Hi All
We recently carried out a survey on establishing a definition on IoT forensics, based on the responses we proposed the following definition
“IoT forensics is a sub-domain of digital forensics and involves the collection, preservation, analysis and presentation of data obtained from IoT devices. It consists of various domains / skills including networking, embedded device, cloud, mobile, host based forensics and reverse engineering. For the purpose of collating historical data of interactions from IoT device(s) to reconstruct criminal events or obtaining remnants of data that indicates a malicious act or exploitation of an IoT device.”
Could you please provide your feedback and thoughts on the above definition?
Regards
Tina
IoT forensics is a sub-domain of digital forensics and involves the collection, preservation, analysis and presentation of data obtained from IoT devices.
Nothing IoT specific there except in the last two words, which probably should be the subject of additional definition. Start with "IoT devices are …" whatever they are, and how you identify them (of course, you may already have that covered somewhere else). You don't want different readers to have different ideas or misconceptions of what they are; you need to tell them that. (I presume; if you don't need to tell them, you may need to rethink the actual need for this definition.)
I object to 'data obtained from IoT devices' as data may be sent to application-specific servers. IoT devices used for home security, alarms, etc. usually do things that way: send collected images to central servers, where they are processed and accessed further. A good IoT device would not retain such data locally. The next sentence sort of addresses that, but … it's a bit too late.
It consists of various domains / skills including networking, embedded device, cloud, mobile, host based forensics and reverse engineering.
Not sure about reverse engineering – you probably need to define that term as well. To me it's an engineering practice, with the purpose of creating a specification of the examined product, but that does not make sense in forensics. You probably mean something closer to 'code disassembly', and so need to ensure that whatever dictionary you're relying on here is documented, and says what you mean.
For the purpose of collating historical data of interactions from IoT device(s) to reconstruct criminal events or obtaining remnants of data that indicates a malicious act or exploitation of an IoT device.
Something bad happened to the syntax of that statement. Should probably have been "…, for the purpose of …" and be a part of the immediately preceding sentence.
It may also help if you explained who this definition is intended for. I mean, who will get the 'aha, now I see!' experience from it? No forensic analyst will, as far as I can see. And people like lawyers and judges will get cross-eyed as soon as you mention IoT, unless you also add what use IoT forensics is, what information can *definitely* be obtained from the devices.
So perhaps you also need to say that it isn't really a thing yet, on par with Windows forensics or Android forensics, and that collection of evidence and analysis are very much unwritten pages, and cannot be relied on. And in particular that the historical data you mention being collected from IoT devices may not at all be present in IoT devices.
I very strongly object to the implication that IoT forensics is for criminal events, or data that indicate malicious acts or exploitations. That can and will be misinterpreted as meaning that only the prosecution can have any interest in IoT forensics. I assume you don't want that. IoT forensics can just as well be used for evidence that supposed criminal events or malicious acts actually did not happen. Just as all other forms of forensic analysis, whether they have to do with computers or not.
Unless the definition is not intended to be neutral, of course.
(Added: As I'm rather in the dark about the role of this definition, and how it is intended to work, I've listed all issues I could identify. In any particular scenario, only a subset of them may be valid, of course. But I'm just not in the position to know that …)
Seemingly athulin both hit the nail right on the head and drove it as the last one in the coffin of that definition.
And I cannot but agree fully with him :)
IoT digital forensics is simply digital forensics applied on IoT devices.
The scopes are not at all different and it IMHO boils down to "extract as much data as possible from the *whatever* examined to recreate as accurately as possible what happened".
Digital forensics anyway includes what you listed:
networking, embedded device, cloud, mobile, host based forensics and reverse engineering
So it would make more sense to me to first define digital forensics and then specify how the IoT subset is (due to the field being very new and to the infinite number of devices, embedded or not embedded software) a rather experimental field with very few (if any) consolidated third party tools, documentation, previous (meaningful) literature, etc.
jaclaz
Trying to view the question from the other side …
IoT digital forensics is simply digital forensics applied on IoT devices.
That seems to be the crux of the matter: what *are* IoT devices? How do we identify one? (There are still companies out there who call a NAS a 'personal cloud', missing a major point of what a cloud is. That messes up 'cloud forensics' if you don't already know what it means, and if you trust that these manufacturers are authoritative on 'cloud' things – other than marketing.)
My impression is that IoT, from a forensic perspective, cannot easily be separated from devices we already have today. The IoT – always connected, more or less – may lead to new, 'cloudy' services, which in turn may lead to interesting data being collected in ways that may be easy to access. (How is car forensics different from IoT forensics, for example? Does always-connected make a difference from a forensic point of view?)
But many, possibly most, basic forensic questions – such as 'can we trust the data we extract from device X to answer these questions? Has it been manipulated or faked?' etc. – remain the same. And it still will require platform expertise + basic forensic competence.
Is there something that is unique to the IoT world? I've only experimented with two different home security devices, so I'm probably biased from that limited exposure. It seems to lead to more embedded systems, more data extraction. After that it's still the fundamental competence/expertise of what that platform can tell us related to forensic issues. Entirely new hardware platforms are not entirely likely (unless Intel or ARM starts pushing systems-on-a-chip for IoT), though they will happen on a small scale; new software platforms are almost certain, so expertise on those platforms is likely to be needed.
Perhaps it's a widening of the 'digital forensics' of today to such platforms, and the requirement for competence/expertise/tool support for the data storage mechanisms and media they in particular use that is the basic thing.
But I'm biased. I'd want to talk to forensic-aware developers in the IoT industry, as well as embedded systems experts for answers.
Trying to view the question from the other side …
IoT digital forensics is simply digital forensics applied on IoT devices.
That seems to be the crux of the matter: what *are* IoT devices? How do we identify one? (There are still companies out there who call a NAS a 'personal cloud', missing a major point of what a cloud is. That messes up 'cloud forensics' if you don't already know what it means, and if you trust that these manufacturers are authoritative on 'cloud' things – other than marketing.)
My impression is that IoT, from a forensic perspective, cannot easily be separated from devices we already have today. The IoT – always connected, more or less – may lead to new, 'cloudy' services, which in turn may lead to interesting data being collected in ways that may be easy to access. (How is car forensics different from IoT forensics, for example? Does always-connected make a difference from a forensic point of view?)
Yep, a definition is needed for IoT devices.
Still I don't think it is "easy" to separate or categorize them.
As a counterexample (or counter-counterexample), what is a "smart TV"?
Observations:
1) when you switch it on it boots a "firmware" and an OS (usually a bastardized Linux)
2) it contains a processor, some minimal amount of storage (I presume some form of flash)
3) it automagically connects to the Internet (I hope only when it is on)
4) it allows (depending on models) to browse the web, install apps and uninstall them (with quite a few limitations BTW)
To me it is to all effects a (castrated) computer (with a very large screen) AND an IoT device.
And what is an IP camera?
I just installed one at a friend's house (el-cheapo Chinese one, paid around 130 Euro, but not too shabby).
That model has:
1) Network connectivity (in the form of an RJ45 connector), with a lot of options, including uploading periodically to FTP, sending e-mail alerts, etc.
2) Quite a few settings for its functioning (resolution, frame rate, type of stream, etc.)
3) Motion detection and possibility to trigger an alarm (local) or sending e-mails
4) Zoom and (horizontal) movement that can be programmed as cycles
5) possibility to insert a SD card as recording media
6) A connection to a service (on the cloud) that allows you to see the stream from your smartphone, but also to command its movements and zoom
7) and when you power it up it does take a little time to "boot"
Is it not as well an embedded (and limited) computer AND an IoT device?
jaclaz