Smart/IoT Devices as Evidence Sources

By David Begg on April 16, 2024

Introduction

The increasingly pervasive presence of smart and Internet-of-Things (IoT) devices across multiple environments such as home, office, and public places means that they are in a position to be associated with a crime or other adverse incident, either as a vector of attack or as a collection point of potential evidence associated with such incidents. Even if a smart/IoT device is not directly affected or utilized by a threat actor, many such devices contain sensors such as cameras, thermometers, and heart rate monitors, among others, that can record valuable information about an incident. As such, collecting evidence from these devices is critical. This report will cover a few of the situations in which smart/IoT devices can be useful sources of evidence.

IoT device evidence in fire/arson cases

IoT devices with sensors can be in an excellent position to capture evidence regarding fires. Many such devices, especially those made for home and/or office use, tend to be equipped with thermometers, cameras, microphones, and other sensors that can detect the presence of people or environmental changes, and thus traces of important evidence can potentially be collected and utilized by investigators [2]. Though the devices may be damaged or destroyed by the fire, rendering the onboard storage useless, many of them store collected data in the cloud or communicate with other potentially undamaged devices such as a user’s smartphone, allowing data to be retrieved from those sources instead, though they may be subject to jurisdictional and other legal issues [2]. However, the information that can be acquired from these devices is subject to issues such as data availability, validity, time accuracy between the device and the real world, and the heterogeneity of devices, which could render such evidence less useful or difficult to access [2].
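The time-accuracy and heterogeneity issues can be made concrete with a small timeline builder. This is an added example, not code from the cited study: the source names, timestamp formats, the UTC+1 handset zone, and the clock-error measurements are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: source names, formats and values are illustrative only.
RECORDS = [
    ("thermostat_cloud", "2024-03-02T21:14:05+00:00", "temp 24.5C"),
    ("thermostat_cloud", "2024-03-02T21:19:40+00:00", "temp 61.0C"),
    ("camera_sd", 1709414130, "motion detected"),             # epoch seconds
    ("phone_app", "02/03/2024 22:16:12", "smoke alert push"),  # local wall-clock time
    ("smart_plug", "2024-03-02T21:12:00+00:00", "power on"),
]

# One parser per source format, each returning a timezone-aware datetime.
PARSERS = {
    "thermostat_cloud": datetime.fromisoformat,
    "smart_plug": datetime.fromisoformat,
    "camera_sd": lambda v: datetime.fromtimestamp(v, tz=timezone.utc),
    # Assumption: the handset was set to UTC+1 when the app wrote this record.
    "phone_app": lambda v: datetime.strptime(v, "%d/%m/%Y %H:%M:%S")
        .replace(tzinfo=timezone(timedelta(hours=1))).astimezone(timezone.utc),
}

# Examiner-measured clock error in seconds: (device clock minus reference, +/- uncertainty).
# smart_plug is absent: the device was destroyed, so its clock could not be checked.
CLOCK_ERROR = {"thermostat_cloud": (-20, 2), "camera_sd": (95, 5), "phone_app": (0, 1)}

def build_timeline(records, clock_error):
    """Return events sorted by corrected UTC time, keeping uncertainty and clock status."""
    timeline = []
    for source, raw_ts, event in records:
        reported = PARSERS[source](raw_ts)
        if source in clock_error:
            offset, uncertainty = clock_error[source]
            corrected, verified = reported - timedelta(seconds=offset), True
        else:
            # No offset measurement: keep the reported time but flag it as unverified.
            corrected, uncertainty, verified = reported, None, False
        timeline.append({"utc": corrected, "plus_minus_s": uncertainty,
                         "source": source, "event": event, "clock_verified": verified})
    return sorted(timeline, key=lambda e: e["utc"])

if __name__ == "__main__":
    for e in build_timeline(RECORDS, CLOCK_ERROR):
        flag = f"+/-{e['plus_minus_s']}s" if e["clock_verified"] else "UNVERIFIED CLOCK"
        print(e["utc"].isoformat(), e["source"], e["event"], flag)
```

With these constructed values, the camera's motion event moves ahead of the first thermostat reading once clock error is removed, which is the kind of ordering change that uncorrected device timestamps would hide.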

Medical devices with smartphone apps

Medical and other devices, along with the apps used to facilitate their use, are not only a potential target or vector for a cyber attack, but also a potentially useful source of evidence that investigators can explore for both cyber and real-world incidents. Situations in which these devices and their accompanying apps can provide valuable evidence for digital forensic investigators include suspicious deaths, medical malpractice, medical trial auditing, and medical technology abuse [1]. It is possible to retrieve information such as device metadata and user-identifying data from apps such as Kardia, iHealth MyVitals, and Health Mate, across both Android and iOS platforms/devices; medical specifics such as blood pressure, temperature and humidity, heart rate, and oxygen levels, along with metadata specifics such as names, user registration emails, connected devices, and even account passwords were found, sometimes in an unencrypted state, on the devices the apps were installed on [1]. Aside from making these devices and apps an important consideration for investigators, these apps, devices, and the data stored on them raise critical security, privacy, and legal concerns for both users and companies [1].

In-vehicle infotainment systems

As more and more vehicles include in-vehicle infotainment (IVI) systems that can interface with smartphones and other devices, the probability of IVI involvement in a cyber or real-world incident grows, and so does their relevance and importance in the sphere of digital forensic investigation. IVI systems can transmit driver and/or passenger relevant data between the vehicle and a smart device such as a smartphone or tablet, and thus either device can potentially store incident-relevant information [3]. After connecting and communicating with a smartphone or tablet, both the smart device and the IVI can transmit and store such information as driver origin and destination, mobile device contact information, incoming/outgoing caller names and numbers, and lists of paired devices, some of which may be in an unencrypted state; artifacts containing this information could prove to be useful evidence in incidents involving smart communications devices and vehicles with IVI, and can also be used for cross-validation purposes between the devices and the systems [3].
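The cross-validation between a handset and an IVI can be sketched as a reconciliation of the two call logs. This is an added example, not code from the cited study: the record fields, phone numbers, timestamps, the last-ten-digits normalization, and the 120-second tolerance are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample artifacts; fields, numbers and times are illustrative only.
PHONE_CALLS = [
    {"number": "+1 (555) 010-0142", "direction": "outgoing", "time": "2024-02-10T08:02:11"},
    {"number": "+1 (555) 010-0177", "direction": "incoming", "time": "2024-02-10T08:20:45"},
    {"number": "+1 (555) 010-0123", "direction": "outgoing", "time": "2024-02-10T13:05:00"},
]
IVI_CALLS = [
    {"number": "5550100142", "direction": "outgoing", "time": "2024-02-10T08:02:40"},
    {"number": "5550100177", "direction": "incoming", "time": "2024-02-10T08:21:02"},
    {"number": "5550100199", "direction": "incoming", "time": "2024-02-10T08:31:30"},
]

def call_key(rec):
    """Normalize differently formatted numbers so both sources compare equal."""
    digits = re.sub(r"\D", "", rec["number"])
    # Assumption: the last 10 digits identify the subscriber in this data set.
    return digits[-10:], rec["direction"]

def cross_validate(phone, ivi, tolerance_s=120):
    """Pair records seen by both systems; return (matched, phone_only, ivi_only)."""
    unmatched_ivi = list(ivi)
    matched, phone_only = [], []
    for p in phone:
        p_time = datetime.fromisoformat(p["time"])
        hit = next(
            (i for i in unmatched_ivi
             if call_key(i) == call_key(p)
             and abs((datetime.fromisoformat(i["time"]) - p_time).total_seconds()) <= tolerance_s),
            None,
        )
        if hit is not None:
            unmatched_ivi.remove(hit)  # each IVI record corroborates at most one phone record
            matched.append((p, hit))
        else:
            phone_only.append(p)
    return matched, phone_only, unmatched_ivi

if __name__ == "__main__":
    matched, phone_only, ivi_only = cross_validate(PHONE_CALLS, IVI_CALLS)
    print("corroborated by both:", len(matched))
    print("phone only:", [r["number"] for r in phone_only])
    print("IVI only:", [r["number"] for r in ivi_only])
```

Records found on only one side are not errors by themselves; they mark where the examiner needs an explanation, such as a call placed while the phone was not connected to the vehicle.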

Conclusion

The growing prevalence of smart and IoT devices in every sort of environment, whether home, office, or vehicle, means that they will inevitably play an increasingly frequent role in digital forensic investigations. These devices, as well as other devices which communicate with them, can become valuable sources of data and therefore evidence when they are associated with an incident. Information like environmental temperature and human activity gathered from a smart home device could help clarify the nature of a fire that took place in a home or office. Biological and physiological indicators monitored by medical devices and stored on smartphones via apps could possibly elucidate the circumstances of a medical event or a suspicious death. IVI systems can exchange with a smartphone, and store, information such as trip origins and destinations, phone contacts, and calls made or received, potentially making them a valuable source of evidence in the absence of the associated smartphone. These are only a few examples of situations where a smart/IoT device could be a source of important evidence, and they illustrate the importance of considering such devices whenever they are associated with, or even merely present at the location of, an incident.

References

[1] Grispos, G., Choo, K.-K. R., & Glisson, W. B., “Sickly Apps: A Forensic Analysis of Medical Device Smartphone Applications on Android and iOS Devices,” 2022 https://link.springer.com/article/10.1007/s11036-022-02049-8 

[2] Servida, F., Fischer, M., Delémont, O., & Souvignet, T. R., “Ok Google, Start a Fire. IoT devices as witnesses and actors in fire investigations,” 2023 https://pubmed.ncbi.nlm.nih.gov/37055332/

[3] Shin, Y., Kim, S., Jo, W., & Shon, T., “Digital Forensic Case Studies for In-Vehicle Infotainment Systems Using Android Auto and Apple CarPlay,” 2022 https://pubmed.ncbi.nlm.nih.gov/36236293/