Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.


Ahmed, I., Obermeier, S., Naedele, M., & Richard, G. G. (2012). Scada systems: Challenges for forensic investigators. Computer, 45 (12), 44{51.

Anobah, M., Saleem, S., & Popov, O. (2014). Testing framework for mobile device forensics tools. Journal of Digital Forensics, Security and Law, 9 (2), {234.

Basnight, Z. H. (2013). Firmware Counterfeiting and Modication Attacks on Programmable Logic Controllers. Retrieved from http://oai.dtic.mil/oai/ oai?verb=getRecord&metadataPrefix= html&identifier=ADA583401

Carrier, B. (2003). Dening digital forensic examination and analysis tools using abstraction layers. International Journal of digital evidence, 1 (4), 1{12.

Clarke, N., Tryfonas, T., & Dodge, R. (2012). Proceedings of the 7th international workshop on digital forensics and incident analysis WDFIA 2012. University of Plymouth.

ENISA. (2013). Can we learn from scada security incidents? (Tech. Rep.).

Enisa. Falliere, N., Murchu, L. O., & Chien, E. (2011). W32. stuxnet dossier. White paper, Symantec Corp., Security Response.

Flandrin, F., Buchanan, W. J., Macfarlane, R.,Ramsay, B., & Smales, A. (2014). Evaluating digital forensic tools (DFTs).

Jones, R. (2007). Safer live forensic acquisition. University of Kent. Retrieved from https://www.cs.kent.ac.uk/pubs/ug//co620-projects/forensic/report.pdf

Kilpatrick, T., Gonzalez, J., Chandia, R., Papa, M., & Shenoi, S. (2006). An architecture for SCADA network forensics. Advances in Digital Forensics II , 222 , {285nr364. Retrieved from://000240980400022

McLaughlin, S. (2011). On dynamic malware payloads aimed at programmable logic controllers. Proceedings of the 6th USENIX conference on Hot topics in security. HotSec, 11 , 10.

NIST. (2007, December). General test methodology for computer forensic tools.

Patzla, H. (2013). D7.1 preliminary report on forensic analysis for industrial systems (Tech. Rep.). The CRISALIS Consortium.

Radvanovsky, R., & Brodsky, J. (2013). Handbook of SCADA/control systems security. Taylor & Francis. Retrieved from https://books.google.co.uk/


Rick Ayers, W. J., Sam Brothers. (2013, September). Guidelines on mobile device forensics.

Siemens. (2015, January). S7-1200 easy book [Computer software manual].

Taveras, P. (2013). SCADA live forensics: real time data acquisition process to detect, prevent or evaluate critical situations. European Scientic Journal, 9 (21).

Valente, J., Barreto, C., & Cardenas, A. a. (2014). Cyber-Physical Systems Attestation. IEEE International Conference on Distributed Computing in Sensor Systems, 354{357.

Van der Knij, R. M. (2014). Control systems/scada forensics, what's the difference? Digital Investigation. doi: 1016/j.diin.2014.06.007

Vidas, T. (2007). The acquisition and analysis of random access memory. Journal of Digital Forensic Practice, 1 (4), 315{323.

Zhu, B., Joseph, A., & Sastry, S. (2011). A taxonomy of cyber attacks on scada systems. In Proceedings of the 2011 international conference on internet of things and 4th international conference on cyber, physical and social computing (pp. {388).



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.