- Identification and Preparation: Identify the potential sources of evidence, including the systems, the network and connected devices.
- Identifying data sources: Identify the types of systems to be investigated, including the operating system, the manufacturer, model and serial numbers of PLCs, and the network design and implementation.
- Volatility Assessment, Contamination Impact Analysis and Preservation, Prioritizing and Collection: Assess the volatility of each identified resource immediately after identification, together with the contamination impact of collecting it; this assessment drives the priority list used for preservation, prioritization and collection. Document the level of volatility and its impact on the reproducibility of the investigation results. Ensure highly volatile data is forensically captured and stored so that its integrity is maintained.
- Examination: Forensic examination of the collected evidence by specially trained forensic examiners is an important part of the process; its goal is to answer the questions raised before the investigation began.
- Analysis: Find relationships between the recovered forensic artefacts and piece the evidential data together to develop a timeline of the incident and its impact on the control environment.
- Reviewing results: Review the results and findings for clarity, to validate them and to confirm that chain-of-custody requirements for all evidence have been met.
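The steps above form one procedure: inventory the sources, score their volatility and contamination impact, collect in priority order, and keep a hashed chain-of-custody record that the review step can re-verify. The following Python is an added example of that workflow and is not code from the original page; the evidence inventory, vendor names, models, serial numbers and volatility scores are all constructed placeholders, and the "captures" are byte strings standing in for real acquired data.

```python
"""Volatility-ranked collection plan with a hashed chain-of-custody log.

Added example, not from the original page. The evidence inventory below is
constructed: vendor names, models, serials and volatility scores are
placeholders. Volatility: 10 = lost within seconds (live PLC state),
0 = stable (offline disk image). Most volatile sources are collected first.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class EvidenceSource:
    name: str
    kind: str                  # plc, hmi, network, server
    manufacturer: str
    model: str
    serial: str
    volatility: int            # 0..10, assessed right after identification
    contamination_impact: str  # effect of collecting it on the live process / other evidence


# Constructed sample inventory for one plant cell (all values are placeholders).
SAMPLE_SOURCES = [
    EvidenceSource("PLC-01 process image", "plc", "ExampleVendor", "PLC-ModelX", "SN-PLC-0001", 10,
                   "read-only register poll; no effect on the process"),
    EvidenceSource("HMI-01 RAM", "hmi", "ExampleVendor", "HMI-ModelY", "SN-HMI-0001", 8,
                   "memory capture may stall the HMI for seconds"),
    EvidenceSource("Switch-01 MAC/ARP tables", "network", "ExampleVendor", "SW-ModelZ", "SN-SW-0001", 7,
                   "none; read via management session"),
    EvidenceSource("Historian-01 disk", "server", "ExampleVendor", "SRV-ModelW", "SN-SRV-0001", 2,
                   "image offline in a maintenance window"),
    EvidenceSource("PLC-01 project file backup", "plc", "ExampleVendor", "PLC-ModelX", "SN-PLC-0001", 1,
                   "none; copied from engineering workstation"),
]


def collection_order(sources):
    """Most volatile first; ties broken by name so the plan is reproducible."""
    return sorted(sources, key=lambda s: (-s.volatility, s.name))


def collection_plan(sources):
    """Numbered plan documenting volatility and contamination impact per source."""
    return [
        {"step": i, "source": s.name, "volatility": s.volatility,
         "contamination_impact": s.contamination_impact}
        for i, s in enumerate(collection_order(sources), start=1)
    ]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_acquisition(log, source, data: bytes, examiner: str, when=None):
    """Append a chain-of-custody entry: what was captured, by whom, when, and its hash."""
    entry = {
        "source": source.name,
        "serial": source.serial,
        "examiner": examiner,
        "captured_at": (when or datetime.now(timezone.utc)).isoformat(),
        "size": len(data),
        "sha256": sha256_hex(data),
    }
    log.append(entry)
    return entry


def verify_custody(log, stored: dict) -> list:
    """Review step: re-hash each stored capture and return the sources whose hash
    no longer matches the custody log, or that are missing from storage."""
    bad = []
    for entry in log:
        data = stored.get(entry["source"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(entry["source"])
    return bad


if __name__ == "__main__":
    print(json.dumps(collection_plan(SAMPLE_SOURCES), indent=2))
    log, stored = [], {}
    for src in collection_order(SAMPLE_SOURCES):
        blob = f"constructed capture of {src.name}".encode()  # stands in for real acquired data
        stored[src.name] = blob
        record_acquisition(log, src, blob, "examiner-A")
    print("custody mismatches:", verify_custody(log, stored))
```

Running the script prints the numbered plan (live PLC state first, the stable project-file backup last) and then an empty mismatch list; altering or deleting any stored capture makes `verify_custody` name that source, which is the check the review step performs before results are signed off.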