Hardware-Based Memory Acquisition Procedure for Digital Investigations of Security Incidents in Industrial Control Systems

Title: Hardware-Based Memory Acquisition Procedure for Digital Investigations of Security Incidents in Industrial Control Systems
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Sokolov, A. N., Barinov, A. E., Antyasov, I. S., Skurlaev, S. V., Ufimtcev, M. S., Luzhnov, V. S.
Conference Name: 2018 Global Smart Industry Conference (GloSIC)
Date Published: November
ISBN Number: 978-1-5386-7386-7
Keywords: attacked computer, comprehensive solutions, computer security, continuous monitoring systems, control engineering computing, data collection procedure, digital investigations, forensic, guaranteed reliability, hardware-based memory acquisition procedure, ICs, industrial control, industrial control systems, Information security, integrated circuits, invasive software, malicious software functions, Malware, memory contents collecting, operating system, Operating systems, operating systems (computers), production engineering computing, pubcrawl, reliability, reliable code, resilience, Resiliency, resulting contents, Scalability, scalable, security incidents, software methods, volatile memory

The safety of industrial control systems (ICS) depends not only on comprehensive solutions for protecting information, but also on the timely closure of vulnerabilities in the ICS software. The investigation of security incidents in an ICS is often greatly complicated by the fact that the malicious software operates only within the computer's volatile memory. Obtaining the contents of the volatile memory of an attacked computer with guaranteed reliability is difficult, since the data collection procedure must rely on trusted code (the operating system or applications running in its environment). The paper proposes a new instrumental method for obtaining the contents of volatile memory, together with general rules for implementing the means of collecting the information stored in memory. Unlike software methods, the proposed method has two advantages: first, it has no difficulty reading the regions of memory that the operating system blocks, and second, the resulting contents cannot be tampered with by the malicious software itself. The proposed method is relevant for investigating ICS security incidents and can be used in systems for continuous security monitoring of an ICS.

Citation Key: sokolov_hardware-based_2018