ABSTRACT

The threats
Initial steps
Make a record
Interview the point of contact
    Preinvestigation tasks
    Document your steps
    Volatile data collection procedures
        Do
        Do not
    Documentation
SCADA forensics means collecting volatile evidence
Deploying SCADA forensic tools
Hex dumps of the file system
Operating systems
    Microsoft Windows CE, 95, and 98 (embedded)
    Linux variants
Malicious code and the SCADA system
Managing the environment
Volatility
Determining the event
Intrusion detection
Snort
Incident handling
    Keeping a log book
    Informing the appropriate people
    Follow-up analysis
The forensic process
Components of a SCADA system
Investigative methods of SCADA forensics
    Investigative methods: Step 1, Examination
    Investigative methods: Step 2, Identification
    Investigative methods: Step 3, Collection
    Investigative methods: Step 4, Documentation
SCADA investigative tips
Available hardware
    New techniques to extract data
    Router and switch forensics

The role in SCADA systems
Data capture
Code reviews and testing third-party software
Black-box testing
White-box testing
Testing in combination
Various levels of testing
    Unit testing
    Integration testing
    Acceptance testing
    Regression testing
    Testing cycles
    Requirements analysis
    Test planning
    Test development
    Test execution
    Test reporting
    Retesting the defects
UML and mapping processes
    Unified
    Model
    Language
UML and processes
Further information about UML
Analyzing logs, traffic, and unstructured data
Unstructured data
    Characters, words, terms, and concepts
Algorithmic classification
Keyword network view
    Visualization
Summary
References

The forensic process for a supervisory control and data acquisition (SCADA)-based investigation differs in a few minor but important ways from many common forensic engagements. In a typical engagement the system is shut down for analysis, but SCADA systems are generally required to remain available. Remember that a large amount of volatile evidence may be collected on a live system (Decker et al., 2011), and many SCADA systems cannot be shut down to be imaged and analyzed. The topics addressed in this chapter include

• Locating and gathering volatile evidence on a SCADA host
• Investigating log files for evidence
• Interpreting the memory state and memory dump information
• Investigating the system backups
• Analyzing Internet trace data and events

The term evidence location refers to the process of investigating and gathering information of a forensic nature and, in particular, of legal importance (Cardwell, 2011). This evidence aids in both criminal investigations and civil suits. As many SCADA* systems are connected to networks, an Internet worm could affect the physical world. Worse, many SCADA systems are connected to the outside world without this being officially known.