Just for chuckles has anyone done forensic analysis on PLCs or other SCADA related industrial network, or M2M devices? If so, did you use the standard toolkit? I imagine there isn't much of an established procedure for this (I've looked quite a bit). Any info would be helpful.
I was talking to a guy last week that specializes in doing vulnerability assessments on SCADA networks and that topic did come up. His background was in building the 'devices' and started doing the security thing afterwards, where I am the exact opposite - so, it was nice to finally talk to an engineer that could explain the innards of these things but knew enough about security to mold his explanations towards what I was asking.
From what I gathered from talking to him:
Most PLCs in use in production environments have been there for decades. When they were built the engineers were just happy they had it working and never bothered with anything else. In many cases there aren't even error codes built in to tell you why a PLC failed, let alone something silly like bounds checking to prevent a buffer overflow.
Most PLCs or RTUs aren't going to store much of anything. The server they talk to on the other hand might have all kinds of data on it. Most likely what you'll find isn't all that exciting, though.
There are 'soft PLCs' that are software running on a computer. I doubt they store anything locally, but you never know.
W.r.t. the SCADA forensics post, after 15 years, have any new techniques for SCADA/PLC investigation been developed?
Not that I'm aware of. SCADA was way over-hyped 'way back when', but all SCADA is is a bunch of systems running outdated software with little to no patching. There's nothing more magical about it than that.