IoT forensics

IoT forensics is a branch of digital forensics that has the goal of identifying and extracting digital information from devices belonging to the Internet of things field, using a forensically sound and legally acceptable process.

Overview
Unlike traditional digital forensics approaches, IoT forensics is characterized by a wider range of potential sources of evidence: in addition to the traditional analysis of servers, computers and smartphones, IoT forensics extracts information directly from smart-environment data, including monitoring systems, traffic lights, medical implants, smart home devices and other IoT scenarios.

Moreover, the potential sources of evidence in IoT forensics can be very different in nature from those of common digital forensics use cases: network traffic, cloud data, device logs and other information can be used as evidence if extracted successfully and processed in the correct way.

IoT forensics can be identified as a combination of three separate digital forensics schemes:
 * IoT device level forensics: the process of extracting evidence from the IoT devices themselves (i.e. from the device memory). Many kinds of device can be included in this process: examples are sensors, health implants, smart meters, smart home appliances, smart cameras, networked vehicles, RFIDs, and drones. Because the devices differ in hardware and functionality, device level evidence identification and acquisition is often challenging and not always feasible.
 * Network forensics: the process of identifying and extracting evidence from network logs, device traffic traces and communication patterns. Compared with traditional network investigations, the IoT network forensics branch includes additional network models such as body area networks or personal area networks (e.g. Bluetooth or ZigBee devices). Each type of network needs appropriate forensic methods for the investigation, involving different tools and the appropriate network protocol analysis.
 * Cloud forensics: the process of extracting information from the cloud services used by the devices. Since IoT devices are usually limited in memory, most of the information is stored in proprietary cloud applications that may contain a massive amount of potential evidence (e.g. device activity). Given the amount of information that can be recovered from the different entities involved in the cloud, cloud forensics plays an important role in the IoT forensics domain: system logs, access logs, chat logs, sessions, cookies, user authentication and application data are examples of the information that can be retrieved from the cloud services related to each IoT device.

IoT forensics process
An IoT forensics investigation should be conducted following the standard guidelines so that the collected evidence is admissible in court. The process is analogous to the traditional digital forensics process, but faces challenges caused by the peculiarities of IoT devices. The full process can be split temporally into six phases: evidence identification, evidence collection, evidence preservation, evidence analysis, attack and deficit attribution, and evidence presentation. Each phase of the forensic process may introduce several challenges when applied within the limitations of IoT devices.

Evidence identification and collection
Evidence identification and its subsequent collection are the first phases of any forensic process. Search and seizure is an important step in any forensic examination: in the particular case of IoT forensics, detecting the presence of IoT systems is not always immediate, considering that these devices are usually small and are designed to work passively and autonomously.

Most of the information on IoT devices is usually sent to cloud servers, given the very limited physical memory of the device itself. This brings new challenges for forensic investigators, who sometimes cannot even know where the data is located, as it is distributed among many servers in multiple data centers. Moreover, after the identification step, cloud evidence collection is not always feasible given the different jurisdictions under which the data could be located. The data center locations of cloud service providers are usually distributed in order to reduce costs and increase service efficiency. For this reason a forensic investigator often faces multi-jurisdiction issues during data collection when the information is stored in the cloud.

In the case of network forensics some of the evidence can be collected from network devices like routers or firewalls, but most potential network sources of evidence exist only in flight. For example, network traffic can be captured only at the time it passes through a device processing it. There are devices and procedures for storing network traffic as raw data, but it is impractical to capture and save all network data due to its volume. The privacy and legal issues of data acquisition in network forensics are even larger than in the cloud forensics case, as the network data might include a lot of information that is not related to the legal case in question. Current research in IoT network forensics is working on the development of tools based on the most popular network traffic software (e.g. tcpdump, Wireshark) to extract information from network devices (e.g. Wi-Fi access points), in order to avoid storing the full traffic while still retaining potential evidence for the forensic investigation.
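The following added example (not from the original article) shows the idea behind such tools: packets are reduced to flow metadata and per-device communication patterns, and payloads are never stored. The packet tuples are constructed sample data standing in for what a capture tool would read at a Wi-Fi access point; the IP addresses are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """Metadata kept for one directional flow; payload bytes are never stored."""
    first_seen: float
    last_seen: float
    packets: int = 0
    byte_count: int = 0

# Constructed sample capture: a smart camera (10.0.0.12) uploading to a cloud
# endpoint (203.0.113.5) and querying the local gateway (10.0.0.1).
# Each tuple is (timestamp, src, dst, protocol, length); no payload is kept.
SAMPLE_PACKETS = [
    (1700000000.00, "10.0.0.12", "203.0.113.5", "TCP", 1400),
    (1700000000.05, "203.0.113.5", "10.0.0.12", "TCP", 60),
    (1700000001.10, "10.0.0.12", "10.0.0.1", "UDP", 48),
    (1700000001.12, "10.0.0.1", "10.0.0.12", "UDP", 112),
    (1700000003.00, "10.0.0.12", "203.0.113.5", "TCP", 1400),
]

def summarise_flows(packets):
    """Aggregate packets into flows keyed by (src, dst, protocol)."""
    flows = {}
    for ts, src, dst, proto, length in packets:
        key = (src, dst, proto)
        flow = flows.setdefault(key, Flow(first_seen=ts, last_seen=ts))
        flow.first_seen = min(flow.first_seen, ts)
        flow.last_seen = max(flow.last_seen, ts)
        flow.packets += 1
        flow.byte_count += length
    return flows

def device_activity(flows, device_ip):
    """Communication pattern of one device: peers, bytes out/in, active window."""
    peers, bytes_out, bytes_in = set(), 0, 0
    first, last = None, None
    for (src, dst, _proto), flow in flows.items():
        if device_ip not in (src, dst):
            continue
        peers.add(dst if src == device_ip else src)
        if src == device_ip:
            bytes_out += flow.byte_count
        else:
            bytes_in += flow.byte_count
        first = flow.first_seen if first is None else min(first, flow.first_seen)
        last = flow.last_seen if last is None else max(last, flow.last_seen)
    active = (last - first) if first is not None else 0.0
    return {"peers": sorted(peers), "bytes_out": bytes_out,
            "bytes_in": bytes_in, "active_seconds": active}
```

The flow records are what an investigator would retain as evidence of communication patterns; the raw traffic can then be discarded or stored for a much shorter window.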

At the device level, once the IoT device in question has been identified, the evidence should be extracted from its physical memory. Traditional digital forensics guidelines suggest turning off the evidentiary devices in order to prevent the alteration of data. However, since cloud services have almost entirely replaced the persistent storage (ROM) of IoT devices, most of the information physically present on the device is located in volatile memory such as RAM. Creating an evidence copy of such memory must be done without powering down the device, which goes against traditional best practices and is not always feasible since most of the devices have limited energy capabilities. Moreover, unplugged IoT devices may become inaccessible and need proper reconfiguration before use, thereby modifying system log information and causing the loss of potential evidence. For these reasons the approach to follow in IoT device level forensics is live forensic data acquisition.

Recent research in IoT forensics presents several frameworks and tools that can be used by forensic investigators for the identification and collection of evidence. The majority of the existing tools, however, require a proactive process (i.e. installing software in advance) and are thus not always usable for forensic investigations, unless they have been set up before the crime occurs.

Evidence preservation
After the evidence identification and its subsequent collection, the forensic investigator should preserve the gathered data and guarantee its integrity during the full process from right after the collection to the final presentation.

While preserving data using proper techniques (e.g. hashing) is feasible in traditional digital forensics, it represents a hard challenge and needs particular attention in IoT environments. Autonomous interactions between the different devices make it harder to identify the scope of a compromise and the boundaries of a crime scene.

IoT forensics evidence preservation requires modern and distributed techniques to preserve the collected evidence and avoid its corruption. For this reason current research focuses on applying blockchain solutions to the evidence preservation phase, so as to store the evidence in distributed nodes in the network and resist attacks on its integrity.
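As an added illustration of the hashing and chaining these approaches build on (example code, not from the original article or any named framework), the block below keeps a hash-chained chain-of-custody log for one evidence item and verifies it. Each entry records the SHA-256 of the evidence and the hash of the previous entry, so editing the evidence, editing an entry, or dropping an entry is detected; replicating such a log across nodes is what the blockchain proposals add. The evidence bytes, custodian names and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first custody entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry: dict) -> str:
    """Hash of an entry's fields in canonical JSON, so key order cannot matter."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(log: list, evidence: bytes, action: str, actor: str, ts: str) -> dict:
    """Record a custody event, linking it to the previous entry's hash."""
    entry = {
        "ts": ts,
        "actor": actor,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_chain(log: list, evidence: bytes) -> bool:
    """True only if every link is intact and the evidence still hashes as recorded."""
    expected_prev = GENESIS
    current = sha256_hex(evidence)
    for entry in log:
        if entry["prev_hash"] != expected_prev:
            return False          # an entry was removed, reordered or inserted
        if entry["entry_hash"] != entry_digest(entry):
            return False          # an entry's fields were edited after being recorded
        if entry["evidence_sha256"] != current:
            return False          # the evidence itself no longer matches
        expected_prev = entry["entry_hash"]
    return bool(log)

# Constructed sample: a small RAM dump acquired live from a device and handed over.
SAMPLE_EVIDENCE = b"constructed live RAM acquisition of a smart meter"

def build_sample_log(evidence: bytes = SAMPLE_EVIDENCE) -> list:
    log = []
    append_entry(log, evidence, "acquired", "investigator-A", "2024-01-01T10:00:00Z")
    append_entry(log, evidence, "transferred", "lab-B", "2024-01-01T12:30:00Z")
    return log
```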

Evidence analysis and attack attribution
This phase involves all the analysis steps required by the investigators, who should process and connect all the collected evidence in order to reach an outcome for the investigation. In the case of IoT evidence, the large volume of data usually collected in the acquisition phase makes it almost impossible to provide an end-to-end analysis of the evidence. Moreover, the majority of IoT devices in the network do not store any metadata, including temporal information such as creation or modification times. This makes it even harder to verify the provenance and ensure the integrity of the collected data.

In the particular case of IoT device physical memory analysis, several tools can be used by electronically connecting to the devices.

Current research trends in network forensics, in the particular case of IoT forensics, involve the application of artificial intelligence and machine learning techniques to deal with the massive amount of data that can be extracted from device network traffic traces.

In the attack and deficit attribution phase, the evidence collected and analysed is summarized to lead to the final outcome of the investigation. In traditional digital forensics the sources of evidence involved are usually personal devices, which lead to a restricted number of suspects. The same does not hold for IoT forensics evidence which, especially when extracted from the cloud, can be located on physical servers accessed by multiple users at the same time.

Evidence presentation
The last phase of any forensic investigation process is the final presentation of the collected and analysed evidence in front of the court. IoT forensics evidence presentation is not as simple as in traditional forensic cases, in particular because of the difficulty of finding a proper human-readable representation of evidence that is usually in abstract form. Depending on the legal system, it may be necessary to present the collected evidence to jurors in the courtroom who most probably have very restricted knowledge of network or cloud forensics, often based on their personal experience with IoT devices. This introduces challenges for the investigator organizing the evidence, who must produce an evidence report that is easily understandable by non-experts. The investigator should moreover pay particular attention in the processing phase, especially when using analytic functions, because the procedure could modify the structure of the data and alter its meaning, hence invalidating the full process.

IoT forensics vs. security
IoT forensics should not be confused with IoT security. IoT forensics is concerned with finding evidence for forensic purposes: the evidence is not always related to attacks on IoT devices or to their security, but can be used for proving or disproving a traditional crime (e.g. a person detected in a room through IoT device evidence). IoT security, on the other hand, is concerned with the risks related to the presence of IoT devices and the attacks that may target them: it protects the devices from external attacks and prevents the devices from performing attacks on other entities.