The chief aim of digital forensics is to identify, collect, analyze and present digital evidence collected from various media in the case of a criminal incident. IoT forensics is a specialized branch of digital forensics that encompasses investigations of, or using, connected devices, sensors, data stored on different platforms, etc.
The Internet of Things (IoT) is a rapidly growing technology, creating countless opportunities and challenges for investigators looking into any type of crime, be it a cyberattack or a physical assault. IoT environments are connected and dynamic, and they can be altered from anywhere without a hitch. IoT devices generally have a sensor or actuator that generates data, either autonomously or in response to specific manual actions. This makes them great digital witnesses, since they can capture traces of activity that could be immensely helpful during forensic investigations. The evidence from IoT devices is critical, provided that investigators can manage the volume of data generated, the number and variety of devices available, the heterogeneity of the protocols used and their distributed nature.
Earlier, researchers had recommended that IoT forensics be done using specific frameworks in which the traces were proactively collected from the devices, and the network needed to be available for study in case an IoT-related incident took place. These methods are still valid, but they make a lot more sense in an industrial IoT environment, since such environments have the need and the resources required to put in place the forensic preparedness essential for such situations. However, this would not be the case for most smart homes or even most smartphones. It is important to understand that crime scenes cannot be prepared in advance from a forensic perspective. A helpful approach to IoT in digital forensics would be to try to obtain whatever traces of information are available from the IoT devices at the crime scene and from associated smartphones. This could, in a way, also be an extension of the existing forensic method of examining smartphones.
It was earlier believed that only a limited amount of data on specific parameters, such as movement, location, temperature, presence/absence, steps taken, distance walked, amount of time spent walking, calories burnt, etc., could be obtained from IoT devices during the course of an investigation. However, recent studies have found that it is possible to extract even more data from these devices, such as system activity logs with details about the events recorded by the device sensors, as well as the commands sent out by the users. These pieces of information can give an investigator a better picture of, say, what time a door was opened or when the alarm was disabled. Devices such as smoke detectors, carbon monoxide detectors, etc. can help investigators pinpoint the approximate time when, and the approximate location where, a particular fire started. These connected sensors and linked devices are extremely useful in providing the last status of the device, though there is variability here too, since not all information may survive a reboot of the device. What's important is that the traces of information provided by these IoT devices can be found not only on the physical devices but also on their associated smartphones, as well as in the cloud. The digital traces of information that can be obtained from smartphone applications include cached image thumbnails, fragments of camera streams, cached events triggered by the sensors, event logs stored in application databases, etc. In the course of an investigation, these bits of information can help investigators better understand what happened, when it happened, and which user account sent out which commands to which devices. For instance, the image thumbnails could potentially tell investigators about the number of people that were there in an IoT environment at a particular time, as well as shed some light on their identities.
Photographs and videos that get recorded by the IoT devices can help investigators attribute specific physical activities to specific individuals at different points in time. Cloud credentials that can be recovered from smartphone applications can help investigators unravel the data stored in cloud systems.
While IoT offers countless benefits in the course of criminal investigations, there are also certain challenges that investigators face in this regard. The first challenge deals with the analysis of network traffic. There is an increasing amount of encrypted data traffic. While this is great for users, it becomes quite a limitation for investigators, who would be unable to obtain important traces of the information being transmitted and received by the IoT devices. The second important challenge that investigators face is that the traces of information present on the physical devices are themselves limited by the configuration settings or by limited persistence, due to a limited amount of available storage. For most devices, data is stored only until a complete reboot takes place; once the device is rebooted, the data is lost, sometimes irrecoverably. Many procedures for analyzing IoT data can be quite challenging for investigators too, such as using JTAG or a chip-off to get access to the data.
Interestingly, the very features that make IoT devices excellent digital witnesses to crimes also become obstacles in the path of forensic investigations. When investigators go about exploring the IoT data, they themselves are stepping into an IoT environment, effectively leaving their own traces and virtually stepping into the digital evidence. Such evidence dynamics can occur in any crime scene after all, though the impact is a lot more pronounced in an IoT environment.
Another major challenge that investigators face while handling IoT data is how to go about establishing a link between the digital traces, and physical activities and entities. While IoT is extremely useful for investigators in establishing a timeline or reconstructing the activities that took place in great detail, one wrong assumption or one overlooked event could completely mangle up the findings, leading to incoherent and incorrect conclusions.
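An added example (not from the original article) of the timeline reconstruction discussed above, covering both the app-database event logs and the risk of one wrong assumption: it merges a companion app's event table with device-side log lines, normalizing each source to UTC before linking commands to physical events. The schema, log format, account and device names, UTC offset and clock-skew values are all constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

def build_app_db():
    """Constructed stand-in for a companion app's event database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts_ms INTEGER, account TEXT, device TEXT, action TEXT)")
    db.executemany("INSERT INTO events VALUES (?,?,?,?)", [
        (1700000100000, "user_a", "alarm_hub", "alarm_disabled"),   # epoch ms, UTC
        (1700000400000, "user_b", "front_door", "unlock_command"),
    ])
    return db

# Constructed device-side log lines: local wall-clock time with no zone information.
DEVICE_LOG = ["2023-11-14 23:22:40 front_door door_opened",
              "2023-11-14 23:31:00 smoke_detector smoke_alarm"]
# Assumed per-device (UTC offset in hours, clock skew in seconds vs. a reference
# clock), as an examiner would record at seizure. Positive skew = device runs fast.
DEVICE_CLOCKS = {"front_door": (1, 120), "smoke_detector": (1, -30)}

def app_events(db):
    rows = db.execute("SELECT ts_ms, account, device, action FROM events")
    for ts_ms, account, device, action in rows:
        ts = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        yield (ts, "app_db", device, action, account)

def device_events(lines, clocks):
    for line in lines:
        date, clock, device, action = line.split()
        offset_h, skew_s = clocks[device]
        local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        utc = local.replace(tzinfo=timezone(timedelta(hours=offset_h))).astimezone(timezone.utc)
        yield (utc - timedelta(seconds=skew_s), "device_log", device, action, None)

def build_timeline(db, lines, clocks):
    """Merge both sources into one UTC-ordered list, keeping the source of each entry."""
    return sorted([*app_events(db), *device_events(lines, clocks)], key=lambda e: e[0])

def correlate(timeline, window_s=60):
    """Link each device event to the latest app command sent to that device within window_s before it."""
    links = []
    for ts, source, device, action, _ in timeline:
        prior = [e for e in timeline if source == "device_log" and e[1] == "app_db"
                 and e[2] == device and 0 <= (ts - e[0]).total_seconds() <= window_s]
        if prior:
            cmd = prior[-1]
            links.append((cmd[4], cmd[3], action, (ts - cmd[0]).total_seconds()))
    return links

if __name__ == "__main__":
    for entry in build_timeline(build_app_db(), DEVICE_LOG, DEVICE_CLOCKS):
        print(entry[0].isoformat(), *entry[1:])
```

Reading the door log as UTC, without the offset and skew correction, would place the door opening more than an hour after the unlock command and the link between the two would be missed.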
To handle IoT devices properly from a forensic perspective, it is important that criminal investigators be effectively assisted by forensic advisors who specialize in the Internet of Things. By doing so, investigators would be able to recognize, preserve and prioritize digital traces at the crime scene. It would be even more beneficial if these specialized advisors have broad-ranging expertise not limited to a particular technology or domain, as it would help cover more ground during a criminal investigation.
One challenge, though, tops all the rest: the admissibility of IoT evidence in a court of law. Each trace of information collected from an IoT device, a smartphone or the cloud needs to be researched thoroughly and presented in such a manner that a layman can easily comprehend the value of that evidence in a court of law. It would need to be backed by expert arguments and other evidence as well. However, training the judiciary as well as the investigative agencies in this regard would be highly beneficial for everyone. It would be important for everyone to understand the meaning as well as the limitations of these traces. While we consider all this, it is also important to take into account the potential criminal exploitation of IoT devices. A criminal can easily use the information generated by IoT devices to stalk victims, plan attacks, access surveillance data or other IoT systems in the house, or disable the IoT devices from recording particular events.
The world of Internet of Things is an enchanting and exciting domain of opportunities and challenges. Professionals skilled in working with IoT, understanding IoT and developing IoT solutions are extremely high in demand, considering the very wide range of applications the technology has. You could be one of these professionals and become a sought-after unicorn in the job market too. Cognixia – world’s leading digital talent transformation company is working to deliver world-class training and upskilling solutions in the field of Internet of Things, among others to individuals and enterprises, helping them grow ahead and scale their ambitions. To know more about IoT training programs, reach out to us today!