The forensic_model_functions.pdf features a forensic model in compliance with the Industrial Internet Reference Architecture.
It includes the activites, task and its function together with their inputs and outputs.
We also provide the entity-relationship diagram of the IIRA compliant forensic model to outline the relations. Please note that the data category and its type is
for future work and currently not included in our model.
Below you can find the referenced papers used as well as a description of the table fields.
| Field | Description |
|---|---|
| Index | Index of the function. First number is the index of the activity, second number is the index of the task, third number is the index of the function |
| Activity | Activity of the forensic model |
| Task | Task of the activity. Workflow corresponds to the order of the tasks |
| lnput | Input of the function or functional component |
| Output-Of index | Indicates the index of an output of a function which serves as input for the specific function |
| Function | Specific function assigned to the task |
| Output | Specific output of the function |
| Reference | Cited paper if applies |
[1] E. Cornelius and M. Fabro, “Recommended Practice: Creating CyberForensics Plans for Control Systems,” Jan. 2008.
[2] A. J. Marcella, “Operational technology, industrial control systems and cyber forensics,” in, 1st ed., ser. 5. Boca Rota, USA: CRC PRess. Jul. 2021, vol. 4, ch. 6, pp. 211–267."
[3] Bundesamt für Sicherheit in der Informationstechnik (BSI), “LeitfadenIT-Forensik,” Tech. Rep., 2011.
[4] Asmar, Rima & Beztchi, Saeed & Smith, Jared & Lyles, Bryan & Prowell, Stacy. (2018). Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems.
[5] Basnight, Z. & Butts, J. & Lopez, J. & Dube, T.. (2013). Analysis of programmable logic controller firmware for threat assessment and forensic investigation. 8th International Conference on Information Warfare and Security, ICIW 2013. 9-15.
[6] Wu, T., Ferdinand, J., Disso, P., Jones, K., & Campos, A. (2013). Towards a SCADA Forensics Architecture.
[7] Matoušek, P., & Schmiedecker, M. (2017). Digital Forensics and Cyber Crime. http://www.springer.com/series/8197.
[8] J. Cosic, C. Schlehuber, and D. Morog, “Digital Forensic Investigation Process in Railway Environment,” Apr. 2021, pp. 1–6.
[9] J. Stirland, K. Jones, H. Janicke, and T. Wu, “Developing CyberForensics for SCADA Industrial Control Systems,” Oct. 2014.
[10] Krotofil, Marina & Gollmann, Dieter. (2013). Industrial control systems security: What is happening?. IEEE International Conference on Industrial Informatics (INDIN). 664-669. 10.1109/INDIN.2013.6622963.
[11] Cook, M., Stavrou, I., Johnson, C., & Dimmock, S. (2020). Introducing a forensics data type taxonomy of acquirable artefacts from programmable logic controllers. In 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security).
[12] R. Asmar, J. Lopez, and M. Rogers, “Volatile Memory Extraction-Based Approach for Level 0-1 CPS Forensics,” Nov. 2019, pp. 1–6.
[13] Rondeau, C. M., Temple, M. A., & Lopez, J. (2019). Industrial IoT cross‐layer forensic investigation. WIREs Forensic Science, 1(1). https://doi.org/10.1002/wfs2.1322
[14] Ahmed, I., Obermeier, S., Sudhakaran, S., & Roussev, V. (2017). Programmable Logic Controller Forensics. IEEE Security and Privacy, 15(6), 18–24. https://doi.org/10.1109/MSP.2017.4251102
[15] Rrushi, J., & Nelson, P. A. (2015). Big Data Computing for Digital Forensics on Industrial Control Systems. Proceedings - 2015 IEEE 16th International Conference on Information Reuse and Integration, IRI 2015, 593–608. https://doi.org/10.1109/IRI.2015.94
[16] Chang, Tianyou & Wei, Qiang & Geng, Yangyang & Zhang, Hongwei. (2018). Constructing PLC Binary Program Model for Detection Purposes. Journal of Physics: Conference Series.
[17] Krotofil, Marina & Gollmann, Dieter. (2013). Industrial control systems security: What is happening?. IEEE International Conference on Industrial Informatics (INDIN).