A Digital Forensic Taxonomy For Programmable Logic Controller Data Artefacts

The growing complexity of industrial control systems (ICS) and increasing cyber attacks targeting critical infrastructures demand bespoke forensics techniques for Programmable Logic Controllers (PLCs). As they control their critical physical processes, PLCs form the backbone of many ICS. However, due to their unique characteristics and constraints, which include heterogeneous architectures, proprietary technologies and stringent real-time operational requirements, traditional digital forensic techniques may not be directly applicable.PLCs are intricate embedded devices with numerous distinct internal data artefacts, ranging from proprietary firmware to logic codes, safety logs, and process I/O values. Therefore, those tasked with PLC investigation must understand these intricacies and their underlying implications to effectively answer the forensic questions in the aftermath of an incident.To address this need, our paper presents the first tailored taxonomy for digital forensics on PLCs, systematically categorizing the various characteristics, forensic processes and considerations based on the stages involved in a forensic investigation. Furthermore, we employ our developed taxonomy to establish mappings between identified PLC data artefacts and their corresponding attributes, offering a contextualised interrelationships between these artefacts and the PLC forensic investigation steps.