FORENSIC SCIENCE

— The application of science and technology to investigate and establish facts of interest
to criminal or civil courts of law. For example
o DNA analysis
o Trace evidence analysis
— Implies the use of scientific methodology to collect and analyse evidence. e.g.
o Statistics
o Logical reasoning
o Experiments
— Fictional character developed by author Sir Arthur Conan Doyle
— First to apply forensic techniques, e.g., serology, fingerprinting, firearm identification,
and questioned document examination
— All of this – from fiction – before accepted by real-life criminal investigations
DIGITAL FORENSICS
— A branch of the traditional forensics science
— Include the recovery and investigation of material found in digital devices, often in
relation to computer crime
— Originally used as a synonym for computer forensics but has expanded to cover
investigation of all devices capable of storing digital data
— Aim to deal with the identification, collection, recovery, analysis and preservation
of digital evidence, found on various types of electronic devices
DIGITAL FORENSICS VS TRADITIONAL FORENSICS SCIENCE

FORENSIC INVESTIGATION PROCESS

DIGITAL FORENSIC INVESTIGATION PROCESS
— Collection: identify and collect all relevant digital evidences
— Examination: extract information from the collected evidences
— Analysis: analyse the results obtained from the examination
— Reporting: report all relevant information obtained from all previous steps
CASE STUDY: WEARABLE SENSORS
— Scenario: Connie Dabate was murdered in her home in 2015
— According to his arrest warrant, her husband Richard provided an elaborate explanation
of the day’s events, claiming that he returned home after receiving an alarm alert.
— Richard went on to claim that, upon entering his house, he was immobilized and
tortured by an intruder.
— He told police that the intruder then shot and killed Connie when she returned home
from the gym.
— Relying on evidence collected from Connie’s Fitbit, police were able to show that she
had been in the house at the time Richard said she was at the gym.
— According to the Fitbit’s data, Connie stopped moving one minute before the home
alarm went off.
DIGITAL FORENSIC INVESTIGATION PROCESS
— Collection: Fitbit
— Examination: Extract information from the Fitbit, e.g., GPS, distance travelled, steps
taken, sleep time and heart rate, etc.
— Analysis: Analyse the information obtained from the examination, e.g., when she
arrived home? when she stopped moving? etc.
— Reporting: Report all relevant information, e.g., device, extracted information, and
analysis results.
CASE STUDY: WEARABLE SENSORS
— Digital Forensic: Wearable devices like Fitbits monitor location via GPS and activities
like distance travelled, steps taken, sleep time and heart rate.
— The devices are configured to synchronize data to applications on smartphones and
personal computers or to cloud or social media sites.
 — Evidentiary collections can be made from either of these sources using standard digital
forensics tools and techniques.
IoT FORENSIC
— A branch of Digital Forensics which focuses on dealing with criminal incidents in IoT
infrastructure.
— Typically, a IoT forensic can be considered to be a combination of three digital
forensics schemes: device level forensic, network forensic and cloud forensic.

IoT FORENSIC: A CASE STUDY

— Alice is suffering from high blood sugar and she always wears a blood sugar monitor
device.
— At her home, there are other smart devices, such as heating system, television,
refrigerator, intelligent medicine dispenser, car, etc.
— All of these devices are connected with the Internet and are controllable from Alice’s
mobile device.
— Alice also works in a hospital, where there are thousands of health care related IoT
devices and the hospital allows its employees to connect their smart devices with the
hospital’s network.
— Mallory creates an intelligent malware to collect data from the smart health care
devices.
— First, it infects Alice’s smart refrigerator, gets connected with the Alice’s blood sugar
monitor through the shared network, and finally, infects the blood sugar monitor.
— Later, when Alice goes to the hospital for work, the malware searches for other devices
which shares the same network as the blood sugar monitor.
— In this way, Mallory is able to infect hundreds of smart health care devices located in
the hospital and steals confidential electronic medical records (EMR).
— When the data breach gets identified, Bob, a forensics investigator is assigned to
investigate the case.
 — The number and variety of IoT devices available at the hospital will make Bob’s
investigation very challenging.
— Bob needs to execute device level forensics for all the available devices.
— Later, he needs to investigate network logs for all the devices to identify the source of
infection.
— This will not only includes the smart health care devices but also the smart mobile
device that the health care professionals generally bring everyday.

IoT FORENSIC CHALLENGES

— Data Location
— Device Type
— Data Extraction
— Data Format
— Data Loss
IoT FORENSIC CHALLENGES – DATA LOCATION
— Data Location: IoT Data could spread across different location.
o IoT data could be stored in the cloud, smart devices and even stored in a third
party.
o The data might be stored in different regions, countries and mixed with the data
of others which can invoke different countries regulation.
o Thus, identification of all the evidence location of considered to be one of the
biggest challenge investigations face.
IoT FORENSIC CHALLENGES – DATA TYPE
— Data Type: In the traditional digital forensics, investigators usually identify a computer
system or appliance as a source to acquire evidence but in the IoT forensics, evidence
sources could vary across all devices.
o It could be a smart television or a smart refrigerator, which could lead to
challenges when it comes to identifying and finding the IoT device to acquire
from in a crime scene.
o Some of this device could be very tiny and mistakenly overlooked or it could be
very large, carrying such large device to the lab for acquisition could be another
challenge for the investigators in terms of creating space
IoT FORENSIC CHALLENGES – DATA EXTRACTION
— Data Extraction: In traditional forensic, most devices adopted similar operation
system, hardware etc. However, in IoT forensics, most device manufacturers use
different platforms, operating system, and hardware
o Extracting evidence from this device could be another challenge for the
investigators
IoT FORENSIC CHALLENGES – DATA FORMAT
— Data Format: IoT forensic, the data are usually of different formats, the data
generated by the IoT device might be different from what is stored in the cloud
 o In order to have a standardized analysis, the data needs to be returned to its
original format before analysis can be carried out.
o Due to the limited security in IoT devices, evidence could be modified or
deleted. Which could make the evidence not admissive to the court.
IoT FORENSIC CHALLENGES – DATA LOSS
— Data Loss: Due to the limitation of storage in IoT devices, the lifespan of data is short,
and data could be easily overwritten. Which could result to the possibility of evidences
being lost.
o Transferring the data to another device such as the local gateway or cloud could
be an easy solution to this challenge, but it presents a challenge of its own,
which involves securing a chain of custody and proving that the evidences was
not modified during transfer
IoT FORENSIC CHALLENGES – CASE STUDY
— Alice is suffering from high blood sugar and she always wears a blood sugar monitor
device.
— At her home, there are other smart devices, such as heating system, television,
refrigerator, intelligent medicine dispenser, car, etc.
— All of these devices are connected with the Internet and are controllable from Alice’s
mobile device.
— Alice also works in a hospital, where there are thousands of health care related IoT
devices and the hospital allows its employees to connect their smart devices with the
hospital’s network.

CLASSIFICATION OF IoT ATTACKS

IoT FORENSIC APPROACHES
— 1-2-3 Zones approach [1]
— FAIoT: Forensic-aware approach [2]
— DFIF-IoT: Digital Forensic Investigation Framework for IoT [3]
1-2-3 ZONES APPROACH
 — Advantages:
o Reduce complexity of investigation in IoT environments, especially in very
large IoT networks
o Investigators can work in parallel to speed up the investigation process.
— Disadvantages:
o Diverse, no structure, lack of consistence and focus

THE NEXT-BEST-THINGS TRIAGE MODEL

— This model was introduced to assist in determining the potential sources of evidence.
— This is a process of examining problems in order to decide which ones are the most
serious and must be dealt with first.
— In addition, devices (and any original evidence stored on them) could become
unavailable, compromised due to theft, destruction, moving or tampering.
— This model allows investigators to recognize other elements of the IoT ecosystem that
are related to original device in question.
FAIoT: FORENSIC-AWARE APPROACH
— Since the IoT infrastructure is highly distributed and there is no standardization among
the devices, we propose a centralized trusted evidence repository in the FAIoT to ease
the process of evidence collection and analysis.
— The evidence repository will also apply the secure logging scheme to ensure the
reliability of the evidence
— Secure Evidence Preservation Module: This module will constantly monitor all the
registered IoT devices and store evidence securely in the evidence repository.
— Secure Provenance Module: This module ensures the proper chain of custody of the
evidence by preserving the access history of the evidence.
— Access to Evidence Through API: Proposed to provide secure read - only APIs to law
enforcement agencies.

— Key idea: using a centralized trusted evidence repository that incorporates a Secure
Evidence Preservation Module, a Secure Provenance Module and a read-only API for
the investigators to access.
— In this model, the acquisition of evidence is performed live (in real time) as part of the
normal operation of a collection of IoT devices.
— Advantage: Potential ability to correlate multiple types of evidence from different
zones using the centralized data store.
— Limitation: This is a research model that has not yet tested in practice
DFIF-IoT
— DFIF-IoT: Digital Forensic Investigation Framework for IoT
— Provides a holistic approach that covers proactive (readiness) and reactive
(investigation) processes in line with international standards.
— Advantage:
o Improving readiness
o Comply with international standards
o Promote standardisation

CONCEPTUAL DIGITAL FORENSIC PROCESS MODELS FOR IoT

IoT FORENSIC TOOLS
— Computer Aided Investigative Environment (CAINE): a professional open source
forensic platform that integrates software tools as modules along with powerful scripts
in a graphical interface environment.
— Its operational environment was designed with the intent to provide the forensic
professional all the tools required to perform the digital forensic investigate process
(preservation, collection, examination and analysis).

— EnCase is the shared technology within a suite of digital investigations products by

Guidance Software (now acquired by OpenText).
— The software comes in several products designed for forensic, cyber security, security
analytics, and e-discovery use.
— Encase is traditionally used in forensics to recover evidence from seized hard drives.
— Encase allows the investigator to conduct in depth analysis of user files to collect
evidence such as documents, pictures, internet history and Windows Registry
information.

— Wireshark: mostly used for network forensics analysis. But, the limitation is that it
does not work well with the large network data.
— Bulk Extractor: helps to scan extract information, e.g., card numbers, email addresses,
web addresses, and telephone numbers from the disk images and directory files.
— NUIX: is used to scan a massive amount of data and processes which leads to extract
the useful information later on used for the analysis purposes
— RegRipper: is mainly utilized to scan the Windows registry files.
 — Magnet IEF: is used to scan the Internet history, chat history, and operating systems.
— NetAnalysis: helps to scan the forensic images and data associate with the Internet
history
— Pajek64: helps to analyse a large amount of network-related data.
EnCase FORENSIC IMAGER BUFFER OVERFLOW VULNERABILITY

IoT FORESNIC MARKETS

— FireEye is the leading company that provides hardware, software, and services to
malware.
— Exploit specific IoT devices including smart home systems and industrial control
systems.
— In 2014, FireEye acquired Mandiant, a prominent cyber forensic company
— After this acquisition, FireEye started providing digital forensics investigation and
incident response as a service.
DIGITAL FORENSIC EXAMINER – JOBS
OTHER COMPANIES
— CYFOR (cyfor.co.uk): a service company based on the UK, well-known for mobile
forensic.
— Guidance Software (guidancesoftware.com): leading company in developing software
on digital forensics.
— AccessData (accessdata.com): leading company in providing forensic software.
— Cellebrite (cellebrite.com): develop devices that perform data extraction, transfer, and
analysis for mobile platforms.
— Oxygen Forensics Detective (oxygen-forensic.com): provide digital investigations on
Amazon Alexa, Google Home and extract GPS locations from drones.
— Paraben Corporation (paraben.com): provide IoT forensic training, software forensics
and many digital forensic hardware
— MSAB (msab.com): extract, decode, and view data from leading drone models.
 — Magnet (magnetforensics.com): provides all services related to analyse smartphones,
cloud and IoT services.
DFRWS
— Digital Forensic Research Workshop (DFRWS): this is a non-profit organization that
provides many useful information related to digital forensics worldwide such as
conferences, blogs, opportunities, etc
SUMMARY
— Forensic Science
— Digital Forensic
o Digital Forensic Process
o Digital Forensic Approaches
o Digital Forensic Tools
o Digital Forensic Market