GRID - GIAC Response and Industrial Defense ICS Digital Forensics Questions and Answers

Question 1

An incident responder is tasked with collecting forensic evidence from a Programmable Logic Controller (PLC) that is actively controlling a critical industrial process. The highest priority is to preserve evidence of a potential memory-resident attack without halting the physical process. Which of the following is the MOST appropriate initial action?

Accepted Answer

Perform a live memory acquisition of the PLC over the network.

Answer

In an ICS environment, operational availability is paramount, and shutting down a PLC controlling a live process is often not feasible. [32] Live memory acquisition is the preferred method for capturing volatile data, such as evidence of memory-resident malware or modifications to the running control logic, without interrupting the PLC's operation. [20, 26] Powering down the device would result in the loss of all volatile evidence. [13] Isolating the PLC might be a later step, but the initial priority is to capture the ephemeral data. While comparing project files is a valid forensic step, it does not capture the runtime state of the PLC's memory where an attack might be evident. [27]

Question 2

During a forensic investigation of a SCADA system, an analyst is examining data from a Human-Machine Interface (HMI). Which type of evidence is MOST likely to be found on a typical HMI that would indicate unauthorized changes to the process?

Accepted Answer

Records of setpoint changes and operator command inputs in the event logs.

Answer

The primary function of an HMI is to provide a graphical interface for operators to monitor and control the industrial process. [15, 30] As such, its logs are a critical source of evidence for actions taken by operators (or attackers masquerading as them). These logs would typically record events like changes to process setpoints, manual overrides, and other commands sent to controllers like PLCs. [16] Firmware logs would be on the RTU itself, full packet captures would be on a network sensor, and ladder logic source code is typically stored on the engineering workstation, not the HMI. [1]

Question 3

Which of the following presents a unique and significant challenge when performing digital forensics in an ICS environment compared to a traditional IT environment?

Accepted Answer

The use of proprietary protocols and heterogeneous hardware.

Answer

ICS environments are characterized by a wide variety of specialized hardware and proprietary, often undocumented, communication protocols from different vendors. [3, 7] This heterogeneity makes it difficult to use standard IT forensic tools and techniques for data acquisition and analysis, often requiring specialized knowledge and equipment. [4] While chain of custody, disk imaging, and encryption are concerns in both environments, the sheer diversity and proprietary nature of ICS components pose a more fundamental and unique challenge. [27]

Question 4

A forensic investigator is analyzing an engineering workstation (EWS) following a security incident where malicious control logic was downloaded to multiple PLCs. Which artifact on the EWS would be the MOST critical to examine to understand how the logic was modified and deployed?

Accepted Answer

The PLC project files and their version history.

Answer

The engineering workstation is used to create, modify, and download control logic (e.g., ladder logic) to PLCs. [16] The project files contain this logic. Examining these files, their modification timestamps, and any version control history is the most direct way to identify unauthorized changes and understand the timeline of when they were introduced and downloaded to the controllers. [1, 30] While other artifacts like browser history or AV logs can provide context, the project files are the primary source of the malicious logic itself.

Question 5

An incident responder is collecting data from a live ICS environment. According to the forensic principle of 'Order of Volatility', which of the following data sources should generally be collected FIRST?

Accepted Answer

Running processes and RAM from the HMI server.

Answer

The Order of Volatility dictates collecting the most ephemeral data first, as it is the most likely to be lost. [4] Data in RAM and the state of running processes are highly volatile and will be lost upon a reboot or shutdown. [8, 13] Network traffic is also highly volatile, but active processes in RAM can be a source of ongoing malicious activity. Data Historian files and archived project files are stored on non-volatile disk storage and are therefore much more persistent. Thus, collecting RAM and process information from the live HMI server should be the initial priority. [26]

(GRID) GIAC Response and Industrial Defense Practice Test

(GRID) GIAC Response and Industrial Defense Practice Test

GRID - GIAC Response and Industrial Defense ICS Digital Forensics Questions and Answers