Muhammed Saleh,Siti Hajar Othman,Maha Driss,Arafat Al-dhaqm,Abdulalem Ali,Wael M. S. Yafooz,Abdel-Hamid M. Emara

DOI: https://doi.org/10.3390/electronics12030524

IF: 2.9

2023-01-20

Electronics

Abstract:The Internet of Things (IoT) Investigation of Forensics (IoTFI) is one of the subdomains of Digital Forensics that aims to record and evaluate incidents involving the Internet of Things (IoT). Because of the many different standards, operating systems, and infrastructure-based aspects that make up the Internet of Things industry, this sector is extremely varied, ambiguate, and complicated. Many distinct IoTFI models and frameworks were developed, each one based on a unique set of investigation procedures and activities tailored to a particular IoT scenario. Because of these models, the domain becomes increasingly complicated and disorganized among those who perform domain forensics. As a result, the IoTFI domain does not have a general model for managing, sharing, and reusing the processes and activities that it offers. With the use of the metamodeling development process, this work aims to create an Internet of Things Forensic Investigation Metamodel (IoTFIM) for the IoTFI domain. Utilizing the metamodeling development process allows for the construction and validation of a metamodel and the verification that the metamodel is both comprehensive and consistent. The IoTFIM is divided into two phases: the first phase identifies the problem, and the second phase develops the IoTFIM. It is utilized to structure and organize IoTFI domain knowledge, which makes it easier for domain forensic practitioners to manage, organize, share, and reuse IoTFI domain knowledge. The purpose of this is to detect, recognize, extract, and match various IoTFI processes, concepts, activities, and tasks from various IoTFI models in an IoTFIM that was established, facilitating the process of deriving and instantiating solution models for domain practitioners. Utilizing several metamodeling methodologies, we were able to validate the generated IoTFMI's consistency as well as its applicability (comparison against other models, frequency-based selection). Based on the findings, it can be concluded that the built IoTFIM is consistent and coherent. This makes it possible for domain forensic practitioners to simply instantiate new solution models by picking and combining concept elements (attribute and operations) based on the requirements of their models.

engineering, electrical & electronic,computer science, information systems,physics, applied

Tanveer Zia,Peng Liu,Weili Han

DOI: https://doi.org/10.1145/3098954.3104052

2017-01-01

Abstract:Besides its enormous benefits to the industry and community the Internet of Things (IoT) has introduced unique security challenges to its enablers and adopters. As the trend in cybersecurity threats continue to grow, it is likely to influence IoT deployments. Therefore it is eminent that besides strengthening the security of IoT systems we develop effective digital forensics techniques that when breaches occur we can track the sources of attacks and bring perpetrators to the due process with reliable digital evidence. The biggest challenge in this regard is the heterogeneous nature of devices in IoT systems and lack of unified standards. In this paper we investigate digital forensics from IoT perspectives. We argue that besides traditional digital forensics practices it is important to have application-specific forensics in place to ensure collection of evidence in context of specific IoT applications. We consider top three IoT applications and introduce a model which deals with not just traditional forensics but is applicable in digital as well as application-specific forensics process. We believe that the proposed model will enable collection, examination, analysis and reporting of forensically sound evidence in an IoT application-specific digital forensics investigation.

Haroon Mahmood,Maliha Arshad,Irfan Ahmed,Sana Fatima,Hafeez ur Rehman

DOI: https://doi.org/10.1016/j.fsidi.2024.301748

IF: 1.805

2024-04-06

Forensic Science International Digital Investigation

Abstract:Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In case of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a perfect solution that covers the diversity of IoT devices and networks is still a research challenge. In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

computer science, information systems, interdisciplinary applications

Ibrahim Alfadli,Fahad M Ghabban,Omair Ameerbakhsh,Amer Nizar AbuAli,Arafat Al-Dhaqm,Mahmoud Ahmad Al-Khasawneh

DOI: https://doi.org/10.48550/arXiv.2108.05571

2021-08-12

Abstract:Database Forensics (DBF) domain is a branch of digital forensics, concerned with the identification, collection, reconstruction, analysis, and documentation of database crimes. Different researchers have introduced several identification models to handle database crimes. Majority of proposed models are not specific and are redundant, which makes these models a problem because of the multidimensional nature and high diversity of database systems. Accordingly, using the metamodeling approach, the current study is aimed at proposing a unified identification model applicable to the database forensic field. The model integrates and harmonizes all exiting identification processes into a single abstract model, called Common Identification Process Model (CIPM). The model comprises six phases: 1) notifying an incident, 2) responding to the incident, 3) identification of the incident source, 4) verification of the incident, 5) isolation of the database server and 6) provision of an investigation environment. CIMP was found capable of helping the practitioners and newcomers to the forensics domain to control database crimes.

Cryptography and Security

Abdulghani Ali Ahmed,Khalid Farhan,Waheb A Jabbar,Abdulaleem Al-Othmani,Abdullahi Gara Abdulrahman

DOI: https://doi.org/10.3390/s24165210

2024-08-12

Abstract:The Internet of Things forensics is a specialised field within digital forensics that focuses on the identification of security incidents, as well as the collection and analysis of evidence with the aim of preventing future attacks on IoT networks. IoT forensics differs from other digital forensic fields due to the unique characteristics of IoT devices, such as limited processing power and connectivity. Although numerous studies are available on IoT forensics, the field is rapidly evolving, and comprehensive surveys are needed to keep up with new developments, emerging threats, and evolving best practices. In this respect, this paper aims to review the state of the art in IoT forensics and discuss the challenges in current investigation techniques. A qualitative analysis of related reviews in the field of IoT forensics has been conducted, identifying key issues and assessing primary obstacles. Despite the variety of topics and approaches, common issues emerge. The majority of these issues are related to the collection and pre-processing of evidence because of the counter-analysis techniques and challenges associated with gathering data from devices and the cloud. Our analysis extends beyond technological problems; it further identifies the procedural problems with preparedness, reporting, and presentation as well as ethical issues. In particular, it provides insights into emerging threats and challenges in IoT forensics, increases awareness and understanding of the importance of IoT forensics in preventing cybercrimes, and ensures the security and privacy of IoT devices and networks. Our findings make a substantial contribution to the field of IoT forensics, as they not only involve a critical analysis of the challenges presented in existing works but also identify numerous problems. These insights will greatly assist researchers in identifying appropriate directions for their future research.

Snehal Sathwara,Nitul Dutta,Emil Pricop

DOI: https://doi.org/10.1109/ECAI.2018.8679017

2019-09-06

Abstract:Security issues, threats, and attacks in relation with the IoT have been identified as promising and challenging area of research. Eventually, the need for a forensics methodology for investigating IoT-related crime is therefore essential. However, the IoT poses many challenges for forensics investigators. These include the wide range and variety of information, the unclear lines of differentiation between networks, for example private networks increasingly fading into public networks. Further, integration of a large number of objects in IoT forensic interest, along with the relevance of identified and collected devices makes forensic of IoT devices more complicated. The scope of this paper is to present a framework for IoT forensic. We aimed at the study and development of the link to support digital investigations of IoT devices and tackle emerging challenges in digital forensics. We emphasize on various steps for digital forensic with respect to IoT devices.

Networking and Internet Architecture,Cryptography and Security

Iman S. Alansari

DOI: https://doi.org/10.48084/etasr.6316

2023-10-13

Abstract:Investigation in the field of network forensics involves examining network traffic to identify, capture, preserve, reconstruct, analyze, and document network crimes. Although there are different perspectives on the practical and technical aspects of network forensics, there is still a lack of fundamental guidelines. This paper proposes a new detection and investigation model for capturing and analyzing network crimes, using design science research. The proposed model involves six processes: identification, verification, gathering, preservation, examination, analysis, and documentation. Each process is associated with several activities that provide the investigation team with a clear picture of exactly what needs to be performed. In addition, the proposed model has a unique activity, namely reporting. As a result, this model represents a comprehensive approach to network forensics investigations. It is designed to work in conjunction with established forensic techniques to ensure that forensic evidence from the network is collected and analyzed efficiently and effectively following accepted forensic procedures. The proposed model was compared with existing models in terms of completeness, showing that it is complete and can be adapted to any type of network and legal framework.

Jeffrey Fairbanks,Md Mashrur Arifin,Sadia Afreen,Alex Curtis

2024-07-02

Abstract:The main goal of this research project is to evaluate the effectiveness and speed of open-source forensic tools for digital evidence collecting from various Internet-of-Things (IoT) devices. The project will create and configure many IoT environments, across popular IoT operating systems, and run common forensics tasks in order to accomplish this goal. To validate these forensic analysis operations, a variety of open-source forensic tools covering four standard digital forensics tasks. These tasks will be utilized across each sample IoT operating system and will have its time spent on record carefully tracked down and examined, allowing for a thorough evaluation of the effectiveness and speed for performing forensics on each type of IoT device. The research also aims to offer recommendations to IoT security experts and digital forensic practitioners about the most efficient open-source tools for forensic investigations with IoT devices while maintaining the integrity of gathered evidence and identifying challenges that exist with these new device types. The results will be shared widely and well-documented in order to provide significant contributions to the field of internet-of-things device makers and digital forensics.

Cryptography and Security

Antonio Boiano,Alessandro Enrico Cesare Redondi,Matteo Cesana

2023-10-05

Abstract:The widespread deployment of Consumer Internet of Things devices in proximity to human activities makes them digital observers of our daily actions. This has led to a new field of digital forensics, known as IoT Forensics, where digital traces generated by IoT devices can serve as key evidence for forensic investigations. Thus, there is a need to develop tools that can efficiently acquire and store network traces from IoT ecosystems. This paper presents IoTScent, an open-source IoT forensic tool that enables IoT gateways and Home Automation platforms to perform IoT traffic capture and analysis. Unlike other works focusing on IP-based protocols, IoTScent is specifically designed to operate over IEEE 802.15.4-based traffic, which is the basis for many IoT-specific protocols such as Zigbee, 6LoWPAN and Thread. IoTScent offers live traffic capture and feature extraction capabilities, providing a framework for forensic data collection that simplifies the task of setting up a data collection pipeline, automating the data collection process, and providing ready-made features that can be used for forensic evidence extraction. This work provides a comprehensive description of the IoTScent tool, including a practical use case that demonstrates the use of the tool to perform device identification from Zigbee traffic. The study presented here significantly contributes to the ongoing research in IoT Forensics by addressing the challenges faced in the field and publicly releasing the IoTScent tool.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Fabio Palmese,Alessandro E. C. Redondi

2023-05-18

Abstract:The Internet of Things (IoT) has boomed in recent years, with an ever-growing number of connected devices and a corresponding exponential increase in network traffic. As a result, IoT devices have become potential witnesses of the surrounding environment and people living in it, creating a vast new source of forensic evidence. To address this need, a new field called IoT Forensics has emerged. In this paper, we present \textit{CSI Sniffer}, a tool that integrates the collection and management of Channel State Information (CSI) in Wi-Fi Access Points. CSI is a physical layer indicator that enables human sensing, including occupancy monitoring and activity recognition. After a description of the tool architecture and implementation, we demonstrate its capabilities through two application scenarios that use binary classification techniques to classify user behavior based on CSI features extracted from IoT traffic. Our results show that the proposed tool can enhance the capabilities of forensic investigations by providing additional sources of evidence. Wi-Fi Access Points integrated with \textit{CSI Sniffer} can be used by ISP or network managers to facilitate the collection of information from IoT devices and the surrounding environment. We conclude the work by analyzing the storage requirements of CSI sample collection and discussing the impact of lossy compression techniques on classification performance.

Networking and Internet Architecture,Signal Processing

Weiping Ding,Mohamed Abdel-Basset,Ahmed M. Ali,Nour Moustafa

DOI: https://doi.org/10.1016/j.engappai.2024.109451

2024-01-01

Abstract:Digital forensics is a proven method for collecting, preserving, reporting, analyzing, identifying, and presenting digital evidence from the original data, and it helps find evidence of cybercrimes. Intelligent multimedia forensics is a type of digital forensics and is essential because it is used to identify fake multimedia, including images, videos, audio, and text. This paper conducted a comprehensive survey for intelligent multimedia forensics, categorized into 3 classes: deep learning forensics, multimedia forensics, and network and Internet of Things forensics. In the first class, we provided a survey of the multiple attacks breaking the DL models, such as attacks in the training step, and the testing step, and crafted. In the craft attacks, we survey the three attacks: white box, gray box, and black box. We also provided some defense methods against DL attacks, training step attacks, and testing step attacks. In the second class, we offered a survey of multimedia forensics, including passive and active manipulation. In the third class, we provide a survey of network/IoT forensics, including the attacks in five layers: physical, data link, transport, application, and network. We also provided network/IoT attack detection in the third class using deep learning models. We applied AI models in various datasets and obtained higher accuracy and performance on the datasets from various used models. Finally, we offered the challenges and future direction for the researcher in this scope.

Sabrina Friedl,Günther Pernul

DOI: https://doi.org/10.1016/j.fsidi.2024.301768

IF: 1.805

2024-05-16

Forensic Science International Digital Investigation

Abstract:The Internet of Things (IoT) is increasingly becoming a part of people's lives and is progressively revolutionizing our lives and businesses. From a Digital Forensics (DF) point of view, this connection turns an IoT environment into a valuable source of evidence containing diverse artifacts that could significantly aid DF investigations. Therefore, DF must adapt to the characteristics of IoT Forensics (IoTF). With the increasing deployment of IoT, organizations are compelled to revise their approaches to planning, developing, and implementing Information Technology (IT) security strategies. The IoT presents new business opportunities but also simultaneously creates various challenges related to cyber-attacks and their resolution. For optimal preparedness in the face of future incidents, companies should consider implementing Forensics Readiness (FR). This paper thus examines the factors that influence IoT-FR within organizations. By systematically analyzing research efforts from 2010 to 2023, we identified the following factors influencing IoT-FR: (1) Legal Aspect, (2) Standardization Approach, (3) Technological Resource and Technique, (4) Management Process and (5) Human Factor. Furthermore, these influencing factors are not only considered individually but also in terms of the dependencies between them. This results in the creation of a holistic model including the interdependencies and influences of the factors to provide a novel overview and enhance the integrated perspective on IoT-FR. The knowledge of factors influencing the integration of IoT-FR into organizations is valuable. It thus can be of enormous importance, as it can save time and money in the event of a subsequent incident. Additionally, alongside these factors, various challenges, techniques, models, and frameworks are highlighted to offer profound insights into the relatively novel subject of IoT-FR and to inspire future research.

computer science, information systems, interdisciplinary applications

Mohamed Abdel‐Basset,Nour Moustafa,Hossam Hawash,Weiping Ding

DOI: https://doi.org/10.1007/978-3-030-89025-4_4

2021-01-01

Abstract:As IoT technology becomes an integral part of everyday life, enhancing productivity for businesses through automation, it should come as no surprise that attackers would seek to exploit these systems and the services they provide for profit.

Shams Forruque Ahmed,Shanjana Shuravi,Afsana Bhuyian,Shaila Afrin,Aanushka Mehjabin,Sweety Angela Kuldeep,Md. Sakib Bin Alam,Amir H. Gandomi

DOI: https://doi.org/10.48550/arXiv.2309.02707

2023-09-06

Networking and Internet Architecture

Abstract:Given the exponential expansion of the internet, the possibilities of security attacks and cybercrimes have increased accordingly. However, poorly implemented security mechanisms in the Internet of Things (IoT) devices make them susceptible to cyberattacks, which can directly affect users. IoT forensics is thus needed for investigating and mitigating such attacks. While many works have examined IoT applications and challenges, only a few have focused on both the forensic and security issues in IoT. Therefore, this paper reviews forensic and security issues associated with IoT in different fields. Future prospects and challenges in IoT research and development are also highlighted. As demonstrated in the literature, most IoT devices are vulnerable to attacks due to a lack of standardized security measures. Unauthorized users could get access, compromise data, and even benefit from control of critical infrastructure. To fulfil the security-conscious needs of consumers, IoT can be used to develop a smart home system by designing a FLIP-based system that is highly scalable and adaptable. Utilizing a blockchain-based authentication mechanism with a multi-chain structure can provide additional security protection between different trust domains. Deep learning can be utilized to develop a network forensics framework with a high-performing system for detecting and tracking cyberattack incidents. Moreover, researchers should consider limiting the amount of data created and delivered when using big data to develop IoT-based smart systems. The findings of this review will stimulate academics to seek potential solutions for the identified issues, thereby advancing the IoT field.

George Grispos,Frank Tursi,Raymond Choo,William Mahoney,William Bradley Glisson

DOI: https://doi.org/10.48550/arXiv.2109.05518

2021-09-12

Abstract:The introduction of Internet of Things (IoT) ecosystems into personal homes and businesses prompts the idea that such ecosystems contain residual data, which can be used as digital evidence in court proceedings. However, the forensic examination of IoT ecosystems introduces a number of investigative problems for the digital forensics community. One of these problems is the limited availability of practical processes and techniques to guide the preservation and analysis of residual data from these ecosystems. Focusing on a detailed case study of the iHealth Smart Scale ecosystem, we present an empirical demonstration of practical techniques to recover residual data from different evidence sources within a smart scale ecosystem. We also document the artifacts that can be recovered from a smart scale ecosystem, which could inform a digital (forensic) investigation. The findings in this research provides a foundation for future studies regarding the development of processes and techniques suitable for extracting and examining residual data from IoT ecosystems.

Cryptography and Security,Computers and Society

Umit Karabiyik,Kemal Akkaya

DOI: https://doi.org/10.48550/arXiv.1811.09239

2018-11-23

Abstract:In the last decade, wireless sensor networks (WSNs) and Internet-of-Things (IoT) devices are proliferated in many domains including critical infrastructures such as energy, transportation and manufacturing. Consequently, most of the daily operations now rely on the data coming from wireless sensors or IoT devices and their actions. In addition, personal IoT devices are heavily used for social media applications, which connect people as well as all critical infrastructures to each other under the cyber domain. However, this connectedness also comes with the risk of increasing number of cyber attacks through WSNs and/or IoT. While a significant research has been dedicated to secure WSN/IoT, this still indicates that there needs to be forensics mechanisms to be able to conduct investigations and analysis. In particular, understanding what has happened after a failure is crucial to many businesses, which rely on WSN/IoT applications. Therefore, there is a great interest and need for understanding digital forensics applications in WSN and IoT realms. This chapter fills this gap by providing an overview and classification of digital forensics research and applications in these emerging domains in a comprehensive manner. In addition to analyzing the technical challenges, the chapter provides a survey of the existing efforts from the device level to network level while also pointing out future research opportunities.

Cryptography and Security

Mohamed Abdel-Basset,Nour Moustafa,Hossam Hawash,Weiping Ding

DOI: https://doi.org/10.1007/978-3-030-89025-4_1

2021-01-01

Abstract:The Internet of Things (IoT) is a rapidly evolving technology that empowers billions of globally distributed physical things to be interconnected over the internet to capture, collect, exchange, and share a wide variety of vast amounts of data. These physical things incorporate all of the connectable devices ranging from conventional household devices to complex industrial devices (Javed et al. in IEEE Commun. Surv. Tutorials, 2018). The emergence of INDUSTRY 4.0 has revolutionized the industrial domain globally with a large and ever-increasing number of embedded devices, and computerized chips because of the expanding availability, affordability, microprocessors, sensors’ capacity, and omnipresent communication technologies. Connecting such a very large number of heterogeneous objects and implanting sensors to them leads to some degree of digital intelligence at devices that, empowering them to communicate instantaneous data with no human intervention.

Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García,Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García

DOI: https://doi.org/10.1016/j.fsidi.2022.301451

2022-09-01

Abstract:Forensic investigations in the Internet of Things (IoT) are becoming ever more important as the number of cyberincidents that occur in it continues to rise. As a result, it has become necessary to determine how to proceed in performing examinations in this environment, as its novelty and new characteristics demand the development of new forensic solutions that can guarantee a complete and efficient analysis. The approach followed until now by the research community has been to examine the most popular IoT devices and systems with the aim of gaining an insight into what data can be extracted from them, how to extract these data, and what limitations an investigator may encounter in the process. Following this idea, this article, apart from studying the state of the art of IoT forensic investigations, details the examination process for the “Xiaomi Mi Smart Sensor Set” smart home kit, emphasizing the acquisition and analysis of the three main types of forensic evidence: non-volatile memory, volatile memory and network traffic. In particular, we extract and list the useful forensic artifacts that can be obtained from this kit, describing their purpose and location.

computer science, information systems, interdisciplinary applications

Issam Damaj,Safaa Kasbah

DOI: https://doi.org/10.1007/978-3-319-93491-4_1

2020-01-07

Abstract:The Internet-of-Things (IoT) is a revolutionary technology that is rapidly changing the world. IoT systems strive to provide automated solutions for almost every life aspect; traditional devices are becoming connected, ubiquitous, pervasive, wireless, context-aware, smart, controlled through mobile solutions, to name but a few. IoT devices can now be found in our apartments, places of work, cars, buildings, and in almost every aspect of life. In this investigation, we propose an IoT system Development Model (IDM). The proposed IDM enables the development of IoT systems from concept to prototyping. The model comprises concept refinement pyramids, decision trees, realistic constraint lists, architecture and organization diagrams, communication interface patterns, use cases, and menus of analysis metrics and evaluation indicators. The investigation confirms that the proposed model enjoys several properties, such as, clarity, conciseness, thoroughness, productivity, etc. The model is deployed for a variety of systems that belong to heterogeneous areas of application; the model is proven to be effective in application and successful in integrating mobile solutions. This chapter includes the presentation of the IDM submodels, the reasoning about their usefulness, and the technical developments of several systems. The chapter includes thorough discussions, analysis of the model usability and application, and in-depth evaluations.

Signal Processing,Networking and Internet Architecture

Fahad M Ghabban,Ibrahim Alfadli,Omair Ameerbakhsh,Amer Nizar AbuAli,Arafat Al-Dhaqm,Mahmoud Ahmad Al-Khasawneh

DOI: https://doi.org/10.48550/arXiv.2108.05579

2021-08-12

Abstract:Network Forensics (NFs) is a branch of digital forensics which used to detect and capture potential digital crimes over computer networked environments crime. Network Forensic Tools (NFTs) and Network Forensic Processes (NFPs) have abilities to examine networks, collect all normal and abnormal traffic/data, help in network incident analysis, and assist in creating an appropriate incident detection and reaction and also create a forensic hypothesis that can be used in a court of law. Also, it assists in examining the internal incidents and exploitation of assets, attack goals, executes threat evaluation, also by evaluating network performance. According to existing literature, there exist quite a number of NFTs and NTPs that are used for identification, collection, reconstruction, and analysing the chain of incidents that happen on networks. However, they were vary and differ in their roles and functionalities. The main objective of this paper, therefore, is to assess and see the distinction that exist between Network Forensic Tools (NFTs) and Network Forensic Processes (NFPs). Precisely, this paper focuses on comparing among four famous NFTs: Xplico, OmniPeek, NetDetector, and NetIetercept. The outputs of this paper show that the Xplico tool has abilities to identify, collect, reconstruct, and analyse the chain of incidents that happen on networks than other NF tools.

Cryptography and Security