U.S. Department of Energy
Office of Scientific and Technical Information

Towards generic memory forensic framework for programmable logic controllers

Journal Article · Forensic Science International: Digital Investigation
Authors: [1]; [2]; [3]; [2]; [1]
Affiliations:
  1. Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
  2. Virginia Commonwealth Univ., Richmond, VA (United States)
  3. Tennessee Technological Univ., Cookeville, TN (United States)

A Programmable Logic Controller (PLC) is a microprocessor-based controller used to automate physical processes in critical infrastructure and in many other industrial and manufacturing sectors. Early PLCs were completely isolated from the Internet, and cyber security was not part of their design. Industry 4.0 and the evolution of ICS toward communication over public IP addresses improved productivity and efficiency, but Internet connectivity also exposed these systems and their vulnerabilities, leading to an increase in cyber attacks. When a system is sabotaged or compromised, security analysts need to reach the root cause of the attack as quickly as possible in order to recover the system. Memory forensic analysis is critical here: it gives a unique view of run-time memory activity and yields a reliable source of evidence. In this paper, we analyze the memory structure of the Schneider Electric Modicon M221 PLC. To build a memory profile, we reverse engineer the communication protocol and conduct differential analysis to learn the structure of the memory and the low-level representation of control logic instructions. We then identify dynamic and static memory regions by modifying individual project fields and conducting differential analysis on the resulting memory, which lets us locate the boundaries of critical memory structures and extract important forensic artifacts from memory. The Python implementation of the memory profile can reduce the time and effort required for manual analysis in the event of a cyber incident or system failure.
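The differential-analysis step the abstract describes (edit one project field, dump memory again, diff against a baseline, and from the set of diffs derive static and dynamic regions) is illustrated below. This is an added example written for this page, not the authors' Python implementation, and the page gives no details of the M221 memory map: the 64-byte layout, the field names, the values and the "checksum" side effect in `make_dump` are all constructed for the demonstration. It also shows two caveats a practitioner runs into: a small edit (100 to 101) flips only one byte, so the diff alone does not give the field's width, and every edit also changes bytes that belong to no field (here a checksum) which must not be attributed to the field.

```python
"""Differential analysis of PLC memory snapshots (illustrative example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]  # [start, end) byte offsets within a dump


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    kind: str  # "static" (unchanged by every project edit) or "dynamic"


def merge_ranges(ranges: List[Range], gap: int = 0) -> List[Range]:
    """Sort ranges and merge any that overlap or lie within `gap` bytes of each other."""
    merged: List[Range] = []
    for s, e in sorted(ranges):
        if merged and s <= merged[-1][1] + gap:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def diff_ranges(a: bytes, b: bytes, merge_gap: int = 0) -> List[Range]:
    """Byte ranges where two equal-length dumps differ.

    Only bytes whose value actually changed appear: editing a 32-bit value from
    100 to 101 flips one byte, so the diff alone does not reveal the field width."""
    if len(a) != len(b):
        raise ValueError("dumps must cover the same address range")
    ranges: List[Range] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return merge_ranges(ranges, merge_gap)


def locate_field(baseline: bytes, modified: bytes, new_value: bytes) -> Tuple[Range, List[Range]]:
    """Locate a project field after changing exactly that field to `new_value`.

    Returns the field's full [start, end) range plus the other ranges that changed
    as a side effect of the edit (checksums, timestamps, ...), which a memory
    profile must not confuse with the field itself."""
    n = len(new_value)
    changed = diff_ranges(baseline, modified)
    # Candidate positions: where the new value appears now but did not before.
    candidates, p = [], modified.find(new_value)
    while p != -1:
        if baseline[p:p + n] != new_value:
            candidates.append(p)
        p = modified.find(new_value, p + 1)
    if len(candidates) != 1:
        raise LookupError(f"expected one new occurrence of the value, found {len(candidates)}")
    field = (candidates[0], candidates[0] + n)
    inside = [r for r in changed if field[0] <= r[0] and r[1] <= field[1]]
    if not inside:
        raise LookupError("value present but no bytes changed there: stale or wrong dump?")
    return field, [r for r in changed if r not in inside]


def classify_regions(baseline: bytes, edited_dumps: List[bytes], merge_gap: int = 2) -> List[Region]:
    """Partition the dump into static and dynamic regions.

    A byte that changed in at least one post-edit dump is dynamic; the rest is
    static for the set of edits performed, which is all the method can claim."""
    dynamic = merge_ranges([r for d in edited_dumps for r in diff_ranges(baseline, d)], merge_gap)
    regions: List[Region] = []
    cursor = 0
    for s, e in dynamic:
        if s > cursor:
            regions.append(Region(cursor, s, "static"))
        regions.append(Region(s, e, "dynamic"))
        cursor = e
    if cursor < len(baseline):
        regions.append(Region(cursor, len(baseline), "static"))
    return regions


# Constructed sample dumps: a made-up 64-byte layout, NOT the M221 memory map.
def make_dump(name: bytes, preset: int, checksum: int) -> bytes:
    buf = bytearray(64)
    buf[0:4] = b"PLC\x00"                       # fixed header
    buf[16:28] = name.ljust(12)                  # 12-byte project name field
    buf[40:44] = preset.to_bytes(4, "little")    # a 32-bit timer preset
    buf[60:62] = checksum.to_bytes(2, "little")  # checksum that changes on every edit
    return bytes(buf)


BASELINE = make_dump(b"PUMP_CTRL", 100, 0x1234)
DUMP_NAME_EDIT = make_dump(b"VALVE_CTRL_B", 100, 0x5A5A)        # every byte of the name differs
DUMP_PRESET_EDIT = make_dump(b"PUMP_CTRL", 0xA1B2C3D4, 0x0F0F)  # every byte of the preset differs
DUMP_SMALL_EDIT = make_dump(b"PUMP_CTRL", 101, 0x1234)          # only the preset's low byte differs


def build_profile() -> dict:
    """Run the edits against the baseline and assemble a small memory profile."""
    name_field, name_side = locate_field(BASELINE, DUMP_NAME_EDIT, b"VALVE_CTRL_B")
    preset_field, _ = locate_field(BASELINE, DUMP_PRESET_EDIT, (0xA1B2C3D4).to_bytes(4, "little"))
    return {
        "project_name": name_field,
        "timer_preset": preset_field,
        "edit_side_effects": name_side,  # the checksum bytes, not part of any edited field
        "regions": classify_regions(BASELINE, [DUMP_NAME_EDIT, DUMP_PRESET_EDIT]),
    }


if __name__ == "__main__":
    for key, value in build_profile().items():
        print(f"{key}: {value}")
```

`locate_field` searches for the new value rather than trusting the diff boundaries, which is why the one-byte change in `DUMP_SMALL_EDIT` still resolves to the full four-byte field; the price is that the chosen new value must not already occur elsewhere in the dump. On a real controller the dumps would be acquired over the reverse-engineered protocol, and any byte that changed in every dump regardless of which field was edited is a strong candidate for a checksum or write counter rather than a project field.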

Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Organization:
USDOE
Grant/Contract Number:
AC05-00OR22725
OSTI ID:
1965252
Journal Information:
Forensic Science International: Digital Investigation, Vol. 44; ISSN 2666-2817
Publisher:
Elsevier
Country of Publication:
United States
Language:
English
