Vol. 8, No.

1 | Jan – June 2025

IoT Forensics: Addressing Challenges and Establishing

a Framework for Exploring Digital Forensics
Shauban Ali Solangi1∗
1
Department of Information Technology, Faculty of Engineering & Technology (FET),
University of Sindh, Jamshoro, Pakistan. (76080).

Abstract:
IoT forensics is a form of digital forensics that focuses specifically on the investigation of
security incident detection and the accumulation and analysis of evidence to eliminate future
attacks upon IoT networks. It is differentiated from other kinds of digital forensics due to several
unique characteristics present in IoT equipment, such as low processing capacities and
connectivity features. The science is rapidly transforming, and reviewing the entire activity to
keep it abreast of new threats and best practices should be done very often. This paper reviews
the present state of IoT forensics and outlines the challenges investigators face. Also, a
framework is devised to mitigate these issues and help in a smooth process of data analysis. For
this, relevant reviews are analyzed to find key issues and significant obstacles in the field. Many
problems emerge in the collection and preparation of evidence, largely because of counter-
analysis techniques and challenges in data gathering from devices and the cloud. The analysis
also highlights procedural issues concerning preparedness, reporting, and ethical considerations.
We have identified the challenges of the existing research, which will help guide future studies
and, thus our contribution to the IoT forensics field.

Keywords: IoT, digital forensics, cloud forensic, proactive and reactive forensics, digital
evidence.
1. Introduction
The Internet of Things, or more commonly
referred to as IoT, is a group of devices
equipped with electronics and software along
with sensors that can share data and
communicate with each other. It helps
automate processes and enables cooperation
among different industries, such as healthcare,
agriculture, transportation, and manufacturing
[1], [2]. Nevertheless, several issues need to be
fixed, such as security problems, lack of
standard rules, and risks of hacking. These
problems need to be solved in order to fully
unleash the benefits of IoT and to protect
privacy and data. There is also an increasing
demand for IoT forensics with the growing use
SJCMS | P-ISSN: 2520-0755| E-ISSN: 2522-3003 | Vol. 8 No. 1 Jan – Jun 2025
43
of IoT devices in our lives, including their
misuse in criminal activities [3]. IoT forensics
involves the collection, analysis, and
preservation of digital evidence from these
devices for legal cases or incident
investigations. Critical areas of focus in this
field are: Extracting evidence from IoT
devices, Analyzing network communications,
Designing special tools and methodologies for
the unique challenges posed by various IoT
devices, Enhancement of reliability of forensic
evidence, and Setting standards for IoT
forensics practices [4].
Most application domains give a clear view
of the IoT, including cloud computing,
agriculture, smart homes, manufacturing,
supply chains, and smart cities, all connected
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
through the Internet. IoT technology has
enabled remarkable advancements, allowing
for the interconnection of uniquely identifiable
physical devices [5]. This includes sensors,
Radio Frequency Identification (RFID) tags,
and sensor networks that monitor greenhouse
systems. These sensor networks are the
backbone of managing agricultural processes
and water distribution in smart cities [6-9]. The
integration of IoT into life has brought many
benefits through its applications, but this also
generates a large amount of data on a daily
basis, thus creating new paradigms and
security issues concerning evidence-based
information. Recent developments in
Information and Communication Technology
(ICT) have sparked a dramatic increase in
connectivity and use of IoT devices.
According to IDC, connected IoT devices
would reach more than 41.6 billion by 2025,"
and "IoT utilization worldwide was estimated
at USD 772.5 billion in 2018 with a growth of
14.6% in IoT consumption during 2017."
According to IDC and Gartner, the CAGR in
IoT device consumption will jump to 1.1
trillion by the end of 2021, and over and above
everything, the interest in these devices is
going to spread out across a myriad of sectors,
indicating tremendous opportunities for
growth till the year 2028 [10], [11].
As envisioned by Gartner, installation in
2019 was projected at 26.66 billion while in
2020 was expected to rise at 30.73 billion with
an exponential rate of 35.82 billion in 2021.
Total IoT installed devices are predicted to
reach a considerable number close to 75.44
billion with the curve demonstrated in Fig. 1
[12], [13]. However, the large amount of data
generated by IoT requires the need for IoT
forensics and investigations, along with
privacy concerns about data usage. Security
and privacy are undoubtedly paramount,
especially as IoT-driven productivity increases
across businesses, governments, and top
management levels. Since IoT systems handle
important and sensitive information, any
vulnerability could lead to significant risks and
cyber-crimes.
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
44
(pp. 43-55)
Fig 1: Worldwide IoT devices connections [13]
IoT connectivity intertwines and integrates
nearly every system, device, standard, and
protocol of ICT networks, presenting a high
degree of heterogeneity, thereby increasing
challenges in the area of security and privacy.
Hence, any loophole in security can be
determined and exploited by attackers. An
expert cyber-criminal can strategize an attack
using public or open networks or private
networks and sources, like smart homes,
smartphone, or smart cars. Therefore, all those
malicious actions related to data theft of
personal or organizational information can be
seen as a huge threat to people and the business
integrity [11], [14].
IoT forensics represents one of the most
powerful tools in the spectrum of key
applications: criminal investigations, incident
response, and litigation. It is a beacon in the
criminal investigation approach: the extraction
of critical digital evidence from the IoT device
illuminates the possible route to justice. It
unravels, in the context of incident responses,
the origin and scope of security breaches
involving connected devices, thus keeping
organizations in control [14]. The legal
processes rely on the integrity of IoT forensics
to gather and safeguard data that can stand
strong in court as evidence, preserving truth
and accountability. This multi-phased journey
of IoT forensics consists of critical steps,
starting with the careful seizure and protection
of IoT devices to uphold their integrity. It
progresses through both volatile and non-
volatile extraction of data and then into
profound analysis of communication on the
network and data, which delivers significant
and relevant information and connections. It
culminates with analytical results speaking to
the facts. Researchers, each with their own
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
courage in facing the multi-faceted challenges
they come across with IoT, manage operating
systems, storage systems, data formats, and
bridge them up by creating solutions. It follows
on to reliability and consistency in forensic
evidence gathering and the establishment of
strong standards for IoT forensics [15-17].
Network communication analysis delves into
the intricacies of network traffic and
interaction records, which are used to
determine the behavior of devices and their
interconnections, thereby improving our
understanding of this dynamic realm.
IoT devices generate data with such
complexity and high volumes that digital
forensic investigations become much more
complicated. Most information is stored in
IoT-based clouds, making data acquisition and
retrieval very difficult due to SLAs and data
volatility. Effective digital forensics, therefore,
require systematic research in IoT areas as the
infrastructure is changing rapidly [17]. No
matter whether it is virtualized or traditional
computing, proper procedures must be
followed along with legal analysis of evidence.
Some of the major challenges include a lack of
forensic tools, heterogeneous data, ambiguous
locations of data, and information volatility.
The collection of data from the distributed IoT
network poses technical and legal obstacles
due to limited storage and integrity issues
among devices. Additionally, they need
reliable forensic tools and secure custody
chains. Identifying these primary research
design challenges is crucial for advancing
digital and IoT forensic investigations.
This research article comprises five
sections. Section I provides a succinct
introduction to the IoT and digital forensics
and the nature of the research. A literature
review of existing research related to digital
forensics with suggested designs is provided in
Section II. In Section III, an overview of some
of the digital IoT forensics is provided. In
Section IV, key challenges within the existing
forensic research design are provided with the
identification of the research gap.The proposed
framework for the digital forensics is discussed
in Section V. Finally, the conclusion and future
directions are provided in Section VI.
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
45
(pp. 43-55)
2. Background
A digital forensics framework, also known
as a digital forensic process model, is a series
of steps with the related inputs, outputs and
requirements with which assistance is given
toward a successful forensics
investigation[18], [19]. A digital forensics
framework powers forensic investigators as
well as any other related personnel to carry
meaningful investigations and administer
justice by unearthing criminals and bringing
the perpetrators to task. This allows a
structured framework for each investigative
phase, providing for timely actions that are
relevant and effective for the case being
investigated. Implementing these
considerations will allow reconstructing the
time line of all events and pertinent data with
ease. The most critical stage in this regard is
the careful maintenance of evidence chain of
custody because it serves as the guarantee to
win these battles and secure the truth triumph
in court.
Different investigation models, tailored to
specific phases and levels of detail, are
essential for effectively addressing various
types of investigations. In this regard, Kohn et
al. provides an integrated suitability
framework maps a set of requirements derived
from an ongoing investigation to the most
appropriate forensic procedure [20]. Finally,
the authors make use of a graph-based
approach, illustrating the interrelation between
well-known forensic frameworks: number of
phases and their respective content. Notable
frameworks are the Analytical Crime Scene
Procedure Model, abbreviated as ACSPM
[21], the Systematic Digital Forensic
Investigation Model, abbreviated as SRDFIM
[22], and the Advanced Data Acquisition
Model, abbreviated as ADAM [23]. In general,
law enforcement agencies follow their variant
of the guidelines provided by the Association
of Chief Police Officers, ACPO [24]. In
addition, additional forensic guidelines and
models recommended by NIST and
INTERPOL can be found in [25-32].
Table 1 summarizes the most widely
known digital forensic frameworks. In general,
the procedures listed in Table 1 share a
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
common hierarchical structure [33], [34] that
can be grouped into the steps described in
Table 1. Notice how some of the models detail
finer granularity for a subset of the steps where
the context of the investigation requires it-for
example, particular appliances and constraints
on seizure or acquisition. In the case of chain
of custody and trail of events preservation, a
forensically sound procedure must ensure
features like integrity traceability,
authentication, verifiability and security [35],
[36].
Several authors also identified some
problems in digital investigation processes
during earlier times, that is [37-45] mainly
related to the preservation of chain of custody,
the growth of the data to be processed, and
privacy and ethical issues when collecting such
data. Furthermore, our research methodology
discovered a number of literature reviews
which addressed the challenges and limitations
of forensic frameworks. For example, in [44],
the authors used a graph analysis methodology
for leveraging a summary of digital forensic
frameworks and tools along with their
interrelationships. Moreover, they presented
some challenges and limitations of privacy-
preserving digital investigation models and
proposed some measures to palliate them. In
[45] the authors present a chronological review
of the most well-known forensic frameworks
and their characteristics. The work in [46]
assesses the current frameworks among
European law enforcement agencies,
identifies, and defines elements of robustness
and resilience in the context of sustainable
digital investigation capacity so that
organisations can adapt and overcome
deviations and novel trends. In [43], the
authors identified the need to define specific
models according to the forensic context, such
as in the case of Mobile Forensics [43]. In
addition, the authors provided a specific
forensic framework to enhance the Mobile
Forensics investigation. Additional reviews of
the most widely applied forensic frameworks
and their characteristics are available in [47],
[48]. Table 14 summarizes the key identified
challenges of each literature review in forensic
frameworks.
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
46
(pp. 43-55)
Whereas for forensic guidelines and
frameworks, in parallel, standards are
extremely important to obtain conformance in
addition to inter-compliance geographical and
jurisdiction borders. There already are many
numbers of standards plus established
practices with organizations worldwide being
applied using appropriate methods. On how to
practically go about such a forensic treatment
on a certain investigation, such details vary due
to the particular device. As shown in Table 12,
the phases of electronic evidence analysis are
typically categorized as stated. However, the
exact phases' name may be different because
different forensic models may be used
according to each organization's needs.
The huge amount of information exchange
demands much more attention related to cyber-
security. The IoT forensic and digital forensic
investigation has a lot of research suggestions
in different application domains by numerous
research scholars throughout the world, still
require an effective framework for
consideration concerning the digital forensics.
3. Digital Forensics Challenges
There are certain factors which
significantly affect the IoT forensics process.
First, the explosion of big data which have
created large data, and lack of real-time log
analysis. Second, the varied and numerous
devices, most of them having heterogeneous
functionalities, and resources limitations.
Third, the complexity comes in both forms
namely a huge number of devices or data, and
heterogeneous operating systems as shown in
Fig. 2. Fourth, the data diffusion from multiple
platforms and systems such as data-ware
houses, databases etc. Fifth, different vendors
and different standards are adopted and applied
by proprietary hardware and software
companies. Sixth, the legal process of the data
collection and usage from the indigenous and
or cross-borders perspectives. Seventh, the
varied data formats and storage of capacity of
the data in either phone memory or at the data
centers impose challenges in the digital
forensic processes.
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
Apart from this, the IoT enables various
devices to connect over networks, creating
significant security problems. Public networks
must be constantly monitored to protect users'
IoT systems from cyber attacks. Weakness in
security provides a chance for attackers to
harm the user and invade his privacy. These
cyber attackers can use DoS, sniffing, data
modification, malware attacks, MiTM attacks,
and Trojan horses among others. Many
organizations have reported significant
damage and losses due to these types of
attacks. Smart tablets, smartphones, and
personal computers will need secure and
reliable settings with strong encryption
protocols. IoT security challenges include
privacy and authentication, device variety, and
policy issues. The current security protocols
still require more research. As the exchange
between devices needs to be confidential. The
requirement increases if devices monitor data
without human oversight. But preserving
confidentiality requires protection against any
unauthorized changes in the data—as
confidentiality demands integrity in addition.
Fig. 2: Digital Forensics Security Stages [source:
the Internet]
Privacy in IoT-based systems demands
excellent security. Consideration from
viewpoints of user's and data point of view -
privacy is absolutely necessary. While IoT
devices observe the environment with their
sensors collect the data sensed, process that
data and submit it to end users for an analysis.
So, users do rely on them. However because of
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
47
(pp. 43-55)
nature IoT, in turn, is complex to ensure those
are authenticable to users always. Users can
create trust by using dependable services and
key sharing for the transmission of data. Key
management and encryption facilitate trust in
the incoming and outgoing information.
4. Investigations related to Digital
Forensics and existing frameworks
In Digital Forensics (DF), the investigation
process for the information related to security
can be revealed through how, when, where,
and what incident has taken the place. In other
words,. Digital Forensic is the process of
identification, collection, examination, and
analysis of digital evidence found in the digital
devices under criminal investigation. The
collected evidence present in the court of law
for legal proceedings. Therefore, emerging IoT
devices proliferation made it a bit difficult for
examiners to carry out satisfying results. Most
of the organization, on the other hand, are
reluctant to ponder about cyber-security issues.
Even though cyber-security demands focused
consideration.
However, the traditional method for the
digital evidence investigation is not applicable
to the IoT forensic due to the huge amounts of
IoT data, Integration of IoT and the Cloud,
legal, and technical issues.. The traditional
method for the investigation can be both the
evidence collection from the primary sources
namely PCs (Personal Computers), main
servers, laptops, mobile phones, and gateways,
or IoT devices such as home appliances,
medical devices, sensors, and many other
smart IoT devices. Consequently, the digital
forensics and related investigation is still
impromptu and requires a comprehensive
framework for the investigators in a volatile
digital forensic environment.
In the investigation process of DF, the
technical areas are supposed to require deep
and comprehensive research. Also, the
ownership and jurisdictional issues are the
same from the legal perspective. Because
forensics tools are incapable to delve into the
investigation process due to different IoT
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
devices and their proprietary designs and
ambiguous data storage places and network
approaches [35]. On the other hand, some
traditional approaches in the DF are relatively
involved to carry out the desired results based
on the standardization processes. Traditional
processes mainly focus upon the information
sources namely, Random Access Memory
(RAM), HDDs (Hard Drives), logs, histories,
and any connected storage source.
Interestingly, the traditional method of
investigation comprises a range of malicious
network activity detection. In this detection
method, the data traffic passing through the
network is closely analyzed and stored. When
it comes to mobile cellphone crimes, the DF
investigation method leverage significant
challenges for the preservation of the evidence
and the encryption techniques for a volatile
environment. The data collection and analysis
from both the legal perspective and technical
perspective is with all supporting facts
presented before the court for further actions.
Therefore, the legal and technical issues with
data representation for necessary proceedings
in the courts require the traditional and state of
the art digital forensics investigation expertise
to disclose the real facts about the crime [36].
In the last one and a half decades,
various research contributions have suggested
different solutions and frameworks in the
fields of DF. The suggested research studies
not only contributed to the information and
communication technologies but also in
improved frameworks and models.
A digital forensics framework consists of
the stages of digital forensics that are given
below:
1. Identification:
In this stage, incident location and
unknown crime location are focused.
Assurance of service manageability, service
availability, and flexibility is affected by CSPs.
SLA guidelines mostly focused upon security
needs than forensic needs as illustrated in Fig
3. SLA specifications and log framework on
both physical machines and data centers are
permissible for the creation, storage, and
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
48
(pp. 43-55)
process of the data, whereas the data storage is
likely to be replicated [37-40].
2. Understanding:
At this level, the help of tools and
technology is needed for the support of
evidence, and authorization is required for
monitoring and accessing the overall system. It
resolves the complex tasks in CC platforms
through the recovery of deleted data from
Backups, Repositories, Snapshots, Mobiles as
shown in Fig 3. Examining the partial
evidence is a real risk because partial or
incomplete evidence may be inadmissible in
court [41-43].
3. Reporting:
Reporting comprises the approaches
to formulate a dynamic technological question
that strongly supports the evidence and reflects
the potential impact on witnesses. It requires
the reconstruction of the crime scene as shown
in Fig 3. It needs state-of-the-art digital
forensic related valid tools and process and
guidelines, and evidence. Due to the
complexity of the IoT environment sometimes
it is difficult to make understanding the jury
about the crime scene as depicted in Fig 3.
Fig 3: Main challenges of the digital forensics.
4. Close
It ensures the digital and physical
properties of the returning of the evidence. So,
this stage advocated the return of evidence and
secure the deletion of the data. Legal training
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
and legal advice are required as shown in Fig
4.
5. Examination
The examination comprises insightful and
valid systemic research for the evidence.
Creates challenges in the timelining of events
and logs help an investigator to connect the
dots as illustrated in Fig 4.
6. Collection
At this level of digital forensics, the crime
scene evidence collection with all supporting
data to the suspected crime scene is collected
or recorded. Sometimes, a snapshot of virtual
machine or forensic image is a process of
making a clone of a virtual image including the
running system’s memory. It adds to the
complexity of forensics data collection and
easy to seize the hardware as shown in Fig 3.
7. Preservation:
Preservation is based on the data
volatility, data integrity, data isolation, and
valid state of the data whether it is in the form
of digital evidence or physical evidence. So,
state-of-the-art forensic techniques and cloud
provider’s expertise use their crucial
environment. Therefore, having persistent
storage and keeping the storage synchronized
is suggested by researchers to counter the data
volatility issues as shown in Fig 3.
After following all these stages and
completing the requirements the data is further
analyzed for presentation. The data
presentation incorporates all necessary steps to
identify, validate, and support all legal and
technical aspects which strongly support the
suspected crime. The suspected crime scene
reconstruction, no doubt, requires potential
expertise. This relates to the physical and
digital evidence that supports and validates the
case. Due to the prevalence of DF as a complex
infrastructure, forensics investigators confront
new challenges that require comprehensive
and potential knowledge. Thus, the forensics
investigator must be equipped with state-of-
the-art knowledge and possess the expertise to
tackle the challenges.
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
49
(pp. 43-55)
Numerous digital forensics research has
been proposed with different methods for
investigations that rely purely on the types of
cases and investigation areas. For two decades
the research has been carried out by suggesting
frameworks or designs for compromising
results. Therefore, the categories are divided
into seven stages. Each stage is further
categorized into a specific sub-stage or as a
cloud forensic design challenge. In Table 1,
digital forensics design comparisons for a
specific category are given. So, many research
scholars proposed the research designs by their
specific contribution identification of SLA
design, log frameworks, decentralized data,
and CSP based dependency [42], [46-59], [67].
Various research designs have been suggested
for each digital forensics area in the stage of
understanding the cyber-crime namely
recovery of the deleted data from cellphones,
laptops, and others [47] [51-54], [56-64].
Partial returning of the partial evidence and
information related to the cyber-crime [42],
[47-50], [52], [66]. Cryptographic data
recovery in mobile devices namely computers,
laptops, and cellphones in suggested by [27]
[53] [59], [44], [63] as shown in Table 1. Some
research scholars specifically focused upon the
reporting, close or returning of the evidence,
examination and collection the crime- scene
related information and collection all main
supporting points which strengthen the
evidence are suggested in [41-52], [56-74] that
advocated about the crime-related data
gathering and maintaining information. To
validate the evidence, it is essential to maintain
and lining the data with the evidence digital
signatures. Storage data recovery, and fully or
partially deleted data recovery and its
verification regarding the multi-tenancy and
resource sharing also demands a significant
consideration as shown in Table 1. In the data
and evidence preservation stage, various
challenges of the design have been cited with
the corresponding solution in [26] [42] [47]
[48] [52] [53] [50] [43] [59] [46] [56], is the
data integrity and chain of custody. In data
integrity and privacy, and SLAs are those
issues, having almost the same number of
solutions with all the others added up as shown
in Table 1.
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
(pp. 43-55)
TABLE I: Overview of digital forensics stages mentioned stages and sub-categories possess a
and corresponding challenges quite enriched future for future research as
represented in Table 1.
Forensics
Stages framework References
challenges
5. PROPOSED FRAMEWORK FOR
THE DIGITAL FORENSICS
Not accessible
[30-67]
Identification

location-wise or
Unknown In this section, the proposed digital
Decentralized [43] [42] [46-48] forensics framework includes phase-wise flow
Data [50-69] for an effective process as shown Fig. 4.
[41] [47] [51] [52] Particularly, this framework covers all
CSP based
[53] [54] [55] [56]
Dependency
[57] [58]
essential areas from preparation of the
[47] [52] [51] [41] investigative to the finalization of the evidence
Recovery of collection. But, the devised phases help to
Understanding

[27] [53] [62] [63]

deleted data
[64] [56] maintain a coherent and abstract enhancing
Partial evidence [50] [47] [50] [66] efficient and appropriate investigation.
Furthermore, the data source verification and
[27] [53] [59] [44] the interactive sessions with the digital
Cryptography
[63] forensics administrations or digital forensics
Jurisdiction [41-67] expert from the preparation phase to the
establishment of evidence. Therefore, there are
Reporting

Crime scene
[42-54] four phases for this framework, and each phase
reconstruction
[41] [27] [38] [47] is formalized encompassing important steps.
Complexity of
cloud
[48] [59] [53] [63] Phase 1 deals with the preliminary preparation
[70] of the process for the evidence gathering by
Return of going through the planning for process by
Close

[42-44] [68], [69],

Evidence and
[70] getting official order for the investigation,
Secure Deletion verification of the data source whether it is
Lack of Log
[59], [61], [71-74]
primary data or secondary data, and finally, to
Examination

Framework have clear awareness regarding legal or

[27] [53] [59] [47] organizational ethical issues as shown in Fig.
Encrypted data
[48]
4.
lining [48] [51] [39]
After completion of the Phase 1, the Phase
[26] [28] [48] [51- 2 is started where a strong focus is paid on the
Inaccessibility
53] both aspects of the forensics process namely
Collection

Deleted data [27], [49-57] reactive forensics and proactive forensics as

shown in Fig. 4. The reactive forensics is
Multi-tenancy
and resource
[26] [42] [32] [48- applied when there is the perception of having
68] detected digital crime, in favor of legal
sharing
[26] [42] [47] [48] prosecution. This type of forensic reaction is
Preservation

Data integrity manifested in five steps, which integrate a

[51-70]
Chain of [41] [42] [47] [52] [51] conditional iteration facility for further
custody [61-69] possible forensic examination, which are given
Data volatility [46] [48] [52-66] below:
I. Identification: During this stage, the
Several solutions to the design challenges investigator identifies the available evidence
and access issues are based on previous and determines if it is an internal network or
experience and old-fashioned designs. All the cloud-based. In addition, the investigator
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
50
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
identifies the tools and techniques needed for
subsequent processes.
II. Acquisition: Acquisition refers to the
process of acquiring digital forensic evidence
by imaging. This process ensures the usability
and admissibility of the evidence in a court of
law while preserving the integrity of the
original materials.
III. Preservation: The first responder
performs preservation, where he or she is
supposed to isolate and secure the original
evidence in a manner that prevents
contamination.
IV. Examination: This is the core
process where facts are discovered through a
systematic approach using forensic tools and
techniques.
V. Analysis: In this last stage, the results
of the examination are carefully analyzed,
evaluated, categorized, and concluded. This is
important for preparing and presenting the
digital forensics report successfully.
Fig 4: Proposed digital forensics framework
having four phases.
On the other hand, proactive forensics
deals with the instant action taken in
safeguarding the evidence in a real
investigation focused on the detection of
incidents or crimes. It also deals with securing
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
51
(pp. 43-55)
evidence in already established crimes. In
addition, to enhance digital forensics and the
pursuit of prosecution through the legal
channel. Also, this process is the systematic
gathering and preservation of physical
evidence that is not limited to DNA and
fingerprints etc. These encompass three
primary processes namely securing the scene,
preservation of the physical environment, and
detection of the incident or the crime.
In the Phase 3, the presentation of the
process is initiated, but this is done having the
documentation and cooperation and
coordination with the digital forensic expert.
Because, the presentation marks the
completion of whole process, delivering the
ultimate results, facts, and findings culled from
the digital forensics processes. The facts and
information shared by the investigator
determine whether the case of crime is being
made in both the legal trial and the decision-
making of the organization. There are four
essential steps for this process which are as
follows:
I. Report: It provides an in-depth
description of the forensics case that outlines
the starting point, readiness for examination,
and the background of the examiner.
II. Reconstruction: the reconstruction
means an in-depth analysis and review of the
findings of the DF examination. It is a crucial
step that determines how certain results were
obtained; it serves different purposes in
investigations.
III. Distribution: It share the valuable
lessons learned from the completed digital
forensics process with concerned investigators
so that they are empowered to conduct future
investigations of a similar kind with greater
efficacy.
IV. Return of Evidence: The last task
undertaken by the investigator is the
systematic return of evidence to its rightful
owner so that integrity and transparency are
maintained in the investigative process.
Once a forensic case has been initiated,
then from the state of preparation to the
presentation stage, it becomes highly
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
(pp. 43-55)
important. This precious record forms the proposed framework, it becomes essential to
cornerstone upon which the forensic report manage each stage of a forensic case with
will be written that will empower the care, from preparation through to
organizations and courts in deciding the presentation. Thorough documentation is
correct path towards justice. Moreover, all fundamental, as it serves as the foundation for
documentation is preserved by the digital the resultant forensic report, thereby
forensics administration or database. It equipping organizations and judicial
becomes a beacon in future investigations. authorities to make informed decisions
regarding justice. Moreover, all
6. Conclusion documentation is preserved by digital
Digital forensics presents complexities forensics administration or database systems,
due to the heterogeneous nature of the IoT ensuring availability for future investigations.
devices while also offering significant
AUTHOR CONTRIBUTION
advantages. It provides crucial security
measures to users against malicious activities Shauban Ali Solangi: Concept, idea, writing,
and criminal acts. Conducting digital forensics editing, review.
in an IoT environment demands a more
DATA AVAILABILTY STATEMENT
thorough and insightful investigation
compared to traditional digital forensic The data will be made available upon
methodologies. The IoT encompasses a reasonable request.
diverse array of technologies and devices,
including sensors, cloud computing, and radio
CONFLICT OF INTEREST
frequency identification (RFID) systems,
which collectively produce substantial No potential conflict of interest is reported for
volumes of data and create unique security this research.
challenges. Yet, technical as well as
nontechnical challenges arise from the nature
FUNDING
of IoT devices that hinder digital forensic in
the IoT domain. This study focuses on No funding is acquired.
identifying some of the salient challenges
faced in the effective conduct of IoT forensics. ACKNOWLEDGMENT
Moreover, the research identifies important We would like to thank the University of
domains for digital forensic inquisition that Sindh, Jamshoro.
can help in further improvements and inform
the development process. This study conducts
a comprehensive review of the current state of REFERENCES
IoT forensics, outlining the challenges
investigators routinely face. Furthermore, a [1] L. Da Xu, W. He, and S. Li, “Internet of
Things in Industries: A Survey,” IEEE Trans.
framework is developed to address these Ind. Informatics, vol. 10, no. 4, pp. 2233–
challenges and enhance the efficiency of data 2243, Nov. 2014.
analysis processes. Analyzing relevant [2] M. M. Aslam, K. Kalinaki, A. Tufail, A. G. H.
literature reveals significant issues related to Naim, M. Z. Khan, and S. Ali, “Social
the collection and preparation of evidence, Engineering Attacks in Industrial Internet of
Things and Smart Industry,” in Emerging
largely due to counter-analysis techniques and Threats and Countermeasures in
difficulties in data acquisition from devices Cybersecurity, Wiley, 2025, pp. 389–412.
and cloud services. The analysis also 2025.
emphasizes procedural matters concerning [3] A. Dehghantanha, “Internet of Things
investigator preparedness, reporting, and Security and Forensics: Challenges and
ethical considerations. By utilizing the
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
52
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
Opportunities,” Future Generation Computer
Systems, vol. 78, no. 2, pp. 544-546.2018
[4] H. M. Zangana and M. Omar, “Introduction to
Digital Forensics and Artificial Intelligence,”
2025, pp. 1–30. doi: 10.4018/979-8-3373-
0857-9.ch001.
[5] K. Khoumbati, S. A. Solangi, Z. Bhatti and D.
N. Hakro, "Optimal Route Planning by
Genetic Algorithm for Wireless Sensor
Networks," 2020 International Conference on
Information Science and Communication
Technology (ICISCT), KARACHI, Pakistan,
2020, pp. 1-4, doi:
10.1109/ICISCT49550.2020.9079944.
[6] S. A. Solangi, D. N. Hakro, I. A. Lashari, K.-
R. Khoumbati, Z. A. and Bhutto, and M.
Hameed, “Genetic Algorithm Applications in
Wireless Sensor Networks ( WSN ): A
Review,” Int. J. Manag. Sci. Bus. Res., vol. 1,
no. 4, pp. 152–166, 2017.
[7] S. A. Solangi, K. Khoumbati, and D. N.
Hakro, “Multi-Hop Optimization in Wireless
Sensor Networks using Genetic Algorithm,”
Univ. Sindh J. Inf. Commun. Technol., vol. 3,
no. 4, pp. 193–197, 2019.
[8] S. A. Solangi, “Energy Efficient Strategy for
Wireless Sensor Networks lifetime endurance
using Genetic Algorithm,” Sukkur IBA J.
Emerg. Technol., vol. 7, no. 1, pp. 48–55, Jul.
2024, doi: 10.30537/sjet.v7i1.1430.
[9] N. Nathiya, C. Rajan, and K. Geetha, “A
hybrid optimization and machine learning
based energy-efficient clustering algorithm
with self-diagnosis data fault detection and
prediction for WSN-IoT application,” Peer-to-
Peer Netw. Appl., vol. 18, no. 2, p. 13, Apr.
2025.
[10] V. Hassija, V. Chamola, V. Saxena, D. Jain, P.
Goyal and B.Sikdar, “A Survey on IoT
Security: Application Areas, Security Threats,
and Solution Architectures”, 2019, in IEEE
Access, vol. 7, pp. 82721-82743.
[11] M. Bolatbek, G. Baispay, S. Mussiraliyeva,
and A. Usmanova, “A framework for
detection and mitigation of cyber criminal
activities using university networks in
Kazakhstan,” Radioelectron. Comput. Syst.,
vol. 2024, no. 2, pp. 186–202, Apr. 2024.
[12] R. Qamar and B. A. Zardari, “Introduction to
the Internet of Behavior (IoB),” 2025, pp. 1–
20. doi: 10.4018/979-8-3693-7545-7.ch001.
[13] Global scale of installed IoT devices,
Available online:
https://www.informationmatters.net/internet-
of-things-statistics/.
https://www.statista.com/outlook/tmo/interne
t-of-things/worldwide, (accessed on 27-1-
2025)
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
53
(pp. 43-55)
[14] Panchiwala, Shivani, and Manan Shah. "A
Comprehensive Study on Critical Security
Issues and Challenges of the IoT World."
Journal of Data, Information and Management
(2020): 1-22.
[15] M. Frustaci, P. Pace, G. Aloi, and G. Fortino,
“Evaluating Critical Security Issues of the IoT
World: Present and Future Challenges,” IEEE
Internet Things J., vol. 5, no. 4, pp. 2483–
2495, Aug. 2018.
[16] M. Stoyanova, Y. Nikoloudakis, S.
Panagiotakis, E. Pallis, and E. K. Markakis,
“A Survey on the Internet of Things (IoT)
Forensics: Challenges, Approaches, and Open
Issues,” IEEE Commun. Surv. Tutorials, vol.
22, no. 2, pp. 1191–1221, 2020.
[17] K. Kaushik, M. Ouaissa, and A. Chaudhary,
Advanced Techniques and Applications of
Cybersecurity and Forensics. Boca Raton:
Chapman and Hall/CRC, 2024. doi:
10.1201/9781003386926.
[18] M. Köhn, M. S. Olivier, and J. H. Eloff,
‘‘Framework for a digital forensic
investigation,’’ in Proc. ISSA, 2006, pp. 1–7.
[19] W. Halboob and R. Mahmod, ‘‘State of the art
in trusted computing forensics,’’ in Future
Information Technology, Application, and
Service. Dordrecht, The Netherlands:
Springer, 2012, pp. 249–258.
[20] M. D. Kohn, M. M. Eloff, and J. H. P. Eloff,
‘‘Integrated digital forensic process model,’’
Comput. Secur., vol. 38, pp. 103–115, Oct.
2013.
[21] H. I. Bulbul, H. G. Yavuzcan, and M. Ozel,
‘‘Digital forensics: An analytical crime scene
procedure model (ACSPM),’’ Forensic Sci.
Int., vol. 233, nos. 1–3, pp. 244–256, Dec.
2013.
[22] A. Agarwal, M. Gupta, S. Gupta, and S. C.
Gupta, ‘‘Systematic digital forensic
investigation model,’’ Int. J. Comput. Sci.
Secur., vol. 5, no. 1, pp. 118–131, 2011.
[23] R. Adams, V. Hobbs, and G. Mann, ‘‘The
advanced data acquisition model (Adam): A
process model for digital forensic practice,’’ J.
Digit. Forensics, Secur. Law, vol. 8, no. 4, pp.
25–48, 2013.
[24] J. Williams, ‘‘ACPO good practice guide for
digital evidence,’’ Metrop. Police Service,
Assoc. Chief Police Officers, GB, Tech. Rep.,
2012.
[25] K. Kent, S. Chevalier, T. Grance, and H.
Dang, ‘‘SP 800-86. guide to integrating
forensic techniques into incident response,’’
Nat. Inst. Standards Technol., Gaithersburg,
MD, USA, Tech. Rep., 2006.
[26] W. G. Kruse II and J. G. Heiser, Computer
Forensics: Incident Response Essentials.
London, U.K.: Pearson, 2001.
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
[27] M. Reith, C. Carr, and G. Gunsch, ‘‘An
examination of digital forensic models,’’ Int.
J. Digit. Evidence, vol. 1, no. 3, pp. 1–12,
2002.
[28] B. Carrier and E. H. Spafford, ‘‘Getting
physical with the investigative process,’’ Int.
J. Digit. Evidence, 2003.
[29] V. Baryamureeba and F. Tushabe, ‘‘The
enhanced digital investigation process
model,’’ Digit. Invest., 2004.
[30] S. O. CiardhuÆin, ‘‘An extended model of
cybercrime investigations,’’ International
Journal of Digital Evidence, vol. 3, no. 1, pp.
1–22, 2004.
[31] I. O, D. Chris, and D. David, ‘‘A new
approach of digital forensic model for digital
forensic investigation,’’ Int. J. Adv. Comput.
Sci. Appl., vol. 2, no. 12, pp. 175–178, 2011.
[32] S. Alharbi, J. Weber-Jahnke and I. Traori,
“The Proactive and Reactive Digital Forensics
Investigation Process: A Systematic Literature
Revoew,” Int. J. Security and Its Applications,
vol. 5, no. 4, pp. 59-72, Oct 2011.
[33] Y. Yusoff, R. Ismail, and Z. Hassan,
‘‘Common phases of computer forensics
investigation models,’’ Int. J. Comput. Sci.
Inf. Technol., vol. 3, no. 3, pp. 17–31, 2011.
[34] K. Kyei, P. Zavarsky, D. Lindskog, and R.
Ruhl, ‘‘A review and comparative study of
digital forensic investigation models,’’ in
Digital Forensics and Cyber Crime, M. Rogers
and K. C. Seigfried-Spellar, Eds. Berlin,
Germany: Springer, 2013, pp. 314–327.
[35] S. Bonomi, M. Casini, and C. Ciccotelli, ‘‘B-
CoC: A blockchain-based chain of custody for
evidences management in digital forensics,’’
2018, arXiv:1807.10359.
[36] Z. Tian, M. Li, M. Qiu, Y. Sun, and S. Su,
‘‘Block-DEF: A secure digital evidence
framework using blockchain,’’ Inf. Sci., vol.
491, pp. 151–165, Jul. 2019.
[37] R. S. Greenfield et al., Cyber Forensics: A
Field Manual for Collecting, Examining, and
Preserving Evidence of Computer Crimes.
Boca Raton, FL, USA: CRC Press, 2002.
[38] D. Reilly, C. Wren, and T. Berry, ‘‘Cloud
computing: Forensic challenges for law
enforcement,’’ in Proc. Int. Conf. Internet
Technol. Secured Trans., Nov. 2010, pp. 1–7.
[39] S. L. Garfinkel, ‘‘Digital forensics research:
The next 10 years,’’ Digital Investigation, vol.
7, pp. S64–S73, Aug. 2010.
[40] A. Guarino, ‘‘Digital forensics as a big data
challenge,’’ in ISSE Securing Electronic
Business Processes. Wiesbaden, Germany:
Springer, 2013, pp. 197–203.
[41] G. Mohay, ‘‘Technical challenges and
directions for digital forensics,’’ in Proc. 1st
Int. Workshop Systematic Approaches to
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
54
(pp. 43-55)
Digit. Forensic Eng. (SADFE), Nov. 2005, pp.
155–161.
[42] Z. Li, Q. A. Chen, R. Yang, Y. Chen, and W.
Ruan, ‘‘Threat detection and investigation
with system-level provenance graphs: A
survey,’’ Comput. Secur., vol. 106, Jul. 2021,
Art. no. 102282.
[43] A. Al-Dhaqm, S. A. Razak, R. A. Ikuesan, V.
R. Kebande, and K. Siddique, ‘‘A review of
mobile forensic investigation process
models,’’ IEEE Access, vol. 8, pp. 173359–
173375, 2020.
[44] M. Abulaish and N. A. H. Haldar, ‘‘Advances
in digital forensics frameworks and tools: A
comparative insight and ranking,’’ Int. J.
Digit. Crime Forensics, vol. 10, no. 2, pp. 95–
119, 2018.
[45] R. Agarwal and S. Kothari, ‘‘Review of digital
forensic investigation frameworks,’’ in
Information Science and Applications
(Lecture Notes in Electrical Engineering), vol.
339. Berlin, Germany: Springer-Verlag, 2015,
pp. 561–571.
[46] P. Amann and J. I. James, ‘‘Designing
robustness and resilience in digital
investigation laboratories,’’ Digit. Invest., vol.
12, pp. S111–S120, Mar. 2015.
[47] R. Montasari, ‘‘An ad hoc detailed review of
digital forensic investigation process
models,’’ Int. J. Electron. Secur. Digit.
Forensics, vol. 8, no. 3, pp. 205–223, 2016.
[48] R. Sabillon, J. Serra-Ruiz, V. Cavaller, and J.
J. Cano, ‘‘Digital forensic analysis of
cybercrimes: Best practices and
methodologies,’’ Int. J. Inf. Secur. Privacy,
vol. 11, no. 2, pp. 25–37, 2017.
[49] D. Desai, “Beyond location: Data Security in
the 21st Century,” Commun. ACM, vol. 56,
no. 1, p. 34, Jan. 2013.
[50] M. Irfan, H. Abbas, Y. Sun, A. Sajid, and M.
Pasha, “A framework for cloud forensics
evidence collection and analysis using
security information and event management,”
in Security and Communication Networks,
John Wiley and Sons Inc., Nov. 2016, pp.
3790–3807. doi: 10.1002/sec.1538.
[51] V. S. Harichandran, F. Breitinger, I. Baggili,
and A. Marrington, “A cyber forensics needs
analysis survey: Revisiting the domain’s
needs a decade later,” Comput. Secur., vol. 57,
pp. 1–13, Mar. 2016, doi:
10.1016/j.cose.2015.10.007.
[52] A. Alenezi, R. K. Hussein, R. J. Walters and
G. B. Wills, “A Framework for Cloud
Forensic Readiness in Organizations,”
presented at the 2017 5th IEEE Int. Conf.
Mobile Cloud Computing, Services and
Engineering, San Francisco, CA, USA, Apr.
6-8, 2017.
 Solangi, S. A., IoT Forensics: Addressing Challenges and Establishing a Framework for Exploring Digital Forensics
[53] M. B. Mukashe, J. L. Sedgwick and D. W.
Hagy, “Electronic Crime Scene Investigation:
A Guide for First Responders,” NIJ.,
Washington, USA, Rep. NCJ 219941, 2001.
[54] G. S. Chhabra, P. Singh, “Distributed Network
Forensics Framework: A Systemetic Review,”
Int. J. Computer Application, vol. 119, no. 19,
pp. 31-35, Jun. 2015.
[55] B. Singh and C. Kaunert, “Intelligent Machine
Learning Solutions for Cybersecurity,” 2024,
pp. 359–386. 2024. doi: 10.4018/979-8-3693-
5380-6.ch014.
[56] M. Ng, J. James, and R. Bull, “‘What you say
in the lab, stays in the lab’: A reflexive
thematic analysis of current challenges and
future directions of digital forensic
investigations in the UK,” Forensic Sci. Int.
Digit. Investig., vol. 51, p. 301839, Dec. 2024,
doi: 10.1016/j.fsidi.2024.301839.
[57] J.-P. A. Yaacoub, H. N. Noura, O. Salman,
and A. Chehab, “Advanced digital forensics
and anti-digital forensics for IoT systems:
Techniques, limitations and
recommendations,” Internet of Things, vol.
19, p. 100544, Aug. 2022, doi:
10.1016/j.iot.2022.100544.
[58] T. Göbel, F. Breitinger, and H. Baier,
“Optimising data set creation in the
cybersecurity landscape with a special focus
on digital forensics: Principles,
characteristics, and use cases,” Forensic Sci.
Int. Digit. Investig., vol. 52, p. 301882, Mar.
2025, doi: 10.1016/j.fsidi.2025.301882.
[59] A. Wickramasekara, F. Breitinger, and M.
Scanlon, “Exploring the potential of large
language models for improving digital
forensic investigation efficiency,” Forensic
Sci. Int. Digit. Investig., vol. 52, p. 301859,
Mar. 2025, doi: 10.1016/j.fsidi.2024.301859.
[60] C. Hargreaves, F. Breitinger, L. Dowthwaite,
H. Webb, and M. Scanlon, “DFPulse: The
2024 digital forensic practitioner survey,”
Forensic Sci. Int. Digit. Investig., vol. 51, p.
301844, Dec. 2024, doi:
10.1016/j.fsidi.2024.301844.
[61] P. Binnar, S. Bhirud, and F. Kazi, “Security
analysis of cyber physical system using digital
forensic incident response,” Cyber Secur.
Appl., vol. 2, p. 100034, 2024, doi:
10.1016/j.csa.2023.100034.
Sukkur IBA Journal of Computing and Mathematical Science - SJCMS | Vol. 8 No. 1 Jan – Jun 2025
55
(pp. 43-55)
[62] S. Friedl and G. Pernul, “IoT Forensics
Readiness - influencing factors,” Forensic Sci.
Int. Digit. Investig., vol. 49, p. 301768, Jun.
2024, doi: 10.1016/j.fsidi.2024.301768.
[63] V. Schmitt and E. Butterfield, “Digital
forensics in healthcare: An analysis of data
associated with a CPAP machine,” Forensic
Sci. Int. Digit. Investig., vol. 48, p. 301661,
Mar. 2024, doi: 10.1016/j.fsidi.2023.301661.
[64] S. Brotsis et al., “Blockchain meets Internet of
Things (IoT) forensics: A unified framework
for IoT ecosystems,” Internet of Things, vol.
24, p. 100968, Dec. 2023, doi:
10.1016/j.iot.2023.100968.
[65] S. Ruiz-Villafranca, J. M. C. Gómez, and J.
Roldán-Gómez, “A forensic tool for the
identification, acquisition and analysis of
sources of evidence in IoT investigations,”
Internet of Things, vol. 27, p. 101308, Oct.
2024, doi: 10.1016/j.iot.2024.101308.
[66] V. R. Kebande, P. P. Mudau, R. A. Ikuesan,
H. S. Venter, and K.-K. R. Choo, “Holistic
digital forensic readiness framework for IoT-
enabled organizations,” Forensic Sci. Int.
Reports, vol. 2, p. 100117, Dec. 2020, doi:
10.1016/j.fsir.2020.100117.
[67] S. Rudrakar and P. Rughani, “IoT based
Agriculture (Ag-IoT): A detailed study on
Architecture, Security and Forensics,” Inf.
Process. Agric., vol. 11, no. 4, pp. 524–541,
Dec. 2024, doi: 10.1016/j.inpa.2023.09.002.
[68] D. Dunsin, M. C. Ghanem, K. Ouazzane, and
V. Vassilev, “A comprehensive analysis of the
role of artificial intelligence and machine
learning in modern digital forensics and
incident response,” Forensic Sci. Int. Digit.
Investig., vol. 48, p. 301675, Mar. 2024, doi:
10.1016/j.fsidi.2023.301675.
[69] S. Khanji, O. Alfandi, L. Ahmad, L. Kakkengal, and
M. Al-kfairy, “A systematic analysis on the
readiness of Blockchain integration in IoT
forensics,” Forensic Sci. Int. Digit. Investig., vol.
42–43, p. 301472, Oct. 2022, doi:
10.1016/j.fsidi.2022.301472.
[70] A. R. Javed, Z. Jalil, W. Zehra, T. R. Gadekallu, D.
Y. Suh, and M. J. Piran, “A comprehensive survey
on digital video forensics: Taxonomy, challenges,
and future directions,” Eng. Appl. Artif. Intell., vol.
106, p. 104456, Nov. 2021, doi:
10.1016/j.engappai.2021.104456.