API-Based Cloud Data Acquisition and Analysis from Smart Home IoT Environments.
Master's thesis, Hallym University.
Keywords: API-based cloud data acquisition; Amazon Alexa forensics; Cloud forensics; Google Assistant forensics; IoT forensics; SmartThings forensics; cloud acquisition tool
The increasing number of IoT devices used in different application domains is changing the digital forensics landscape by providing a variety of potential data and data sources. However, current forensic tools and techniques have been slow to adapt to the new challenges and demands of collecting and analyzing IoT environment artifacts. As in traditional forensics, data acquisition in the IoT ecosystem is possible from the client side, the network, or the cloud service. However, unlike computer forensics, IoT forensics does not normally find much data on the client side: because the device's storage is usually limited, client devices may not save much data except some cache and configuration files. In this case, their cloud service could normally be a great source of potential evidence. Investigators access cloud service data in different ways. They can either attempt to access the cloud service data themselves by authenticating as a user, or collaborate with the Cloud Service Provider to collect data. In this thesis, we studied the acquisition and analysis of cloud data from IoT environments to address the limitation of client-side acquisition. Specifically, we introduce an acquisition procedure for IoT-related cloud services using Application Programming Interfaces (APIs). Some IoT devices and their cloud services provide APIs for programmers and users, while others do not. We use both official APIs provided by cloud providers and unofficial APIs, which we uncovered using different research methods. Previous works have shown and used these official and unofficial APIs for data acquisition purposes. However, every IoT device and cloud provider has its own API type and structure. Hence, we used the three most popular IoT-related cloud providers - Amazon Alexa, Google Home and SmartThings - to show how to use APIs to acquire cloud-native artifacts from their respective backend cloud services.
Using the APIs, we can obtain cloud-centric data from each of the selected case-study cloud services. User command history, user activities, audio files and other additional data were obtained from the Amazon Alexa cloud. It is also possible to download user activity data, including commands issued to the device, from the Google cloud related to Google Home. From the SmartThings cloud, we were able to download information including each device's events or actions performed on the sensors, user-created locations, Hubs, account details, room information, etc. To help investigators automate the acquisition process, we designed and developed a Python application that connects to the respective cloud services and retrieves every possible piece of information stored in them. The application is a user-interface-based tool with options for selecting different filtration parameters, authentication options, and data parsing. The tool also logs every action and documents the metadata of all downloaded files, including the calculated hash. Further, to evaluate the completeness of the acquired cloud data, we generated data in a controlled environment with a specific set of actions and scripts, then compared the API-based acquired data with the generated data.