This document discusses challenges in acquiring forensic evidence from field devices. It notes that field devices often lack standard interfaces, may not support common file systems, and may not have compatible forensic tools. Examples given include routers, switches, home networks, and SCADA systems. The document also describes a case study of analyzing a SCADA system where the analyst had to prepare, log data, test for malware, and remotely control the device. It raises questions about what forensic data can be collected from these devices, how to preserve evidence integrity, and how to safely acquire different types of field devices for forensic analysis.

1. FORENSIC INSIGHT SEMINAR
Discussionyk #1 : Field device
ykei
ykei.egloos.com
@ykx100

2. forensicinsight.org Page 2 / 21
개요
1. Background
2. Problems
3. When I met SCADA
4. Discussion topic

3. forensicinsight.org Page 3 / 21
Background
- What is a field device
- Why we need to care this

4. forensicinsight.org Page 4 / 21
Background
 What is a field device in here?

5. forensicinsight.org Page 5 / 21
Background
Why we need to care this?
 Fxxk the mass-media
 Have to cross check → Be trustworthy
 For find the smoking-bit (specially, manipulate digital evidence)
 no way without this
M a j o r t h r e a t
f o r e n s i c a t o r s

6. forensicinsight.org Page 6 / 21
Problems
- Issues that I met
- Example

7. forensicinsight.org Page 7 / 21
Problems
Issues If
 Interfaces It hasn’t usb, cdrom, display, keyboard, ethernet
 FileSystem Mount Do not support NTFS? or trouble in recognize
 OS Compatibility tools No excutable imaging tool, even DD
 The risk of system failure We have no time for verification situation.
 Capacity / Time Another headache factors
O f c o u r s e , w e h a v e t o k e e p i n t e g r i t y o f e v i d e n c e !
C a n y o u a c c o m p l i s h m e n t t h i s m i s s i o n ?

8. forensicinsight.org Page 8 / 21
Problems
Examples
 Router / Switch
• Telnet, Console Connection
• But No Imaging tools
 Home Router (Wire, Wireless)
• Telnet, Web Admin
• No Imaging tools (but It can be execute static DD binary)
 Home SCADA
• Nothing !! Just opened stupid console

9. forensicinsight.org Page 9 / 21
When I met SCADA
- Case Studyk

10. forensicinsight.org Page 10 / 21
I Thinks… case
Case Studyk

11. forensicinsight.org Page 11 / 21
When I met SCADA
Case Studyk

12. forensicinsight.org Page 12 / 21
When I met SCADA
Case Studyk
 Prepare

13. forensicinsight.org Page 13 / 21
When I met SCADA
Case Studyk
 See pic…
Sorry

14. forensicinsight.org Page 14 / 21
When I met SCADA
Case Studyk
 Log

15. forensicinsight.org Page 15 / 21
When I met SCADA
Case Studyk
 Test

16. forensicinsight.org Page 16 / 21
When I met SCADA
Case Studyk
 Vaccine

17. forensicinsight.org Page 17 / 21
When I met SCADA
Case Studyk
 Un-detect malware

18. forensicinsight.org Page 18 / 21
When I met SCADA
Case Studyk
 detect malwares

19. forensicinsight.org Page 19 / 21
When I met SCADA
Case Studyk
 Remote Control
• RDP, Neturo

20. forensicinsight.org Page 20 / 21
Discussion topic

21. forensicinsight.org Page 21 / 21
Discussion topic
Case Studyk
 What is the data for forensicators?
 Disk / Memory Image? Log files?
 How can we more preserve evidence?
• Imaging is very ideal option.
• FTP? / File copy?
 How can we keep integrity for chain of custody?
• File Hash? / Documents(kind of agreements?) / Burning CD?
 How can we acquire field device?
• Router, Gateway, Switch, Home network device, even SCADA?
• Forensic Acquisition tools? / DD? / file copy? / Cold imaging?