Major control systems such as ICS/SCADA are currently being used in the key infrastructures of our society, notably in the energy, transportation, and healthcare sectors. The PLC, which is located in the lowest layer of the control system, is directly connected to diverse field devices including sensors and actuators. In the event of a cyber-attack on the PLC, the potential ripple effects, such as a collapse of the national infrastructure, could be very large, making a high level of cyber safety essential. Therefore, it is necessary to apply digital forensic technology to the PLC to respond to cyber-attacks against the control system. However, conventional methods of directly investigating the PLC, such as network and memory forensics, have practical difficulties as they could compromise the availability of the control system. As such, this paper proposes a method of detecting and restoring logic data when the logic data are changed as a result of a cyber-attack, by using the digital forensic technology developed for the Engineering Workstation (EWS), which has been used to develop, manage and set the control system program logic. •We proposed a method of detecting and collecting data for the PLC forensic investigation of the ICS components.•We presented the method of detecting and restoring the alteration attack of TIA Portal Step 7’s project file used to control a PLC from an EWS and developed monitor and control logic.•We suggested a test environment was built to verify the developed tools, and it confirmed the detection of changes to the project file and its restoration in the following two cases: i) alteration of the control block by an authorized user, and ii) direct access to and alteration of the project file.