Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Tina Wu, Jason Nurse


The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.


PLC Debugging; Program Code; SCADA; Digital Forensics; NIST; PLCs; Attackers

Full Text:



Ahmed, I., Obermeier, S., Naedele, M., &

Richard, G. G. (2012). Scada systems:

Challenges for forensic investigators.

Computer, 45 (12), 44{51.

Anobah, M., Saleem, S., & Popov, O. (2014).

Testing framework for mobile device

forensics tools. Journal of Digital

Forensics, Security and Law, 9 (2),


Basnight, Z. H. (2013). Firmware

Counterfeiting and Modication Attacks

on Programmable Logic Controllers.

Retrieved from




Carrier, B. (2003). Dening digital forensic

examination and analysis tools using

abstraction layers. International Journal

of digital evidence, 1 (4), 1{12.

Clarke, N., Tryfonas, T., & Dodge, R. (2012).

Proceedings of the 7th international

workshop on digital forensics and incident

analysis WDFIA 2012. University of


ENISA. (2013). Can we learn from scada

security incidents? (Tech. Rep.). Enisa.

Falliere, N., Murchu, L. O., & Chien, E. (2011).

W32. stuxnet dossier. White paper,

Symantec Corp., Security Response.

Flandrin, F., Buchanan, W. J., Macfarlane, R.,Ramsay, B., & Smales, A. (2014).

Evaluating digital forensic tools (DFTs).

Jones, R. (2007). Safer live forensic acquisition.

University of Kent. Retrieved from




Kilpatrick, T., Gonzalez, J., Chandia, R., Papa,

M., & Shenoi, S. (2006). An architecture

for SCADA network forensics. Advances

in Digital Forensics II , 222 ,

{285nr364. Retrieved from


McLaughlin, S. (2011). On dynamic malware

payloads aimed at programmable logic

controllers. Proceedings of the 6th

USENIX conference on Hot topics in

security. HotSec, 11 , 10.

NIST. (2007, December). General test

methodology for computer forensic tools.

Patzla, H. (2013). D7.1 preliminary report on

forensic analysis for industrial systems

(Tech. Rep.). The CRISALIS


Radvanovsky, R., & Brodsky, J. (2013).

Handbook of SCADA/control systems

security. Taylor & Francis. Retrieved

from https://books.google.co.uk/


Rick Ayers, W. J., Sam Brothers. (2013,

September). Guidelines on mobile device


Siemens. (2015, January). S7-1200 easy book

[Computer software manual].

Taveras, P. (2013). SCADA live forensics: real

time data acquisition process to detect,

prevent or evaluate critical situations.

European Scientic Journal, 9 (21).

Valente, J., Barreto, C., & Cardenas, A. a.

(2014). Cyber-Physical Systems

Attestation. IEEE International

Conference on Distributed Computing in

Sensor Systems, 354{357.

Van der Knij, R. M. (2014). Control

systems/scada forensics, what's the

dierence? Digital Investigation. doi:


Vidas, T. (2007). The acquisition and analysis

of random access memory. Journal of

Digital Forensic Practice, 1 (4), 315{323.

Zhu, B., Joseph, A., & Sastry, S. (2011). A

taxonomy of cyber attacks on scada

systems. In Proceedings of the 2011

international conference on internet of

things and 4th international conference on

cyber, physical and social computing (pp.



  • There are currently no refbacks.

Copyright (c) 2016 Journal of Digital Forensics, Security and Law

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

(c) 2006-2015 Association of Digital Forensics, Security and Law