Authors: Rima Asmar Awad, Muhammad Haris Rais, Michael Rogers, Irfan Ahmed, Vincent Paquit



A Programmable Logic Controller (PLC) is a microprocessor-based controller that is used to automate physical processes in critical infrastructure and various other industries and manufacturing sectors. Initially, PLCs were completely isolated from the Internet, and cyber security was not incorporated at the time of development. The introduction of industry 4.0 and the evolution of ICS systems to communicate over public IP addresses from the Internet enhanced productivity and efficiency, but Internet connectivity exposed the systems and their vulnerabilities, which led to an increase in cyber attacks. When a system is sabotaged/compromised, security analysts need to get to the root cause of the attack as quickly as possible to recover the system. To do so, memory forensic analysis is critical to provide a unique insight into the run-time memory activities and extract a reliable source of evidence. In this paper, we analyze the memory structure of the Schneider Electric Modicon M221 PLC. To build a memory profile, we reverse engineer the communication protocol and conduct differential analysis to gain knowledge about the structure of the memory and the low-level representation of control logic instructions. We then identify dynamic and static memory regions by modifying different project fields and conducting differential analysis, which allows us to identify boundaries of critical memory structures and extract important forensic artifacts that can be found in the memory. The Python implementation of the memory profile can help reduce the time and effort required for manual analysis in case of cyber incident or system failure.