PLC Forensics Based on Control Program Logic Change Detection

Ken Yau, Kam-Pui Chow


A Supervisory Control and Data Acquisition (SCADA) system is an automated industrial control system built with multiple Programmable Logic Controllers (PLCs). A PLC is a special form of microprocessor-based controller with a proprietary operating system. Due to the unique architecture of PLCs, traditional digital forensic tools are difficult to apply. In this paper, we propose a program called Control Program Logic Change Detector (CPLCD), which works with a set of Detection Rules (DRs) to detect and record undesired incidents that interfere with the normal operations of a PLC. To prove the feasibility of our solution, we set up two experiments for detecting two common PLC attacks. Moreover, we illustrate how CPLCD and the network analyzer Wireshark can work together to perform a digital forensic investigation on a PLC.


PLC Forensics, SCADA Security, Ladder Logic Programming







Copyright (c) 2016 Journal of Digital Forensics, Security and Law

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.


(c) 2006-2015 Association of Digital Forensics, Security and Law