Abstract
In industrial control systems (ICS), programmable logic controllers (PLCs) are used to automate physical processes such as nuclear plants and power grid stations, and are often subject to cyber attacks. As in conventional IT domain, the memory analysis of the PLCs can help answer important forensic questions about the attack, such as the presence of malicious firmware, injection of modified control logic (the program running on the PLC), and manipulation of I/O devices (e.g., sensors and actuators). Unlike conventional IT domain, PLCs have heterogeneous hardware architecture, proprietary firmware and control software, making it challenging to employ a unified framework for their memory forensics. For merely extracting artifacts of forensic importance, reverse-engineering the firmware is a tedious task, and the effort needs to be repeated for every PLC model. As a community, a step-wise approach to tackle this challenge is to analyze the memory of specific PLCs, and subsequently find a generic framework applicable to all PLCs. Our work is a step forward in this direction. By following a methodology that focuses on the functional layer of PLCs instead of reverse engineering the firmware, we analyze the digital forensic artifacts available in a common PLC, Allen-Bradley ControlLogix 1756-L61. Before diving into the memory dump, we analyze the PLC control software to create a list of important artifacts that are sure to exist in the PLC memory dump. The approach employs a setup where PLC control software RSLogix-5000 is connected to the PLC, and the memory dump can be obtained as and when needed. We create test cases that sequentially highlight each category of artifacts, followed by an examination of the resultant impact on memory. After attaining the listed artifacts, we employ conventional string and known data searches to extract interesting information present in this PLC's memory. The memory analysis profile, presented as a Python library and shared with the community, can help a forensic investigator to readily extract forensic artifacts from the same model's controller. The adopted approach may help researchers in creating memory profile of other PLCs, and ultimately formulating a generic PLC memory analysis framework.
