A Study on Internet of Things (IoT) Forensic.
Ph.D. thesis, Hallym University.
Keywords: Client-side Acquisition; Cloud Acquisition; Device Acquisition; Internet of things forensic; IoT data acquisition; IoT Forensic; Network Acquisition
Previous studies have addressed digital forensics in the Internet of Things (IoT) environment, and there are cases in which IoT device data has been used in crime investigations. However, acquiring and analyzing data in the IoT environment remains a challenge for digital forensic investigators. In addition, there are no accepted practical and comprehensive digital forensic procedures for investigators and law enforcement agencies to perform digital forensic investigations on IoT-based environments. This work proposes a new model for IoT forensics, specifically for the data acquisition procedure from the IoT ecosystem. The model is tested using experiments conducted on IoT devices. The experiments include investigating actual IoT devices in order to provide a complete picture of the model. The experiment was divided into Cloud, Network, Client (PC, Mobile) and Device/hub side for each IoT device. The results showed that data can be extracted from each category of cloud, network, client, and device, and that as much data as possible should be collected, as soon as possible, with the related devices. This is because the data available in the device and in the specified categories can vary depending on the storage and processing capabilities. For example, the device side may have data that the cloud side does not have, and that data can be key evidence for a crime scene. The cloud side holds the more complete, updated and historical data, while the client and device side hold cache data that may be incomplete, outdated, or partially overwritten. Based on these test results, this paper also presents the IoT investigation procedure. In order to proceed with data collection from all aspects of the IoT ecosystem, it is necessary to analyze data obtained from the client side. Information such as device configuration information and connected devices can be obtained by acquiring and analyzing this data.
By checking the information of the other connected IoT devices, the investigation can go through the identification step again. The proposed procedure will serve as a guideline on where to start investigating IoT devices and what the next step is. It will also help investigators and researchers in the digital forensics field to facilitate the data acquisition process and develop data collection tools. This procedure should be tested and verified against a variety of IoT devices until a comprehensive procedure for IoT data acquisition.