Chapter 16 REMOTE FORENSIC ANALYSIS OF PROCESS CONTROL SYSTEMS

Forensic analysis can help maintain the security of process control systems: identifying the root cause of a system compromise or failure is useful for mitigating current and future threats. However, forensic analysis of control systems is complicated by three factors. First, live analysis must not impact the performance and functionality of a control system. Second, the analysis should be performed remotely as control systems are typically positioned in widely dispersed locations. Third, forensic techniques and tools must accommodate proprietary or specialized control system hardware, software, applications and protocols. This paper explores the use of a popular digital forensic tool, EnCase Enterprise, for conducting remote forensic examinations of process control systems. Test results in a laboratory-scale environment demonstrate the feasibility of conducting remote forensic analyses on live control systems.