Iot Ignorance Is Digital Forensics Research Bliss
Total Page:16
File Type:pdf, Size:1020Kb
University of New Haven Digital Commons @ New Haven Electrical & Computer Engineering and Computer Electrical & Computer Engineering and Computer Science Faculty Publications Science 8-2019 IoT Ignorance is Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Definitions, Challenges and Future Research Directions Tina Wu University of Oxford Frank Breitinger University Liechtenstein Ibrahim Baggili University of New Haven, [email protected] Follow this and additional works at: https://digitalcommons.newhaven.edu/ electricalcomputerengineering-facpubs Part of the Computer Engineering Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, and the Information Security Commons Publisher Citation Wu, T., Breitinger, F., & Baggili, I. (2019, August). IoT Ignorance is Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Definitions, Challenges and Future Research Directions. In Proceedings of the 14th International Conference on Availability, Reliability and Security, ARES '19 (Article no. 46). ACM. Comments Dr. Baggili was appointed to the University of New Haven's Elder Family Endowed Chair in 2015. This is the authors' version of the paper published in ARES '19 Proceedings of the 14th International Conference on Availability, Reliability and Security by ACM. ISBN: 978-1-4503-7164-3. The ap per of record can be found at http://dx.doi.org/10.1145/3339252.3340504 IoT Ignorance is Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Definitions, Challenges and Future Research Directions Tina Wu Frank Breitinger Tina:wu@cs:ox:ac:uk Ibrahim Baggili University of Oxford FBreitinger@newhaven:edu Oxford, UK IBaggili@newhaven:edu University of New Haven West Haven, Connecticut ABSTRACT ACM Reference Format: Interactions with IoT devices generates vast amounts of personal Tina Wu, Frank Breitinger, and Ibrahim Baggili. 2019. IoT Ignorance is data that can be used as a source of evidence in digital investiga- Digital Forensics Research Bliss: A Survey to Understand IoT Forensics Defnitions, Challenges and Future Research Directions. In Proceedings of the tions. Currently, there are many challenges in IoT forensics such as 14th International Conference on Availability, Reliability and Security (ARES the difculty in acquiring and analysing IoT data/devices and the 2019) (ARES ’19), August 26–29, 2019, Canterbury, United Kingdom. ACM, lack IoT forensic tools. Besides technical challenges, there are many New York, NY, USA, 15 pages. https://doi:org/10:1145/3339252:3340504 concepts in IoT forensics that have yet to be explored such as defni- tions, experience and capability in the analysis of IoT data/devices 1 INTRODUCTION and current/future challenges. A deeper understanding of these The Internet of Things (IoT) has enabled the creation of everyday various concepts will help progress the feld. To achieve this goal, objects into smart devices e.g. smart fridges, locks or home assis- we conducted a survey which received 70 responses and provided tants, that connect to online services and platforms. The amount the following results: (1) IoT forensics is a sub-domain of digital of human interactions with these systems creates a new paradigm forensics, but it is undecided what domains are included; (2) practi- of evidential data. However, the tools and technologies in digi- tioners are already having to examine IoT devices even though they tal forensics that are meant for conventional computing are not felt undertrained; (3) requirements for technical training, software fully capable of supporting the IoT infrastructure [39]. Forensic and education are non-existent; (4) high priority on research should practitioners now face challenges such as the lack of tools and be to develop IoT forensic tools, how to preserve volatile data and methodologies for analyzing IoT devices, exponential increase in methods to identify and acquire data from the cloud; (5) improve- data volume, variety of non-standardized IoT devices [16, 23] and ments to forensic tools should be aimed at data acquisition (imaging) datasets for training [13]. Additionally, a comprehensive survey and device disassembly / forensic process; (6) practitioners’ per- efort has not been conducted to understand the reality of these spectives on research direction difer slightly to non-practitioners challenges. in that the focus should be on breaking encryption on IoT devices While there are many technical challenges in IoT and IoT foren- rather than focus on cloud data forensics; (7) future research should sics, there are also non-technical ones. For instance, it has yet to be focus on developing initiatives and strategies to overcome data determined which devices are considered IoT devices, what infor- encryption and trail obfuscation in the cloud and ongoing develop- mation an investigator can get (hope to get) from these devices, or ment of IoT forensic tools. The responses to the survey question how to acquire forensically relevant data [36]. On the other hand, on the defnition of IoT forensics helped us formulate a working there are many unexplored areas in IoT forensics such as the type defnition. This has provided a clearer understanding of the subject, of resources required in education, training or the specialized skills which will help further advance the research area. forensic investigators need to analyze IoT devices, or the type of forensic tools or methods to extract data from these devices. Lastly, KEYWORDS there is no clear understanding of the term IoT forensics. Internet of Things, IoT Devices, IoT Forensics, IoT Challenges, In this paper we present the feedback of 70 respondents to our Cloud, Defnition, Survey 20 question online survey with the intention to gain a better un- Permission to make digital or hard copies of all or part of this work for personal or derstanding of the key issues in IoT and IoT forensics. We aim to classroom use is granted without fee provided that copies are not made or distributed understand concepts such as its defnition as well as current and fu- for proft or commercial advantage and that copies bear this notice and the full citation ture research directions. In detail, this paper provides the following on the frst page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, contributions: to post on servers or to redistribute to lists, requires prior specifc permission and/or a • It outlines the community’s interpretation and views on con- fee. Request permissions from [email protected]. ARES ’19, August 26–29, 2019, Canterbury, United Kingdom cepts such as: IoT in general, IoT devices, and IoT forensics © 2019 Association for Computing Machinery. including types of evidence obtainable from devices. ACM ISBN 978-1-4503-7164-3/19/08...$15.00 https://doi:org/10:1145/3339252:3340504 ARES ’19, August 26–29, 2019, Canterbury, United Kingdom Tina Wu, Frank Breitinger, and Ibrahim Baggili • It exemplifes the investigative experiences and capabilities defnitions exist, IoT forensics is still in the early stages of research of practitioners and that many feel unprepared in IoT foren- and thus there is currently no universally accepted defnition. sics. • It discusses the participants’ view on digital evidence found 2.2 IoT Forensic Frameworks on IoT devices. Given the limited literature on the defnition of IoT forensics, this • It identifes and prioritizes current and future research chal- section focuses on IoT forensic frameworks and the limited number lenges so that eforts can be concentrated on these issues. of practical approaches which will provide a better understanding • Based on our survey results and previous work, we present of the diferent areas that need to be covered in the defnition. a working defnition of IoT forensics in Section 6.1. In early research, several theoretical frameworks were developed The structure of this paper is as follows: frst, we present the to conduct investigations on IoT devices. For instance, [24] devel- related work where we focus on IoT forensics frameworks and oped a model to systematically identify sources (i.e. where to look IoT forensics challenges in Section 2. Next, we outline the survey for evidence) using 3 zones. Zone 1 focuses on the internal network methodology in Section 3 followed by the analysis of the results in (hardware, software and networks (e.g. Bluetooth, Wi-Fi). Zone 2 Section 4. The limitations are outlined in Section 5. The last two targets the periphery devices (between internal and external net- sections provide a discussion (Section 6), conclusion (Section 7) and work e.g. IDS/IPS, Gateway or Firewall). Lastly, Zone 3 “covers all future research. hardware and software that is outside of the network in question" such as cloud or Internet Service Providers. 2 PREVIOUS WORK [25] presented the Forensics Edge Management System (FEMS) For analyzing the previous work, we utilized several repositories to provide an autonomous forensic service. A layering approach is and regular search engines. However, the amount of literature found used, with the network layer used to collect data from the sensors, was rather limited. For instance, searching on Google for “defnition this is then managed by the perception layer and the application of IoT Forensics” (in quotes) revealed only 9 results where some layer is used to interface with the end users. FEMS collects and pointed to the same article on diferent platforms (e.g., [39] can be stores the data only if it goes over a predefned threshold. found on ieeexplore, dl.acm.org and researchgate). Besides providing a defnition (see Section 2.1), [39] also pro- Therefore, the following subsections start by summarizing the posed a Forensic Aware IoT (FAIoT) model. They implemented a few existing defnitions in Section 2.1, followed by research on secure, centralized repository so evidence can easily be collected theoretical IoT forensic frameworks in Section 2.2 and a limited and analysed. Their approach is to constantly monitor registered number of practical approaches (see Section 2.3).