ABSTRACT

The Threats
Initial Steps
Make a Record
Interview the Point of Contact
  Pre-Investigation Tasks
  Document Your Steps
  Volatile Data Collection Procedures
  Documentation
SCADA Forensics Means Collecting Volatile Evidence
Deploying SCADA Forensic Tools
Hex Dumps of the File System
Operating Systems
  Microsoft Windows CE, 95 and 98 (embedded)
  Linux Variants
Malicious Code and the SCADA System
Managing the Environment
Volatility
Determining the Event
Intrusion Detection
SNORT
Incident Handling
  Keeping a Log Book
  Informing the Appropriate People
  Follow-Up Analysis
The Forensic Process
Components of a SCADA System
Investigative Methods of SCADA Forensics
  Investigative Methods: Step 1 - Examination
  Investigative Methods: Step 2 - Identification
  Investigative Methods: Step 3 - Collection
  Investigative Methods: Step 4 - Documentation
SCADA Investigative Tips
Available Hardware
  New Techniques to Extract Data
Router and Switch Forensics
The Role in SCADA Systems

The forensic process for a supervisory control and data acquisition (SCADA)-based investigation differs in a few minor ways from most common forensic engagements. Rather than shutting the system down to analyze it, SCADA systems are generally required to remain available. Remember that a large amount of volatile evidence may be collected from a live system (Decker et al., 2011); moreover, many SCADA systems cannot be shut down to be imaged and analyzed. The chapter objectives include:

• Locating and gathering volatile evidence on a SCADA host
• Investigating log files for evidence
• Interpreting the memory state and memory dump information
• Investigating the system backups
• Analyzing Internet trace data and events

Data Capture
Code Reviews and Testing Third-Party Software
Black Box Testing
White Box Testing
Testing in Combination
The Various Levels of Testing
  Unit Testing
  Integration Testing
  Acceptance Testing
  Regression Testing
  Testing Cycles
  Requirements Analysis
  Test Planning
  Test Development
  Test Execution
  Test Reporting
  Retesting the Defects
UML and Mapping Processes
  Unified
  Model
  Language
UML and Processes
Further Information about UML
Analyzing Logs, Traffic, and Unstructured Data
Unstructured Data
  Characters, Words, Terms, and Concepts
Algorithmic Classification
Keyword Network View
  Visualization
Summary
References

The term evidence location refers to the process of investigating and gathering information of a forensic nature, and particularly of legal importance (Cardwell, 2011). This evidence aids both criminal investigations and civil suits. Because many SCADA* systems are connected to networks, an Internet worm could affect the physical world. Worse, many SCADA systems are connected to the outside world without anyone officially knowing.