Friday, 21 December 2012

Are you interested in studying in America?

Are you interested in studying in America? There is a very useful website for you to check; for further details visit: http://americanstudentblog.com/

Merry Christmas from Cyber Information Communication Technology Services


With love from Cyber Information Communication Technology Services, we wish our clients a virus-free and hack-free Christmas. Remember, while you shop either online or in stores, to take security precautions. Have a fulfilling 2013.





Thursday, 20 December 2012

DETECTING BACKDOORS



A good number of backdoors are implemented by a type of malicious code called a Trojan horse. In fact many rootkits contain “Trojanized” versions of commonly used programs and system utilities. Two popular Trojan horse applications are BackOrifice and SubSeven, with both operating as a server on the system they infect. This server opens a backdoor, making access from the outside possible, and this permits the infected system to be accessed by hackers who can then do virtually anything on a system, including stealing or deleting files. Some of the capabilities possessed by backdoor Trojans are listed here:
  •  Upload or download files
  •  Move, copy, rename, or delete files
  •  Erase hard drives and other data disks
  •  Execute programs
  •  See your screen as you see it
  •  Log key presses (even the entry of hidden passwords)
  •  Open, close, and move windows
  •  Move the mouse cursor
  •  See all open connections to and from your computer
  •  Close connections


There are numerous backdoor Trojans circulating in the wild. While most are detected by antivirus products, it proves helpful to know a little about each of them. Following is a short list of backdoor Trojans:
  • BackOrifice/BackOrifice 2000 (BO2K). Back Orifice (or BO2K) is probably the most advanced Trojan in circulation and requires a steep learning curve, making it the most difficult to put in place.
  •  Back Construction. This very rare backdoor lets the hacker have access to a system’s hard disks. It always runs on port 5400, so it is advised that users simply block that port on their firewalls.
  • Barok. This Trojan gathers dialup passwords and sends them to the hacker. The simple way to defend against the Barok: Don’t select the option “Always remember my password” in password boxes.
  • Blade Runner. This sophisticated Trojan is geared more toward the abilities of savvy system crackers as it contains components that are beyond the skills of average hackers.
  • Cyn. This particular Trojan is similar in form and features to the SubSeven; however it includes an additional feature that allows a hacker to reset the system CMOS.
  •  Deepthroat. Deepthroat is a simple-to-use Trojan and has almost as many options as the SubSeven.
  •  Girlfriend. There isn’t much to distinguish this Trojan, as it contains the standard features common to most Trojan backdoors. Most respectable firewalls can block Girlfriend.
  • Hack’a’Tack. This easy-to-use and colorful remote-control Trojan is actually quite rare. Since this Trojan always runs on port 31787, it is relatively easy to defend against by just blocking access to port 31787 at the firewall.
  • SchoolBus. This common Trojan is powerful despite its simplicity. It even boasts a built-in scanner and operates using port 54321 by default.
  • SubSeven (a.k.a. Backdoor-G). With its small learning curve and numerous features, SubSeven is probably the most popular (from the hacker’s standpoint) and powerful Trojan horse. The SubSeven Trojan can be configured to inform someone when the computer it has infected connects to the Internet. The hacker (who infected the system with the SubSeven) is then provided with information he or she may use against the system or organization.

Given that backdoors are accessed from a remote location outside an organization’s network, detecting them is achieved by monitoring connections to various system ports. Since firewalls are supposed to monitor and limit port activities, they are the natural choice for detecting the presence of a backdoor. However, since Trojan horse applications often masquerade as legitimate applications, using a firewall does not guarantee that the presence of a backdoor will be detected.

DETECTING BACKDOORS WITH THE NETSTAT COMMAND
The netstat command is a useful tool for checking network configuration and activity. By using netstat, you can find out which ports on your computer are open, which in turn helps determine if your computer has been infected by a Trojan horse. The netstat command lists all the open connections to and from your PC. Unix, Linux, and Windows all support the netstat command. To use it under Windows, open a command (DOS) prompt and enter the command netstat -a, which lists all open connections going to and from your PC. If you discover any connection that you don’t recognize, you need to track down the process that is using that connection. You can use a handy freeware program called TCPView to do this. TCPView is a Windows program that provides detailed listings of all TCP and UDP endpoints (for example, clients, servers, and so on) on your system, including the local and remote addresses and the state of TCP connections.
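As an added example (it is not from the original post and is not TCPView), the following Python script parses `netstat -an` style output and flags entries that use the default ports the post lists for Back Construction (5400), Hack'a'Tack (31787) and SchoolBus (54321), plus any listener outside an assumed set of expected services. The sample output, the port table and the expected-listener set are all constructed for this example.

```python
"""Flag netstat entries that match the default ports of the backdoor Trojans named above.

Added example, not from the original post. SAMPLE_NETSTAT is constructed to look like
`netstat -an` on Windows; KNOWN_BACKDOOR_PORTS contains only the defaults the post lists.
"""
import sys

# Default ports named in the post (constructed lookup table for this example).
KNOWN_BACKDOOR_PORTS = {
    5400: "Back Construction",
    31787: "Hack'a'Tack",
    54321: "SchoolBus",
}

# Ports this hypothetical workstation is expected to listen on (an assumption).
EXPECTED_LISTENERS = {135, 139, 445}

# Constructed sample; not captured from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31787          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:54321     203.0.113.7:1042       ESTABLISHED
  TCP    192.168.1.10:49723     192.168.1.20:443       ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5400           *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port); port is None for '*:*'."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return endpoint, None
    return host, int(port)


def parse_netstat(text):
    """Parse netstat -an style lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(fields[1])
        foreign_host, foreign_port = split_endpoint(fields[2])
        entries.append({
            "proto": fields[0],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": fields[3] if len(fields) > 3 else "",   # UDP lines have no state column
        })
    return entries


def flag_suspicious(entries, known_ports=KNOWN_BACKDOOR_PORTS, expected=EXPECTED_LISTENERS):
    """Return the entries worth investigating, each annotated with the reasons it was flagged."""
    findings = []
    for e in entries:
        reasons = []
        if e["local_port"] in known_ports:
            reasons.append("local port is the %s default" % known_ports[e["local_port"]])
        if e["foreign_port"] in known_ports:
            reasons.append("remote port is the %s default" % known_ports[e["foreign_port"]])
        listening = e["state"] == "LISTENING" or (e["proto"] == "UDP" and e["foreign_port"] is None)
        if listening and e["local_port"] not in expected:
            reasons.append("listener on a port not in the expected set")
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


if __name__ == "__main__":
    # Read real output from a pipe (netstat -an | python this_script.py), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for f in flag_suspicious(parse_netstat(text)):
        print(f["proto"], f["local_host"], f["local_port"],
              f["foreign_host"], f["foreign_port"], "|", "; ".join(f["reasons"]))
```

A port match is only a lead: legitimate software can use any port and a Trojan can be configured to use a different one, so the next step is always to map the port to its owning process (TCPView as the post suggests, `netstat -ano` plus `tasklist` on Windows, or `ss -tulpn` on Linux) before drawing a conclusion.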

Removing Rootkits and Trojans
Once it’s been discovered that a computer is infected by a rootkit or backdoor Trojan, removal of the offending program is the next logical step. Due to the flood of rootkits and backdoor Trojans in the wild, it is impossible to list the removal procedures for them all; however, the general guidelines for removal are as follows. The steps necessary for removing a Trojan are:
  • Identify the Trojan horse file on your system hard disk.
  • Find out how it is being initiated (for example, via Registry, Startup Folder, and so on) and take the action(s) necessary to prevent it from being restarted after a reboot.
  • Reboot your machine and delete the Trojan horse.
The basic steps involved in recovering from a rootkit are:
  1. Isolate the affected machine. (Disconnect it from the network and/or Internet.)
  2. Determine the severity of the compromise. (Are other networked computers also infected?)
  3. Begin the cleanup by reinstalling the operating system and applications from a trusted (clean) backup.

Tuesday, 18 December 2012

six-step methodology for volatile data collection

Methodology for volatile data collection

Step 1: Incident Response Preparation.
Step 2: Incident Documentation.
Step 3: Policy Verification.
Step 4: Volatile Data Collection Strategy.
Step 5: Volatile Data Collection Setup.
Step 6: Volatile Data Collection Process.
These steps are designed to be used by an investigator to investigate intrusion cases common to larger networks. For purposes of this document, our focus is on Step 6.

Steps in the Volatile Data Collection Process
Step 6, Volatile Data Collection Process, involves the following five steps:
  1. Collect uptime, date, time, and command history for the security incident.
  2. As you execute each forensic tool or command, generate the date and time to establish an audit trail.
  3.  Begin a command history that will document all forensic collection activities.
  4. Collect all types of volatile system and network information.
  5. End the forensic collection with date, time, and command history.
A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer
Some of the currently used tools include Helix, a bootable CD that is a collection of incident response tools, and “dd,” a tool written by George Garner to capture RAM. With the understanding that computer systems contain potential evidence that could be destroyed if traditional computer evidence collection methods are employed, investigators can use the following basic steps when collecting volatile evidence:
  •  Maintain a log of all actions conducted on a running machine.
  • Photograph the screen of the running system to document its state.
  •  Identify the operating system running on the suspect machine.
  •  Note date and time, if shown on screen, and record with the current actual time.
  • Dump the RAM from the system to a removable storage device.
  •  Check the system for the use of whole disk or file encryption.
  • Collect other volatile operating system data and save to a removable storage device.
  • Determine evidence seizure method (of hardware and any additional artifacts on the hard drive that may be determined to be of evidentiary value).
  • Complete a full report documenting all steps and actions taken.
These basic steps allow the on-scene investigator to collect data that was previously overlooked as unnecessary or simply lost out of ignorance. Open source and commercial tools are currently available that easily allow this methodology to be followed on a running system. The RAM is dumped first to capture the greatest amount of evidence available. It must be noted that inserting any device into the running system (flash drive, removable drive, or CD) will make minor changes to the system. The proper use of these tools does not add evidence or contraband to the system. Running a program to dump the RAM requires that a very small amount of RAM be occupied by the tool to conduct the RAM dump. Inserting a removable drive into a USB port adds an entry to the Microsoft Registry. All of these changes have no effect on the overall state of the evidence and can be further documented at a later time by a traditional forensic examination. Some small changes are made during the process of using some of the available tools that require interaction with the Windows operating system. These changes, however, occur to the operating system files only and do not fundamentally change the content of the data saved on the system.
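An added example, not from the original post, Helix or dd: a small Python collection runner that implements steps 2 through 5 of the Volatile Data Collection Process above. Each tool is bracketed by UTC timestamps, its raw output is hashed, and every record is appended to a JSON-lines log the moment it exists, so the log itself is the command history. The command lists in `default_commands()` are assumptions about what an examiner might run, and the log path in the usage is an assumption too.

```python
"""Audit-trailed volatile data collection runner (added example, not from the post).

Each command is bracketed by timestamps, its raw output is hashed, and every record is
written to a JSON-lines log as soon as it is produced, so the log doubles as the
command history. The command lists in default_commands() are assumptions.
"""
import datetime
import hashlib
import json
import platform
import subprocess
import sys


def utc_now():
    """ISO-8601 UTC timestamp from the collector's clock (record the host's clock separately)."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="microseconds")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def run_step(seq, argv, timeout=60):
    """Run one collection command and return an audit record for it."""
    started = utc_now()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        rc, out, err = proc.returncode, proc.stdout, proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:   # tool missing, not executable, or hung
        rc, out, err = None, b"", str(exc).encode()
    return {
        "seq": seq,
        "argv": list(argv),
        "started": started,
        "ended": utc_now(),
        "returncode": rc,
        "stdout_sha256": sha256_hex(out),                  # hash of the raw bytes, before decoding
        "stdout": out.decode("utf-8", errors="replace"),
        "stderr": err.decode("utf-8", errors="replace"),
    }


def default_commands():
    """Assumed command set: date/uptime first, then process and network state."""
    if platform.system() == "Windows":
        return [["cmd", "/c", "date /t & time /t"], ["cmd", "/c", "net statistics workstation"],
                ["tasklist"], ["netstat", "-ano"], ["ipconfig", "/all"]]
    return [["date"], ["uptime"], ["ps", "aux"], ["ss", "-tulpn"], ["ip", "addr"]]


def collect(commands, log=None):
    """Run commands in order; write one JSON line per record to `log` if given; return all records."""
    records = []

    def emit(record):
        records.append(record)
        if log is not None:
            log.write(json.dumps(record) + "\n")
            log.flush()                                    # keep what was gathered if the box dies

    emit({"event": "collection_start", "started": utc_now(),
          "host": platform.node(), "os": platform.platform()})
    for seq, argv in enumerate(commands, start=1):
        emit(run_step(seq, argv))
    emit({"event": "collection_end", "ended": utc_now(), "commands_run": len(commands)})
    return records


if __name__ == "__main__":
    # Log path is an assumption; point it at removable media, never at the suspect disk.
    path = sys.argv[1] if len(sys.argv) > 1 else "volatile.jsonl"
    with open(path, "a") as fh:
        for rec in collect(default_commands(), fh):
            print(rec.get("seq", rec.get("event")), rec.get("ended") or rec.get("started"))
```

The hash is taken over the raw bytes before decoding, so the log can later be checked against any copy of the tool output that was saved separately; a missing tool produces a record with `returncode` set to `None` rather than aborting the run, which keeps the audit trail complete.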


Hacker News


Israeli Musical Act Magazine hacked
An Anonymous member with the Twitter handle @OsamaTheGod leaked a large database from the server of Israeli Musical Act Magazine (act.co.il). The leaked database, posted on a public note website, includes user IDs, usernames, passwords in clear text, IP addresses and phone numbers. The hacker posted data of about 10000 users from the site. The reason for the hack has not been mentioned anywhere, but because the hacker used the #OpIsrael hashtag in his tweets, this could be an attack against Israel as part of the Anonymous vs Israel fight.


NEW DELHI: The Bharat Sanchar Nigam Limited (BSNL) website, www.bsnl.co.in, was hacked and defaced on Thursday afternoon. A message on the home page said the attack was carried out by the hacktivist group Anonymous India, as a protest against section 66 A of the IT Act and in support of cartoonist Aseem Trivedi, on an indefinite hunger strike at Jantar Mantar since Dec 8 for the same. The website was restored around 7 pm.
Trivedi said he had received a call from Anonymous around 1.30 in the afternoon informing him that the website has been defaced. On being asked if such a form of protest was valid, Trivedi said, "When the government doesn't pay heed to people's protests against its laws and arrests innocent people for Facebook posts, then such a protest is absolutely valid."
For most of the afternoon and early evening, the BSNL website wasn't available directly. A cached version of the BSNL home page showed an image of cartoonist Trivedi with text that read "Hacked by Anonymous India. support Aseem trivedi (cartoonist) and alok dixit on the hunger strike. remove IT Act 66a databases of all 250 bsnl site has been d Hacked by Anonymous India (sic)". While this message was repeated over and over on the page, it ended with the line "Proof are (sic) here" followed by a link to a page containing the passwords to BSNL databases. BSNL officials were unaware of the attack until Thursday evening.
Late in the evening, Anonymous India tweeted from their account @opindia_revenge: "BSNL Websites hacked, passwords and database leaked... Anonymous India demands withdrawal of Sec 66A of IT Act."
In an open letter to the Government of India posted on alternate media website Kafila in June this year, Anonymous had explained they only carried out Distributed Denial of Service (DDoS) attacks on Indian government websites, which is different from the act of hacking per se.
Contrary views too exist. Sunil Abraham, executive director, Centre for Internet and Society, says the attack was unwarranted. "Speech regulation in India is not a lost cause, the Minister is holding consultations, MPs are raising the issue in Parliament, courts have been approached and there is massive public outcry on social media. Therefore I would request Anonymous India to desist from defacing websites," said Abraham. A group of MPs, including Baijayant Jay Panda from Odisha, are scheduled to present a motion in Parliament on Friday morning for the amendment of section 66A of the IT Act.
Last month, two young girls were arrested in Palghar, Maharashtra, for criticizing on Facebook the bandh that followed the death of Shiv Sena supremo Balasaheb Thackeray. Before that, Karti Chidambaram, son of finance minister P Chidambaram, took a man to court for commenting on his financial assets on Twitter. In both cases, the complainant 'used' section 66 A of the IT Act. The section and the Act have since come in for wide debate regarding freedom of speech.

SCADA


In what industries are SCADA systems used?
SCADA systems can be used to monitor and control any kind of equipment, process, or operation. Most commonly, they automate complicated industrial processes where manual monitoring and control by human operators just isn't feasible. This includes:
  • electric power generation, transmission, and distribution 
  • water and sewage
  • buildings, facilities, and environments
  • manufacturing
  • mass transit
  • traffic signals.
These are only a few common examples, however. SCADA systems are a global reality.
How does monitoring and controlling in real time increase my efficiency and maximize my profitability?
Here's a short list of the tasks you can perform using SCADA systems:
  • You can pull up numerical measurements of critical process values (both the current value and trends over time).
  • You can identify and solve problems before they even start.
  • You can keep your eye on long-term trends and threats.
  • You can identify and attack bottlenecks and inefficiencies throughout the enterprise.
  • You can effectively manage bigger and more complicated processes with a smaller and less trained staff.
SCADA systems enable you to keep a very close eye on your operations. You can deploy sensors and control relays at important places to get a highly detailed "bird's-eye view" of your revenue-generating activities. With SCADA, you will incur less cost while doing more.

You can divide the functions of SCADA systems into four major categories:
1. Data acquisition
2. Data communication
3. Data presentation
4. Control

1 - Data Acquisition
SCADA systems have to monitor hundreds or perhaps thousands of individual sensors. Some sensors are put in place to measure inputs into the system, while others measure outputs.
Some sensors (known as discrete sensors) are used to monitor very simple "binary" events. These events are either "on" or "off". For example, every time a particular piece of production equipment in a manufacturing plant completes a process, it may output an electrical signal via a contact closure. A discrete sensor will detect this electrical signal and report it back to you at the control console of your SCADA system.
Other sensors measure more complicated values where it's critical to know the exact value. These are called analog sensors, and they measure continuous changes within a possible range of values.
A simple mercury thermometer is a great example of an analog sensor - whereas a simple thermostat is the discrete form of temperature sensor. With the mercury thermometer, you know exactly what the temperature is (within a specific degree of accuracy, of course). With the thermostat, you only know that the temperature is either above or below the value that you preset.
Obviously, analog measurement is important in SCADA systems where you need to keep track of fluid levels in water and fuel tanks, voltages of batteries, temperature, humidity, and other values that are most appropriately measured with a continuous range "analog" sensor.
To make it simpler for a human operator to interact with analog sensors, the best SCADA systems allow you to define a normal range for an analog value. For instance, you might specify that the temperature in your server room should remain between 60 and 79 degrees Fahrenheit. If the temperature in the server room goes outside this range, your SCADA system will provide an automated alert - either at a control console or directly to you via cell phone or e-mail.

2 - Data Communication
SCADA systems involve monitoring multiple processes and pieces of equipment from a single location. To do this, you have to have a communications network to bring remotely collected data to your screen.
Data in modern SCADA systems is typically transported via ethernet or IP over SONET. It is important, however, to keep SCADA traffic off of the public Internet. This is an important security measure against both the real and perceived threats of terrorism. Public infrastructure and utilities and manufacturing facilities are valuable targets for disruptive attacks. This makes it very important to take at least basic security precautions.
Fortunately, the trend in SCADA systems today is toward open protocols and data formats. While older systems locked you into a single manufacturer to maintain compatibility, today you have many options based on the DNP3 and MODBUS protocols. If you buy a piece of DNP3 or MODBUS equipment today, you can buy compatible equipment tomorrow from one of many other manufacturers. This protects you from the trap of only having a single source for expanding your SCADA system.
In order for your central SCADA console to receive information from sensors, which are very simple devices, you need to install an RTU (Remote Telemetry Unit) at each monitored location. An RTU collects data from sensors and converts the readings into a protocol, such as MODBUS or DNP3, that can be transported across your communications network and back to you.
The same communication works in reverse (from you to your RTU) for control commands. In this scenario, you would issue a command from your central SCADA console. That command would be encoded into the SCADA protocol you are using and sent out across your network. The appropriate RTU would receive and decode your command, then respond by latching a control relay. This command process tells the equipment that you have wired into your RTU to perform a specific action.
Issuing commands remotely provides the substantial benefit of not having to drive out to distant sites every time you receive a SCADA alarm or other alert. In many cases (if you prepared appropriately during your installations), you can skip the drive time and simply issue a remote command.

3 - Data Presentation

As a human being, you can't just sit down to read SCADA data in its raw format (at least, you'd never want to). In order to provide at-a-glance status information and make it easier to train new SCADA operators, SCADA systems display information in human readable format at central consoles and via remote alerts.
The central computer in SCADA systems is known as a master station, an HMI (Human-Machine Interface), or an HCI (Human-Computer Interface), depending on who you're talking to. All of these terms mean the same thing: a computer console that aggregates and summarizes data from your SCADA system and offers the ability to issue controls.
Part of aggregating and summarizing the status of your operations and processes is filtering alarms that the operator doesn't need to see. In any operation of substantial size, you run the risk of overloading your operators with frequent, meaningless alerts that they'll quickly learn to ignore. The first time a "real" alarm comes in, it's likely to be missed in the noise of unimportant alarms.
That's exactly why quality SCADA systems allow you to choose which alarms your operators should see. You can filter on location, severity, or the amount of time the alarm condition has existed. Just a few carefully designed filters will hide unimportant "nuisance" alarms from view. All the data is still there, but the operator you hired last week won't be overloaded with worthless information.
After filtering alarms, SCADA systems have to present the data that remains. This can come in all sorts of formats, but the best systems have graphical interfaces that are easy to see and interpret. Ideally, you want a system that offers multiple display options, including geographic maps, blueprints and floor plans, photographs of rack-mounted and other equipment.
Also, if you don't want to be stuck at a central console all the time, you need to choose a SCADA master station that can be accessed by multiple users via remote network connection.
Choose SCADA systems that can send out automatic e-mail and pager/cell phone alerts. This also helps increase your mobility. These updates also provide faster notification of emerging problems that you can tackle from the field without returning to your central office.

4 - Control
As mentioned earlier in our discussion of RTU's, one key function of SCADA systems is to control equipment remotely (and sometimes automatically). It's just not efficient to go to the site of the problem every time you get an alarm. In SCADA, if it seems like there must be a better way, there probably is.
When it comes to controlling equipment remotely, that better way is control relay commands issued from your SCADA master station and transmitted to your RTU's via your network. In this way, you can control equipment as if you were there - without actually wasting any time traveling.
Even better, advanced SCADA systems allow you to pre-specify responses to specific alarms, combinations of alarms, or predefined scenarios. Once you've completed this preliminary databasing, your SCADA system will respond automatically within seconds when an automatic control condition is triggered. This is an excellent way to switch to a backup system in the event of a primary system failure, especially in public safety, telecom, transit, and manufacturing environments.

How do I find the right SCADA systems for my needs?

SCADA systems are major B2B purchases that your company will be using for perhaps 10 or 15 years. You don't want to make a mistake.
Even though the goal of SCADA is to improve your operations, making a hasty decision that turns out to be incorrect can hurt you in many ways. You could end up spending a fortune on band-aid fixes for a system you didn't fully plan out beforehand. You might also find that you've totally exceeded your budget without coming close to the original specifications. There's also the chance that you'll make a mistake you won't detect until a few years down the line - building a system that isn't flexible enough to grow as your company does.
To make sure that you pick the right SCADA systems during your evaluation period, make sure that any system you select meets the criteria discussed in the next few sections:
What do I look for in a SCADA RTU?
You need to choose an RTU that can communicate with all of your equipment and simply survive in the harsh industrial conditions at your sites. Here are some key criteria to look for:
You need to choose an RTU that has sufficient capacity. With that said, you don't want to purchase way more capacity than you'll ever need. That's just as wasteful as not planning enough capacity. Take a survey of your monitoring needs before you select an RTU so you'll know what capacity to look for. Also, look for a SCADA systems vendor who has a wide range of models available. This helps to reduce purchasing hassles later because you only need to deal with one SCADA supplier.
Also, you should look for industrial-grade construction. An RTU in a plastic chassis just isn't going to cut it in your environment. Look for powder-coated metal, high resistance to electromagnetic interference, and an industrial temperature rating (if required).
RTUs with redundant power supplies are equipped to handle the fairly common failure of their embedded power supplies. SCADA systems are 24/7 operations that you can't afford to have fail.
You should also look for RTUs that have nonvolatile memory that can be accessed via LAN. This allows settings and upgraded firmware to be stored and preserved during power loss. Remote accessibility via LAN enables you to upgrade all the RTUs in your SCADA system from your desk - instead of performing unnecessary site visits.
Control relays are also important features for RTUs. Otherwise, they can only notify you of problems and will not provide a way to respond remotely. It's also a good idea to choose an RTU that can automatically latch its relays in response to prespecified events.
An embedded real-time clock allows an RTU to accurately date-and-timestamp its alarm messages. This is useful both for real-time and historical reporting.
What do I look for in a SCADA master?
In order for your SCADA master to display data effectively, it must have a few key features.
Look for a system that lets you program responses to complex events. This helps to reduce training required for new operators of your SCADA system - and the chance of a costly human error.
Also, you should seriously consider all SCADA systems that support 24/7 e-mail and cell phone notifications. These notification methods send alarms to people who may not be at the central master station at the time. An intelligent SCADA master should allow you to set filters for which alarms should be forwarded to e-mail or cell phone.
Quality SCADA systems include a master that describes alarms in plain English - without technical jargon that only one person at your company has a hope of understanding. To increase ease-of-use, the SCADA master should also filter nonessential alarms that do not need to be displayed.
Make sure your SCADA master supports expansion at a later time. SCADA systems are long-term investments, and you want to make sure you get your money's worth.
Finally, and most importantly, choose a SCADA master that supports multiple protocols (like DNP3 and MODBUS) and equipment types (like RTUs, servers, switches, generators, and manufacturing equipment). You never want to have to split your alarms into multiple SCADA systems because you can't achieve compatibility any other way. That multiplies the amount of manpower required to manage your operations effectively, while increasing the chance that you'll miss an important alarm and have a major problem. Also, look for sensible pricing/licensing when you're looking at offerings from different vendors. Avoid any pricing model that requires you to pay a fee every time you add a new monitored device. You shouldn't have to pay extra just to use the SCADA system you already bought.


Monday, 17 December 2012

Programmable Logic Controller PLC , SCADA Supervisory Control and Data Acquisition

Programmable Logic Controllers (PLC)
A programmable logic controller (PLC) is a microprocessor-based device used for automation processes, such as control of machinery on a factory assembly line, or control of boxing machines and conveyor lines. A key feature of a PLC is its input/output (I/O) facility, which connects to sensors and actuators. Through these I/Os, a PLC can read limit switches, analog process variables (such as temperature and pressure), and the positions of complex positioning systems. A PLC can operate electric motors, magnetic relays or solenoids, pneumatic or hydraulic cylinders, or analog outputs.
They are among the most versatile and common devices used for industrial automation.
They monitor the inputs, solve the logic of a user program and control the outputs.

Data & Communications
A PLC holds a wealth of information. Information such as math calculations or the input state of a device is stored in the PLC's data area. Data areas are internal memory registers of the PLC, each with its own memory address. These data are accessible from external systems via the communication ports built into the PLC. Usually, a PLC will have a 9-pin serial RS-232 port with Modbus included as one of the communication protocols. Optionally, it may have Ethernet ports or various field buses such as DeviceNet or Profibus. Example: the running state of a motor is available to the PLC via input 1. Depending on the make of the PLC, this input 1 may be addressed by the Modbus address 10001. Note that Modbus itself carries no authentication or encryption: any system that can reach the port can read these registers, and in most cases write to them, so access to the port has to be restricted at the network level.
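
To make the addressing concrete, here is an added example (not code from the post or from any PLC vendor) that maps the conventional 5-digit Modbus reference 10001 to what actually goes on the wire, builds the Modbus/TCP request that reads it, and decodes a constructed reply. The reference-to-address table is an assumption that follows the common vendor convention (0xxxx coils, 1xxxx discrete inputs, 3xxxx input registers, 4xxxx holding registers); the sample response bytes are constructed for the example. Reading the frame layout also shows the security point: there is no credential, session or signature field anywhere in the ADU.

```python
import struct

# Conventional 5-digit Modbus "reference" ranges, as used in the post (input 1 -> 10001).
# Assumption: the PLC follows this common convention; it is a vendor habit, not part of
# the Modbus specification, so check the device manual.
REFERENCE_TABLES = {
    0: (0x01, "coil"),              # 0xxxx : read with FC 01 (Read Coils)
    1: (0x02, "discrete input"),    # 1xxxx : read with FC 02 (Read Discrete Inputs)
    3: (0x04, "input register"),    # 3xxxx : read with FC 04 (Read Input Registers)
    4: (0x03, "holding register"),  # 4xxxx : read with FC 03 (Read Holding Registers)
}

MODBUS_PROTOCOL_ID = 0  # always 0 in the MBAP header


class ModbusException(Exception):
    """Raised when the device answers with an exception response (FC | 0x80)."""


def reference_to_pdu_address(reference):
    """Map a conventional reference such as 10001 to (read function code, zero-based
    address on the wire). 10001 -> (0x02, 0); 40001 -> (0x03, 0)."""
    if not 1 <= reference <= 49999:
        raise ValueError("reference %r out of range" % reference)
    table, offset = divmod(reference, 10000)
    if table not in REFERENCE_TABLES or offset == 0:
        raise ValueError("reference %r is not a valid table address" % reference)
    function_code, _ = REFERENCE_TABLES[table]
    return function_code, offset - 1


def build_read_request(transaction_id, unit_id, reference, quantity=1):
    """Build a complete Modbus/TCP ADU (MBAP header + PDU) that reads `quantity`
    items starting at `reference`. Note what is absent: no credential, session or
    signature field exists anywhere in the frame."""
    function_code, address = reference_to_pdu_address(reference)
    pdu = struct.pack(">BHH", function_code, address, quantity)
    # MBAP: transaction id, protocol id, length of (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_write_single_coil(transaction_id, unit_id, reference, on):
    """FC 05: force a coil (0xxxx reference) ON (0xFF00) or OFF (0x0000). This frame
    is exactly as unauthenticated as the read above."""
    function_code, address = reference_to_pdu_address(reference)
    if function_code != 0x01:
        raise ValueError("only 0xxxx coil references can be written with FC 05")
    pdu = struct.pack(">BHH", 0x05, address, 0xFF00 if on else 0x0000)
    mbap = struct.pack(">HHHB", transaction_id, MODBUS_PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_response(frame, expected_transaction_id):
    """Validate the MBAP header and decode a read response into a list of bit or
    register values. The length and transaction-id checks are the only integrity
    checks the protocol offers."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    transaction_id, protocol_id, length, _unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != MODBUS_PROTOCOL_ID:
        raise ValueError("not a Modbus/TCP frame")
    if transaction_id != expected_transaction_id:
        raise ValueError("transaction id mismatch (reply to a different request?)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    if function_code & 0x80:
        raise ModbusException("exception code 0x%02x" % frame[8])
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data")
    if function_code in (0x01, 0x02):
        # Bit-packed, least significant bit first within each byte
        return [(data[i // 8] >> (i % 8)) & 1 for i in range(byte_count * 8)]
    if function_code in (0x03, 0x04):
        return list(struct.unpack(">%dH" % (byte_count // 2), data))
    raise ValueError("unexpected function code 0x%02x" % function_code)


# Constructed sample reply from the PLC: unit 1 answers FC 02 with one status byte
# whose bit 0 is set, i.e. input 1 (reference 10001) is ON: the motor is running.
SAMPLE_RESPONSE = bytes.fromhex("00010000000401020101")


if __name__ == "__main__":
    req = build_read_request(transaction_id=1, unit_id=1, reference=10001)
    print("request       :", req.hex())
    print("motor running :", bool(parse_read_response(SAMPLE_RESPONSE, 1)[0]))
```

The request for input 1 is twelve bytes, and the write that forces a coil is the same size; nothing in either frame tells the PLC who sent it. That is why the communication port (serial or TCP/502) must be reachable only from the supervisory system and not from the office network.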

PLC & IntegraXor
IntegraXor is a tool for developing HMI/SCADA applications. IntegraXor has the communication drivers to exchange data directly with a PLC via its communication port. Apart from PLCs, IntegraXor can also communicate with various other devices, such as robots and drives, that have a supported communication protocol and port.

SCADA Supervisory Control and Data Acquisition
SCADA generally refers to industrial control systems: a computer system monitoring and controlling a process. The process can be industrial, infrastructure-based or facility-based, as described below:

Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive or discrete modes.
Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems.

Facility processes occur in both public and private facilities, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.
A SCADA system consists of:
  • A human-machine interface (HMI), which presents process data to a human operator; the operator monitors and controls the process.
  • A supervisory (computer) system for gathering and acquiring data on the process and sending commands (controls) to the process.
  • Remote Terminal Units (RTUs) connecting to sensors in the process, converting sensor signals to digital data and sending the data to the supervisory system.
  • Programmable Logic Controllers (PLCs) used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs.
  • Communication infrastructure connecting the supervisory system to the Remote Terminal Units.

Subsystems of SCADA
SCADA/EMS subsystem
Inter-site Communication (ICCP) subsystem
Web subsystem and the security infrastructure
ISR subsystem (HIS)
Archive subsystem
Network management subsystem
Video projection system (VPS)
Development subsystem
User Interface (UI) subsystem
GPS Time & Frequency subsystem
WAN subsystem
LAN subsystem
Peripheral devices

Digital Forensics in Depth

Computer forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse cases, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. Since forensic science is the application of a scientific discipline to the law, the essence of all forensic disciplines concerns the principles applied to the detection, collection, preservation, and analysis of evidence to ensure its admissibility in legal proceedings. Computer forensics refers to the tools and techniques used to recover, preserve, and examine data stored or transmitted in binary form.

The computer forensics specialist must approach the retrieval process in a very detailed and methodical manner, since any or all evidence discovered can then be used during discovery, depositions, or actual litigation. Ryan Purita, one of the leading computer forensic experts in private practice in Canada, states: “In order for results to hold up in court, the file system under investigation must remain unaltered. If a single file has a time stamp later than the date and time that the file system was surrendered as evidence, an opposing lawyer can call the entire investigation into question.” “You screw one little thing up,” Purita explains, “and everything else is gone” in the case. Erin Kenneally echoes the importance of evidence collection and of the meticulous, calculated steps that should be taken during its retrieval: “Whereas DNA analysis is performed on the original blood evidence, maintaining the sanctity of original evidence is a tenet of computer forensics, and analysis must be conducted on a copy of the original media (with a few, notable exceptions where circumstances preclude a copy being made).” “Regardless of whether the discipline is computer forensics or fingerprinting, the driving question is not whether evidence exists but, rather, can investigators uncover and contextualize the evidence. Therefore, the challenges are: Where to look? What techniques will make the evidence apparent? And is the evidence admissible?”
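
The two requirements above, working on a verified copy rather than the original and having no file touched after the surrender time, are the kind of thing an examiner should check mechanically rather than by eye. The following is an added example (not from the post or from either expert quoted) that hashes an image and its working copy with SHA-256 and walks a mounted file tree for timestamps later than the surrender time. The surrender time `SURRENDERED_AT`, the file names and the image contents are all constructed for the example; the hash algorithm is a choice, not something the post prescribes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed: the moment the media was surrendered as evidence (2012-12-17 00:00:00 UTC).
# Any file whose timestamps are later than this is a red flag for the whole examination.
SURRENDERED_AT = 1355702400


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_working_copy(original, working_copy):
    """The examination runs on the copy, never on the original. Accept the copy only
    if its digest equals the original's; keep both digests in the case notes so the
    copy can be re-verified at any later point."""
    return sha256_file(original) == sha256_file(working_copy)


def timestamps_after(root, surrendered_at):
    """Return (relative path, which timestamp, value) for every file whose
    modification or access time is later than the surrender time. Run this on the
    mounted working copy before anything else touches it, and mount it read-only so
    the check itself cannot create the problem it is looking for."""
    root = Path(root)
    flagged = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        for label, value in (("mtime", st.st_mtime), ("atime", st.st_atime)):
            if value > surrendered_at:
                flagged.append((p.relative_to(root).as_posix(), label, value))
    return flagged


def build_sample_evidence():
    """Constructed sample data: a tiny file tree standing in for the seized file system,
    a raw image, a faithful copy of it, and a copy altered by a single bit."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    fs = root / "fs" / "docs"
    fs.mkdir(parents=True)
    (fs / "contract.txt").write_bytes(b"signed 2012")
    (fs / "notes.txt").write_bytes(b"meeting notes")
    before = SURRENDERED_AT - 86400
    for p in fs.iterdir():
        os.utime(p, (before, before))
    # Simulate the mistake Purita warns about: one file opened and saved after surrender.
    os.utime(fs / "notes.txt", (SURRENDERED_AT + 600, SURRENDERED_AT + 600))

    image = root / "disk.dd"
    image.write_bytes(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)
    (root / "disk_copy.dd").write_bytes(image.read_bytes())
    altered = bytearray(image.read_bytes())
    altered[4096] ^= 0x01          # flip one bit in the altered copy
    (root / "disk_altered.dd").write_bytes(bytes(altered))
    return root


if __name__ == "__main__":
    root = build_sample_evidence()
    print("copy verified :", verify_working_copy(root / "disk.dd", root / "disk_copy.dd"))
    print("altered copy  :", verify_working_copy(root / "disk.dd", root / "disk_altered.dd"))
    for rel, label, value in timestamps_after(root / "fs", SURRENDERED_AT):
        print("LATE TIMESTAMP:", rel, label, value)
```

A single flipped bit is enough to fail the copy check, which is the point: the digest recorded at acquisition is what lets the examiner show later that the copy analysed is the media that was seized. Change-time (ctime) is deliberately left out of the walk because it cannot be set by `os.utime` and would vary with the host the check runs on.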
Though in many organizations the incident response team already performs some evidence-collection activities, collecting that evidence and preserving it in a systematic, proactive approach is still an open issue. In order to counter anti-forensics, organizations need to decide early what information to collect and how to preserve it in a forensically sound manner. Live (proactive) forensic investigations are hindered by the lack of a definition of live forensics and of standard procedures for live investigations. The authors of the work discussed here also suggested automating and activating evidence-collection tools in live investigations; this automation should involve minimal user intervention, to improve the integrity of the evidence. A multi-component view of the digital forensics investigation process has thus been proposed. However, it is a high-level view of the investigation and, as such, cannot directly be operationalized to create automated tools. Additionally, the process described contains phases, such as service restoration, that lie outside the scope of the investigation.
It would be unwise to depend upon “audit trails and internal logs” in a digital forensics investigation, since an intruder with control of the system can alter or delete them. In addition, note that a future digital forensics investigation process will only be possible if future tools and techniques make a proactive effort at evidence collection and preservation. Evidence collected in the reactive stage of the investigation, whose quality and availability cannot be guaranteed, is more time consuming to investigate. Conversely, the proactive stage collects only potential evidence, which is less time consuming to investigate. In addition, a high-level proactive forensics system is proposed as the ideal.