21 - Aug 2023

DFRWS 2023 Challenge

By Elizabeth Schweinsberg

DFRWS 2023 Challenge on Industrial Control System Forensics

“The Troubled Elevator: Forensic Investigation of a Bank’s Elevator Malfunctioning”

Introduction:

The DFRWS 2023 challenge takes a deep dive into the domain of Industrial Control Systems (ICS), specifically focusing on programmable logic controllers (PLC). These systems are increasingly critical for monitoring and controlling industrial processes in various sectors, such as energy, water, transportation, and manufacturing. Despite their importance, advancements in security and forensics have not been adequate. This challenge aims to provide deeper insights into ICS network traffic analysis and device memory in a real-world scenario. 

The scenario for this challenge, “The Troubled Elevator,” involves investigating a mysterious incident in a bank’s executive-only elevator. Participants with different technical skills in forensic investigations are encouraged in this competition, with opportunities for innovative investigative approaches in network, RAM, and embedded systems. 

Scenario: The Troubled Elevator

Kristi Wayne from Wayne Enterprise has recently bought a controversial bank in the city of Richmond.

On June 29, Friday afternoon, during her visit to the bank, she used an executive-only elevator designed to provide a smooth and private commute for the high-ranking officials within the bank. Wayne enters the elevator and presses the button to get to another floor. However, the elevator suddenly starts malfunctioning, trapping Wayne inside. Wayne calls from the elevator for emergency assistance. After an extended episode of patience and misery, she is finally rescued. Due to this high-profile incident, your forensic team has been called for an investigation. Fortunately, the elevator infrastructure is designed to log network traffic and device memory dumps for a certain time period. You acquire them along with CCTV footage of the elevator and the memory dump of Wayne’s new computer in her office at the bank.

Challenge 

Your job is to investigate the entire incident and provide a comprehensive report, including

  • Elevator behaviors during malfunctioning, 
  • Timeline of elevator malfunctioning,
  • Specific cause of malfunctioning,
  • Any evidence of an inside attacker,
  • Any attack evidence on the network, computer, and PLC device

Evaluation Criterion:

The team that covers the incident most comprehensively will win the challenge. 

Challenge Data

  • Memory dump of Kristi Wayne’s computer in the bank
  • Network diagram
  • Network traffic log of the elevator’s PLC
  • PLC device memory dumps 
  • CCTV footage of the elevator
  • Elevator manual
  • PLC control logic 

GitHub repo: https://github.com/dfrws/dfrws2023-challenge

Submission deadline: June 24, 2024

Submission Instructions:

Please use this Google form: https://forms.gle/drLn7mkx5udmiio17

Contact Information: 

ics@dfrws.org

Challenge Organizer: 

Security and Forensics Engineering (SAFE) Lab at Virginia Commonwealth University (VCU), http://people.vcu.edu/~iahmed3/

SAFE Lab Team:

Irfan Ahmed, DFRWS Challenge Chair and Associate Professor at Virginia Commonwealth University

Wooyeon Jo, Postdoctoral Research Fellow at Virginia Commonwealth University

Adeen Ayub,  PhD Candiate at VCU

Dr. Muhammad Haris Rais, Former PhD Student and Alumnus of SAFE Lab; now Assistant Professor at Virginia State University, VA

Hala Ali,  PhD Student at VCU

Nehal Ameen,  PhD Student at VCU

Muhammad Ahsan, PhD Student at VCU

Syed Ali Qasim, Former PhD Student and Alumnus of SAFE Lab; now Assistant Professor at Grand Valley State University, MI