Introducing a Forensics Data Type Taxonomy of Acquirable Artefacts From Programmable Logic Controllers

Cook, M., Stavrou, I., Dimmock, S. and Johnson, C. (2020) Introducing a Forensics Data Type Taxonomy of Acquirable Artefacts From Programmable Logic Controllers. In: 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 15-19 Jun 2020, ISBN 9781728164281 (doi: 10.1109/CyberSecurity49315.2020.9138879)

Full text not currently available from Enlighten.

Abstract

The understanding of available data artefacts is fundamental to performing digital forensics. There is good understanding of what data artefacts are acquirable from common information technology (IT) systems such as a Windows operating system and what their potential forensic value could be. As a result, IT forensic investigators can make clear predictions about what information the acquired data would yield. The same level of understanding for programmable logic controllers (PLCs) found within industrial control systems (ICS) is limited. Previous research has restricted the discussion of PLC data to generic and common data formats. This makes it challenging to prepare for incidents proactively, develop new forensic capabilities and prioritise the collection of data should an incident occur. Examples of previous cyber incidents such as Stuxnet and Triton have employed ad-hoc methods for the forensic investigation, highlighting the lack of a systematic approach. This paper examines the specific data types stored on a PLC and describes a forensic artefact taxonomy based on the acquirable data. Data acquisition tests were performed primarily using third-party communication libraries that utilise the PLC’s proprietary industrial communications protocol to leverage data stored within memory structures of each of the tested PLCs. Three PLCs, from two different manufacturers, were examined. Potential PLC attack scenarios, identified from the literature, were used to guide the evaluation of the acquirable data, categorised into high-level data types, to highlight the potential benefits of acquiring each form of data.

Item Type: Conference Proceedings
Status: Published
Refereed: Yes
Glasgow Author(s) Enlighten ID: Cook, Mr Marco and Johnson, Professor Chris
Authors: Cook, M., Stavrou, I., Dimmock, S., and Johnson, C.
College/School: College of Science and Engineering > School of Computing Science
ISBN: 9781728164281
Published Online: 13 July 2020