2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom)

and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData)

A Forensic Investigation of the Robot Operating System

Iroshan Abeykoon Xiaohua Feng

Department of Computer Science and Technology Department of Computer Science and Technology
University of Bedfordshire University of Bedfordshire
Luton, UK Luton, UK
[email protected] [email protected]

Abstract — The Robot Operating System (ROS) is a

framework that is mostly used in industrial
applications such as automotive, healthcare and
manufacturing and it is not immune from potential
future hacking. By carrying out various types of
cyber-attacks, hackers can disrupt the normal
operation of a robot. It is easy to get control of
communication between a robot and a human due to
the open communication network after carrying out
malicious attacks to jam the network. As a result,
hackers can change commands which are sent by an
operator to the robot, making usual activities
impossible. For instance, in a case of ROS hacking,
man-in-the-middle attacks, Trojans, backdoor
attacks, and so on, can change the behaviour of robots
to something completely different than expected.
Therefore, forensic analysts require a specific method
to forensically investigate ROS. This is a new area in
the computer forensics field. Therefore, it is proposed
to create an analytical framework to facilitate the
forensic investigation of the Robot Operating System
and methodologies and standards for acquiring
related digital evidence using forensic tools. This
study addresses a formalized and structured
methodology that would assist the forensic
investigation approach.
This research will help to enhance the gathering,
identification and preservation of evidence related to
forensics investigations of the Robot Operating
System. The forensic analysts could adapt the
examination procedure of hacked ROS with a
focused, crime-specific, forensics framework.
Keywords – Robot Operating System, Forensics
Tool Kit, Computer Emergency Response Team,
Association of Chief Police Officers
I. INTRODUCTION
A robot is a machine able to carry out a mosaic
method of actions automatically. At present, robots
have a high demand in fields such as manufacturing,
medicine, construction, and others. The robot system
contains sensors, control systems, manipulators,
power supplies and software all working together to
perform a task. Robots may be operated under
human command, while some use a Linux operating
system based on the Robot Operating System
(ROS). Tele-operated robots communicate with
operators using a communication protocol for
remote operations. These communications could be
carried out through public networks, which may be
accessible to anyone. These communication links
can be formed by low-quality connection to the
internet, which may be wireless.
ROS is an emerging standard for building a new
robotic application in the future, and it is not
immune to hacking. For instance, if ROS is hacked
by the man-in-the-middle attack, hackers can change
the behaviour of robots to something completely
different than expected. Therefore, security experts
need to know how to forensically investigate ROS.
This is a new topic for security experts. As an
example, robots that were designed to perform

978-1-5386-3066-2/17 $31.00 © 2017 IEEE 851

DOI 10.1109/iThings-GreenCom-CPSCom-SmartData.2017.131
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
 surgery are called teleoperated surgical robots.
Despite various efforts, teleoperated surgical robots
can still be hacked. In an extreme case, hackers can
take control of the teleoperated robot during surgery
by exploiting programming routines. They can
modify the default speed of the robotic arms and
prevent procedures from being carried out as
directed.
The evidence collected here could improve security
against such events, and provide output to courts
using FTK (Forensic Toolkit) and open source tools
for data acquisition and analysis.
This paper presents methods for imaging robotic
memory, recovering the ROS and deleted data after
hacking, and methods for carrying out network
forensics and tracing the culprit. Digital forensics is
a process of acquisition, examination, analysis and
reporting of artifacts, also known as evidence. At
present, digital evidence is primarily used in a court
of law, and this digital evidence delivers the
valuable forensic artifacts against the offender.
Digital forensics is a vital and constantly evolving
technology.
II. AIMS AND OBJECTIVES
ROS is a meta-operating system which relies heavily
on a message communication framework among
nodes. The framework is realized by its host
operating system such as Linux. There are many
inherited security holes in the ROS-based robotic
system. However, most of them have not yet been
explored fully. This research mainly focuses on how
to acquire the forensic image of the ROS system.
Messages, log files related to robot behaviours, point
cloud data, databases, cached memory, pictures,
sensor data and GPS locations are the artifacts inside
ROS systems to be examined.
This research will assist in framing knowledge
related to digital forensics, building upon current
research as it reveals structured frameworks in the
forensics field, and creating a group of rules guiding
the forensics investigation of the Robot Operating
System to acquire evidence. This research offers a
governing set of principles to guide an advanced
methodology for the improvement of an
international group of standards for the forensics
investigation that may be used to guarantee
852
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
formalized processes in the acquisition of digital
evidence from the Robot Operating System.
III. FORENSICS CONCEPTS
"Scientific tests or method used in connection with
the detection of a crime", is the definition of
forensics given in the Oxford dictionary. The word
forensics is originally from the Latin word forensics,
and it means the science which is involved in courts
for justice. The term criminalistics is a commonly
used term. The solving of crimes has undergone a
phenomenal change with the development of science
and technology; however, some criminals try to
misuse technology for their own advantage. On the
other hand, forensic investigation is not an easy task
for crime investigators. Forensic investigation is
defined as the art that engages investigative
approaches used for collecting and analysing
evidence relating to a crime.
The last decade saw an overwhelming flow of digital
forensics to be legally dealt with. Digital forensics
has become an authoritative domain. Advances in
technology call for digital evidence where a
computer or cyber-related crimes are involved. It is
imperative that the perpetrators of these crimes are
identified and dealt with accordingly. The procedure
followed to obtain this crucial digital evidence is
defined as digital forensics, with mobile forensics
ingrained. Fraud and the rapid rise in computer
crimes call for new research fields like computer
forensics. Cell site analysts and network computer
forensics are aiming at prompt solutions for
eradicating this menace. The prolonged study has
resulted in forensic science such as DNA
fingerprinting (Watson, 1953). Digital forensics is
lagging behind, comparatively, when taking into
account other forensics domains. Digital forensics
entails the interaction of crime, evidence, science
and law.
In the year 2001 August the work shop of the digital
forensics science had been held at Utica Newyork.It
was used to determined scientifically derived and
proven methods towards the presentation, collection,
validation, identification, analysis, interpretation,
report and presentation of digital evidence derived
from digital evidence for the purpose of facilitating
or furthering reconstruction of events found to be
criminal or helping to anticipate them. Unauthorised
actions are shown to be disruptive to planned
operations (DFRW, 2001). There are two main
purposes involved in Digital Forensic Science as
 related to the above definition. It helps to investigate
activities relating to digital crime to conclude justice
or to identify parties engaged in digital forensic
science. Each party follows various approaches for
investigation, and this depends on their varying
objectives. There are four intertwined constituents,
namely, the crime, evidence, science and law in
digital forensics.
Legal, ethical and other integral elements which are
the crux of the investigations have been relegated to
the bottom rung of the digital forensics field while
highlighting only certain areas of digital evidence.
These neglected areas are indispensable not only
because other forensics sciences have given them
their due place, but also because they have to be
given top priority if digital forensics is to flourish.
Evidence for digital forensics must be robust in all
aspects of the law. Digital forensics is still in its
infancy compared to those of botany or
anthropology.
This tool-centred domain is commercially harnessed
for digital investigations. Consequently, reliability,
verifiability and consistency of the digital evidence
legally put forward, have become questionable as
accepted norms have not been established for the
guidance of digital forensics practitioners.
IV. HISTORY OF COMPUTER FORENSICS
With the proliferation of new technology, digital
devices are released to the market day-by-day, and
our dependency on these digital electronic devices
has given rise to new types of crime that can be
categorised as computer related crimes. Computer
crime is a new wave of crime which has increased
and is rising with significant impacts on
government, business and individuals.
The computer forensics field was initiated in the
United States in response to the requirement for
more extensive access to solve cyber-criminal
activities related to protocols in a computer. The
history of computer forensics goes back up to 1970.
At that time, military investigators mainly focused
on investigating digital crimes related to
computers.
In 1984, the FBI Magnetic Media Program was
launched, and it was the beginning stage of the
history of computer forensics. This program still
exists as the Computer Emergency Response Team
(CERT). Computer forensics has become a major
853
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
topic, and law enforcement is also needed in the
field of cyber-crimes.
What is Computer Forensics?
Computer forensics is described as the science of
obtaining, preserving, and documenting evidence
from digital devices. Digital storage devices are
computers, mobile phones, digital cameras, PDAs
and miscellaneous memory storage devices. The
science of forensics is not only related to the digital
environment. Traditional forensic experts can
examine fingerprints and other physical evidence,
while computer forensic specialists consider digital
evidence. The forensic approach should follow
secured protocols and recognised procedures for
collection of digital evidence. The probative value of
the digital evidence is thus carefully conserved,
helping to guarantee admissibility in a legal
proceeding.
Computer forensics has become an emerging new
research field as a result of requirements such as
combating fraud and the rapidly increasing number
of computer crimes. DNA fingerprinting is another
form of forensic science which emerged as a result
of extended studies and experimentation. Computer
forensics will always be bound with computer
security.
Consider a scenario where the hacker has entered
through a security vulnerability into an
organisation's computer network and stolen sensitive
data such as financial transactions, strategic business
plans, customer information, account numbers,
secret formulae and employee records and reports.
Responsible officers in the organisation should
acquire the support of professional forensic experts
and cooperate fully with them.
Digital evidence must be carefully collected at a
physical crime scene and preserved for court
purposes. Computer hard drives or digital media are
the locations where the digital evidence might be
acquired.
V. GUIDELINES
Evidence must be reliable and admissible at all
stages of a computer forensic investigation. The
need for guidelines is recognised by the British
Association of Chief Police Officers (ACPO). The
ACPO have produced a respected set of principles to
guide the investigator in this area.

The UK – ACPO
The ACPO guidelines are used in United Kingdom
law enforcement, and the main principles are applied
in the computer forensics field. ACPO guidelines
provide four principles for handling evidence
(ACPO, 2012), (1) No action should be taken by law
enforcement agencies or their agents, that could
change data held on a computer or storage media
which may subsequently be relied upon in court; (2)
In exceptional circumstances, where a person finds it
necessary to access original data held on a computer
or storage media, that person must be competent to
do so; (3) An audit trail or another record of all
processes applied to computer-based electronic
evidence should be created and preserved. An
independent third party should be able to examine
those processes and achieve the same result; (4) The
person in charge of the investigation (the case
officer) has overall responsibility for ensuring these
principles are adhered to.
Law enforcement in the United Kingdom can be
defined in six steps as identification, preservation,
collection, examination, analysis and presentation.
VI. FORENSIC ANALYSIS OF HACKED ROS SYSTEM
It is crucial that numerous data are made available
when analysing and evaluating with tools for ROS
forensics. Some of the data extracted may be raw
data. The data for ROS is composed of pictures,
point cloud data, GPS data, databases, and file and
network logs. A forensics examiner seeks maximum
output from ROS, such as current memory dump or
cached files and deleted files or images.
Although a methodology has been prescribed for
computer forensics, a standardised method specific
to ROS is yet to be found. After the FTK imager
tools obtain images from ROS, all the hashes are
verified and isolated to preserve the integrity of the
image. Two methods to acquire the forensics image
are highlighted in the current study.
There are some studies which have been conducted
in the field of computer forensics, and some of these
have outlined a methodology to adopt in the case of
computer forensic as a whole. However, a
standardised method specific to ROS has yet to
come into effect. The method adopted here first
acquires images from the ROS by using the FTK
Imager tool. All the hashes are verified and placed
separately so that the integrity of the image is
854
Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
preserved. There are two methods to acquire a
forensic image from ROS. In the case of ROS
hacking by a man-in-the-middle attack, Trojan,
backdoor and so on, this study reveals how robot
forensics can assist in investigations. Through the
intermediary of FTK imager and chip-off forensics,
an ROS can be forensically investigated.
VII. FTK
Forensic Toolkit (FTK) is a developed platform
involved in the field of information security and law
enforcement for digital investigations. It is a free
forensic tool that can be used for the acquisition of
digital media. Filters and the indexing engine are
used in new technologies. FTK helps to reduce the
time consumed in the analysis of relevant evidence
of an investigation. It can be downloaded from the
AccessData official website. Analysis of the data,
information search and volatile data like RAM are
allowed by FTK. It can be used to create bit-for-bit
duplicate images using FTK Imager. This forensic
image contains the file slack and unallocated space
which is an identical copy of the first device. This
forensic evidence image helps to continue the
investigation process, and it preserves the original
device. The analysis of the duplicated image can
generate further information about the investigation
to be included in the final report. A log file is
created by the FTK imager after imaging the
evidence. Log files are included with the MD5 hash
algorithm. This hash value is very important in
computer forensics.
FTK Imager gives a log file after imaging the
evidence, which is very important for computer
forensics because it has hash value.
Why is hash value important for computer
forensics?
A hash value can perform affirmation that a file has
not been tampered with. For instance, an E01 image
file calculates a hash value when copying an exact
byte-for-byte image from a hard drive. A forensics
investigator identifies the integrity of the evidence
using a hash function. A raw image file such as a
.dd image file does not involve the hash function
when copying an exact byte-for-byte image from a
hard drive. Therefore, it cannot verify that the file
has not been tampered with. Ignorable files and alert
files can be found using hash functions. Alert files
are also known as indecent images, and they can be
automatically flagged.

VIII. ANALYSIS AND DATA RECOVERY
FTK and Encase software can be used for this step.
Consider EXT2 as the default file system using
Linux. This can be referred to as a Second Extended
File System. Recently EXT3 has become common.
Linux EXT2 and EXT3 file systems work in
different ways.
The file header is located at the beginning of a file.
Manually, files can be recovered by searching
unallocated space for the file header. If an intruder
deleted a directory of bitmap graphics, you could
search using a sector of BM through unallocated
space. This can be used to recover the file using the
Linux dd command, providing that the file has not
been overwritten and the file is not fragmented. In
this research, the case of several deleted jpg files is
considered. The first sector of the jpg file is
identified by searching as JFIF. (Figure 2)
Let us assume that the file system as EXT2 for the
final recovery method. This is somewhat common
for Linux file systems. The system debugger is used
to recover files in this method. All data of the ROS
system is stored inside Linux, which aids recovery
of the ROS file system. ROS uses two database
systems, namely, SQL and Mango. The Mango DB
is an open source database system, and it is
classified as an NSQL database system. In database
forensics, you can recover deleted data rows and
reconstruct them. Also, you can forensically analyse
mechanisms of DB data writing, data overwriting,
and the internal structure of the data rows and data
geometry. All ROS programs stored in SQL
databases are formatted.
detect evidence after security attacks. It is reordered
by an acquisition of digital evidence that helps to
identify security incidents and identify problems.
Computer forensics researchers have implemented
two approaches for network forensics on a system.
The first method is called a catch. It captures all
network packets, and it requires large storage. The
second method is stopped. In this approach, all
network traffic is monitored.
This method requires a high-performance processor.
Currently, there is no well-developed network
forensics system for academic or educational
institutions. Cybercrimes occur due to ongoing
network packets exchanged with other hosts’
communication on the network. In this research, the
volatile evidence is obtained using tools after
capturing network packets.
In this research, Tcpdump, which is a free software
and depends on BSD license, is used. Tcpdump is
executed in command mode. The Lib-pcap library is
used to extract network packets in a Linux System,
which can help with the analysis of the packet
header and content. This capture tool is implemented
to acquire real-time network packets from a
compromised host.
X. RESULTS
The deleted images of the robot operating system are
available at img/E01/home/ros/.cache/thumbnails.

Figure 1 – Image of the thumbnails inside the ROS

IX. NETWORK FORENSICS

Network Forensics is not a new area of study. It is

the science of capturing, recording and analysing to

855

Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
 XI. CONCLUSIONS

Robot usage will rapidly increase in industrial

applications. Cyber crime related to robots may be
reported increasingly in the future. Hackers will start
to hack robots to perform fraudulent activities, and
delete or format their laptop or PC after hacking.

This research mainly focuses on creating a

Figure 2 – Image of recovering the deleted files formalized and analytical framework to acquire
related digital evidence after a forensic investigation
The location of video files in the robot operating of a Robot Operating System. This analytical
system is available at approach will be derived to be supported by
imag/E01/home/ros/turtlebot_videos. practitioners such as computer security analysts,
lawyers and law enforcement officers in the
forensics field when investigating cyber-crimes
including the technology of Robot Operating
Systems. In the future, terrorists may begin to
secretly attack ROS due to the open communication
network which could allow changes to be made in
the manufacturing process used in industrial
applications. As a result, this could cause a huge loss
for the attacked company in a very short timescale.
Therefore, this research will become an essential
topic for security experts. The output will be
Figure 3 – Location of video files in ROS supported by factual evidence gathered from
analysis and data collection to guarantee its
Logs of ROS
relevance to law enforcement. This study will both
This path shows that start time of the ROS and log challenge and offer valuable research in the forensic
out time of the ROS. The commands of the ROS are investigation field.
available in these logs and they are available at
img.E01/home/ros/log
References

[1] Abdulhayoglu, M., Tas, E., Sealskin, I., Lvovskiy, V. & Klimov
system for performing security and vulnerability scans on devices
behind a network security device, V. 2008, Method and.

[2] ACPO., The Association of Chief Police Officers of England,

Wales and Northern Ireland e- Crime strategy (2012) available on: at
HTTP://www.acpo.police.uk/asp/policies/Data/Ecrime%20Strategy%
20Website%20Version. pdf

[3] Allen, L., Heriyanto, T. & Ali, S. 2014, Kali Linux–Assuring

Figure 4 – Master logs of ROS Security by Penetration Testing, Packt Publishing Ltd.

[4] Altheide, C. & Carvey, H. 2011, Digital forensics with open

source tools, Elsevier.

[5] Carrier, B. 2005, File system forensic analysis, Addison-Wesley

Professional.

[6] Choi, B. & Seo, D. 2005, System and method for analyzing
malicious code protocol and generating harmful traffic.

Figure 5 – Commands of ROS

856

Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.
 [7] DFRWS, "WS1 - A Framework for Digital Forensic Science," in
A Road Map for Digital Forensic Research, G. Palmer, ed., NY,
DFRWS, 2001.

[8] Elder, B. 2012, "Chip-Off and JTAG Analysis for Mobile Device
Forensics", Evidence Technology Magazine, May-June.

[9] Engebretson, P. 2013, The basics of hacking and penetration

testing: ethical hacking and penetration testing made easy, Elsevier.

[10] Garfinkel, S. 2012, "Digital forensics XML and the DFXML

toolset", Digital Investigation, vol. 8, no. 3, pp. 161-174.

[11] Heiderich, M., Heyes, G. & Aranguren-Aznarez, A. 2014,

Systems and methods for client-side vulnerability scanning and
detection.

[12] Hoelz, B.W., Ralha, C.G. & Geeverghese, R. 2009, "Artificial

intelligence applied to computer forensics", Proceedings of the 2009
ACM symposium on Applied ComputingACM, , pp. 883.

[13] Holik, F., Horalek, J., Marik, O., Neradova, S. & Zitta, S. 2014,
"Effective penetration testing with Metasploit framework and
methodologies", Computational Intelligence and Informatics (CINTI),
2014

[14] Joshi, Y., Das, D. & Saha, S. 2009, "Mitigating man in the
middle attack over secure sockets layer", Internet Multimedia Services
Architecture and Applications (IMSAA), 2009 IEEE International
Conference on IEEE, , pp. 1.

[15] Kim, P. 2014, The hacker playbook: Practical guide to

penetration testing, Secure Planet LLC.

[16] Lyon, G.F. 2009, Nmap network scanning: The official Nmap
project guide to network discovery and security scanning, Insecure.

[17] Maynor, D. 2011, Metasploit toolkit for penetration testing,

exploit development, and vulnerability research, Elsevier.

[18] Nance, K., Bishop, M. & Hay, B. 2009, "Investigating the

implications of virtual machine introspection for digital forensics",
Availability, Reliability and Security, 2009. ARES'09. International
Conference on IEEE, , pp. 1024.

[19] Olivier, M.S. 2009, "On metadata context in database forensics",

Digital Investigation, vol. 5, no. 3, pp. 115-123.

[20] Ouafi, K., Overbeck, R. & Vaudenay, S. 2008, "On the security
of HB# against a man-in-the-middle attack", International Conference
on the Theory and Application of Cryptology and Information
Security Springer, pp. 108.

[21] Waton. J, and Crick. F, 1953"Molecular Structure of Nucleic

Acids: A Structure for Deoxyribose Nucleic Acid," Medical Research
Council Unit for the Study of the Molecular Structure of Biological
Systems, Cambridge.

857

Authorized licensed use limited to: J.R.D. Tata Memorial Library Indian Institute of Science Bengaluru. Downloaded on December 12,2024 at 08:36:32 UTC from IEEE Xplore. Restrictions apply.