ABSTRACT
The forensic process for a supervisory control and data acquisition (SCADA)-based investigation differs in a few minor ways from many common forensic engagements. Systems are usually shut down for analysis, but SCADA systems are generally required to remain available. Remember that a large amount of volatile evidence may be collected on a live system (Decker et al., 2011), and many SCADA systems cannot be shut down to be imaged and analyzed. The topics addressed in this chapter include

• Locating and gathering volatile evidence on a SCADA host
• Investigating log files for evidence
• Interpreting the memory state and memory dump information
• Investigating the system backups
• Analyzing Internet trace data and events

The term evidence location refers to the process of investigating and gathering information of a forensic nature and particularly of legal importance (Cardwell, 2011). This evidence aids both criminal investigations and civil suits. As many SCADA systems are connected to networks, an Internet worm could affect the physical world. Worse, many SCADA systems are connected to the outside world without anyone officially knowing it.

CONTENTS

The threats (171)
Initial steps (172)
Make a record (172)
Interview the point of contact (173)
    Preinvestigation tasks (173)
    Document your steps (175)
    Volatile data collection procedures (175)
        Do (175)
        Do not (175)
Documentation (175)
SCADA forensics means collecting volatile evidence (176)
Deploying SCADA forensic tools (177)
Hex dumps of the file system (177)
Operating systems (177)
    Microsoft Windows CE, 95, and 98 (embedded) (177)
    Linux variants (177)
Malicious code and the SCADA system (178)
Managing the environment (178)
Volatility (178)
Determining the event (179)
Intrusion detection (179)
Snort (179)
Incident handling (179)
    Keeping a log book (180)
    Informing the appropriate people (181)
    Follow-up analysis (181)
The forensic process (181)
Components of a SCADA system (182)
Investigative methods of SCADA forensics (182)
    Investigative methods: Step 1, Examination (182)
    Investigative methods: Step 2, Identification (183)
    Investigative methods: Step 3, Collection (183)
    Investigative methods: Step 4, Documentation (183)
SCADA investigative tips (184)
Available hardware (184)
New techniques to extract data (185)
Router and switch forensics (186)
The role in SCADA systems (186)
Data capture (187)
Code reviews and testing third-party software (188)
Black-box testing (188)
White-box testing (188)
Testing in combination (189)
Various levels of testing (189)
    Unit testing (189)
    Integration testing (189)
    Acceptance testing (190)
    Regression testing (190)
    Testing cycles (190)
    Requirements analysis (190)
    Test planning (190)
    Test development (190)
    Test execution (191)
    Test reporting (191)
    Retesting the defects (191)
UML and mapping processes (191)
    Unified (191)
    Model (191)
    Language (192)
UML and processes (192)
Further information about UML (194)
Analyzing logs, traffic, and unstructured data (194)
Unstructured data (194)
    Characters, words, terms, and concepts (194)
Algorithmic classification (196)
Keyword network view (197)
    Visualization (198)
Summary (198)
References (198)