Data Provenance and Digital Forensics

Attacks targeting Industrial Control Systems (ICS) are a major threat, so there is a requirement to respond to and learn from previous and new attacks in order to mitigate them, and digital forensics plays a significant role in this process. This research theme focuses on understanding the challenges of developing and deploying digital forensics solutions in ICS and wider Operational Technology (OT) environments. For instance, we explore the specific data types stored on a programmable logic controller (PLC) and define a forensic artefact taxonomy based on the data that can be acquired from PLC memory using third-party tools.

Figure: Provenance graphs linking network packets (nodes) to PLC memory/I/O registers (nodes) via contextual edges. Cluster density reflects register activity under normal operation; emergent clusters or structural deviations signal anomalous behaviour.

Publications
- Cook, M.M., Pezaros, D. "Artefact Provenance Graphs for Anomaly Inference in Industrial Control Systems". IFIP ICT Systems Security and Privacy Protection. SEC, 2025.
- Cook, Marco, et al. "A survey on industrial control system digital forensics: challenges, advances and future directions." IEEE Communications Surveys & Tutorials (2023).
- Marco, C., et al. "Introducing a Forensics Data Type Taxonomy of Acquirable Artefacts from Programmable Logic Controllers." IEEE: New York, NY, USA (2020).