ICS Forensics Tools: open source forensic toolkit for analyzing Industrial PLC metadata and project files

Microsoft Section52 ICS Forensics Tools

Microsoft Section52 Industrial Control Systems Forensics Tools is an open source forensic toolkit for analyzing Industrial PLC metadata and project files. Microsoft Section52 ICS Forensics Tools enables investigators to identify suspicious artifacts on ICS environment for detection of compromised devices during incident response or manual check. Microsoft Section52 ICS Forensics Tools is open source, which allows investigators to verify the actions of the tool or customize it to specific needs, currently support Siemens S7 via Snap7.

SUPPORTED SCENARIOS

• OB usage
• Block author
• Offline – Online comparison
• Call Graphs
• Timestamps outliers
• Network usage

Install

git clone https://github.com/microsoft/ics-forensics-tools.git
pip install -r requirements.txt

Use

Output:

Depending on the model you choose to investigate, the data presented per model

• Upload project from PLC and parsing status

• Author block names and uniqueness –

  

• Timestamp Outliers Anomalies

  

• Network Logic

• Call graph – program connection base execution graph

  

– OB metadata

– Online <-> Offline Block Comparison

Copyright (c) Microsoft Corporation.

Source: https://github.com/microsoft/