ICS Forensics

Organizations, both private and governmental, are building security teams to protect the ICS/SCADA environment. The program is designed to impart the skills and knowledge required for key positions in the information security world, on both defense and attack teams.

Participants will learn about the security threats that are unique to ICS/SCADA systems and the inherent weaknesses and vulnerabilities in Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs) through real-world examples, as well as the frameworks and standards available to help develop an effective ICS/SCADA cyber-security strategy.

How to make the most of this course

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Reviewing course materials, self-study, and completing assigned tasks

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.

The participant will also need a good personal computer suitable for running virtual machines, with a broadband Internet connection.

Target audience

The course targets participants with OT and cyber-security knowledge:

  • OT professionals
  • Incident responders
  • Cyber forensics investigators


  • Understand ICS networks on a deep level
  • Monitor and analyze user and system activities on the ICS network to recognize patterns of typical attacks
  • Analyze abnormal activity patterns to detect signs of an intrusion
  • Use advanced tools for intrusion detection
  • Analyze log files and log data


  • ThinkCyber Level-1 Courses



During this module, participants are introduced to cybersecurity in the Industrial Control Systems environment. Participants will learn how a control system can be attacked from the Internet and will practice network discovery techniques in hands-on sessions.

Technical content

  • ICS Network Architectures
  • Known ICS Protocols
    o Modbus
    o DNP3
    o How to Approach Protocols Research
    o ICS Protocol Fuzzing
  • Security Architecture Overview
    o Host Configuration Overview
    o Wireless Access Overview
    o Remote Access Overview
  • Cyber-security for ICS
    o Network Discovery
      ▪ Passive Discovery
      ▪ Active Discovery
      ▪ Passive Enumeration
    o Using CSET
    o Ladder Logic Overview
    o Using Metasploit Framework
    o Web Hacking Techniques


In this module, we will present participants with ways to plan, design, and implement an effective program to protect SCADA systems. Participants will gain an understanding of common Industrial Control Systems (ICS) threats, vulnerabilities, and risks.

Technical content

  • ICS Protection Concepts
  • Endpoint Defenses
    o Passive Solutions
    o Agents
  • Update and Patching
  • Hardening Configuration
  • Auditing Log Management
  • Network Fundamentals
    o TCP/IP Protocol Suite
    o ICS Protocols over TCP/IP
  • Firewalls
  • Building ICS/SCADA Honeypots
  • Securing Wireless in ICS


ICS Network Analysis revolves around the extraction, analysis, and identification of a user’s online activities; the findings include artifacts such as logs and history files, cookies, cached content, and any remnants of information left in the computer’s volatile memory. During this module, participants will identify different user-behavior patterns, even after users have tried to “cover their tracks”. Upon completion of this stage, they will be able to perform a detailed forensic analysis of network traffic.

Technical content

  • Wireshark Analysis
    o Wireshark Tool Inspection
    o Using Display Filters
    o Advanced Usage
    o The PCAP Format
    o Extracting Files from PCAP Files
    o Reading Encrypted Data with Wireshark
    o Advanced Attack Analysis
  • Advanced Packet Analysis
    o Bro
    o Bro-Cut
    o Open-Source Tools
  • Identifying Attacks
    o Network Scanning
    o MITM (Man-in-the-Middle)
    o Brute-Force
    o Injections
    o Web Server Attacks
  • Extracting Network Traffic from Memory
    o Dump Memory from Devices
    o Using Volatility
  • Firewall Findings


In this module, participants enter the world of malware: they will build a virtual environment in which to study different types of malware and observe how they operate. We will show how antivirus works, and will develop an approach to handling a malicious file and knowing where to find it. Tools for performing malware analysis will also be presented during this module.

Technical content

  • Different Behaviors of Malware Types
    o Behavioral Analysis
    o Code Analysis
    o Memory Analysis
    o Malware Behavior Blocking
  • Indicators of Compromise (IOCs)
    o Hash
    o Hex Sequence
    o Host-Based Signatures
    o Network-Based Signatures
  • PE Files
  • Sandboxes
  • Windows Libraries and Processes
  • Setting up a Safe Environment for Inspecting Malware
    o Virtual Machine
    o Real Systems
    o Malware Analysis Tools:
      ▪ Process Hacker
      ▪ Process Monitor
      ▪ Regshot
      ▪ API Monitor
      ▪ IDA
  • Malware Hiding Places
    o On Live Systems
    o On Dead Systems
  • Malware on the Network
    o Identifying Malware
    o Carving Malware
    o Analyzing Malicious PCAP Files


The following labs are part of the actual BT223 course:

  • Lab 1: Modbus
  • Lab 2: CSET
  • Lab 3: ICS Protocols
  • Lab 4: Filtering with Bro
  • Lab 5: Log Analysis
  • Lab 6: Static Analysis
  • Lab 7: Dynamic Analysis

Real case studies

Case study #1 (ICF001)
Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines in the USA; security researchers suspect malware was installed on the affected systems. You were summoned to investigate the incident, identify the source of the attack, and harden the control system.

Case study #2 (ICF002)
Honda Motor Company released a statement this week, saying the company was forced to halt production for more than 24 hours in one of its Japan-based factories after finding WannaCry infections in its computer networks. Honda Motor Company hired you to perform malware analysis on WannaCry using the tools you mastered.

Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • On-site classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded, and attendees can replay them for 30 days. All course material is made available electronically to the participant.

Hands-on / Theory Mix

The course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.

Required Equipment

Network connection

As this course extensively uses a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As it is a very practical course, and in order for the participants to make the most of the course, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)
  • A good headset with microphone