What is Forensics?
Forensics (digital forensic analysis) is the process of collecting, examining and analysing data from systems to determine the cause, scope and impact of a cyber incident.
In OT environments, forensics helps with reconstructing attacks, fault analysis and sabotage investigations, often in production environments where availability is critical.
🧠 How does Forensics work?
- Data acquisition – securely copying relevant systems, memory, network sessions or log files without altering the original data
- Analysis – searching for traces of:
  - Malware or unknown processes
  - Suspicious network activity (e.g. ARP poisoning, command-and-control)
  - Logins outside business hours, configuration changes, code updates
- Correlation – identifying connections between events across multiple systems or layers (IT ↔ OT)
- Reporting – producing an overview of the attack — who/where/when/how — and providing recommendations for remediation
Forensics uses tooling such as Wireshark, FTK, EnCase, Volatility, and SIEM logs.
🏭 Application of Forensics in industrial networks
- Analysis of sabotage or erroneous downloads to a PLC or HMI
- Investigation of unauthorised code changes on an Engineering Station
- Capturing network traffic between OT components during an incident
- Detection of persistence via backdoors in SCADA systems
- Recording forensic evidence following ransomware in the OT zone
In OT, forensic investigation must be non-invasive to avoid disrupting production.
🔍 Forensics vs. Incident Response
| Aspect | Forensics | Incident Response |
|---|---|---|
| Goal | Analyse, reconstruct, gather evidence | Stop the attack, limit damage, recover |
| Timing | Often after the incident | During and shortly after the incident |
| Output | Detailed report, potentially admissible as legal evidence | Operational recommendations, lessons learned |
| OT application | Root-cause analysis without affecting operations | Suppression of further disruption |
🔐 Security aspects
- Preserving integrity and chain of custody is crucial (legal evidence)
- OT forensics requires knowledge of industrial protocols (such as Modbus, OPC UA, GOOSE)
- Combine with Threat Intelligence, TTPs and MITRE ATT&CK for ICS for context
- Integrate with SIEM, SOAR, and Incident Response processes
- Tools must operate read-only or passively in OT networks
Forensics in OT requires close collaboration between IT, OT and security teams.
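As an added example (not code from the original page): a small Python triage script that applies the acquisition and analysis steps listed under "How does Forensics work?" to the Modbus case named under "Security aspects". It parses the MBAP header and function code of each Modbus/TCP request, flags register and coil writes (the "download to a PLC" case), marks writes that fall outside business hours, and records a SHA-256 over the ordered evidence set so its integrity can be re-verified before reporting. The frames, IP addresses, timestamps and the 07:00-19:00 weekday shift window are constructed assumptions.

```python
import hashlib
import struct
from datetime import datetime

# Modbus function codes that change PLC state; read codes are kept only for labelling.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x03: "Read Holding Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header (tid, protocol, length, unit) and the start of the PDU."""
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header plus function code and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    func = frame[7]
    addr = struct.unpack(">H", frame[8:10])[0]
    name = WRITE_FUNCTIONS.get(func) or READ_FUNCTIONS.get(func) or f"function 0x{func:02x}"
    return {"tid": tid, "unit": unit, "function": func, "address": addr,
            "write": func in WRITE_FUNCTIONS, "name": name}

def outside_business_hours(ts: datetime, start: int = 7, end: int = 19) -> bool:
    """Assumed shift window: weekdays 07:00-19:00; anything else is flagged for review."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def triage(capture: list) -> list:
    """One finding per state-changing request: (time, src, unit, operation, address, tag)."""
    findings = []
    for ts, src, frame in capture:
        pdu = parse_modbus_tcp(frame)
        if pdu["write"]:
            tag = "write outside business hours" if outside_business_hours(ts) else "write"
            findings.append((ts.isoformat(), src, pdu["unit"], pdu["name"], pdu["address"], tag))
    return findings

def evidence_hash(capture: list) -> str:
    """SHA-256 over the ordered capture, taken at acquisition and re-checked before reporting."""
    h = hashlib.sha256()
    for ts, src, frame in capture:
        h.update(ts.isoformat().encode() + src.encode() + frame)
    return h.hexdigest()

# Constructed sample capture (timestamp, source IP, raw Modbus/TCP request); not real traffic.
CAPTURE = [
    (datetime(2024, 3, 12, 10, 15), "10.0.1.20", bytes.fromhex("000100000006010300000002")),     # read 2 holding regs
    (datetime(2024, 3, 12, 14, 2), "10.0.1.20", bytes.fromhex("000200000006010600100001")),      # write register 16
    (datetime(2024, 3, 13, 2, 41), "10.0.1.99", bytes.fromhex("0003000000090110002000010200ff")),  # write register 32 at 02:41
]
```

Run `triage(CAPTURE)` to list the two write requests, the second one tagged as outside business hours, and compare `evidence_hash(CAPTURE)` against the value recorded at acquisition before the findings go into the report.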
📌 In summary
Forensics is essential for reconstructing and understanding cyber incidents in OT environments, and forms the basis for improvements to your security strategy. By applying forensic techniques wisely, you uncover root causes, prevent recurrence and strengthen your defences.
