Looking at ICS Forensics Artifacts - Paiet/Capstone GitHub Wiki

  1. Log Files: Historians, HMIs, engineering workstations, gateways and firewalls at the IT/OT boundary generate log files that record security events, system errors and operational anomalies. They are used to track activity, confirm a breach and bound its timeframe and extent. Collect them early: many ICS components keep only small, rotating logs, and evidence is overwritten quickly.

  2. Network Traffic: Packet captures and flow records show which devices talk to which, over what protocol and how often. Because many field devices cannot log locally, deviations from the normal traffic pattern, such as unauthorized connection attempts, data exfiltration, network scanning, or write commands from a host that is not an engineering workstation, are often the first sign of malicious activity. A passive capture from a SPAN port or tap is preferred, since active scanning can disturb fragile devices.

  3. Configuration Files: Device, HMI project and network configuration files describe how the system is set up. Comparing them against a known-good baseline reveals unauthorized changes, as well as weaknesses such as default or weak passwords and unnecessary open ports or enabled services.

  4. System Images: Disk images of the Windows- or Linux-based hosts in the ICS (HMIs, historians, engineering workstations) are snapshots of those systems at a point in time. Diffing an image against an earlier image or the build baseline identifies changes such as newly installed software, modified settings or tools dropped by an attacker. Capture memory before imaging, because acquisition and any reboot alter volatile state.

  5. User Accounts: Account and authentication records (local and domain accounts, VPN and remote-access logs, HMI session logs) show who was logged on at the time of an incident and reveal unauthorized or failed access attempts, which helps bound the extent of a breach. Shared operator accounts are common in control rooms, so correlate logons with shift and session records before attributing an action to an individual.

  6. System Memory: A memory capture holds the current state of a host: running processes, loaded modules, open network connections and data that was never written to disk. It is used to identify malware that exists only in memory and to recover unsaved data after a crash or other event. It is the most volatile artifact and should be captured first.

  7. Firmware: Firmware is the software embedded in a field device such as a PLC, RTU or protection relay. An image read back from the device can be compared with the vendor's release to detect tampering, and the exact version determines which known vulnerabilities apply. Many devices provide no way to read the image back; in that case the reported version and checksum may be all that can be collected.

  8. Event Logs: Controllers, HMIs and SCADA servers record significant events such as alarms, warnings, operator actions and errors, usually timestamped by each device's own clock. They are used to establish an incident's root cause and sequence of events and to spot impending system failures. Correct for clock skew between devices before building a timeline.

  9. Control Logic: Control logic is the program (ladder logic, function block diagram or structured text) running on a PLC or controller. Comparing the logic running on the device with the project file on the engineering workstation and with a known-good backup reveals unauthorized modifications and shows what physical effect an attacker could have had, which determines the extent of the attack.

  10. Communication Protocols: ICS protocols such as Modbus/TCP and DNP3 carry the reads, writes, logic downloads and diagnostic commands exchanged between devices, and most of them have no authentication. Decoding the protocol fields in captured traffic is what shows which host issued which command, so it separates normal polling from unauthorized control actions and from device faults that surface as protocol exceptions.
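Items 2 and 10 describe the same practice: decode captured ICS protocol traffic and sort normal polling from control actions that should not be there. The following Python is an added example, not code from the Paiet/Capstone project, showing that triage for Modbus/TCP. It parses the MBAP header and PDU, flags state-changing function codes from hosts outside an allow-list of engineering workstations, reports exception responses, and rejects frames whose length field does not match the bytes present. The hosts, addresses and register values in the sample flows are constructed for the example; a real run would feed it payloads pulled from a packet capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes used for triage (names follow the Modbus specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
# Requests that change process state or device behaviour, as opposed to polling.
STATE_CHANGING = {5, 6, 8, 15, 16, 23}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int      # exception bit (0x80) stripped
    is_exception: bool
    data: bytes             # PDU bytes after the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    Returns None for malformed frames (too short, wrong protocol id, or an
    MBAP length field that disagrees with the bytes actually present)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                    # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:    # length counts unit id + PDU
        return None
    fc = payload[7]
    return ModbusFrame(tid, unit, fc & 0x7F, bool(fc & 0x80), payload[8:])


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target of a write request so the finding names the register."""
    fc, d = frame.function_code, frame.data
    if fc in (5, 6) and len(d) >= 4:
        addr, value = struct.unpack(">HH", d[:4])
        return f"addr={addr} value=0x{value:04x}"
    if fc in (15, 16) and len(d) >= 4:
        start, qty = struct.unpack(">HH", d[:4])
        return f"start={start} qty={qty}"
    return ""


def triage(flows: List[Tuple[str, str, bytes]], allowed_writers: set) -> List[Tuple[str, str, str]]:
    """Return (src, dst, note) for unauthorised state-changing requests,
    exception responses and frames that do not parse."""
    findings = []
    for src, dst, payload in flows:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            findings.append((src, dst, "malformed Modbus/TCP frame"))
            continue
        name = FUNCTION_NAMES.get(frame.function_code, f"FC {frame.function_code}")
        if frame.is_exception:
            # Sent by the server (PLC); the exception code is the first data byte.
            code = frame.data[0] if frame.data else None
            findings.append((src, dst, f"exception {code} in response to {name}"))
        elif frame.function_code in STATE_CHANGING and src not in allowed_writers:
            findings.append((src, dst, f"unauthorised {name} {describe_write(frame)}".rstrip()))
    return findings


# Constructed sample flows: (source IP, destination IP, TCP payload).
# All hosts, registers and values are made up for this example.
PLC, HMI, ENG_WS, UNKNOWN = "10.0.2.5", "10.0.1.10", "10.0.1.20", "10.0.1.77"
ALLOWED_WRITERS = {ENG_WS}

SAMPLE_FLOWS = [
    # HMI polling: Read Holding Registers 0..9 (normal)
    (HMI, PLC, bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation: Write Single Register 100 := 1 (allow-listed)
    (ENG_WS, PLC, bytes.fromhex("0002 0000 0006 01 06 0064 0001")),
    # Unknown host: Write Multiple Registers, 2 registers starting at 100
    (UNKNOWN, PLC, bytes.fromhex("0003 0000 000b 01 10 0064 0002 04 0000 0000")),
    # PLC answers the unknown host with exception 01 (Illegal Function) to FC16
    (PLC, UNKNOWN, bytes.fromhex("0003 0000 0003 01 90 01")),
    # Truncated frame: MBAP length says 6 bytes follow, only 2 are present
    (UNKNOWN, PLC, bytes.fromhex("0005 0000 0006 01 03")),
]

if __name__ == "__main__":
    for src, dst, note in triage(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(f"{src} -> {dst}: {note}")
```

The allow-list is the key decision: a write from the engineering workstation is routine, while the same function code from any other host is a finding. Exception responses are reported because an attacker probing a device with function codes it does not support produces them in bulk, which is a useful signal even when the requests themselves are not captured.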
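Items 3, 7 and 9 all come down to comparing an acquired artifact (configuration file, firmware image, control logic block) against a known-good baseline. The Python below is an added example, not part of the Paiet/Capstone project, of that comparison: it hashes each artifact, buckets it as unchanged, modified, added or missing, and produces a line-level diff for a modified text artifact so the analyst sees exactly which setpoint changed. The artifact names and contents are constructed for the example; the "acquired" set models a controller whose logic block was altered and given an extra block while the firmware and network configuration were left alone.

```python
import difflib
import hashlib
from typing import Dict, List


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact name (config file, logic block, firmware image) to its SHA-256."""
    return {name: sha256_hex(blob) for name, blob in artifacts.items()}


def compare_to_baseline(baseline: Dict[str, str], acquired: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket artifact names into modified / added / missing / unchanged."""
    result: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [], "unchanged": []}
    for name in sorted(set(baseline) | set(acquired)):
        if name not in acquired:
            result["missing"].append(name)
        elif name not in baseline:
            result["added"].append(name)
        elif baseline[name] != acquired[name]:
            result["modified"].append(name)
        else:
            result["unchanged"].append(name)
    return result


def diff_text_artifact(name: str, baseline_blob: bytes, acquired_blob: bytes) -> List[str]:
    """Unified diff of a text artifact (logic source, config file) between baseline and acquisition."""
    old = baseline_blob.decode("utf-8", errors="replace").splitlines()
    new = acquired_blob.decode("utf-8", errors="replace").splitlines()
    return list(difflib.unified_diff(old, new, fromfile=f"baseline/{name}",
                                     tofile=f"acquired/{name}", lineterm=""))


# Constructed known-good set, e.g. from the last verified backup.
BASELINE_ARTIFACTS = {
    "plc1/firmware.bin": b"\x7fFIRM" + bytes(range(64)),
    "plc1/logic/MAIN.st": b"IF Level > 80.0 THEN Pump := FALSE; END_IF;\n",
    "plc1/config/network.cfg": b"ip=10.0.2.5\nmask=255.255.255.0\nmodbus_port=502\n",
}
# Constructed acquisition: high-level setpoint raised, an extra logic block added.
ACQUIRED_ARTIFACTS = {
    "plc1/firmware.bin": b"\x7fFIRM" + bytes(range(64)),
    "plc1/logic/MAIN.st": b"IF Level > 95.0 THEN Pump := FALSE; END_IF;\n",
    "plc1/logic/EXTRA.st": b"Pump := TRUE;\n",
    "plc1/config/network.cfg": b"ip=10.0.2.5\nmask=255.255.255.0\nmodbus_port=502\n",
}


def example_report() -> Dict[str, List[str]]:
    """Run the comparison over the constructed sets."""
    return compare_to_baseline(build_manifest(BASELINE_ARTIFACTS), build_manifest(ACQUIRED_ARTIFACTS))


if __name__ == "__main__":
    report = example_report()
    for bucket, names in report.items():
        print(f"{bucket}: {names}")
    for name in report["modified"]:
        print("\n".join(diff_text_artifact(name, BASELINE_ARTIFACTS[name], ACQUIRED_ARTIFACTS[name])))
```

The manifest should be built from the verified backup, not from the device under investigation, and the hash of the baseline itself should be recorded at the time the backup was taken. For firmware that cannot be read back from the device, the only comparable value is the version string or checksum the device reports, so store that in the manifest in place of a file hash.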