The sheer volume of information gathered by billions of Internet of Things devices could contain valuable evidence from crime scenes. Such evidence could be used in court to establish whether someone is guilty or not, and its importance is no less than that of physical evidence. Despite this importance, collecting and analyzing evidence from an Internet of Things environment faces many legal and technical challenges. This paper summarizes the most important challenges related to Internet of Things forensics, along with the common approaches that have been developed to address them.
Index Terms—Internet of Things, IoT forensics, digital forensics.
1. Introduction
Billions of intelligent IoT devices are connected to the internet today, and the number is predicted to reach 20 billion devices by 2020 [1]. These smart, self-decision-making devices collect a sheer amount of human and system activity in order to take actions and make human life easier and more productive.
Since Internet of Things devices record almost everything around us, the collected information and the devices themselves are exceptionally important sources for digital forensics practitioners.
Digital forensics is the science concerned with collecting evidence from digital devices and analyzing it in a way that is legally admissible in court. It has evolved over the past years to cover new technologies and devices such as personal computers, routers, switches and many others, but when it comes to IoT, the nature of the technologies used (RFID, sensors, cloud computing, mobility, proprietary protocols and others) makes traditional digital forensic investigation (DFI) techniques and tools insufficient to handle a forensic investigation.
In this paper we cover the most well-known challenges in the IoT forensics field and the approaches that have been proposed to handle them. Section 2 gives a general overview of the IoT architecture, section 3 discusses the IoT forensics challenges, section 4 covers the known approaches for IoT forensics and section 5 is the conclusion.
2. IoT Architecture
The basic design of any IoT system (Figure 1) consists of the following components:
I. Sensors: the main function of sensors in IoT is to monitor the IoT environment, for example the temperature in a smart home or a person's activities in a wearable device. Depending on the sensing mode, the sensor collects measurements and information; the data collected from one or more sensors is usually not useful in its raw analog form, so it needs to be processed and analyzed.
II. Local Processing/Local Storage: after data is received from the sensors, microcontrollers and embedded boards process it and store it locally. A very important aspect of these devices is their limited storage, especially in smart home and wearable devices.
III. Network and Internet: the collected data is transmitted through gateways to the IoT service provider; protocols such as MQTT, CoAP and AMQP may be used at this level.
IV. IoT Cloud: the data is finally stored on the IoT service provider's servers. The provider may process the data and usually offers the user a web interface to access it after processing and analysis.
3. IoT Forensics Challenges
Digital forensics encompasses four stages: identification, preservation, analysis and presentation of evidence [2]. In this section we discuss the challenges related to each stage separately.
3.1 IoT identification forensics challenges
The first stage of any digital forensic investigation requires the investigator to determine where the evidence is located, what its format is and how it is stored. Answering these questions enables the investigator to draw up a proper plan for the rest of the investigation. The following are the challenges related to these questions in an IoT investigation:
i. Due to the design and functional nature of IoT infrastructure, evidence could be anywhere. Broadly, evidence is located in one of two places: the IoT devices and/or the IoT cloud provider. In some special cases the evidence could be in other parties' IoT devices or cloud, for example when a sensor detects and measures motion in a neighbor's house. In the first scenario, where the evidence is located in IoT devices, there could be hundreds of sensors and control devices, which makes it difficult and time consuming for investigators to identify all the evidence [3]; in some cases the evidence could be invisible, as when sensors are embedded in the human body or when data is read by sensors belonging to other parties (mobility of IoT). In the second scenario, where the evidence is located in the cloud, it could be distributed over multiple locations and multiple servers [4], which raises new challenges for the investigator in locating and aggregating this evidence.
ii. The data generated by IoT devices comes in many standard, non-standard and mixed formats, and its source may be a single sensor or multiple sensors, which forces the investigator to deal with multiple data formats from different sources [5]. In addition, during the data's journey from the IoT devices to the cloud it could be processed many times by multiple devices and in different formats, some of which could be proprietary, and the data could be duplicated.
iii. IoT devices typically have limited storage space, which means data is not stored on them for long; instead it is transmitted to the cloud service using protocols such as HTTPS, XMPP, CoAP, MQTT and AMQP [6] for further analysis and long-term storage. This raises the following challenges:
1- Evidence in IoT devices could be overwritten if the connection between the devices and the cloud service is lost for a long time [3].
2- Evidence stored in the cloud could be located in different countries, which means different laws and DFI procedures apply [7]. Even if there are agreements between the countries involved, the time between issuing a traditional warrant and beginning the investigation could be long enough for the evidence to be damaged, overwritten or changed.
3- Evidence stored either on the local IoT devices or in the cloud could be encrypted [8].
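Point ii above (the same measurement arriving in different formats from the device, the gateway and the cloud) is the kind of problem an investigator solves by normalizing everything into one schema before analysis. The following is an added example, not code from the paper: it parses three constructed inputs (a JSON-lines cloud export, a CSV gateway log and a key=value device serial log), keeps each raw line and its SHA-256 so a normalized record can always be tied back to the original, and groups records that independent sources report at the same instant. All device names, timestamps and readings are constructed.

```python
"""Normalize heterogeneous IoT evidence records into a single schema.

Added example, not code from the paper: three constructed inputs stand in for
formats met along the data path of section 3.1 (a JSON-lines export from the
IoT cloud, a CSV log from a gateway and a key=value serial log from the device).
Device names, timestamps and readings are constructed.
"""
import csv
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: cloud export, JSON lines with ISO-8601 timestamps.
CLOUD_JSONL = """\
{"device": "motion-01", "ts": "2024-03-01T20:15:02Z", "type": "motion", "value": 1}
{"device": "temp-02", "ts": "2024-03-01T20:15:05Z", "type": "temperature", "value": 21.5}
"""

# Constructed sample: gateway log, CSV with epoch seconds.
GATEWAY_CSV = """\
epoch,device_id,metric,reading
1709324102,motion-01,motion,1
1709324110,temp-02,temperature,21.6
"""

# Constructed sample: device serial log, key=value pairs with epoch milliseconds.
DEVICE_KV = """\
t=1709324102000 id=motion-01 k=motion v=1
t=1709324115000 id=temp-02 k=temperature v=21.7
"""


def _record(source, raw, device, ts, kind, value):
    """Common schema. The raw line and its hash stay attached to the record."""
    return {
        "source": source,
        "device": device,
        "ts": ts,  # timezone-aware UTC datetime
        "type": kind,
        "value": float(value),
        "raw": raw,
        "raw_sha256": hashlib.sha256(raw.encode()).hexdigest(),
    }


def parse_cloud_jsonl(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        ts = datetime.strptime(obj["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(_record("cloud", line, obj["device"], ts, obj["type"], obj["value"]))
    return out


def parse_gateway_csv(text):
    out = []
    lines = [l for l in text.splitlines() if l.strip()]
    header = next(csv.reader([lines[0]]))
    for line in lines[1:]:
        row = dict(zip(header, next(csv.reader([line]))))
        ts = datetime.fromtimestamp(int(row["epoch"]), tz=timezone.utc)
        out.append(_record("gateway", line, row["device_id"], ts, row["metric"], row["reading"]))
    return out


def parse_device_kv(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        ts = datetime.fromtimestamp(int(kv["t"]) / 1000, tz=timezone.utc)
        out.append(_record("device", line, kv["id"], ts, kv["k"], kv["v"]))
    return out


def normalize_all(cloud=CLOUD_JSONL, gateway=GATEWAY_CSV, device=DEVICE_KV):
    """Merge all sources into one timeline ordered by UTC time."""
    records = parse_cloud_jsonl(cloud) + parse_gateway_csv(gateway) + parse_device_kv(device)
    return sorted(records, key=lambda r: (r["ts"], r["source"]))


def corroborate(records):
    """Group records by (device, type, instant) and list the sources that report
    each one: agreement across independent sources strengthens the evidence,
    disagreement flags something that must be explained."""
    groups = {}
    for r in records:
        groups.setdefault((r["device"], r["type"], r["ts"]), set()).add(r["source"])
    return groups


if __name__ == "__main__":
    for r in normalize_all():
        print(r["ts"].isoformat(), r["source"], r["device"], r["type"], r["value"])
```

The three sources deliberately disagree on the temperature readings (21.5, 21.6, 21.7), which is realistic: each stage rounds or re-processes the data, so the timeline should record every copy with its origin rather than silently merging them.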
3.2 IoT Preservation forensics challenges
Evidence collected from the scene of a crime should keep its original state and integrity without any modification. This is a well-known principle of digital investigation, and in court procedure is no less important than fact, so any change to the evidence could make it inadmissible. In traditional forensics this is handled by using write-blockers, hash functions, forensic images and so on. In the IoT domain preserving evidence is more difficult and faces more challenges:
1- Sensors play a vital role in IoT operations, and sensors are known to be very sensitive devices, which makes them susceptible to false negative and false positive results; this in turn could make the evidence doubtful in court.
2- Once data is sent to the IoT provider's cloud it is subject to further analysis and changes, which means the original state of the evidence generated at the crime scene has changed.
3.3 IoT analysis forensics challenges
Once the investigator has determined the location, format and storage layout of the evidence, the next step is to extract the evidence from its location, analyze it and interpret it.
1- Most current digital forensics software is not designed to extract data from IoT devices [9].
2- Some IoT devices come with proprietary file systems and software, which adds complexity to extracting and analyzing the evidence.
3.4 IoT presentation forensics challenges
The final phase of a digital investigation is to present the collected evidence and findings in court. The challenge in this phase comes from the variety of Internet of Things devices: while in traditional forensics the evidence and its sources are relatively clear to most jurors, the heterogeneity and complexity of the IoT environment could be difficult for them to understand.
4. IoT Digital Forensics Framework
4.1 1-2-3 Zones and Next-Best-Thing [7]
Combining all the IoT forensics challenges shows that an IoT investigation involves cloud computing, mobile forensics, RFID, virtualization and network forensics, which makes the IoT investigation process somewhat confusing. Moreover, investigating a large number of devices and diverse formats wastes time and resources, so it is important to make the crime scene as clear as possible and to guarantee that forensic practitioners can focus on each area of the crime scene according to its functional nature. The proposed approach divides the crime scene into three zones, Internal network, Middle and External network, shown in Figure ().
1- Internal Zone: this zone contains all the IoT devices found in the area of the crime scene; the investigator should determine which devices are related to the crime and start investigating them.
2- Middle Zone: this zone contains all the devices responsible for supporting communication between the internal and external zones; devices such as firewalls and IDS/IPS should be examined, looking for evidence such as logs and events.
3- External Zone: this zone contains all the hardware, software and services outside the crime scene, such as the IoT cloud service, the ISP and the mobile network.
While this approach makes the investigation process easier and more effective by allowing all zones to be investigated in parallel, or the most important zone to be identified and investigated more intensively, it does not provide solutions for IoT-specific problems such as dealing with proprietary data formats or jurisdictional issues.
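The zone split is easy to apply mechanically once the scene's address space and its infrastructure devices are known. As an added example, not part of the surveyed paper, the code below takes constructed flow records of the kind a capture summary from the scene network would give, assigns every endpoint to the Internal, Middle or External zone, attaches the evidence focus the paper describes for each zone, and lists the flows that cross a zone boundary (where evidence about one event is likely to exist on both sides). All addresses, device roles and flows are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the cloud provider and the mobile network.

```python
"""Partition observed endpoints into the 1-2-3 zones.

Added example, not part of the surveyed papers. All addresses, device roles
and flows are constructed; the public ranges are documentation prefixes.
"""
import ipaddress

# Constructed description of the scene network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
MIDDLE_ROLES = {"192.168.10.1": "gateway/firewall", "192.168.10.2": "IDS sensor"}

# What the paper says each zone holds, so the partition doubles as a to-do list.
EVIDENCE_FOCUS = {
    "internal": "IoT devices at the scene: identify the ones related to the crime",
    "middle": "firewall and IDS/IPS: logs and events",
    "external": "IoT cloud service, ISP, mobile network: provider-held records",
}

# Constructed flow records: (source address, destination address, protocol).
FLOWS = [
    ("192.168.10.21", "192.168.10.1", "mqtt"),    # door sensor -> gateway
    ("192.168.10.22", "192.168.10.1", "coap"),    # camera -> gateway
    ("192.168.10.1", "203.0.113.40", "https"),    # gateway -> IoT cloud
    ("192.168.10.2", "192.168.10.1", "syslog"),   # IDS -> gateway
    ("198.51.100.7", "203.0.113.40", "https"),    # phone on mobile network -> cloud
    ("not-an-address", "203.0.113.40", "https"),  # malformed line from the capture
]


def zone_of(addr):
    """Return 'internal', 'middle' or 'external'; None for unparsable input."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if str(ip) in MIDDLE_ROLES:
        return "middle"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def partition(flows):
    """Map each zone to the endpoints seen in it; records with an address that
    cannot be classified are returned separately for manual review."""
    zones = {"internal": set(), "middle": set(), "external": set()}
    unclassified = []
    for src, dst, proto in flows:
        zs = [zone_of(src), zone_of(dst)]
        if None in zs:
            unclassified.append((src, dst, proto))
            continue
        zones[zs[0]].add(src)
        zones[zs[1]].add(dst)
    return zones, unclassified


def boundary_crossings(flows):
    """Flows whose two ends lie in different zones."""
    return [(s, d, p) for s, d, p in flows
            if zone_of(s) and zone_of(d) and zone_of(s) != zone_of(d)]


def report(flows=FLOWS):
    zones, unclassified = partition(flows)
    lines = [f"{z}: {sorted(zones[z])} -> {EVIDENCE_FOCUS[z]}"
             for z in ("internal", "middle", "external")]
    return lines, unclassified


if __name__ == "__main__":
    lines, unclassified = report()
    print("\n".join(lines))
    print("needs manual review:", unclassified)
    print("zone crossings:", boundary_crossings(FLOWS))
```

The middle-zone inventory is checked before the internal subnet on purpose: a firewall or IDS usually has an address inside the local range, and the paper treats it as a different kind of evidence source (logs and events) from the IoT devices around it.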
The Next-Best-Thing approach can be used side by side with the 1-2-3 zones approach. It assumes that the Internet of Things device containing the evidence has been removed from the crime scene or cannot be accessed; in such situations the investigator looks for the next available source related to the evidence. Deciding what the next best source is remains a subject for further research.
4.2 FAIoT [9]
The proposed approach suggests using a secure repository to store IoT-related evidence. The evidence is categorized into three types, device evidence, network evidence and cloud evidence, which makes the investigation steps easier. The approach consists of three modules: a Secure Evidence Module, a Secure Provenance module and an Access to Collected Clues through API module. The first, the Secure Evidence Module, keeps track of all registered IoT devices and collects and saves evidence in the repository; evidence is stored per IoT device, which allows evidence from multiple devices to be stored. This module uses asymmetric encryption to make sure that only authorized people can access the evidence, and Hadoop is used for the repository. The second module, Secure Provenance, preserves the record of access to the evidence. The last module gives authorized people and law enforcement access to the evidence through read-only APIs, which enable them to retrieve it.
4.3 FSAIoT [10]
In their paper "Forensic state acquisition from internet of things", the authors created a general approach that makes the crime scene clearer by acquiring the state of devices. The proposed approach assumes the existence of a controller used to control and manage IoT devices. Besides its ability to acquire data from IoT devices without changing their state, the controller has integrity features and is capable of recording the data whenever the state of an IoT device changes. The controller comes in three modes: controller to device, controller to cloud and controller to controller. The authors state that there are a couple of limitations to this approach, such as dealing with deleted data and data whose retention period has ended, and the lack of a way to access devices physically, which is required in some cases.
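The two properties that matter in the description above, recording only when state changes and doing so with integrity protection, are the same ones the preservation challenges in section 3.2 ask for. The following is an added example, not code from the FSAIoT paper or from this survey: a minimal controller in "controller to device" mode polls a simulated device read-only, appends an entry only when the observed state differs from the last recorded one, and links each entry to its predecessor with a SHA-256 hash so that editing or deleting any entry afterwards is detectable. The device, its states and the poll timestamps are constructed.

```python
"""Hash-chained acquisition of IoT device state.

Added example, not code from the FSAIoT paper or this survey. The device,
its states and the poll timestamps are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def entry_hash(prev_hash, seq, ts, device, state):
    """Hash a canonical JSON encoding of the fields; sort_keys and fixed
    separators make the encoding independent of dict ordering so that
    verification later is reproducible."""
    payload = json.dumps([prev_hash, seq, ts, device, state],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class StateLog:
    def __init__(self):
        self.entries = []
        self._last = {}  # device -> last recorded state

    def observe(self, ts, device, state):
        """Record `state` for `device` only if it differs from the last one
        recorded. Returns the new entry, or None when nothing changed."""
        if self._last.get(device) == state:
            return None
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "ts": ts, "device": device, "state": state,
                 "prev": prev, "hash": entry_hash(prev, seq, ts, device, state)}
        self.entries.append(entry)
        self._last[device] = state
        return entry

    def verify(self):
        """Index of the first entry whose link or hash is wrong, or -1 if the
        whole chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            ok = (e["prev"] == prev and
                  entry_hash(prev, e["seq"], e["ts"], e["device"], e["state"]) == e["hash"])
            if not ok:
                return i
            prev = e["hash"]
        return -1


# Constructed poll results: (timestamp, device, state as read from the device).
POLLS = [
    (1709324100, "lock-01", {"bolt": "locked", "battery": 91}),
    (1709324160, "lock-01", {"bolt": "locked", "battery": 91}),    # unchanged
    (1709324220, "lock-01", {"bolt": "unlocked", "battery": 91}),  # bolt changed
    (1709324220, "cam-01", {"recording": False}),
    (1709324280, "cam-01", {"recording": True}),                   # changed
    (1709324340, "lock-01", {"bolt": "unlocked", "battery": 90}),  # battery changed
]


def acquire(polls=POLLS):
    """Run the controller over a sequence of read-only polls."""
    log = StateLog()
    for ts, device, state in polls:
        log.observe(ts, device, dict(state))  # copy: the log owns its records
    return log


if __name__ == "__main__":
    log = acquire()
    for e in log.entries:
        print(e["seq"], e["ts"], e["device"], e["state"], e["hash"][:12])
    print("chain intact:", log.verify() == -1)
```

The chain protects against silent modification of the log once it exists; it does not by itself prove who wrote it, so in practice the head hash would be signed or stored out of band by the controller, which is the part the paper attributes to the controller's integrity features.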
4.4 Pre-investigation and real-time approach [11]
This approach proposes two phases to make sure that all evidence is acquired and stored in an acceptable way so that investigators can retrieve it smoothly. The first phase is the pre-investigation phase, which has two sides: a management perspective and a technical perspective. The management perspective discusses the procedures that could facilitate the IoT investigation from a managerial point of view, such as preparing plans and determining the assets needed by investigators. The technical perspective discusses how to interact with the incident and narrow the scope of the evidence and devices included in the investigation by answering the following questions: What/How to identify? What/How to collect? How to preserve? The second phase is to monitor the IoT devices in real time and, if any abnormal activity is detected, automatically start collecting the data identified in the pre-investigation phase.
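The second phase is easiest to understand with the two parts side by side: a detector that decides what "abnormal" means for a sensor stream, and a collection step driven by a plan fixed beforehand. The following is an added example, not the paper's code: a rolling-window z-score detector over a constructed vibration stream, with a flat-baseline guard (a sensor that reports the same value for a long time has zero standard deviation, and a naive z-score would divide by zero), which on an alert immediately fetches and hashes the artefacts the constructed pre-investigation plan lists for that device. Readings, the plan, the artefact sources and their contents are all constructed.

```python
"""Real-time monitoring with automatic evidence collection.

Added example, not code from the paper. Readings, collection plan, artefact
sources and their contents are constructed.
"""
from collections import deque
import hashlib
import statistics

# Constructed pre-investigation plan: which artefacts to collect for which device.
COLLECTION_PLAN = {
    "vib-01": ["device:event_log", "gateway:mqtt_session", "cloud:account_activity"],
}

# Constructed stand-ins for the device, gateway and cloud artefact sources.
ARTEFACT_SOURCES = {
    "device:event_log": b"2024-03-01 20:15 vib-01 shock event\n",
    "gateway:mqtt_session": b"client vib-01 PUBLISH home/vib/state\n",
    "cloud:account_activity": b"owner account: login from new device\n",
}


class Monitor:
    def __init__(self, window=20, threshold=3.0, min_samples=10):
        self.window = window
        self.threshold = threshold
        self.min_samples = min_samples
        self._hist = {}      # device -> recent normal readings
        self.alerts = []     # (ts, device, value)
        self.collected = []  # {"ts", "device", "artefact", "sha256"}

    def ingest(self, ts, device, value):
        """Return True if `value` is anomalous against the device's baseline.
        Anomalous readings are not fed back into the baseline, so a burst of
        unusual values cannot quietly pull the baseline towards itself."""
        hist = self._hist.setdefault(device, deque(maxlen=self.window))
        anomalous = False
        if len(hist) >= self.min_samples:
            mean = statistics.fmean(hist)
            sd = statistics.pstdev(hist)
            if sd == 0:
                # Flat baseline: any departure from the constant counts.
                anomalous = value != mean
            else:
                anomalous = abs(value - mean) / sd > self.threshold
        if anomalous:
            self.alerts.append((ts, device, value))
            self._collect(ts, device)
        else:
            hist.append(value)
        return anomalous

    def _collect(self, ts, device):
        """Fetch every artefact the plan names for the device and hash it on
        arrival so its integrity can be shown later."""
        for artefact in COLLECTION_PLAN.get(device, []):
            data = ARTEFACT_SOURCES.get(artefact, b"")
            self.collected.append({"ts": ts, "device": device, "artefact": artefact,
                                   "sha256": hashlib.sha256(data).hexdigest()})


# Constructed vibration readings: a steady baseline, one shock, back to normal.
STREAM = [(1709324100 + 5 * i, "vib-01", v) for i, v in enumerate(
    [0.50, 0.52, 0.48, 0.51, 0.49, 0.50, 0.53, 0.47, 0.50, 0.51, 0.49, 0.50, 4.90, 0.50])]


def run(stream=STREAM, monitor=None):
    monitor = monitor or Monitor()
    for ts, device, value in stream:
        monitor.ingest(ts, device, value)
    return monitor


if __name__ == "__main__":
    m = run()
    print("alerts:", m.alerts)
    for c in m.collected:
        print(c["artefact"], c["sha256"][:12])
```

Collection is keyed on the device that raised the alert rather than on the alert itself, so the plan can reach across the data path (device, gateway, cloud) that section 2 describes, which is the point of deciding "what to collect" before the incident rather than during it.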
While the approaches mentioned in sections 4.2, 4.3 and 4.4 seem effective and solve some of the challenges mentioned, they are more suitable for medium to large IoT infrastructures; they could be difficult to implement in a small IoT infrastructure such as a smart home because of the relative complexity of deployment.
4.5 Top-Down forensics methodology [12]
This model is designed to fill the gap in current models. It starts with authorization, planning and warrant; after completing these three fundamental stages, the investigator discovers the IoT infrastructure, determines and captures the IoT devices of interest from the selected zone (Figure ()), and then completes the traditional forensic procedures such as chain of custody, analysis, proof and defense.
5. Conclusion and discussion
Our approach is to work side by side with the 1-2-3 zones approach: since that approach divides the IoT environment into three zones, our approach divides the IoT forensics process into three domains: 1) Domain 1, IoT endpoint forensics; 2) Domain 2, network forensics; 3) Domain 3, cloud forensics.
In any IoT environment, events are noticed by one or more sensors. The main role of the sensors is to transmit what they have measured to the IoT controllers, which in turn process the received data, may store it, and then transmit it to the other domains. So the investigator at this stage needs two forensic domains, Domain 1 (IoT endpoint forensics) and Domain 2 (network forensics).
Once the data has been captured and processed by the controller, it travels toward its final destination, the cloud. The media and devices it passes through on that journey belong to the second domain, and since the devices involved in this domain are network devices such as firewalls, switches and routers, the forensic discipline mostly used in this domain is network forensics. The final destination of the data, as previously mentioned, is the cloud, and at this level of the investigation Domain 3 (cloud forensics) is used. Domain 2 (network forensics) and Domain 3 (cloud forensics) have been around for quite some time and much research and many solutions have been developed to cover them; Domain 1 (IoT endpoint forensics) needs more research and development.
The IoT challenges in Domain 1 (endpoint forensics) can be divided into two categories, technical challenges and legal challenges. The key legal challenge is the ability to issue a warrant as soon as possible, and this challenge cannot be solved by traditional means. One idea worth examining is an agreement between the legal authorities and IoT vendors stating that any vendor wishing to deploy IoT devices must agree to make the cloud data related to those devices available, on the basis of an electronic warrant, when the authorities need to investigate it; this in turn would speed up the investigation process.
The main technical challenge related to IoT endpoint forensics is the lack of standards: most IoT devices have their own proprietary interfaces, protocols and file systems, which raises the need to develop tools that can deal with these devices.