Asanka Sayakkara,Nhien-An Le-Khac,Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1904.02089

2019-04-04

Abstract:Internet of Things (IoT) devices have expanded the horizon of digital forensic investigations by providing a rich set of new evidence sources. IoT devices includes health implants, sports wearables, smart burglary alarms, smart thermostats, smart electrical appliances, and many more. Digital evidence from these IoT devices is often extracted from third party sources, e.g., paired smartphone applications or the devices' back-end cloud services. However vital digital evidence can still reside solely on the IoT device itself. The specifics of the IoT device's hardware is a black-box in many cases due to the lack of proven, established techniques to inspect IoT devices. This paper presents a novel methodology to inspect the internal software activities of IoT devices through their electromagnetic radiation emissions during live device investigation. When a running IoT device is identified at a crime scene, forensically important software activities can be revealed through an electromagnetic side-channel analysis (EM-SCA) attack. By using two representative IoT hardware platforms, this work demonstrates that cryptographic algorithms running on high-end IoT devices can be detected with over 82% accuracy, while minor software code differences in low-end IoT devices could be detected over 90% accuracy using a neural network-based classifier. Furthermore, it was experimentally demonstrated that malicious modification of the stock firmware of an IoT device can be detected through machine learning-assisted EM-SCA techniques. These techniques provide a new investigative vector for digital forensic investigators to inspect IoT devices.

Cryptography and Security

Asanka Sayakkara,Nhien-An Le-Khac,Mark Scanlon

DOI: https://doi.org/10.1016/j.diin.2019.03.002

2019-03-19

Abstract:The increasing prevalence of Internet of Things (IoT) devices has made it inevitable that their pertinence to digital forensic investigations will increase into the foreseeable future. These devices produced by various vendors often posses limited standard interfaces for communication, such as USB ports or WiFi/Bluetooth wireless interfaces. Meanwhile, with an increasing mainstream focus on the security and privacy of user data, built-in encryption is becoming commonplace in consumer-level computing devices, and IoT devices are no exception. Under these circumstances, a significant challenge is presented to digital forensic investigations where data from IoT devices needs to be analysed. This work explores the electromagnetic (EM) side-channel analysis literature for the purpose of assisting digital forensic investigations on IoT devices. EM side-channel analysis is a technique where unintentional electromagnetic emissions are used for eavesdropping on the operations and data handling of computing devices. The non-intrusive nature of EM side-channel approaches makes it a viable option to assist digital forensic investigations as these attacks require, and must result in, no modification to the target device. The literature on various EM side-channel analysis attack techniques are discussed - selected on the basis of their applicability in IoT device investigation scenarios. The insight gained from the background study is used to identify promising future applications of the technique for digital forensic analysis on IoT devices - potentially progressing a wide variety of currently hindered digital investigations.

Cryptography and Security

Snehal Sathwara,Nitul Dutta,Emil Pricop

DOI: https://doi.org/10.1109/ECAI.2018.8679017

2019-09-06

Abstract:Security issues, threats, and attacks in relation with the IoT have been identified as promising and challenging area of research. Eventually, the need for a forensics methodology for investigating IoT-related crime is therefore essential. However, the IoT poses many challenges for forensics investigators. These include the wide range and variety of information, the unclear lines of differentiation between networks, for example private networks increasingly fading into public networks. Further, integration of a large number of objects in IoT forensic interest, along with the relevance of identified and collected devices makes forensic of IoT devices more complicated. The scope of this paper is to present a framework for IoT forensic. We aimed at the study and development of the link to support digital investigations of IoT devices and tackle emerging challenges in digital forensics. We emphasize on various steps for digital forensic with respect to IoT devices.

Networking and Internet Architecture,Cryptography and Security

Abdulghani Ali Ahmed,Khalid Farhan,Waheb A Jabbar,Abdulaleem Al-Othmani,Abdullahi Gara Abdulrahman

DOI: https://doi.org/10.3390/s24165210

2024-08-12

Abstract:The Internet of Things forensics is a specialised field within digital forensics that focuses on the identification of security incidents, as well as the collection and analysis of evidence with the aim of preventing future attacks on IoT networks. IoT forensics differs from other digital forensic fields due to the unique characteristics of IoT devices, such as limited processing power and connectivity. Although numerous studies are available on IoT forensics, the field is rapidly evolving, and comprehensive surveys are needed to keep up with new developments, emerging threats, and evolving best practices. In this respect, this paper aims to review the state of the art in IoT forensics and discuss the challenges in current investigation techniques. A qualitative analysis of related reviews in the field of IoT forensics has been conducted, identifying key issues and assessing primary obstacles. Despite the variety of topics and approaches, common issues emerge. The majority of these issues are related to the collection and pre-processing of evidence because of the counter-analysis techniques and challenges associated with gathering data from devices and the cloud. Our analysis extends beyond technological problems; it further identifies the procedural problems with preparedness, reporting, and presentation as well as ethical issues. In particular, it provides insights into emerging threats and challenges in IoT forensics, increases awareness and understanding of the importance of IoT forensics in preventing cybercrimes, and ensures the security and privacy of IoT devices and networks. Our findings make a substantial contribution to the field of IoT forensics, as they not only involve a critical analysis of the challenges presented in existing works but also identify numerous problems. These insights will greatly assist researchers in identifying appropriate directions for their future research.

Tanveer Zia,Peng Liu,Weili Han

DOI: https://doi.org/10.1145/3098954.3104052

2017-01-01

Abstract:Besides its enormous benefits to the industry and community the Internet of Things (IoT) has introduced unique security challenges to its enablers and adopters. As the trend in cybersecurity threats continue to grow, it is likely to influence IoT deployments. Therefore it is eminent that besides strengthening the security of IoT systems we develop effective digital forensics techniques that when breaches occur we can track the sources of attacks and bring perpetrators to the due process with reliable digital evidence. The biggest challenge in this regard is the heterogeneous nature of devices in IoT systems and lack of unified standards. In this paper we investigate digital forensics from IoT perspectives. We argue that besides traditional digital forensics practices it is important to have application-specific forensics in place to ensure collection of evidence in context of specific IoT applications. We consider top three IoT applications and introduce a model which deals with not just traditional forensics but is applicable in digital as well as application-specific forensics process. We believe that the proposed model will enable collection, examination, analysis and reporting of forensically sound evidence in an IoT application-specific digital forensics investigation.

George Grispos,Frank Tursi,Raymond Choo,William Mahoney,William Bradley Glisson

DOI: https://doi.org/10.48550/arXiv.2109.05518

2021-09-12

Abstract:The introduction of Internet of Things (IoT) ecosystems into personal homes and businesses prompts the idea that such ecosystems contain residual data, which can be used as digital evidence in court proceedings. However, the forensic examination of IoT ecosystems introduces a number of investigative problems for the digital forensics community. One of these problems is the limited availability of practical processes and techniques to guide the preservation and analysis of residual data from these ecosystems. Focusing on a detailed case study of the iHealth Smart Scale ecosystem, we present an empirical demonstration of practical techniques to recover residual data from different evidence sources within a smart scale ecosystem. We also document the artifacts that can be recovered from a smart scale ecosystem, which could inform a digital (forensic) investigation. The findings in this research provides a foundation for future studies regarding the development of processes and techniques suitable for extracting and examining residual data from IoT ecosystems.

Cryptography and Security,Computers and Society

Haroon Mahmood,Maliha Arshad,Irfan Ahmed,Sana Fatima,Hafeez ur Rehman

DOI: https://doi.org/10.1016/j.fsidi.2024.301748

IF: 1.805

2024-04-06

Forensic Science International Digital Investigation

Abstract:Internet of Things (IoT) systems often consist of heterogeneous, resource-constrained devices that generate massive amounts of data. This data is important for assessments, behaviour analysis, and decision-making. However, IoT devices are also susceptible to cyber-attacks, such as information theft, personal device intervention, and privacy invasion. In case of an incident, these devices are subject to digital forensic investigation to identify and analyze crimes and misuse. Over the years, several forensic frameworks and techniques have been proposed to facilitate the investigation of IoT networks and devices, but finding a perfect solution that covers the diversity of IoT devices and networks is still a research challenge. In this study, we present a comparative analysis of existing forensic investigation frameworks and identify their strengths and weaknesses in handling forensic challenges of IoT devices. The study uses evaluation metrics of ten important parameters, including heterogeneity, scalability, and chain of custody, to thoroughly audit the effectiveness of these models. Our analysis concludes that the existing investigation frameworks do not cater to all requirements and aspects of IoT forensics. It further highlights the need for standard mechanisms to acquire and analyze digital artifacts in IoT devices.

computer science, information systems, interdisciplinary applications

Jeffrey Fairbanks,Md Mashrur Arifin,Sadia Afreen,Alex Curtis

2024-07-02

Abstract:The main goal of this research project is to evaluate the effectiveness and speed of open-source forensic tools for digital evidence collecting from various Internet-of-Things (IoT) devices. The project will create and configure many IoT environments, across popular IoT operating systems, and run common forensics tasks in order to accomplish this goal. To validate these forensic analysis operations, a variety of open-source forensic tools covering four standard digital forensics tasks. These tasks will be utilized across each sample IoT operating system and will have its time spent on record carefully tracked down and examined, allowing for a thorough evaluation of the effectiveness and speed for performing forensics on each type of IoT device. The research also aims to offer recommendations to IoT security experts and digital forensic practitioners about the most efficient open-source tools for forensic investigations with IoT devices while maintaining the integrity of gathered evidence and identifying challenges that exist with these new device types. The results will be shared widely and well-documented in order to provide significant contributions to the field of internet-of-things device makers and digital forensics.

Cryptography and Security

Umit Karabiyik,Kemal Akkaya

DOI: https://doi.org/10.48550/arXiv.1811.09239

2018-11-23

Abstract:In the last decade, wireless sensor networks (WSNs) and Internet-of-Things (IoT) devices are proliferated in many domains including critical infrastructures such as energy, transportation and manufacturing. Consequently, most of the daily operations now rely on the data coming from wireless sensors or IoT devices and their actions. In addition, personal IoT devices are heavily used for social media applications, which connect people as well as all critical infrastructures to each other under the cyber domain. However, this connectedness also comes with the risk of increasing number of cyber attacks through WSNs and/or IoT. While a significant research has been dedicated to secure WSN/IoT, this still indicates that there needs to be forensics mechanisms to be able to conduct investigations and analysis. In particular, understanding what has happened after a failure is crucial to many businesses, which rely on WSN/IoT applications. Therefore, there is a great interest and need for understanding digital forensics applications in WSN and IoT realms. This chapter fills this gap by providing an overview and classification of digital forensics research and applications in these emerging domains in a comprehensive manner. In addition to analyzing the technical challenges, the chapter provides a survey of the existing efforts from the device level to network level while also pointing out future research opportunities.

Cryptography and Security

Tharindu Lakshan Yasarathna,Lojenaa Navanesan,Simon Barque,Assanka Sayakkara,Nhien-An Le-Khac

2023-10-05

Abstract:IoT (Internet of Things) refers to the network of interconnected physical devices, vehicles, home appliances, and other items embedded with sensors, software, and connectivity, enabling them to collect and exchange data. IoT Forensics is collecting and analyzing digital evidence from IoT devices to investigate cybercrimes, security breaches, and other malicious activities that may have taken place on these connected devices. In particular, EM-SCA has become an essential tool for IoT forensics due to its ability to reveal confidential information about the internal workings of IoT devices without interfering these devices or wiretapping their networks. However, the accuracy and reliability of EM-SCA results can be limited by device variability, environmental factors, and data collection and processing methods. Besides, there is very few research on these limitations that affects significantly the accuracy of EM-SCA approaches for the crossed-IoT device portability as well as limited research on the possible solutions to address such challenge. Therefore, this empirical study examines the impact of device variability on the accuracy and reliability of EM-SCA approaches, in particular machine-learning (ML) based approaches for EM-SCA. We firstly presents the background, basic concepts and techniques used to evaluate the limitations of current EM-SCA approaches and datasets. Our study then addresses one of the most important limitation, which is caused by the multi-core architecture of the processors (SoC). We present an approach to collect the EM-SCA datasets and demonstrate the feasibility of using transfer learning to obtain more meaningful and reliable results from EM-SCA in IoT forensics of crossed-IoT devices. Our study moreover contributes a new dataset for using deep learning models in analysing Electromagnetic Side-Channel data with regards to the cross-device portability matter.

Machine Learning,Cryptography and Security

Siraj Uddin Qureshi,Jingsha He,Saima Tunio,Nafei Zhu,Ahsan Nazir,Ahsan Wajahat,Faheem Ullah,Abdul Wadud

DOI: https://doi.org/10.1016/j.jksuci.2024.102164

IF: 9.006

2024-08-29

Journal of King Saud University - Computer and Information Sciences

Abstract:The swift proliferation of Internet of Things (IoT) devices has presented considerable challenges in maintaining cybersecurity. As IoT ecosystems expand, they increasingly attract malware attacks, necessitating advanced detection and forensic analysis methods. This systematic review explores the application of deep learning techniques for malware detection and forensic analysis within IoT environments. The literature is organized into four distinct categories: IoT Security, Malware Forensics, Deep Learning, and Anti-Forensics. Each group was analyzed individually to identify common methodologies, techniques, and outcomes. Conducted a combined analysis to synthesize the findings across these categories, highlighting overarching trends and insights.This systematic review identifies several research gaps, including the need for comprehensive IoT-specific datasets, the integration of interdisciplinary methods, scalable real-time detection solutions, and advanced countermeasures against anti-forensic techniques. The primary issue addressed is the complexity of IoT malware and the limitations of current forensic methodologies. Through a robust methodological framework, this review synthesizes findings across these categories, highlighting common methodologies and outcomes. Identifying critical areas for future investigation, this review contributes to the advancement of cybersecurity in IoT environments, offering a comprehensive framework to guide future research and practice in developing more robust and effective security solutions.

computer science, information systems

Adedayo M. Balogun,Shao Ying Zhu

DOI: https://doi.org/10.48550/arXiv.1312.3183

2013-12-11

Abstract:Owing to a number of reasons, the deployment of encryption solutions are beginning to be ubiquitous at both organizational and individual levels. The most emphasized reason is the necessity to ensure confidentiality of privileged information. Unfortunately, it is also popular as cyber-criminals' escape route from the grasp of digital forensic investigations. The direct encryption of data or indirect encryption of storage devices, more often than not, prevents access to such information contained therein. This consequently leaves the forensics investigation team, and subsequently the prosecution, little or no evidence to work with, in sixty percent of such cases. However, it is unthinkable to jeopardize the successes brought by encryption technology to information security, in favour of digital forensics technology. This paper examines what data encryption contributes to information security, and then highlights its contributions to digital forensics of disk drives. The paper also discusses the available ways and tools, in digital forensics, to get around the problems constituted by encryption. A particular attention is paid to the Truecrypt encryption solution to illustrate ideas being discussed. It then compares encryption's contributions in both realms, to justify the need for introduction of new technologies to forensically defeat data encryption as the only solution, whilst maintaining the privacy goal of users.

Cryptography and Security

Farkhund Iqbal,Aasia Jaffri,Zainab Khalid,Aine MacDermott,Qazi Ejaz Ali,Patrick C. K. Hung

DOI: https://doi.org/10.3389/frcmn.2023.1212743

2023-07-26

Frontiers in Communications and Networks

Abstract:Small-scale digital devices like smartphones, smart toys, drones, gaming consoles, tablets, and other personal data assistants have now become ingrained constituents in our daily lives. These devices store massive amounts of data related to individual traits of users, their routine operations, medical histories, and financial information. At the same time, with continuously evolving technology, the diversity in operating systems, client storage localities, remote/cloud storages and backups, and encryption practices renders the forensic analysis task multi-faceted. This makes forensic investigators having to deal with an array of novel challenges. This study reviews the forensic frameworks and procedures used in investigating small-scale digital devices. While highlighting the challenges faced by digital forensics, we explore how cutting-edge technologies like Blockchain, Artificial Intelligence, Machine Learning, and Data Science may play a role in remedying concerns. The review aims to accumulate state-of-the-art and identify a futuristic approach for investigating SSDDs.

Shancang Li,Kim-Kwang Raymond Choo,Qindong Sun,William J. Buchanan,Jiuxin Cao

DOI: https://doi.org/10.1109/jiot.2019.2906946

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) are increasingly common in our society, and can be found in civilian settings as well as sensitive applications, such as battlefields and national security. Given the potential of these devices to be targeted by attackers, they are a valuable source in digital forensic investigations. In addition, incriminating evidence may be stored on an IoT device (e.g., Amazon Echo in a home environment and Fitbit worn by the victim or an accused person). In comparison to IoT security and privacy literature, IoT forensics is relatively under-studied. IoT forensics is also challenging in practice, particularly due to the complexity, diversity, and heterogeneity of IoT devices and ecosystems. In this paper, we present an IoT-based forensic model that supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure. Specifically, we use the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.

P. Mohamed Shakeel,S. Baskar,Hassan Fouad,Gunasekaran Manogaran,Vijayalakshmi Saravanan,Carlos Enrique Montenegro-Marin

DOI: https://doi.org/10.1016/j.future.2020.10.001

IF: 7.307

2021-02-01

Future Generation Computer Systems

Abstract:In this paper, we proposed the blockchain-assisted shared audit framework (BSAF) to analyze digital forensic data in the IoT platform. The proposed framework was designed to detect the source/cause of data scavenging attacks in virtualized resources (VR). The proposed framework implements blockchain technology for access log and control management. Access log information is analyzed for its consistency of adversary event detection using logistic regression (LR) machine learning and cross-validation. An adversary event detected by LR is filtered using cross-validation to retain the precision of data analysis for varying user density and VRs. Experimental results prove the consistency of the proposed method by improving the data analysis, as well as reducing analysis time and the adversary event rate.

Muhammad Rusyaidi Zunaidi,Asanka Sayakkara,Mark Scanlon

2024-02-15

Abstract:Cryptography is vital for data security, but cryptographic algorithms can still be vulnerable to side-channel attacks (SCAs), physical assaults exploiting power consumption and EM radiation. SCAs pose a significant threat to cryptographic integrity, compromising device keys. While literature on SCAs focuses on real-world devices, the rise of sophisticated devices necessitates fresh approaches. Electromagnetic side-channel analysis (EM-SCA) gathers information by monitoring EM radiation, capable of retrieving encryption keys and detecting malicious activity. This study evaluates EM-SCA's impact on encryption across scenarios and explores its role in digital forensics and law enforcement. Addressing encryption susceptibility to EM-SCA can empower forensic investigators in overcoming encryption challenges, maintaining their crucial role in law enforcement. Additionally, the paper defines EM-SCA's current state in attacking encryption, highlighting vulnerable and resistant encryption algorithms and devices, and promising EM-SCA approaches. This study offers a comprehensive analysis of EM-SCA in law enforcement and digital forensics, suggesting avenues for further research.

Cryptography and Security

Deepti Rani,Nasib Singh Gill,Preeti Gulia

DOI: https://doi.org/10.1016/j.jii.2024.100568

IF: 11.718

2024-02-03

Journal of Industrial Information Integration

Abstract:The extensive growth of Industrial Internet of Things (IIoT) has prompted cyber attackers to commence a variety of attacks which need to be identified to maintain the security of industrial data and services. Digital forensics is an extravagant need to detect cyber attacks and to identify cybercriminals. While conducting criminal investigation using digital forensics, there is high probability of leakage of collected digital evidence. Hence, the need for a secure and lightweight cryptosystem arises to protect it from cyber-attacks. In the present paper, authors aim to design a novel forensic framework for digital evidence administration using advanced encryption and preservation mechanisms. Authors focus to encrypt and preserve only digital image evidence but can be deployed on other types of multimedia data like video frames. Three types of Chaos-map algorithms namely 4D hyperchaotic map, 2D Arnold Cat map (ACM) and Henon Map have been utilized to encrypty and decrypt digital image evidence which enable high sensitivity and dependency on initial conditions, quasi-randomness, and ergodicity to digital content. The proposed approaches have been analyzed on different groups of images of different size and validated using various security parameters such as unified average changing intensity (UACI), correlation coefficient, and the number of pixels changing rate (NPCR). Image transformation and compression has been performed after encryption process using Fast Fourier Transformation (FFT). The proposed work has been analyzed using histogram and auto-correlation. Experimentations have provided the values of the correlation coefficient of plain images near 1 and the value of adjacent cipher images near zero which show a strong correlation. The evaluated results for UACI are more than 33 % for every considered images. The value for NPCR should be near 100 % and here the calculated results for each image are above 99 %. The complexity of the proposed encryption algorithm is O(n) due to key generation using a cryptographically secure pseudo-random number generator (CSPRNG). The compressed and transformed image evidence have been stored into decentralized blockchain to ensure the integrity and confidentiality. Decentralized blockchain has been used as a reliable and promising solution to preserve digital evidence due to its distinct features like secure peer to peer communication, improved trust and transparency among participants, integrity, confidentiality, immutability, without risk of single point-of-failure. The proposed digital forensic model is able to prevent various threats and security challenges which can contaminate or tamper off digital pieces of evidence and assures improved digital evidence administration and defensibility. In the proposed scheme, the encryption process takes only 2–3 s to perform the encryption of each size of image.

computer science, interdisciplinary applications,engineering, industrial

Yan Jie Zhang,Lei Zhang,Feng Yang,Siting Gu

DOI: https://doi.org/10.1145/3512576.3512628

2021-01-01

Abstract:In order to improve the identification efficiency of devices in the perception layer of the Internet of Things, reduce the cost of calculation and protect data privacy, a device fingerprint extraction method based on lightweight national secret algorithm is proposed. Firstly, the feature information of embedded module is introduced to construct a comprehensive feature set, and the reasonable feature subset is determined based on the feature selection strategy of expert information weighting mechanism; Secondly, the lightweight cipher algorithm with high security is selected to transform the feature subset data into device fingerprint; Finally, based on the electric energy acquisition equipment in the power Internet of things, the fingerprint value extracted meets the requirements of uniqueness and unforgeability, and has the characteristics of fast response, which verifies the feasibility of the method.

Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García,Juan Manuel Castelo Gómez,Javier Carrillo-Mondéjar,José Luis Martínez Martínez,Jorge Navarro García

DOI: https://doi.org/10.1016/j.fsidi.2022.301451

2022-09-01

Abstract:Forensic investigations in the Internet of Things (IoT) are becoming ever more important as the number of cyberincidents that occur in it continues to rise. As a result, it has become necessary to determine how to proceed in performing examinations in this environment, as its novelty and new characteristics demand the development of new forensic solutions that can guarantee a complete and efficient analysis. The approach followed until now by the research community has been to examine the most popular IoT devices and systems with the aim of gaining an insight into what data can be extracted from them, how to extract these data, and what limitations an investigator may encounter in the process. Following this idea, this article, apart from studying the state of the art of IoT forensic investigations, details the examination process for the “Xiaomi Mi Smart Sensor Set” smart home kit, emphasizing the acquisition and analysis of the three main types of forensic evidence: non-volatile memory, volatile memory and network traffic. In particular, we extract and list the useful forensic artifacts that can be obtained from this kit, describing their purpose and location.

computer science, information systems, interdisciplinary applications

Xuanyu Liu,Xiao Fu,Xiaojiang Du,Bin Luo,Mohsen Guizani

DOI: https://doi.org/10.1109/tnsm.2022.3224863

2023-01-01

IEEE Transactions on Network and Service Management

Abstract:Security and privacy concerns keep growing with the successful development of Internet of Things (IoT) and the booming deployment of smart homes. IoT devices are utilized cooperatively to enable the interactions between home surroundings and users’ daily lives, containing forensically-valuable information about what happens in smart homes, which can help introduce digital forensics into smart homes to alleviate the growing concerns. However, current IoT devices, apps, and platforms usually do not provide built-in capabilities for digital forensics. To overcome this limitation, we propose a non-intrusive solution (i.e., bringing no modification to IoT devices, apps, and platforms) of digital forensic service to provide Forensics-as-a-Service (FaaS) for smart homes. First, it leverages side-channel analysis on sniffed network traffic to monitor commands, actions, and states of IoT devices. Then, it introduces provenance graphs (i.e., causal graphs) for smart home modeling to provide a holistic and overall explanation of smart homes. Machine learning (ML) techniques are applied to overcome the deficiency of a non-intrusive solution as it suffers from challenges in data collection and smart home modeling. Finally, it conducts forensic analysis based on scalable, reusable policies that are designed for graph-based smart home modeling. We implement a prototype of our forensic service and evaluate it in a real-world smart home. The evaluation results show that our forensic service can effectively collect forensic data for smart home modeling and conduct forensic analysis to explain security risks in smart homes.