan for Control Systems, Department of Homeland Security (2008), Idaho National Laboratory (INL), August 2008, USA

SIEMENS SIMATIC S7-1200 Easy Book Manual 01/2015




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.