An efficient IoT forensic approach for the evidence acquisition and analysis based on network link

Abstract

Abstract In an Internet of Things (IoT) environment, IoT devices are typically connected through different network media types such as mobile, wireless and wired networks. Due to the pervasive nature of such devices, they are a potential evidence source in both civil litigation and criminal investigations. It is, however, challenging to identify and acquire forensic artefacts from a broad range of devices, which have varying storage and communication capabilities. Hence, in this paper, we first propose an IoT network architecture for the forensic purpose that uses machine learning algorithms to autonomously detect IoT devices. Then we posit the importance of focusing on the links between different IoT devices (e.g. whether one device is controlled or can be accessed from another device in the system), and design an approach to do so. Specifically, our approach adopts a graph for modelling IoT communications’ message flows to facilitate the identification of correlated network traffic based on the direction of the network and the associated attributes. To demonstrate how such an approach can be deployed in practice, we provide a proof of concept using two IoT controllers to generate 480 commands for controlling two IoT devices in a smart home environment and achieve an accuracy rate of 98.3% for detecting the links between devices. We also evaluate the proposed autonomous discovering of IoT devices and their activities in a TCP network by using real-world measurements from a public dataset of a popular off-the-shelf smart home deployed in two different locations. We selected 39 out of 81 different IoT devices for this evaluation.