Internet of Things Forensics: Challenges and Case Study
Abstract Today is the era of the Internet of Things (IoT): millions of machines such as cars, smoke detectors, watches, glasses, webcams, etc. are being connected to the Internet. The number of machines that can be accessed remotely to monitor and collect data is continuously increasing. On the one hand, this development makes human life more comfortable and convenient, but on the other hand it raises issues of security and privacy. It also raises challenges for the digital investigator when IoT devices are involved in crime scenes. Indeed, current research in the literature focuses on security and privacy for IoT environments rather than on methods or techniques for the forensic acquisition and analysis of IoT devices. Therefore, in this paper we first discuss different aspects related to IoT forensics and then focus on the current challenges. We also describe forensic approaches for an IoT device, a smartwatch, as a case study. We analyze forensic artifacts retrieved from smartwatch devices and discuss the evidence found in the light of the challenges in IoT forensics.
1. Introduction
The Internet of Things (IoT) is a new technological revolution that enables small devices to act as smart objects. These devices are connected with each other by different network media types, and the result of these communications is returned to the sensors as an appropriate decision. The goal of IoT is to make lives more convenient and dynamic. For instance, cars can drive themselves, the smart light turns off when there is no one in the room, the air conditioner turns on when the room temperature goes be-
the real-world application, it causes some challenges for forensic examiners, including but not limited to the location of data and the heterogeneous nature of IoT devices, such as differences in operating systems and communication standards [6]. Current research in the literature focuses on IoT security and privacy; however, some important aspects, such as incident response and forensic investigations, have not been covered sufficiently. Therefore, this paper puts the spotlight on these aspects. We discuss IoT forensics, how it differs from traditional forensics, and what the challenges of IoT forensics are. We also describe the forensic acquisition of a smartwatch, an IoT device, as a case study. The rest of the paper is organized as follows: Section 2 shows the difference between traditional forensics and IoT forensics. We then discuss IoT forensics challenges in Section 3. We present our forensic acquisition and analysis of the Apple Smart Watch in Section 4. Finally, we conclude and show future work in Section 5.
3. IoT Forensics
IoT technology is a combination of many technology zones: the IoT zone, the network zone and the cloud zone. These zones can be the source of IoT
identifying and finding the IoT devices at the crime scene. The device could be turned off because it ran out of battery, which makes it very difficult to find, especially if the IoT device is very small, in a hidden place or looks like a traditional device. Carrying the device to the lab and finding a space for it could be another challenge the investigator faces, depending on the device type. In addition, extracting the evidence from these devices is considered another IoT challenge, as most manufacturers adopt different platforms, operating systems and hardware. One example is CCTV forensics [20], where CCTV manufacturers applied different file system formats in their devices. Properly retrieving artifacts from CCTV storage devices is still a challenge. We also showed in [21] a new approach to carve deleted video footprints from a proprietary designed file storage system.
Data Format The format of the data generated by IoT devices does not match what is saved in the cloud. In addition, users have no direct access to their data, and the data is presented in a different format than the one in which it is stored. Moreover, data could be processed using analytic functions in different places before being stored in the cloud. Hence, in order to be accepted in a court of law, the data should be returned to its original format before performing analysis [7].
to find a method to work around barriers and come up with a new tool for IoT investigation that can be approved by a court of law and achieve the investigators' goals [12].
Nike Plus GPS: The Nike Plus GPS app contains a folder com.apple.watchconnectivity. The path is /Applications/com.nike.nikeplus-gps/Documents/inbox/. There is a folder named 71F6BCC0-56BD-4B4s-A74A-C1BA900719FB. This indicates the use of an Apple Watch. The main database in the Nike Plus GPS application is activityStore.db in the path /Applications/com.nike.nikeplus-gps/Documents/. ActivityStore.db contains an activity overview, lastContiguosActivity, metrics, summaryMetrics and tags, which are highly relevant for the investigation.
GPS Data: The GPS data found in the tables metrics and tags is shown in detail below. Longitudes and latitudes are generated by the Nike Plus application and saved into the tables together with a related timestamp.
Alabdulsalam, et al. 9
Based on this information, we can create a map of the GPS data in Google Maps (2).
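As an added illustration of that step (this is not code from the paper), the following Python script pulls the GPS points for one activity out of a copy of activityStore.db in timestamp order, hashes the file before and after analysis so the evidence copy can be shown to be unchanged, opens the database read-only, and emits a GeoJSON LineString that a mapping tool can import. The layout of the metrics table (activity_id, timestamp, latitude, longitude columns), the activity identifiers and every row are constructed assumptions; the real schema must be checked against sqlite_master on the seized database before the query is trusted.

```python
"""Extract a GPS track from a Nike+ activityStore.db-style SQLite file.

Added example, not code from the paper.  The table layout used here
(a `metrics` table with activity_id, timestamp, latitude, longitude) is
a constructed assumption: the paper only says the metrics and tags tables
hold longitudes, latitudes and timestamps, so inspect `sqlite_master` on a
real image and adapt the query before relying on it.
"""
import hashlib
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def create_sample_db(path):
    """Write a constructed sample database; stands in for a seized copy."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE metrics (activity_id TEXT, timestamp REAL, "
        "latitude REAL, longitude REAL)"
    )
    rows = [  # constructed points, stored out of order, one fix missing
        ("act-1", 1501574460.0, 53.3438, -6.2546),
        ("act-1", 1501574400.0, 53.3436, -6.2550),
        ("act-1", 1501574520.0, None, None),        # no fix: must be skipped
        ("act-1", 1501574580.0, 53.3441, -6.2540),
        ("act-2", 1501660800.0, 53.3500, -6.2600),  # a different activity
    ]
    conn.executemany("INSERT INTO metrics VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    conn.close()


def sha256_file(path):
    """Hash the evidence file so it can be shown unchanged after analysis."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_track(path, activity_id):
    """Return [(iso_utc_time, lat, lon), ...] ordered by time.

    The database is opened read-only through a URI so the analysis tool
    cannot alter the evidence copy; rows without a fix are dropped.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        cur = conn.execute(
            "SELECT timestamp, latitude, longitude FROM metrics "
            "WHERE activity_id = ? AND latitude IS NOT NULL "
            "AND longitude IS NOT NULL ORDER BY timestamp",
            (activity_id,),
        )
        track = []
        for ts, lat, lon in cur:
            when = datetime.fromtimestamp(ts, tz=timezone.utc)
            track.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), lat, lon))
        return track
    finally:
        conn.close()


def to_geojson(track):
    """Build a GeoJSON LineString (lon, lat order) importable into a map."""
    return {
        "type": "Feature",
        "geometry": {
            "type": "LineString",
            "coordinates": [[lon, lat] for _, lat, lon in track],
        },
        "properties": {"timestamps": [t for t, _, _ in track]},
    }


def run_demo():
    """Create the sample db in a temp dir and run the whole pipeline."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "activityStore.db")
        create_sample_db(db)
        before = sha256_file(db)
        track = extract_track(db, "act-1")
        after = sha256_file(db)
    return {"track": track, "unchanged": before == after,
            "geojson": to_geojson(track)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real copy, replace create_sample_db with the acquired file and keep the before/after hash in the case notes; GeoJSON uses longitude-first coordinate order, which is the usual source of plotting mistakes when points are copied into a map by hand.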
Email Reading e-mails on the watch works in the same way as reading iMessages and text messages. When the iPhone is powered off, mails can still be received, opened and sent, simply and independently of the iPhone. After putting the Apple Watch in flight mode, as can be seen from the plane icon, mails can still be read.
Contacts and Phone Contacts are also saved on the watch independently of the status of the iPhone. The phone can be turned off and the watch can be disconnected from all networks, but the contacts remain on the watch. All contacts can be displayed with all the contact details saved on the iPhone. The phone application also contains a call log and the favorites list. Even when the iPhone is powered off and the watch is in flight mode, the investigator has the possibility to see all voicemails and listen to them. Additionally, the originating phone number and the date and time of the incoming voicemail are displayed. After clicking the play button, the voicemail is played.
References
takes-down-east-coast-netflix-spotify-twitter/92507806/ [Accessed August 2017]
[4] FDA (2017). Safety Communications - Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication, 2017.
[5] Popken, B. (2017). Hacked Home Devices Can Spy On You - NBC News, Oct 26 2017. [Online]. Available: https://www.nbcnews.com/tech/security/hacked-home-devices-can-spy-you-n814671.
[6] Perumal, S., Norwawi, N. M., & Raman, V. (2015). Internet of Things (IoT) digital forensic investigation model: Top-down forensic approach methodology. In 2015 Fifth International Conference on Digital Information Processing and Communications (ICDIPC) (pp. 19-23). IEEE. https://doi.org/10.1109/ICDIPC.2015.7323000
[7] Oriwoh, E., Jazani, D., Epiphaniou, G., & Sant, P. (2013a). Internet of Things Forensics: Challenges and Approaches. In Proceedings of the 9th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing. ICST. https://doi.org/10.4108/icst.collaboratecom.2013.254159
[8] Ruan, K., Carthy, J., Kechadi, T., Crosbie, M. (2011). Cloud Forensics. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics VII, Volume 361 of the series IFIP Advances in Information and Communication Technology, Springer, Berlin, Heidelberg.
[9] Edington Alex, R. M., & Kishore, R. (2017). Forensics framework for Cloud computing. Computers and Electrical Engineering, 60, 193-205. https://doi.org/10.1016/j.compeleceng.2017.02.006
[10] Dykstra, J., & Sherman, A. T. (2011). Understanding issues in Cloud Forensics: Two Hypothetical Case Studies. Proceedings of the Conference on Digital Forensics, Security and Law, 2011, pp. 45-54.
[11] Joshi, R. C., Pilli, Emmanuel S. (2016). Fundamentals of Network Forensics, Springer-Verlag London, 2016.
[12] Kebande & Ray (2004). Network traffic as a source of evidence: tool strengths, weaknesses, and future needs, Digital Investigation, vol. 1, pp. 28-43, 2004.
[13] Morrison, L., Read, H., Xynos, K., Sutherland, I. (2017). Forensic Evaluation of an Amazon Fire TV Stick. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII, Volume 511 of the series IFIP Advances in Information and Communication Technology, pp. 63-379, Springer, Berlin, Heidelberg.
[14] Liu, C., Singhal, A., Wijesekera, D. (2017). Identifying Evidence for Cloud Forensic Analysis. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIII, 410 of the series IFIP Advances in Information and Communication Technology, pp. 111-130, Springer, Berlin, Heidelberg.
[15] Edward, E. (2017). US supreme court to hear appeal in Microsoft warrant case, The Irish Times, 2017. [Online]. Available: https://www.irishtimes.com/business/technology/us-supreme-court-to-hear-appeal-in-microsoft-warrant-case-1.3257825.
[16] Hegarty, R. C., Lamb, D. J., & Attwood, A. (2014). Digital Evidence Challenges in the Internet of Things. Proceedings of the Tenth International Network Conference (INC 2014), 163-172.
[17] O'Shaughnessy, S., Keane, A. (2013). Impact of Cloud Computing on Digital Forensic Investigations. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX, Volume 410 of the series IFIP Advances in Information and Communication Technology, pp. 291-303, Springer, Berlin, Heidelberg.
[18] Ryder, S., Le-Khac, N-A. (2016). The End of Effective Law Enforcement in the Cloud? To encrypt, or not to encrypt, 9th IEEE International Conference on Cloud Computing, San Francisco, CA, USA, June 2016.
[19] Lillis, D., Becker, B., O'Sullivan, T., & Scanlon, M. (2016). Current Challenges and Future Research Areas for Digital Forensic Investigation. Retrieved from http://arxiv.org/abs/1604.03850 [Accessed August 2017]
[20] Ariffin, A., Slay, J., Choo, K-K. (2013). Data Recovery from Proprietary Formatted CCTV Hard Disks. Chapter in Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX, Volume 410 of the series IFIP Advances in Information and Communication Technology, pp. 213-223, Springer, Berlin, Heidelberg.
[21] Richard, G., Le-Khac, N-A., Scanlon, M., Kechadi, M-T. (2016). Analytical Approach to the Recovery of Data from CCTV File Systems, The 15th European Conference on Cyber Warfare and Security, Munich, Germany, July 2016.
[22] MacRumors, Juli Clover (2015). https://www.macrumors.com/2015/04/23/applewatch-diagnostic-port-confirmed/ [Accessed August 2017]