Digital forensic investigation of IoT devices: tools and methods


Bibliographic details
Main author: Wu, T
Other authors: Martin, A
Format: Thesis
Language: English
Published: 2020
Subjects:
_version_ 1826281255282409472
author Wu, T
author2 Martin, A
author_facet Martin, A
Wu, T
author_sort Wu, T
collection OXFORD
description Consumer IoT devices are becoming omnipresent in our homes, traces generated by their continuous interactions creating a rich source of evidence, useful to forensic investigations in various types of offences. However, existing research in IoT forensics has mainly focused on theoretical frameworks, as current tools and methods do not support newer IoT devices. In this thesis, we focused on developing practical generic solutions to improve the IoT forensic investigative process.

As a first step, we undertook an online survey of the digital forensic community (n = 70) on their interpretation of a definition for IoT forensics and a roadmap for future research. We developed a unified understanding of the various terms used and drew a definite conclusion about the IoT technology and its subdomains in IoT forensics. Participants highlighted that research should focus on IoT forensic tools and data acquisition. As a result, we developed a generic acquisition method for smart healthcare devices and leveraged the use of Bluetooth Low Energy (BLE). We demonstrated the feasibility of this method by acquiring health-related traces from smart healthcare devices and the usefulness of these traces for forensic investigations, e.g., establishing a historical profile of the user's health.

We dissected the lack of IoT forensic tool development further, through a systematic literature review of ~800 articles on the shortcomings of research-based digital forensic tools. We found the requirement for an IoT device identification approach. Consequently, we proposed a generic identification approach that used machine learning and unique features extracted from the network packet. This created a unique "fingerprint", so forensic investigators can uniquely identify the device-type on the network without relying on traditional identifiers. Drawing upon findings from our previous studies, we developed and evaluated an automated IoT network analysis tool. Through a study of 32 IoT consumer devices, we analysed the network traffic metadata and showed its usefulness for forensic investigations. The results showed many devices used encryption, but smart cameras and smart healthcare devices were prone to sending unencrypted content. Finally, we found most IoT traffic was being sent to the U.S.

Overall, our research has novelty, in that we developed an identification approach, acquisition method and a network analysis tool that can obtain traces from multiple consumer IoT devices. As the IoT expands, it is crucial we develop tools that can support the new devices coming on the market.
first_indexed 2024-03-07T00:26:03Z
format Thesis
id oxford-uuid:7e2a4b13-9dfc-4698-884c-26d8c236f074
institution University of Oxford
language English
last_indexed 2024-03-07T00:26:03Z
publishDate 2020
record_format dspace
spelling oxford-uuid:7e2a4b13-9dfc-4698-884c-26d8c236f074 2022-03-26T21:08:33Z Digital forensic investigation of IoT devices: tools and methods Thesis http://purl.org/coar/resource_type/c_db06 uuid:7e2a4b13-9dfc-4698-884c-26d8c236f074 Identifying IoT Devices on the Network; Network Traffic Analysis of Consumer IoT Devices; Digital Forensic Investigation of Consumer IoT Devices English Hyrax Deposit 2020 Wu, T; Martin, A (abstract as in the description field above)
spellingShingle Identifying IoT Devices on the Network
Network Traffic Analysis of Consumer IoT Devices
Digital Forensic Investigation of Consumer IoT Devices
Wu, T
Digital forensic investigation of IoT devices: tools and methods
title Digital forensic investigation of IoT devices: tools and methods
title_full Digital forensic investigation of IoT devices: tools and methods
title_fullStr Digital forensic investigation of IoT devices: tools and methods
title_full_unstemmed Digital forensic investigation of IoT devices: tools and methods
title_short Digital forensic investigation of IoT devices: tools and methods
title_sort digital forensic investigation of iot devices tools and methods
topic Identifying IoT Devices on the Network
Network Traffic Analysis of Consumer IoT Devices
Digital Forensic Investigation of Consumer IoT Devices
work_keys_str_mv AT wut digitalforensicinvestigationofiotdevicestoolsandmethods