Challenges in Digital Forensics for the Internet of Things

By David Begg on March 28, 2024

Introduction

The continued growth and development of the Internet of Things (IoT) has led to its usage and application across an increasingly broad range of situations to facilitate services. With this increased usage comes an increased incidence of IoT devices being involved in digital forensic investigations, and an attendant increase in the issues and challenges involved with extracting useful and valid digital evidence from them. This report seeks to explore the current challenges facing digital forensic investigators with regard to IoT devices and networks, and potential future actions needed to address them.

Expanding usage of IoT

As IoT devices increase in both number and sophistication, so do their potential uses in a variety of situations and fields beyond the individual home and business. The expansion of IoT into industrial settings has become known as the Industrial Internet of Things (IIoT), where IoT devices are used to carry out or facilitate a variety of industrial tasks such as monitoring, control, production, etc. [3]. The rising phenomenon of smart cities utilizes a broad range of IoT devices to enable city infrastructure, monitor and control things such as traffic flow and building functions, as well as automate and deliver services such as healthcare, Internet, and power to city inhabitants [1]. Smart devices are also available for military use in warfare situations, known collectively as the Internet of Military/Battlefield Things (IoMT/IoBT) [4]. These different situations, as well as the increasing diversity and number of IoT devices being utilized, pose many issues with regard to implementation, maintenance, and security that IT and cybersecurity personnel will have to work through.

Digital forensics and IoT

Unfortunately, while IoT devices have become increasingly complex, diverse, and sophisticated, the field of digital forensics as applied to IoT devices has yet to catch up in many aspects, and this poses many challenges for investigators and cybersecurity personnel. There is a general lack of forensic tools that are compatible with IoT devices, especially newer ones, and there are even fewer that reliably work across a broad range of IoT devices, due in large part to the wide diversity of technologies utilized among the multitude of IoT devices [3,4]. IoT devices often utilize volatile memory, which can limit the timespan within which useful data can be extracted from the device itself [2,3,4]. IoT devices also often use cloud storage to hold their associated data in the long term, which introduces the potential for legal issues such as jurisdictional or regulatory barriers to accessing that data [4]. The volume of data that can be collected by a network of IoT devices or even a single IoT device could be very large, making it potentially difficult and time-consuming to find relevant evidence in that data [3,4]. While standards do exist for digital forensic investigations in general, more still need to be developed, established, and widely agreed upon to cover the increasing range and complexity of such investigations; this is especially the case with regard to IoT devices or the evidence derived from them over the course of an investigation, where such standards are currently greatly lacking [2,3,4]. Even more concerning, threat actors seeking to utilize IoT devices in their attacks have a slew of anti-forensic techniques and technologies at their disposal to throw off investigators, such as encryption, malware, file tampering, memory manipulation, etc. For example, attackers could potentially hide their data in the volatile memory of an IoT device, making it very difficult if not impossible for investigators to retrieve that data [2,4].
This is by no means an exhaustive list, but a small selection of example issues that digital forensic investigators and cybersecurity personnel will eventually have to address and overcome.

Courses of Action

For the field of digital forensics to reliably conduct successful investigations into incidents involving IoT devices, multiple courses of action are necessary. There is a need for broad expansion of education in digital forensics [2,4], personnel and investigators specially trained and experienced with digital forensics [4], an increase in general awareness among relevant industries and organizations of the nature of digital forensics to establish preparedness for facilitating investigations [2,4], and countermeasures for anti-forensic activity [4], among others.

Conclusion

The burgeoning realm of IoT poses a great many challenges to cybersecurity personnel, especially digital forensic investigators, as it continues to expand and establish itself in more situations and industries. As it stands, the field of digital forensics needs to be adapted and expanded to properly capture and handle digital evidence derived from IoT devices and networks. To achieve this end, actions such as increasing digital forensic education, developing specialized techniques and technologies, and creating comprehensive and widely acceptable standards for digital forensics, among others, must be taken.

References

[1] Baig, Z. A., Szewczyk, P., Valli, C., Rabadia, P., Hannay, P., Chernyshev, M., … & Peacock, M., “Future challenges for smart cities: Cyber-security and digital forensics,” 2017 https://www.sciencedirect.com/science/article/pii/S1742287617300579

[2] Casino, F., Dasaklis, T. K., Spathoulas, G. P., Anagnostopoulos, M., Ghosal, A., Borocz, I., Solanas, A., Conti, M., & Patsakis, C., “Research Trends, Challenges, and Emerging Topics in Digital Forensics: A Review of Reviews,” 2022 https://ieeexplore.ieee.org/document/9720948

[3] Kebande, V. R., & Awad, A. I., “Industrial Internet of Things Ecosystems Security and Digital Forensics: Achievements, Open Challenges, and Future Directions,” 2024 https://dl.acm.org/doi/10.1145/3635030

[4] Yaacoub, J.-P. A., Noura, H. N., Salman, O., & Chehab, A., “Advanced digital forensics and anti-digital forensics for IoT systems: Techniques, limitations and recommendations,” 2022 https://www.sciencedirect.com/science/article/pii/S2542660522000464