“In OT forensics, if you secure the evidence but trip the plant, you have failed the mission.”
Navigating the delicate balance between preserving digital evidence and maintaining physical safety in live industrial environments
In traditional IT forensics, the playbook is simple: pull the plug, image the drive, analyze offline.
In Operational Technology (OT), that same move can trigger a safety incident—or permanently brick a 20-year-old PLC.
This is the core conflict.
OT forensics demands a fundamentally different mindset:
Safety first.
Availability second.
Evidence third.
Always in that order.
What follows is a practical methodology for Live OT Forensics—a shift away from “dead box” analysis toward process forensics, where investigators study physics, logic, and operational behavior together.
Because in industrial environments, the real crime scene is not just the computer—it’s the running process.
The “Do No Harm” Doctrine: Why OT Forensics Is Different
The Observer Effect
Many legacy controllers run fragile, vendor-specific TCP/IP stacks. A routine port scan, a malformed packet, or an agent-based collector can hang a device that has been running continuously for years, and even a watchdog-triggered reboot is downtime. Simply looking too hard can cause an outage, so every active step must be agreed with the process engineers before it is taken.
The Volatility Challenge
In IT, RAM is typically the most volatile evidence.
In OT, it’s the process state.
Temperature, pressure, valve positions, and turbine speed can change in seconds—and once gone, that evidence is unrecoverable.
A Specialized OT Order of Volatility
Physical Safety State – Is the process stable right now?
Process State – Historian data, HMI values, sensor readings
Controller Memory – PLC RAM and ladder logic
Engineering Workstation (EWS) – Logs, projects, user activity
Miss the top two, and you may never reconstruct what really happened.
Phase 1: Passive Collection — The “Hands-Off” Layer
This phase is about observing without touching.
Network PCAP
Traffic is captured from a SPAN/RSPAN session or, preferably, a passive network TAP, so nothing is ever sent to the endpoints. Prefer the TAP where the switch is already busy: an oversubscribed SPAN port silently drops frames, and the dropped frame may be the one write command you needed.
But you’re not hunting classic malware signatures.
You’re looking for control intent:
Modbus Force Coil and Preset Register writes (function codes 5, 6, 15, 16)
CIP program uploads or downloads
Unauthorized write commands from hosts that normally only poll
Unexpected engineering sessions (a programming tool connecting from an address that is not the EWS)
Commands matter more than payloads.
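The following is an added example, not code from the original article: a small Modbus/TCP decoder that walks captured TCP payloads and reports only the state-changing function codes (Force Coil, Preset Register and their multiple-register forms), flagging writes from hosts that are not on the engineering allowlist. It assumes the TCP payloads have already been extracted from the PCAP (for instance with tshark); the sample frames, addresses and the allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state. The names are the legacy
# Modicon terms (Force Coil / Preset Register) still used in vendor documentation.
WRITE_FUNCTIONS = {
    0x05: "Force Single Coil",
    0x06: "Preset Single Register",
    0x0F: "Force Multiple Coils",
    0x10: "Preset Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class WriteEvent:
    ts: str
    src: str
    dst: str
    unit: int
    function: str
    address: int
    detail: str
    authorized: bool


def parse_request(payload: bytes):
    """Split one Modbus/TCP request into (unit_id, function_code, pdu_data).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2, count
    of bytes that follow it), unit id (1); then the PDU starting with the
    function code. Returns None for anything that does not frame correctly.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def describe_write(fc: int, data: bytes):
    """Decode the target address and the intent of a write PDU."""
    if fc in (0x05, 0x06):
        addr, value = struct.unpack(">HH", data[:4])
        if fc == 0x05:
            state = {0xFF00: "ON", 0x0000: "OFF"}.get(value, f"invalid 0x{value:04X}")
            return addr, f"coil -> {state}"
        return addr, f"register = {value}"
    if fc in (0x0F, 0x10):
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        kind = "coils" if fc == 0x0F else "registers"
        return addr, f"{qty} {kind}, {nbytes} data bytes"
    if fc == 0x16:
        addr, and_mask, or_mask = struct.unpack(">HHH", data[:6])
        return addr, f"AND=0x{and_mask:04X} OR=0x{or_mask:04X}"
    # 0x17: read address/quantity, then write address/quantity/byte count
    _r_addr, _r_qty, w_addr, w_qty, _nbytes = struct.unpack(">HHHHB", data[:9])
    return w_addr, f"writes {w_qty} registers"


def find_write_intent(frames, authorized_writers):
    """Return every state-changing request in `frames`, flagging sources that are
    not on the engineering allowlist. Reads (FC 1-4) are ordinary HMI polling and
    are ignored. Each frame is (timestamp, src_ip, dst_ip, tcp_payload_bytes)."""
    events = []
    for ts, src, dst, payload in frames:
        parsed = parse_request(payload)
        if parsed is None:
            continue
        unit, fc, data = parsed
        if fc not in WRITE_FUNCTIONS:
            continue
        try:
            addr, detail = describe_write(fc, data)
        except struct.error:
            addr, detail = -1, "truncated PDU"
        events.append(WriteEvent(ts, src, dst, unit, WRITE_FUNCTIONS[fc],
                                 addr, detail, src in authorized_writers))
    return events


# Constructed sample capture (not from a real plant). Frame 1 is an ordinary
# Read Holding Registers poll from the HMI; frames 2 and 3 are writes from a
# host that has no business writing to the PLC.
SAMPLE_FRAMES = [
    ("02:00:14", "10.1.1.10", "10.1.1.50", bytes.fromhex("00010000000601030000000A")),
    ("02:00:51", "10.0.5.23", "10.1.1.50", bytes.fromhex("00020000000601050013FF00")),
    ("02:00:52", "10.0.5.23", "10.1.1.50", bytes.fromhex("00030000000B011000640002040BB80001")),
]
AUTHORIZED_WRITERS = {"10.1.1.20"}  # assumed address of the engineering workstation

if __name__ == "__main__":
    for e in find_write_intent(SAMPLE_FRAMES, AUTHORIZED_WRITERS):
        flag = "" if e.authorized else "  <-- source not an authorized writer"
        print(f"{e.ts} {e.src} -> {e.dst} unit {e.unit}: {e.function} "
              f"@ {e.address} ({e.detail}){flag}")
```

The allowlist is the point: on a healthy control network the set of hosts that ever issue function codes 5, 6, 15 or 16 is tiny and known, so a write from any other address is a finding on its own, before anyone looks at what value was written.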
The Historian as a Black Box
Industrial historians—such as OSIsoft PI—are usually built for operations. In forensics, they become flight recorders.
The key technique is cyber–physical correlation:
A remote login at 02:00 AM.
A turbine speed increase at 02:01 AM.
That one-minute delta often tells the whole story.
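The cyber-physical correlation described above, as an added example that is not part of the original article: it takes remote-login events and a historian export, and for each login reports the first tag that moves outside its normal variability within a window after the login, with the delta in seconds. The historian export format, the tags, tolerances and all timestamps are constructed for illustration; a real PI or other historian would be queried for the tag values over the same window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Correlation:
    login_ts: datetime
    user: str
    src: str
    tag: str
    before: float
    after: float
    delta_s: float  # seconds from the login to the first out-of-band sample


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(logins, samples, tolerances, window=timedelta(minutes=5)):
    """For every remote login, find the first historian sample per tag, within
    `window` after the login, that departs from the last pre-login value by more
    than the tag's tolerance.

    logins:     (timestamp, user, source_ip)
    samples:    (timestamp, tag, value) as exported from the historian
    tolerances: {tag: allowed_deviation} in engineering units, set from normal
                operating variability so routine noise does not correlate

    Historians use swinging-door compression, so samples are not evenly spaced;
    the baseline is therefore the last stored value at or before the login, not
    the sample at a fixed offset.
    """
    by_tag = {}
    for ts, tag, value in samples:
        by_tag.setdefault(tag, []).append((parse_ts(ts), float(value)))
    for series in by_tag.values():
        series.sort()

    hits = []
    for ts, user, src in logins:
        t0 = parse_ts(ts)
        for tag, series in by_tag.items():
            before = [v for t, v in series if t <= t0]
            if not before:
                continue  # no pre-login value to compare against
            baseline = before[-1]
            for t, v in series:
                if t0 < t <= t0 + window and abs(v - baseline) > tolerances.get(tag, 0.0):
                    hits.append(Correlation(t0, user, src, tag, baseline, v,
                                            (t - t0).total_seconds()))
                    break
    return hits


# Constructed sample data (not from a real site). One remote login at 02:00 is
# followed a minute later by a 600 rpm jump; the 08:00 login is followed by
# nothing outside normal variation.
SAMPLE_LOGINS = [
    ("2024-03-11 02:00:00", "eng_contractor", "10.0.5.23"),
    ("2024-03-11 08:00:00", "shift_lead", "10.1.1.20"),
]
SAMPLE_SAMPLES = [
    ("2024-03-11 01:50:00", "TURB1.RPM", 3000.0),
    ("2024-03-11 01:58:30", "TURB1.RPM", 3000.0),
    ("2024-03-11 02:01:00", "TURB1.RPM", 3600.0),
    ("2024-03-11 02:03:00", "TURB1.RPM", 3610.0),
    ("2024-03-11 08:01:00", "TURB1.RPM", 3605.0),
    ("2024-03-11 01:55:00", "BOILER.PRESS", 12.1),
    ("2024-03-11 02:02:00", "BOILER.PRESS", 12.2),
    ("2024-03-11 08:02:00", "BOILER.PRESS", 12.1),
]
TOLERANCES = {"TURB1.RPM": 50.0, "BOILER.PRESS": 0.5}

if __name__ == "__main__":
    for h in correlate(SAMPLE_LOGINS, SAMPLE_SAMPLES, TOLERANCES):
        print(f"{h.login_ts:%H:%M:%S} login {h.user}@{h.src} -> {h.tag} "
              f"{h.before} to {h.after} after {h.delta_s:.0f}s")
```

Two practical cautions apply. Clock skew between the domain controller, the EWS and the historian server routinely exceeds a minute on OT networks, so establish each source's offset before trusting a one-minute delta. And tolerances must come from the process engineers, because a 600 rpm change may be a shutdown sequence on one unit and an excursion on another.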
Syslog Aggregation
Logs are collected from perimeter and safety zones by forwarding syslog outward through the conduits that already exist (a one-way diode where one is installed) rather than by entering those zones, preserving segmentation while still building a unified timeline.
Phase 2: The Logic Check — Forensics on the Controller
This is where OT mirrors classic integrity analysis.
Logic Diffing (The OT Equivalent of File Hashing)
You compare:
Master Project File (offline backup)
vs
Running Logic (on the PLC)
Any delta is evidence.
Vendor-native and third-party version-control platforms such as Rockwell Automation AssetCentre and AUVESY's versiondog help surface:
Unauthorized code edits
Forced setpoints
Hidden rungs inserted into ladder logic
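Logic diffing as an added example, not code from the original article or from either product named above: it normalizes two text exports of the same program (the offline master and the logic uploaded from the controller), hashes them, and, when the hashes differ, reports inserted, removed and modified rungs, calling out any instruction whose numeric setpoint changed. The rung syntax is a constructed, vendor-neutral text form used only for illustration; a real investigation would export from the vendor tool and adapt the instruction regex to that format.

```python
import difflib
import hashlib
import re

# Instructions whose numeric operand is a setpoint, limit or timer preset. The
# rung syntax below is a constructed, vendor-neutral text export, not a real format.
SETPOINT = re.compile(r"(EQU|GEQ|LEQ|GRT|LES|MOV|TON|TOF)\(([A-Za-z0-9_.]+),(-?\d+(?:\.\d+)?)\)")


def normalize(export: str):
    """Strip comments and collapse whitespace so a cosmetic re-save of the same
    logic does not register as a change. Returns the list of rungs."""
    rungs = []
    for line in export.splitlines():
        line = re.sub(r"//.*$", "", line).strip()
        if line:
            rungs.append(re.sub(r"\s+", " ", line))
    return rungs


def logic_hash(rungs) -> str:
    return hashlib.sha256("\n".join(rungs).encode()).hexdigest()


def setpoint_change(old: str, new: str):
    """If the same instruction on the same tag carries a different constant in
    `new`, return (tag, old_value, new_value); otherwise None."""
    a = {(ins, tag): val for ins, tag, val in SETPOINT.findall(old)}
    b = {(ins, tag): val for ins, tag, val in SETPOINT.findall(new)}
    for key in a.keys() & b.keys():
        if a[key] != b[key]:
            return (key[1], a[key], b[key])
    return None


def diff_logic(master: str, running: str):
    """Compare the offline master project with the logic uploaded from the
    controller. Any delta is evidence; the report separates inserted, removed
    and modified rungs and calls out setpoint changes inside modified rungs."""
    m, r = normalize(master), normalize(running)
    report = {"hash_match": logic_hash(m) == logic_hash(r),
              "inserted": [], "removed": [], "modified": []}
    matcher = difflib.SequenceMatcher(a=m, b=r, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            continue
        if op == "insert":
            report["inserted"].extend(r[j1:j2])
        elif op == "delete":
            report["removed"].extend(m[i1:i2])
        else:  # replace: pair old and new rungs; leftovers count as inserts/removals
            old, new = m[i1:i2], r[j1:j2]
            for o, n in zip(old, new):
                report["modified"].append({"old": o, "new": n,
                                           "setpoint_change": setpoint_change(o, n)})
            report["removed"].extend(old[len(new):])
            report["inserted"].extend(new[len(old):])
    return report


# Constructed sample exports (not a real project). The running logic has one
# setpoint raised from 90 to 99 and one extra rung that unlatches the alarm.
MASTER_EXPORT = """\
// Tank pump control, master backup 2024-02-01
RUNG 000: XIC(Start_PB) XIO(Stop_PB) OTE(Pump1_Run)
RUNG 001: GRT(Tank_Level,90.0) OTE(HiLevel_Alarm)
RUNG 002: LES(Tank_Level,10.0) OTE(LoLevel_Alarm)
RUNG 003: XIC(Pump1_Run) TON(Pump1_Timer,5000)
"""
RUNNING_EXPORT = """\
RUNG 000: XIC(Start_PB)   XIO(Stop_PB) OTE(Pump1_Run)   // re-saved, same logic
RUNG 001: GRT(Tank_Level,99.0) OTE(HiLevel_Alarm)
RUNG 002: LES(Tank_Level,10.0) OTE(LoLevel_Alarm)
RUNG 003: XIC(Pump1_Run) TON(Pump1_Timer,5000)
RUNG 004: XIC(Always_On) OTU(HiLevel_Alarm)
"""

if __name__ == "__main__":
    rep = diff_logic(MASTER_EXPORT, RUNNING_EXPORT)
    print("hash match:", rep["hash_match"])
    for rung in rep["inserted"]:
        print("INSERTED :", rung)
    for rung in rep["removed"]:
        print("REMOVED  :", rung)
    for ch in rep["modified"]:
        print("MODIFIED :", ch["old"], "->", ch["new"], "setpoint:", ch["setpoint_change"])
```

The normalization step matters as much as the diff: engineering tools rewrite comments, timestamps and whitespace on every save, and an investigator who hashes the raw files will either drown in false deltas or, worse, stop trusting the hash and miss the one rung that was added.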
Firmware Integrity
Firmware hashes are validated against the vendor's published release images to detect implants or unauthorized modifications. Many controllers will not let you read the running image back; the reported firmware version and any built-in vendor integrity check may be all you get, so treat an unchanged version string as weak evidence rather than proof.
Configuration State
Attackers often avoid logic changes entirely, opting for quieter moves:
Adding local HMI users
Disabling alarms
Modifying alert thresholds
These “silent” changes are just as dangerous—and often easier to miss.
Phase 3: The Engineering Workstation — The Bridge
Almost every serious OT incident pivots through the Engineering Workstation (EWS).
It is the bridge between IT and OT—and frequently the smoking gun.
Memory Analysis
RAM acquisition on the EWS exposes:
Fileless malware
Living-off-the-land persistence
In-memory credential theft
This is where attackers stage tooling before touching controllers.
Key Artifacts to Hunt
Project file timestamps (modified and created; NTFS last-accessed updates are disabled by default on most Windows builds, so check the USN journal and $LogFile as well)
USB insertion history (USBSTOR and MountedDevices registry keys, setupapi.dev.log)
RDP sessions originating from the IT network (Security event 4624 with logon type 10, plus the TerminalServices-RemoteConnectionManager log)
These breadcrumbs often reconstruct the attacker’s exact workflow.
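An added example of reconstructing that workflow, not code from the original article: three artifact sources exported from the EWS (4624 logon records, USBSTOR registry entries and project file timestamps) are merged into one timeline, RDP logons from an IT address range are flagged, and each such logon is paired with project file activity that follows it within a window. The artifact records, the IT address range and the file paths are constructed for illustration; on a real host they would come from the evtx export, the SYSTEM hive and the NTFS metadata.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

IT_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed corporate (IT) range


@dataclass(order=True)
class Event:
    ts: datetime
    source: str
    summary: str
    from_it: bool = False


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def from_logons(records):
    """Security log 4624 records. Logon type 10 is RemoteInteractive (RDP); a
    source address inside an IT range is the IT-to-OT pivot the text describes."""
    out = []
    for r in records:
        if r["event_id"] != 4624 or r["logon_type"] != 10:
            continue
        ip = ipaddress.ip_address(r["src_ip"])
        out.append(Event(parse_ts(r["time"]), "Security.evtx",
                         f"RDP logon {r['user']} from {ip}",
                         any(ip in net for net in IT_NETWORKS)))
    return out


def from_usbstor(entries):
    """USBSTOR device instances; the subkey's last-write time approximates when
    the device was last connected. entries: (device_id, serial, last_write)."""
    return [Event(parse_ts(t), r"SYSTEM\USBSTOR", f"USB storage {dev} serial {serial}")
            for dev, serial, t in entries]


def from_projects(files):
    """Project file timestamps from the filesystem. files: (path, what, time)."""
    return [Event(parse_ts(t), "NTFS", f"project {path} {what}")
            for path, what, t in files]


def build_timeline(logons, usb, projects):
    return sorted(from_logons(logons) + from_usbstor(usb) + from_projects(projects))


def pivot_chains(timeline, window=timedelta(minutes=30)):
    """Pair each RDP logon from the IT network with project file activity that
    follows it within `window`: the shape of a remote operator editing logic."""
    chains = []
    for i, ev in enumerate(timeline):
        if not ev.from_it:
            continue
        followers = [f for f in timeline[i + 1:]
                     if f.source == "NTFS" and f.ts - ev.ts <= window]
        if followers:
            chains.append((ev, followers))
    return chains


# Constructed sample artifacts (not from a real workstation).
SAMPLE_LOGONS = [
    {"time": "2024-03-11 01:58:12", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2024-03-11 07:30:00", "event_id": 4624, "logon_type": 2,
     "user": "operator", "src_ip": "127.0.0.1"},
    {"time": "2024-03-11 09:10:00", "event_id": 4624, "logon_type": 10,
     "user": "ctrl_eng", "src_ip": "10.1.1.5"},
]
SAMPLE_USB = [("Disk&Ven_Generic&Prod_Flash", "1234567890AB", "2024-03-10 16:42:01")]
SAMPLE_PROJECTS = [
    (r"C:\Projects\Turbine1_PLC.project", "modified", "2024-03-11 02:00:45"),
    (r"C:\Projects\Turbine1_PLC.project", "accessed", "2024-03-11 09:15:10"),
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGONS, SAMPLE_USB, SAMPLE_PROJECTS)
    for ev in tl:
        print(f"{ev.ts} [{ev.source}] {ev.summary}{'  <-- from IT' if ev.from_it else ''}")
    for logon, follow in pivot_chains(tl):
        print(f"chain: {logon.summary} -> {follow[0].summary} "
              f"{(follow[0].ts - logon.ts).total_seconds():.0f}s later")
```

A service account logging on interactively over RDP from the corporate range, followed within minutes by a project file being modified, is the chain worth taking to the historian: the next question is what the process did after 02:00:45.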
Technical Challenges & Practical Workarounds
Proprietary Protocols
Protocols such as S7Comm or IEC 61850 GOOSE are dissected by Wireshark but remain invisible to most forensic suites and IDS rule sets, forcing investigators to rely on protocol-aware parsers and vendor utilities.
Legacy Operating Systems
Some plants still operate critical assets on Windows XP.
Installing new software is not an option.
The workaround is native binaries and living-off-the-land forensics—collecting artifacts using what already exists on the host.
Encryption
Modbus/TCP Security (Modbus wrapped in TLS on port 802) and other encrypted industrial channels increasingly hide attacker commands from passive capture, pushing defenders toward behavioral and process anomaly detection, and toward the endpoints' own logs, instead of packet inspection.
“The most critical evidence in an industrial cyberattack isn’t always in the malware code—sometimes it’s in a sudden pressure change recorded by the Historian.”