IoT Security Lecture 1 Notes

Uploaded by Shivend Menon

APPLICATIONS OF IoT

IoT FOR SMART HOME

TRUE SMART LIFE SMART CITY


IoT PREDICTION BY IT RESEARCH AGENCY

IoT REVENUES

ISSUES IN IoT
IoT CYBERSECURITY MARKET

CYBERSECURITY CONSEQUENCES
— A small flood control dam 20 miles north of New York City was hacked in 2013. The
attacker would have been able to control the sluices but for their being taken off-line for
maintenance.
— From 2008 through 2010, the Stuxnet virus destroyed approximately 20% of Iran’s
centrifuges used to make nuclear materials.
— In 2014 the ‘Energetic Bear’ virus was discovered in over 1,000 energy firms in 84
countries. The virus was used for industrial espionage and, because it infected
industrial control systems in the affected facilities, it could have been used to damage
those facilities, including wind turbines, strategic gas pipeline pressurisation and
transfer stations, LNG port facilities, and electric generation power plants
— An attack on the Ukraine power grid in December 2015. This was a multistage,
multisite attack that disconnected seven 110kV and three 35kV substations and resulted
in a power outage for 80,000 people for three hours
— The Lloyd’s study estimated that a cyberattack on 50 generators in the US Northeast
Electrical Distributors could cut power to 93 million people and result in $243 billion
to $1 trillion USD in economic losses, and $21 billion to $71 billion US in insurance
claims
“SMART” CITY

SECURITY ISSUES IN IoT


— When IoT devices are connected to the cyber world, cybersecurity risk becomes a key
concern, because open systems with IP addresses create more avenues for cyberattacks
— IoT devices are characterised by low capabilities in terms of both energy and
computing resources, and thus they cannot implement complex schemes supporting
security
— IoT communications are mostly wireless, and wireless links are less secure than traditional
computer networks

SOURCES OF THREATS
— Malicious Users: by uncovering the flaws in the system, malicious users are able to
obtain information, sell secrets to third parties, or even attack similar systems
— Malicious Manufacturers: malicious manufacturers can deliberately make security
holes in their IoT products to be exploited in the future for accessing the user’s data and
exposing it to third parties
— External Adversary: an adversary would try to perform cyberattacks to gain
information about the users of an IoT system for malicious purposes such as causing
financial damage and undermining user’s credibility
BLOOMBERG BUSINESSWEEK
1. A unit designed and manufactured microchips as small as a sharpened pencil tip.
Some of the chips were built to look like signal conditioning couplers, and they
incorporated memory, networking capability, and sufficient processing power for an
attack
2. The microchips were inserted at factories that supplied Supermicro
3. The compromised motherboards were built into servers assembled by Supermicro
4. The sabotaged servers made their way inside data centres operated by dozens of
companies

IoT ARCHITECTURE
PERCEPTION LAYER
— Layer consists of various sensors such as infrared, RFID, ZigBee, and other smart
devices for gathering information about the surroundings, such as humidity, temperature, pH
level, pressure, force, etc

POTENTIAL THREATS AT PERCEPTION LAYER


— Node capture: key nodes, such as a gateway node, can be taken over by attackers. A
captured node may leak sensitive information, e.g., passwords, IDs, and locations, and so
threaten the security of the entire network
— Fake node and malicious data: the attackers add a malicious node to the system and
feed in fake code or data. They stop real data from being transmitted and consume the
precious energy of true nodes, and thus can potentially control and/or destroy the entire
network
— Denial of service attacks: DoS is the most common attack on wireless networks and the
internet. It can seriously damage network resources and make the service unavailable
— Side-channel attacks: any attack based on information gained from IoT devices.
Timing information, power consumption, electromagnetic leaks or even sound can
provide an extra source of information, which can be exploited
— Man-in-the-middle attacks (MITM): an attack where the attacker secretly relays and
possibly alters the communication between two parties who believe they are directly
communicating with each other
PERCEPTION LAYER SECURITY MEASURES
— RFID Security Measures
o Access Control
o Data Encryption
o IPSec Security Channel
o Cryptography Technology Scheme
— Wireless Sensor Network Security Measures
o Key Management
o Secret Key Algorithms
o Security Routing Protocol
o Intrusion Detection Technology
o Authentication and Access Control
o Physical Security Design

NETWORK LAYER
— Layer consists of physical components and network communication software which are
responsible for transmitting information acquired from the sensors of the perception
layer to other layers without any intervention

POTENTIAL THREATS AT NETWORK LAYER


— Traditional security problems: general security problems of communication networks
will be a threat to data confidentiality and integrity
— Compatibility problems: the existing internet network security architecture is designed
based on the perspective of person, and does not necessarily apply to communication
between the machines
— Authentication problems: IoT has a huge number of devices. If the existing mode of
authentication is used to authenticate every device, the resulting volume of data traffic is
likely to block the network
— Privacy disclosure: with the development of information retrieval technology and
social engineering, hackers can easily collect a large amount of a particular user’s private
information
NETWORK LAYER SECURITY MEASURES
— For different network architectures, we need to set up the specific authentication
mechanism, the end-to-end authentication and key agreement mechanism, public key
infrastructure, secure routing, and intrusion detection
— Cross-domain authentication and cross-network authentication in network layer should
be considered
— Network virtualisation technology can be used to reduce the complexity of network
management and the possibility of wrong operation
— IPv6 network security mechanism and application of security products can be adopted
APPLICATION LAYER
— IoT has a wide range of application including but not limited to smart home, medical
and healthcare, smart city, energy management, environment monitoring, industrial
internet, and connected vehicles

APPLICATION LAYER SECURITY MEASURES


— Authentication and key agreement across heterogeneous networks
— Protection of private information
— Increasing awareness of security
— Strengthening information security management
IoT DEVICES

CHALLENGES

HOW TO CONNECT TO THE INTERNET


WHAT IS IP ADDRESS?
— Internet Protocol address is a numerical label assigned to each device connected to a
computer network that uses the Internet Protocol for communications
— An IP address serves two principal functions: host or network interface identification
and location addressing

WHAT IS MY IP ADDRESS?

IPv4 ADDRESS EXHAUSTION

IPv6 LARGER ADDRESS SPACE


— IPv4 (32 bits) = 4,294,967,296 possible addressable devices
— IPv6 (128 bits) = 4 times the size in bits | 3.4 x 10^38 possible addressable devices
IPv6
— An IPv6 address is a numerical label that is used to identify a network interface of a
computer or a network node participating in an IPv6 computer network

HEXADECIMAL NUMBER TO BINARY

IPv6 ADDRESS REPRESENTATION


— 128 bits in length and written as a string of hexadecimal values
— Can be written in either lowercase or uppercase
— Leading zeros in a field can be omitted
o 2340:0023:AABA:0A01:0055:5054:9ABC:ABB0
o 2340:23:AABA:A01:55:5054:9ABC:ABB0
— Successive fields of zeros can be represented as two colons (::)
o 2340:0000:0000:0000:0455:0000:AAAB:1121
o 2340::0455:0000:AAAB:1121
IPv6 ADDRESS STRUCTURE

— Site prefix (48 bits): also known as Global Routing Prefix, is the prefix or network
portion of the address assigned by the provider, such as an ISP, to a customer or site
— Subnet ID (16 bits): is used by an organisation to identify subnets within its site
— Interface ID (64 bits): is equivalent to the host of an IPv4 address. It is used because a
single host may have multiple interfaces, each having one or more IPv6 addresses
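The two abbreviation rules and the three-field address structure above, worked through in code. This is an added example, not part of the lecture notes: the function names are my own, the 48/16/64 split follows the slide, and canonical() goes one step beyond the slide by applying both rules together and lowercasing, which is the RFC 5952 text form that Python's ipaddress module also produces.

```python
from __future__ import annotations

import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(addr: str) -> list[str]:
    """Undo both abbreviations: return the eight groups as 4-digit uppercase hex."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad hex group {g!r}")
    return [g.zfill(4).upper() for g in groups]


def _longest_zero_run(groups: list[str]) -> tuple[int, int]:
    """(start, length) of the longest run of all-zero groups; the first run wins a tie."""
    best = (-1, 0)
    i = 0
    while i < len(groups):
        if int(groups[i], 16) != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and int(groups[j], 16) == 0:
            j += 1
        if j - i > best[1]:
            best = (i, j - i)
        i = j
    return best


def _abbreviate(groups: list[str], strip_zeros: bool, collapse: bool) -> str:
    shown = [g.lstrip("0") or "0" for g in groups] if strip_zeros else list(groups)
    if collapse:
        start, length = _longest_zero_run(groups)
        if length >= 2:  # RFC 5952: a single zero group is never written as '::'
            return ":".join(shown[:start]) + "::" + ":".join(shown[start + length:])
    return ":".join(shown)


def strip_leading_zeros(addr: str) -> str:
    """Slide rule 1 only: drop the leading zeros of every group."""
    return _abbreviate(expand(addr), strip_zeros=True, collapse=False)


def collapse_zero_run(addr: str) -> str:
    """Slide rule 2 only: replace the longest run of successive zero groups with '::'."""
    return _abbreviate(expand(addr), strip_zeros=False, collapse=True)


def canonical(addr: str) -> str:
    """Both rules together, in lowercase: the RFC 5952 canonical text form."""
    return _abbreviate(expand(addr), strip_zeros=True, collapse=True).lower()


def split_structure(addr: str) -> dict[str, str]:
    """The three fields from the slide: 48-bit site prefix, 16-bit subnet ID, 64-bit interface ID."""
    g = expand(addr)
    return {"site_prefix": ":".join(g[:3]), "subnet_id": g[3], "interface_id": ":".join(g[4:])}


def matches_stdlib(addr: str) -> bool:
    """Cross-check our canonical form against the standard library's."""
    return canonical(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for a in ("2340:0023:AABA:0A01:0055:5054:9ABC:ABB0",
              "2340:0000:0000:0000:0455:0000:AAAB:1121"):
        print(strip_leading_zeros(a), collapse_zero_run(a), canonical(a), matches_stdlib(a))
        print(split_structure(a))
```

Note that the slide's second example keeps the leading zeros of 0455 and 0000 because it applies only rule 2; canonical() shows what the same address looks like once rule 1 is applied as well.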

IPv6 DEVELOPMENT
— Work on specification began in 1990. Currently specified by RFC 2460 through 2466
— Some of the major goals:
1. Support huge number of hosts
2. Reduce the size of routing tables
3. Simplify protocol -> allow for faster packet processing
4. Improve security
5. Allow host roaming without address changing
— In general, IPv6 is not compatible with IPv4, but is compatible with internet control and
transport protocols such as ICMP, OSPF, BGP, TCP, UDP, etc
IPv6 AND IoT
— Which came first: the growth in IPv6 or the IoT?
— IoT is driving IPv6 adoption, and IPv6 is enabling growth in the IoT

WHY SHOULD THE IoT CARE ABOUT IPv6?


— Security: IPv6 can run end-to-end encryption. While this technology was retrofitted
into IPv4, it remains an extra option that is not universally used
— Scalability: IPv6 can support up to 3.4x10^38 IP addresses
— Connectability: IPv6 allows IoT products to be uniquely addressable without having to
work around all of the traditional NAT and firewall issues
HOW IPv6 HELPS SECURITY FOR IoT
— IPv4 Security Issues:
o DoS attacks
o Man-in-the-middle attacks
o ARP spoofing attacks
o Malware attacks
o Reconnaissance attacks
IPv6 ENHANCEMENT FOR SECURITY
— Unlike IPv4, IPsec security is mandated in the IPv6 protocol specification, allowing
IPv6 packet authentication and/or payload encryption via the Extension Headers
— IPv6 Packet Encryption: IPsec defines cryptography-based security for both IPv4 and
IPv6 in RFC 4301. IPsec support is an optional add-on in IPv4, but is a mandatory part
of IPv6
o Authentication Header: provides connectionless integrity, data-origin
authentication and protection against replay attacks
o Encapsulating Security Payload: provides privacy and confidentiality through
encryption of the payload

CHALLENGES OF IPv6 IN IoT NETWORKS


— Standardisation for IoT
— Limited computing resources on IoT device
— Wireless communication
IoT COMMUNICATIONS
OVERVIEW OF LoWPANs
— LoWPANs (Low-Power Wireless Personal Area Networks) (IEEE 802.15.4)
— A simple low throughput wireless network comprising typically low cost and low
power devices
— Devices in the network typically work together to connect the physical environment to
real world applications, e.g., wireless sensor networks
— Common topologies include: star, mesh, and combinations of star and mesh
— The physical and MAC layers conform to IEEE 802.15.4-2003 standard
LoWPAN TOPOLOGIES

LoWPAN ARCHITECTURE

TYPICAL APPLICATIONS
— Equipment health monitoring
— Environment monitoring
— Security
— Home
— Building automation
6LoWPAN
— IPv6 Low-Power Wireless Personal Area Networks (6LoWPAN)
— The pervasive nature of IP networks allows use of existing infrastructure
— IP-based technologies already exist, are well-known, and proven to be working
— Open and freely available specification vs. closed proprietary solutions
— Tools for diagnostics, management, and commissioning of IP networks already exist
— IP-based devices can be connected readily to other IP-based networks, without the need
for intermediate entities like translation gateways or proxies
6LoWPAN PROBLEMS
— No method exists to make IP run over LoWPAN networks
— Stacking IP and above layers ‘as is’ may not fit within one 802.15.4 frame
— Not all ad-hoc routing protocols may be immediately suitable for LoWPAN
— Current service discovery methods ‘bulky’ for LoWPAN
— Limited configuration and management necessary
6LoWPAN ADAPTATION LAYER
FUNCTIONS OF 6LoWPAN ADAPTATION LAYER
— Three main functions:
o Header compression: compresses the 40-byte IPv6 and 8-byte UDP headers
by assuming the usage of common fields
o Fragmentation and reassembly: in order to enable the transmission of IPv6
frames over IEEE 802.15.4 radio links, the IPv6 frames need to be divided into
several smaller segments
o Auto configuration: auto configuration is the autonomous generation of a
device’s IPv6 address. The process is essentially different between IPv4 and
IPv6. In IPv6 it allows a device to automatically generate its IPv6 address
without any outside interaction with a DHCP server or such
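Fragmentation/reassembly and stateless address autoconfiguration, two of the three adaptation-layer functions listed above, as an added example (not code from the lecture or from any 6LoWPAN stack). The fragment header layout and the 102-octet frame budget are the RFC 4944 values; the interface identifier derivation is the modified EUI-64 rule of RFC 4291. The sample datagram, the tag value and the MAC addresses are constructed, and the function names are my own.

```python
from __future__ import annotations

import ipaddress

# IEEE 802.15.4 frames carry at most 102 payload octets once the maximum MAC
# overhead is taken off a 127-octet frame (RFC 4944, section 1).
MAX_FRAME_PAYLOAD = 102
FRAG1_DISPATCH = 0b11000   # first fragment: 11000 | datagram_size(11) | datagram_tag(16)
FRAGN_DISPATCH = 0b11100   # later fragments add datagram_offset(8), in 8-octet units

# Constructed sample: an already header-compressed packet (0x60 is a LOWPAN_IPHC dispatch byte)
SAMPLE_DATAGRAM = bytes([0x60]) + bytes(range(249))


def fragment(datagram: bytes, tag: int, budget: int = MAX_FRAME_PAYLOAD) -> list[bytes]:
    """Split a datagram into RFC 4944 fragments; returned unchanged if it fits in one frame."""
    size = len(datagram)
    if not 0 < size < 2048:
        raise ValueError("datagram_size is an 11-bit field")
    if not 0 <= tag < 65536:
        raise ValueError("datagram_tag is a 16-bit field")
    if size <= budget:
        return [datagram]
    frags, offset = [], 0
    while offset < size:
        first = offset == 0
        hdr_len = 4 if first else 5
        room = (budget - hdr_len) // 8 * 8        # every piece but the last is 8-octet aligned
        chunk = datagram[offset:offset + room]
        dispatch_bits = FRAG1_DISPATCH if first else FRAGN_DISPATCH
        hdr = ((dispatch_bits << 11) | size).to_bytes(2, "big") + tag.to_bytes(2, "big")
        if not first:
            hdr += bytes([offset // 8])
        frags.append(hdr + chunk)
        offset += len(chunk)
    return frags


def dispatch(frame: bytes) -> str:
    """Classify a frame by its 5-bit dispatch value (fragment patterns only)."""
    return {FRAG1_DISPATCH: "FRAG1", FRAGN_DISPATCH: "FRAGN"}.get(frame[0] >> 3, "OTHER")


def parse_fragment(frame: bytes) -> tuple[int, int, int, bytes]:
    """Return (datagram_size, datagram_tag, offset_in_octets, payload) of a fragment."""
    kind = dispatch(frame)
    size = int.from_bytes(frame[:2], "big") & 0x07FF
    tag = int.from_bytes(frame[2:4], "big")
    if kind == "FRAG1":
        return size, tag, 0, frame[4:]
    if kind == "FRAGN":
        return size, tag, frame[4] * 8, frame[5:]
    raise ValueError("not a fragment")


def reassemble(frames: list[bytes]) -> bytes | None:
    """Rebuild the datagram from fragments received in any order; None if a piece is missing.

    A real node keys its reassembly buffer on (sender, datagram_tag) and frees it after
    a timeout; here every frame is assumed to come from one sender.
    """
    if not frames:
        raise ValueError("no frames")
    if len(frames) == 1 and dispatch(frames[0]) == "OTHER":
        return frames[0]                           # was never fragmented
    pieces, ident = {}, None
    for f in frames:
        size, tag, offset, payload = parse_fragment(f)
        if ident is None:
            ident = (size, tag)
        elif ident != (size, tag):
            raise ValueError("fragment belongs to a different datagram")
        pieces[offset] = payload
    size = ident[0]
    out = bytearray()
    while len(out) < size:
        piece = pieces.get(len(out))
        if piece is None:
            return None                            # a hole: some fragment was lost
        out += piece
    return bytes(out) if len(out) == size else None


def eui64_interface_id(hw_addr: str) -> int:
    """Modified EUI-64 interface ID: 48-bit MACs get 0xFFFE inserted, then the U/L bit is flipped."""
    octets = bytes.fromhex(hw_addr.replace(":", "").replace("-", ""))
    if len(octets) == 6:
        octets = octets[:3] + b"\xff\xfe" + octets[3:]
    elif len(octets) != 8:
        raise ValueError("need a 48-bit MAC or a 64-bit EUI-64")
    octets = bytes([octets[0] ^ 0x02]) + octets[1:]
    return int.from_bytes(octets, "big")


def link_local_address(hw_addr: str) -> str:
    """Stateless autoconfiguration of the fe80::/64 address, with no DHCP server involved."""
    return str(ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(hw_addr)))
```

Reassembly returns None rather than a partial datagram when a fragment is lost, which is the behaviour a receiver needs on a lossy link: an incomplete buffer must be discarded after its timer expires, never passed up the stack.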
HEADER COMPRESSION

EXERCISE
— How do these functions work?
o Fragmentation and reassembly
o Auto configuration

IoT, IPv6, AND 6LoWPAN


SUMMARY
— IPv6
— IPv6 FOR IoT SECURITY
— 6LoWPAN
EXERCISE
— Why is IPv6 important for IoT security?
— How does the 6LoWPAN adaptation layer work?
— Reading the specified documents

APPENDIX FOR CONTIKI LABS


TCP/IP PROTOCOL STACK
RPL-UDP COMMUNICATIONS

— RPL is an IPv6 routing protocol for low power and lossy networks (e.g., LoWPAN)
— User Datagram Protocol (UDP) is a transport layer protocol, and it is one of the
core members of the internet protocol suite
RPL
— Low power and lossy networks (LLN) have constraints on processing, memory, and
energy, so conventional routing methods such as OSPF, OLSR, RIP, AODV, DSR, etc.,
may not be practical to deploy
— LLN links have high loss rate, low data rates, instability with dynamic topology
USER DATAGRAM PROTOCOL (UDP)
— With UDP, computer applications can send messages, in this case referred to as
datagrams, to other hosts on an Internet Protocol (IP) network
— UDP provides checksums for data integrity, and port numbers for addressing
different functions at the source and destination of the datagram
— UDP is suitable for purposes where error checking and correction are either not
necessary or are performed in the application
— UDP avoids the overhead of such processing in the protocol stack
TCP VS. UDP
— TCP:
o Slower but reliable transfers
o Typical applications:
  - Email
  - Web browsing
o Unicast (cast to a single destination)
— UDP:
o Fast but non-guaranteed transfers (“best effort”)
o Typical applications:
  - VoIP
  - Music streaming
o Unicast (cast to a single destination)
o Multicast (cast to many destinations)
o Broadcast (cast to all destinations)
IoT GATEWAY ADLINK MXE-210 SERIES

DELL EDGE GATEWAY 5000 SERIES


IoT GATEWAY

IoT EDGE GATEWAY

IoT GATEWAY COMPARISON


MAIN ISSUES
— Connectivity (interoperability)
— Security
— Hardware-constrained devices
— Standardisation
AUTHENTICATION METHOD
— Authentication: is a process of verifying the identities of users, typically based on
usernames and passwords
EXAMPLES

CRYPTOGRAPHY
— Cryptography is the science of encrypting and decrypting written communication
— The word comes from the Greek words ‘kryptos’ meaning ‘hidden’, and ‘graphia’ meaning
‘writing’
— Cryptography is a method of storing and transmitting data in a form that only those it is
intended for can read and process
— Cryptography is an effective way of protecting sensitive information as it is stored on
media or transmitted through network communications
EXAMPLE

PRINCIPLE
CRYPTOGRAPHY ALGORITHMS

SYMMETRIC KEY
ASYMMETRIC KEY
SYMMETRIC VS ASYMMETRIC KEYS

ASYMMETRIC KEYS
MAN-IN-THE-MIDDLE ATTACK

DIGITAL SIGNATURE
— The receiver still does not know who sent the data. It could have been sent by a
hacker
— So the sender needs to let the receiver know that the data was indeed sent by the sender
— This process is called signing
— Signing is done by attaching a small piece of additional data called the signature
— Hashing is the typical first step in producing a digital signature for the receiver
HASHING
— Hashing is a method of cryptography that converts any form of data into a unique
string of text
— Any piece of data can be hashed, no matter its size or type
— A hash is designed to act as a one-way function, i.e. you can put data into a hashing
algorithm and get a unique string, but if you come upon a new hash, you cannot
decipher the input data it represents
— A given piece of data will always produce the same hash
— Hashing is a mathematical operation that is easy to perform, but extremely difficult to
reverse
— The difference between hashing and encryption is that encryption can be reversed, or
decrypted, using a specific key
EXAMPLE
— A cryptographic hash function (specifically SHA-1) at work. A small change in the
input (in the word ‘over’) drastically changes the output (digest). This is the so called
avalanche effect

HASHING
— The primary application of hash functions in cryptography is message integrity
— The hash value provides a digital fingerprint of a message’s contents, which ensures
that the message has not been altered by an intruder, virus, or by other means
— Hash algorithms are effective because of the extremely low probability that two
different plaintext messages will yield the same hash value
HOW DIGITAL SIGNATURE WORKS
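Hashing's avalanche effect and the hash-then-sign structure of a digital signature, as an added example that is not from the lecture notes. The avalanche part uses real SHA-1, as in the slide's figure; the signing part uses textbook RSA with a toy key built from two Mersenne primes and no padding, which shows the structure only and is not a usable signature scheme. Function names and the sample messages are my own.

```python
import hashlib


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest as 40 hex characters (the function in the slide's figure)."""
    return hashlib.sha1(data).hexdigest()


def differing_bits(digest_a: bytes, digest_b: bytes) -> int:
    """How many bit positions differ between two equal-length digests."""
    if len(digest_a) != len(digest_b):
        raise ValueError("digests must be the same length")
    return bin(int.from_bytes(digest_a, "big") ^ int.from_bytes(digest_b, "big")).count("1")


def avalanche(msg_a: bytes, msg_b: bytes) -> int:
    """Bits that differ between the SHA-1 digests of two messages (out of 160)."""
    return differing_bits(hashlib.sha1(msg_a).digest(), hashlib.sha1(msg_b).digest())


# Toy "textbook" RSA key: two Mersenne primes, no padding, no randomness.
# It illustrates only the hash-then-sign structure; never use it for real data.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Sender: hash the message, then raise the hash to the private exponent."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Receiver: recompute the hash and compare it with the signature's public-key image."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, public_exponent, modulus) == digest


if __name__ == "__main__":
    a = b"The quick brown fox jumps over the lazy dog"
    b = b"The quick brown fox jumps over the lazy cog"
    print(sha1_hex(a), sha1_hex(b), avalanche(a, b), "bits differ")
    reading = b"sensor-17 temperature=21.5C"
    sig = sign(reading)
    print(verify(reading, sig), verify(b"sensor-17 temperature=31.5C", sig))
```

Changing one letter flips roughly half of the 160 digest bits, which is what makes the hash a usable fingerprint; the signature check then fails for both a tampered message and a tampered signature, which is the receiver's guarantee that the data came from the holder of the private key.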
IoT AUTHENTICATION METHODS
— Public key infrastructure (PKI): a set of roles, policies, and procedures needed to
create, manage, distribute, use, store and revoke digital certificates and manage public-
key encryption
— The purpose of a PKI is to facilitate the secure electronic transfer of information for a
range of network activities such as e-commerce, internet banking, and confidential
email
PUBLIC KEY INFRASTRUCTURE

SUMMARY
— IoT Gateway Solution
— Cryptography
o Symmetric
o Asymmetric keys
o Hashing
— IoT Authentication Methods
o Public key infrastructure
APPLICATION LAYER IN TCP/IP
— Acts as interface between the applications and the underlying network
— Application layer protocols provide rules and formats that determine how data is
treated in the application layer
— The TCP/IP application layer performs the functions of the upper three layers of the
OSI model (Application, Presentation, Session)
— Common application layer protocols include: HTTP, FTP, TFTP, DNS

— Application layer protocols are used by both the source and destination devices
during a communication session
— The application layer protocols implemented on the source and destination host must
match

HYPERTEXT TRANSFER PROTOCOL (HTTP)


HTTP VS HTTPS
— HTTP + SSL (Secure Socket Layer) = HTTPS

APPLICATION LAYERS IN IoT NETWORKS


— Application layer usually employs HTTP to provide web service, but HTTP has high
computation complexity, low data rate, and high energy consumption
— Therefore, several lightweight protocols have been developed for the application layer
of IoT networks
LAYERS IN IoT NETWORK ARCHITECTURE
IoT APPLICATION LAYER PROTOCOLS
— CoAP: Constrained Application Protocol
— MQTT: Message Queuing Telemetry Transport
— XMPP: Extensible Messaging and Presence Protocol
— RESTful: Representational State Transfer
— AMQP: Advanced Message Queuing Protocol
— WebSocket: Computer Communications Protocol
— DDS: Data Distribution Service
— SMQTT: Secure MQTT
TCP VS UDP

IoT APPLICATION LAYER PROTOCOLS


REQUEST/RESPONSE

PUBLISH / SUBSCRIBE

IoT APPLICATION LAYER PROTOCOLS


TLS / SSL
— SSL: Secure Sockets Layer originally developed by Netscape in the mid 1990s
— TLS: Transport Layer Security evolved from SSL 3.0, is a cryptographic protocol that
provides communications security over a computer network

TLS
— TLS is a protocol for establishing secure (Transport Layer) communications between
two parties, usually denoted as a Client and a Server

DTLS
— The Datagram Transport Layer Security (DTLS) is the UDP-based version of TLS,
designed to provide end-to-end security association between two nodes
DISCUSSIONS
— What is the best choice for IoT application layer protocols?
Application Layer Protocols
CONSTRAINED APPLICATION PROTOCOL (CoAP)
— CoAP is an application layer protocol that is intended for use in resource-constrained
devices
— Basically, CoAP is a RESTful web transfer protocol for use with constrained networks
— CoAP uses the same client/server model as HTTP
— It is designed especially for constrained networks, with low overhead and low energy use
CoAP vs HTTP
— Unlike HTTP based protocols, CoAP operates over UDP instead of using complex
congestion control as in TCP.
— CoAP is based on REST architecture, which is a general design for accessing Internet
resources.
— To cope with constrained resources, CoAP needs to optimise the length of its
datagrams and provide reliable communication.
— On one side, CoAP provides REST methods such as GET, POST, PUT, and
DELETE.
— On the other side, based on lightweight UDP protocol, CoAP allows IP multicast,
which satisfies group communication for IoT.
CoAP
— To compensate for the unreliability of UDP protocol, CoAP defines a retransmission
mechanism and provides resource discovery mechanism with resource description.

— CoAP is not simply a compressed version of HTTP.

— Considering the low processing capability and low power budget of constrained
devices, CoAP redesigns some features of HTTP to accommodate these limitations.
CoAP vs HTTP

FEATURES OF CoAP
— Designed especially for constrained networks
— CoAP operates over UDP
— Asynchronous message exchange
— Low header and parsing complexity
— URI and content-type support
— Simple proxy and caching capabilities
— Optional resource discovery
— UDP transport with optional reliability, supporting unicast/multicast requests
— Stateless HTTP-CoAP mapping, allowing proxy to provide access to CoAP resources
via HTTP and vice versa
— Security using Datagram Transport Layer Security (DTLS)

CoAP COMMUNICATION METHOD


— CoAP supports the basic methods of GET, POST, PUT, DELETE, which are easily
mapped to HTTP
o GET: The GET method retrieves the information of the resource identified by
the request URI.
o POST: The POST method is used to request the server to create a new
subordinate resource under the requested parent URI.
o PUT: The PUT method requests that the resource identified by the request URI
be updated or created with the enclosed message body.
o DELETE: The DELETE method requests that the resource identified by the
request URI be deleted.
EXAMPLE

MESSAGE LAYER MODEL


— Message Layer supports 4 message types:
o CON (Confirmable)
o NON (Non-confirmable)
o ACK (Acknowledgement)
o RST (Reset)

RELIABLE MESSAGE TRANSPORT


— Keep retransmitting until an ACK with the same message ID (e.g., 0x8c56) is received
— A default timeout is used, and the retransmission timer is scaled exponentially for each
CON retry
— If the recipient fails to process the message, it responds with RST in place of ACK

UNRELIABLE MESSAGE TRANSPORT


— Transport with NON type messages
— A NON message does not need to be ACKed, but it must carry a message ID so that
duplicates can be detected in case of retransmission
— If the recipient fails to process the message, the server replies with RST
MESSAGE FORMAT
— CoAP is based on the exchange of compact messages that, by default, are transmitted
over UDP (i.e., each CoAP message occupies the data section of one UDP datagram)
— Message of CoAP uses simple binary format
— Message= fixed-size 4-byte header plus a variable-length Token plus a sequence of
CoAP options plus payload

— Ver: Version
— T: Message type (CON, NON, ACK, and RST)
— TKL: Token length
— Code: Request method (1-10) or Response Code (40-255)
— Message ID: 16-bit identifier for matching responses
— Token: Optional response matching token
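The 4-byte header, token and payload described above, encoded and decoded, together with the CON/ACK/RST matching and the retransmission timer of the reliable and unreliable transports. This is an added example, not code from the lecture: the CoAP option sequence is left empty (an assumption made to keep the parser short), the message ID 0x8c56 is the slide's, and the 2-second timeout with 4 retransmissions are the RFC 7252 defaults.

```python
from __future__ import annotations

from dataclasses import dataclass

VERSION = 1
TYPES = {"CON": 0, "NON": 1, "ACK": 2, "RST": 3}
TYPE_NAMES = {v: k for k, v in TYPES.items()}
METHODS = {"GET": 1, "POST": 2, "PUT": 3, "DELETE": 4}   # code class 0, detail 1..4
PAYLOAD_MARKER = 0xFF


@dataclass
class Message:
    mtype: str               # CON, NON, ACK or RST
    code: int                # request method or response code; class in the top 3 bits
    message_id: int          # 16-bit identifier that matches an ACK/RST to its CON/NON
    token: bytes = b""       # 0..8 bytes that match a response to its request
    payload: bytes = b""

    @property
    def code_str(self) -> str:
        """Dotted notation, e.g. 0x45 -> '2.05' (Content)."""
        return f"{self.code >> 5}.{self.code & 0x1F:02d}"


def encode(msg: Message) -> bytes:
    """Header (4 bytes) + token + [0xFF + payload]; the option sequence is empty here."""
    if not 0 <= len(msg.token) <= 8:
        raise ValueError("TKL must be 0..8")
    if not 0 <= msg.message_id <= 0xFFFF:
        raise ValueError("Message ID is a 16-bit field")
    first = (VERSION << 6) | (TYPES[msg.mtype] << 4) | len(msg.token)
    out = bytes([first, msg.code]) + msg.message_id.to_bytes(2, "big") + msg.token
    if msg.payload:
        out += bytes([PAYLOAD_MARKER]) + msg.payload
    return out


def decode(raw: bytes) -> Message:
    """Parse header, token and payload, rejecting the format errors RFC 7252 names."""
    if len(raw) < 4:
        raise ValueError("CoAP header is 4 bytes")
    ver, mtype, tkl = raw[0] >> 6, (raw[0] >> 4) & 0x3, raw[0] & 0xF
    if ver != VERSION:
        raise ValueError(f"unknown version {ver}")
    if tkl > 8:
        raise ValueError("TKL 9..15 is reserved: message format error")
    token = raw[4:4 + tkl]
    if len(token) != tkl:
        raise ValueError("truncated token")
    rest, payload = raw[4 + tkl:], b""
    if rest:
        if rest[0] != PAYLOAD_MARKER:
            raise ValueError("options are not handled by this example")
        payload = rest[1:]
        if not payload:
            raise ValueError("payload marker with empty payload: message format error")
    return Message(TYPE_NAMES[mtype], raw[1], int.from_bytes(raw[2:4], "big"), token, payload)


def ack_for(con: Message, code: int = 0, payload: bytes = b"") -> Message:
    """ACK carrying the CON's Message ID; with a code and payload it is a piggy-backed response."""
    return Message("ACK", code, con.message_id, con.token if code else b"", payload)


def rst_for(msg: Message) -> Message:
    """Empty RST: the recipient could not process the message."""
    return Message("RST", 0, msg.message_id)


def acknowledges(reply: Message, con: Message) -> bool:
    """Retransmission of a CON stops once an ACK (or RST) with the same Message ID arrives."""
    return reply.mtype in ("ACK", "RST") and reply.message_id == con.message_id


def retransmission_schedule(ack_timeout: float = 2.0, max_retransmit: int = 4) -> list[float]:
    """Wait before each CON retry: the timeout doubles every time (RFC 7252 defaults,
    with ACK_RANDOM_FACTOR taken as 1 so the values are deterministic)."""
    return [ack_timeout * 2 ** i for i in range(max_retransmit)]
```

The TKL check matters for a constrained server: a token length of 9 to 15 is a format error that must be rejected before any token bytes are read, otherwise a malformed 4-byte header could make the parser read past the end of the datagram.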
CoAP SECURITY ANALYSIS
— CoAP is now becoming the standard protocol for IoT applications.
— Security is important to protect the communication between devices.
— DTLS is the security method used in CoAP.
— There are three main elements when considering security, namely integrity,
authentication, and confidentiality.
— DTLS can achieve all of them.
— Unlike network layer security protocols, DTLS in the application layer protects end-to-end
communication
— Without end-to-end protection, an attacker can easily read all the plaintext data that
passes through a compromised node
— DTLS also avoids cryptographic overhead problems that occur in lower layer security
protocols
SECURITY CHALLENGES IN CoAP
— In terms of security, CoAP is still under considerations and development due to several
challenges and debates.
— The biggest challenge is to keep the high performance while maintaining the security
standards and providing protection.
SUMMARY
— Application Layer in TCP/IP
— Application Layer in IoT Networks
— IoT Application Layer Protocols
— Constrained Application Protocol (CoAP)
— CoAP Security Analysis
FORENSIC SCIENCE
— The application of science and technology to investigate and establish facts of interest
to criminal or civil courts of law. For example
o DNA analysis
o Trace evidence analysis
— Implies the use of scientific methodology to collect and analyse evidence. e.g.
o Statistics
o Logical reasoning
o Experiments
— Sherlock Holmes: a fictional character developed by author Sir Arthur Conan Doyle
— First to apply forensic techniques, e.g., serology, fingerprinting, firearm identification,
and questioned document examination
— All of this – from fiction – before they were accepted by real-life criminal investigations
DIGITAL FORENSICS
— A branch of traditional forensic science
— Includes the recovery and investigation of material found in digital devices, often in
relation to computer crime
— Originally used as a synonym for computer forensics but has expanded to cover
investigation of all devices capable of storing digital data
— Aims to deal with the identification, collection, recovery, analysis and preservation
of digital evidence found on various types of electronic devices
DIGITAL FORENSICS VS TRADITIONAL FORENSICS SCIENCE

FORENSIC INVESTIGATION PROCESS


DIGITAL FORENSIC INVESTIGATION PROCESS
— Collection: identify and collect all relevant digital evidence
— Examination: extract information from the collected evidence
— Analysis: analyse the results obtained from the examination
— Reporting: report all relevant information obtained from all previous steps
CASE STUDY: WEARABLE SENSORS
— Scenario: Connie Dabate was murdered in her home in 2015
— According to his arrest warrant, her husband Richard provided an elaborate explanation
of the day’s events, claiming that he returned home after receiving an alarm alert.
— Richard went on to claim that, upon entering his house, he was immobilized and
tortured by an intruder.
— He told police that the intruder then shot and killed Connie when she returned home
from the gym.
— Relying on evidence collected from Connie’s Fitbit, police were able to show that she
had been in the house at the time Richard said she was at the gym.
— According to the Fitbit’s data, Connie stopped moving one minute before the home
alarm went off.
DIGITAL FORENSIC INVESTIGATION PROCESS
— Collection: Fitbit
— Examination: Extract information from the Fitbit, e.g., GPS, distance travelled, steps
taken, sleep time and heart rate, etc.
— Analysis: Analyse the information obtained from the examination, e.g., when did she
arrive home? when did she stop moving? etc.
— Reporting: Report all relevant information, e.g., device, extracted information, and
analysis results.
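The four steps applied to the wearable case above, with an evidence fingerprint recorded at collection time so that later copies of the export can be checked. This is an added example with a constructed step-count export and alarm timestamp; it is not the investigators' data or tooling, and the field names are my own.

```python
from __future__ import annotations

import csv
import hashlib
import io
from datetime import datetime

# Constructed sample export (not data from the real case): steps per minute, as a
# wearable might sync them to a phone app or cloud account.
ACTIVITY_CSV = """\
timestamp,steps
2015-12-23T09:07:00,18
2015-12-23T09:08:00,25
2015-12-23T09:09:00,12
2015-12-23T09:10:00,4
2015-12-23T09:11:00,0
2015-12-23T09:12:00,0
2015-12-23T09:13:00,0
"""
ALARM_EVENT = "2015-12-23T09:11:00"   # constructed timestamp of the home alarm log entry


def collect(raw_export: str) -> dict:
    """Collection: fingerprint the acquired export so later copies can be shown to be unmodified."""
    data = raw_export.encode()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size_bytes": len(data)}


def verify_integrity(raw_export: str, record: dict) -> bool:
    """Chain-of-custody check: does this copy still match the collection-time fingerprint?"""
    return collect(raw_export) == record


def examine(raw_export: str) -> list[tuple[datetime, int]]:
    """Examination: pull (timestamp, steps) records out of the export."""
    rows = csv.DictReader(io.StringIO(raw_export))
    return [(datetime.fromisoformat(r["timestamp"]), int(r["steps"])) for r in rows]


def last_movement(records: list[tuple[datetime, int]]) -> str | None:
    """ISO timestamp of the last minute with any steps, or None if the device never moved."""
    moving = [t for t, steps in records if steps > 0]
    return max(moving).isoformat() if moving else None


def analyse(records: list[tuple[datetime, int]], alarm_iso: str) -> dict:
    """Analysis: relate the wearer's movement timeline to the alarm event."""
    alarm = datetime.fromisoformat(alarm_iso)
    last = last_movement(records)
    steps_after_alarm = sum(s for t, s in records if t >= alarm)
    gap = None
    if last is not None:
        gap = (alarm - datetime.fromisoformat(last)).total_seconds() / 60
    return {"last_movement": last, "minutes_before_alarm": gap,
            "steps_after_alarm": steps_after_alarm}


def report(raw_export: str, alarm_iso: str) -> dict:
    """Reporting: evidence fingerprint, what was extracted and the analysis results together."""
    records = examine(raw_export)
    return {"evidence": collect(raw_export), "records": len(records),
            "analysis": analyse(records, alarm_iso)}


if __name__ == "__main__":
    print(report(ACTIVITY_CSV, ALARM_EVENT))
```

The fingerprint taken in collect() is what lets the report survive the Data Loss challenge discussed later in these notes: once the export has been copied off the device or out of the cloud account, verify_integrity() shows whether the working copy still matches what was acquired.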
CASE STUDY: WEARABLE SENSORS
— Digital Forensic: Wearable devices like Fitbits monitor location via GPS and activities
like distance travelled, steps taken, sleep time and heart rate.
— The devices are configured to synchronize data to applications on smartphones and
personal computers or to cloud or social media sites.
— Evidentiary collections can be made from either of these sources using standard digital
forensics tools and techniques.
IoT FORENSIC
— A branch of digital forensics which focuses on dealing with criminal incidents in IoT
infrastructure.
— Typically, IoT forensics can be considered a combination of three digital
forensics schemes: device-level forensics, network forensics and cloud forensics.

IoT FORENSIC: A CASE STUDY


— Alice is suffering from high blood sugar and she always wears a blood sugar monitor
device.
— At her home, there are other smart devices, such as heating system, television,
refrigerator, intelligent medicine dispenser, car, etc.
— All of these devices are connected with the Internet and are controllable from Alice’s
mobile device.
— Alice also works in a hospital, where there are thousands of health care related IoT
devices and the hospital allows its employees to connect their smart devices with the
hospital’s network.
— Mallory creates an intelligent malware to collect data from the smart health care
devices.
— First, it infects Alice’s smart refrigerator, connects to Alice’s blood sugar monitor
through the shared network, and finally infects the blood sugar monitor.
— Later, when Alice goes to the hospital for work, the malware searches for other devices
that share the same network as the blood sugar monitor.
— In this way, Mallory is able to infect hundreds of smart health care devices located in
the hospital and steal confidential electronic medical records (EMR).
— When the data breach is identified, Bob, a forensics investigator, is assigned to
investigate the case.
— The number and variety of IoT devices available at the hospital will make Bob’s
investigation very challenging.
— Bob needs to execute device-level forensics for all the available devices.
— Later, he needs to investigate the network logs of all the devices to identify the source of
the infection.
— This includes not only the smart health care devices but also the smart mobile
devices that the health care professionals generally bring in every day.

IoT FORENSIC CHALLENGES


— Data Location
— Device Type
— Data Extraction
— Data Format
— Data Loss
IoT FORENSIC CHALLENGES – DATA LOCATION
— Data Location: IoT data could be spread across different locations.
o IoT data could be stored in the cloud, in smart devices, or even with a third
party.
o The data might be stored in different regions or countries and mixed with the data
of others, which can invoke different countries’ regulations.
o Thus, identifying all the locations of the evidence is considered one of the
biggest challenges investigations face.
IoT FORENSIC CHALLENGES – DATA TYPE
— Data Type: in traditional digital forensics, investigators usually identify a computer
system or appliance as the source to acquire evidence from, but in IoT forensics, evidence
sources could vary across all devices.
o It could be a smart television or a smart refrigerator, which could lead to
challenges when it comes to identifying and finding the IoT device to acquire
from at a crime scene.
o Some of these devices could be very tiny and mistakenly overlooked, or very large;
carrying such a large device to the lab for acquisition could be another
challenge for the investigators in terms of creating space
IoT FORENSIC CHALLENGES – DATA EXTRACTION
— Data Extraction: in traditional forensics, most devices adopt similar operating
systems, hardware, etc. However, in IoT forensics, most device manufacturers use
different platforms, operating systems, and hardware
o Extracting evidence from these devices could be another challenge for the
investigators
IoT FORENSIC CHALLENGES – DATA FORMAT
— Data Format: in IoT forensics, the data are usually in different formats, and the data
generated by the IoT device might differ from what is stored in the cloud
o In order to have a standardised analysis, the data needs to be returned to its
original format before analysis can be carried out.
o Due to the limited security in IoT devices, evidence could be modified or
deleted, which could make the evidence inadmissible in court.
IoT FORENSIC CHALLENGES – DATA LOSS
— Data Loss: Due to the limited storage in IoT devices, the lifespan of data is short,
and data could easily be overwritten, which could result in evidence
being lost.
o Transferring the data to another device such as the local gateway or cloud could
be an easy solution to this challenge, but it presents a challenge of its own:
securing the chain of custody and proving that the evidence was not modified
during transfer.
IoT FORENSIC CHALLENGES – CASE STUDY
— Alice suffers from high blood sugar and always wears a blood sugar monitoring
device.
— At her home, there are other smart devices, such as a heating system, television,
refrigerator, intelligent medicine dispenser, car, etc.
— All of these devices are connected with the Internet and are controllable from Alice’s
mobile device.
— Alice also works in a hospital, where there are thousands of health care related IoT
devices and the hospital allows its employees to connect their smart devices with the
hospital’s network.
CLASSIFICATION OF IoT ATTACKS
IoT FORENSIC APPROACHES
— 1-2-3 Zones approach [1]
— FAIoT: Forensic-aware approach [2]
— DFIF-IoT: Digital Forensic Investigation Framework for IoT [3]
1-2-3 ZONES APPROACH
— Advantages:
o Reduces the complexity of investigation in IoT environments, especially in very
large IoT networks.
o Investigators can work in parallel to speed up the investigation process.
— Disadvantages:
o Diverse, unstructured, and lacking consistency and focus.
THE NEXT-BEST-THINGS TRIAGE MODEL
— This model was introduced to assist in determining the potential sources of evidence.
— Triage is the process of examining problems in order to decide which ones are the most
serious and must be dealt with first.
— In addition, devices (and any original evidence stored on them) could become
unavailable or compromised due to theft, destruction, relocation or tampering.
— This model allows investigators to recognize other elements of the IoT ecosystem that
are related to the original device in question.
FAIoT: FORENSIC-AWARE APPROACH
— Since the IoT infrastructure is highly distributed and there is no standardization among
the devices, we propose a centralized trusted evidence repository in the FAIoT to ease
the process of evidence collection and analysis.
— The evidence repository will also apply a secure logging scheme to ensure the
reliability of the evidence.
— Secure Evidence Preservation Module: This module constantly monitors all the
registered IoT devices and stores evidence securely in the evidence repository.
— Secure Provenance Module: This module ensures the proper chain of custody of the
evidence by preserving the access history of the evidence.
— Access to Evidence Through API: Proposed to provide secure read-only APIs to law
enforcement agencies.
— Key idea: using a centralized trusted evidence repository that incorporates a Secure
Evidence Preservation Module, a Secure Provenance Module and a read-only API for
the investigators to access.
— In this model, the acquisition of evidence is performed live (in real time) as part of the
normal operation of a collection of IoT devices.
— Advantage: Potential ability to correlate multiple types of evidence from different
zones using the centralized data store.
— Limitation: This is a research model that has not yet been tested in practice.
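A minimal, added illustration of the tamper-evident evidence log that the Secure Evidence Preservation and Secure Provenance modules describe, which also addresses the chain-of-custody problem raised under Data Loss above. This is example code written for these notes, not code from the FAIoT paper; the hash-chain layout, the method names and the glucose-monitor readings are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the very first entry

def _digest(obj) -> str:
    # Canonical JSON so the same record always produces the same hash.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class EvidenceRepository:
    """Append-only, hash-chained log: each entry commits to the previous entry's
    hash, so editing, deleting or reordering an earlier entry breaks verify()."""
    def __init__(self):
        self.entries = []

    def _append(self, kind, **fields):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "prev": prev, **fields}
        body["hash"] = _digest(body)  # computed before the hash field is added
        self.entries.append(body)
        return body["hash"]

    def preserve(self, device_id, payload: bytes, ts):
        # Secure Evidence Preservation: commit to the digest of the raw reading,
        # which later proves that a copy handed over for analysis is unmodified.
        return self._append("evidence", device=device_id, ts=ts,
                            sha256=hashlib.sha256(payload).hexdigest())

    def record_access(self, who, seq, ts):
        # Secure Provenance: every read of an entry is itself logged (custody trail).
        return self._append("access", who=who, target_seq=seq, ts=ts)

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    repo = EvidenceRepository()
    # Constructed readings from Alice's glucose monitor (sample data, not real).
    repo.preserve("glucose-monitor-01", b"glucose=5.4 mmol/L", "2024-01-01T08:00:00Z")
    repo.preserve("glucose-monitor-01", b"glucose=7.9 mmol/L", "2024-01-01T09:00:00Z")
    repo.record_access("investigator-A", 1, "2024-01-02T10:00:00Z")
    intact = repo.verify()
    repo.entries[0]["sha256"] = "0" * 64  # simulate tampering with stored evidence
    return intact, repo.verify()
```

A real deployment would additionally anchor the latest hash somewhere the repository operator cannot rewrite (for example, a signed timestamp), since a hash chain alone only detects edits made without recomputing the whole chain.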
DFIF-IoT
— DFIF-IoT: Digital Forensic Investigation Framework for IoT
— Provides a holistic approach that covers proactive (readiness) and reactive
(investigation) processes in line with international standards.
— Advantages:
o Improves readiness
o Complies with international standards
o Promotes standardisation
CONCEPTUAL DIGITAL FORENSIC PROCESS MODELS FOR IoT
IoT FORENSIC TOOLS
— Computer Aided Investigative Environment (CAINE): a professional open-source
forensic platform that integrates software tools as modules along with powerful scripts
in a graphical interface environment.
— Its operational environment was designed with the intent of providing the forensic
professional with all the tools required to perform the digital forensic investigative process
(preservation, collection, examination and analysis).
— EnCase is the shared technology within a suite of digital investigation products by
Guidance Software (now acquired by OpenText).
— The software comes in several products designed for forensic, cyber security, security
analytics, and e-discovery use.
— EnCase is traditionally used in forensics to recover evidence from seized hard drives.
— EnCase allows the investigator to conduct in-depth analysis of user files to collect
evidence such as documents, pictures, Internet history and Windows Registry
information.
— Wireshark: mostly used for network forensic analysis, but its limitation is that it
does not work well with large volumes of network data.
— Bulk Extractor: scans disk images and directory files and extracts information such as
card numbers, email addresses, web addresses, and telephone numbers.
— NUIX: used to scan and process massive amounts of data in order to extract the useful
information that is later used for analysis.
— RegRipper: mainly utilized to scan Windows registry files.
— Magnet IEF: used to scan Internet history, chat history, and operating systems.
— NetAnalysis: helps to scan forensic images and data associated with Internet
history.
— Pajek64: helps to analyse large amounts of network-related data.
EnCase FORENSIC IMAGER BUFFER OVERFLOW VULNERABILITY
IoT FORENSIC MARKETS
— FireEye is a leading company that provides hardware, software, and services for
dealing with malware.
— Its work addresses exploits against specific IoT devices, including smart home systems
and industrial control systems.
— In 2014, FireEye acquired Mandiant, a prominent cyber forensic company.
— After this acquisition, FireEye started providing digital forensics investigation and
incident response as a service.
DIGITAL FORENSIC EXAMINER – JOBS
OTHER COMPANIES
— CYFOR (cyfor.co.uk): a service company based in the UK, well known for mobile
forensics.
— Guidance Software (guidancesoftware.com): a leading company in developing digital
forensics software.
— AccessData (accessdata.com): a leading company in providing forensic software.
— Cellebrite (cellebrite.com): develops devices that perform data extraction, transfer, and
analysis for mobile platforms.
— Oxygen Forensics Detective (oxygen-forensic.com): provides digital investigations on
Amazon Alexa and Google Home and extracts GPS locations from drones.
— Paraben Corporation (paraben.com): provides IoT forensic training, forensic software
and a wide range of digital forensic hardware.
— MSAB (msab.com): extracts, decodes, and views data from leading drone models.
— Magnet (magnetforensics.com): provides all services related to analysing smartphones,
cloud and IoT services.
DFRWS
— Digital Forensic Research Workshop (DFRWS): a non-profit organization that
provides much useful information related to digital forensics worldwide, such as
conferences, blogs, opportunities, etc.
SUMMARY
— Forensic Science
— Digital Forensic
o Digital Forensic Process
o Digital Forensic Approaches
o Digital Forensic Tools
o Digital Forensic Market