Dfim: a New Digital Forensics Investigation Model for Internet of Things Mohammad Qatawneh 1, Wesam Almobaideen2, Mohammed Khanafseh3, Ibrahim Al Qatawneh 4

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 DFIM: A NEW DIGITAL FORENSICS INVESTIGATION MODEL FOR INTERNET OF THINGS MOHAMMAD QATAWNEH 1, WESAM ALMOBAIDEEN2, MOHAMMED KHANAFSEH3, IBRAHIM AL QATAWNEH 4

1Professor. The University of Jordan, Department of Computer Science, Jordan 2Professor. The University of Jordan, Department of Computer Science, Jordan 2Professor. Rochester Institute of Technology, UAE 3Ph.D. candidate. The University of Jordan, Department of Computer Science, Jordan 4Professor. Al Ain University of Science and Technology College of Law E-mail: [email protected], [email protected], [email protected], [email protected], 4 [email protected]

ABSTRACT The Internet of Things (IoT) smart devices have been used widely in several applications such as healthcare, education, environment, transportation, smart city, etc. These objects are resource-constrained devices which involve lacks regarding security and may lead to cyber-crime. Therefore, the IoT devices may contain evidence that are considered as an important need to investigators and can be admitted in courts. To tackle this problem most current research focuses on security issues for different IoT architectures rather than approaches and techniques of forensic acquisition and analysis for IoT objects. In this paper, we propose a new Digital Forensics Investigation Model for IoT (DFIM). The DFIM has two main components: The Data Provider Zone (DPZ) which responsible for grouping all data gathered by sensor nodes into a set of groups, where each group contains data or documents related to each other, and the investigation authority which receives the requests from the claimers for investigation, check the validation of the request, and finally select the appropriate investigators. In order to improve the IoT forensics investigation process, the proposed DFIM consists of seven stages and takes into consideration a set of principles such as security, privacy accuracy, performance, data reduction, Openness and transparency. Keywords: The Internet Of Things, IOT Forensics, Investigation Authority, Examination Stage, Investigation Process, Committee Of Investigators.

1. INTRODUCTION

The Internet of Things (IoT) can be viewed as an spaces [27]. The number of IoT devices will information system made up of things, networks, reach or even exceed 75 billion and enables data and services. Such things may be wireless many applications in different fields [32] as sensors, traditional computers, smartphones, shown in figure 1. Among IoT devices, the cameras, humans, tablets, vehicles, home wireless sensors are considered the backbone of appliances etc. that are connected over a the IoT because they are part of our life and used network. These things may gather, process and in several applications such as smart city, smart upload a huge amount of data to the internet and home, transportation, environment, military, used to initiate service. The IoT devices can be healthcare, education etc. divided into four main groups: consumer, commercial, industrial, and infrastructure

Figure 1: Iot Connected Devices From 2015 To 2019 (In Billions)

3850

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

However, the wireless sensors are resource- Model for supporting forensics investigations, constrained devices which involve where IoT forensics can provide new insights to shortcomings regarding security and privacy determine facts about criminal incidents. The issues thereby rest of this paper is organized as follows: Section II provides the background information leading to cyber-crime. moreover, IoT is not about digital forensics, IoT forensics and their designed with security in mind, as the main challenges, Section III presents the proposed concern was to minimize the cost and size IoT Forensics-Model for supporting forensics consequently, the IoT is been exposed to the investigations, and finally we conclude in cyber threats and attacks. According to [4], three Section VI. main sources of threats in IoT has been identified as the following: - Malicious User: Is the owner or the user 2. THEORETICAL BACKGROUND of the IoT devices with potential to perform This section presents an overview of attacks to learn the secrets of the manufacturer, conventional digital forensics and IoT forensics. in order to sell secrets to third parties, or attack IoT forensics can be defined as one of the digital similar systems. forensics branches where the main investigation process must suit with the IoT infrastructure. - Bad Manufacturer: Is the producer of the 2.1 Convention Digital forensics: device with the ability to exploit and use the The evidence sources in conventional digital technology to gain information about the users forensics could be computers, mobile devices, and revealing it to the outsider. servers or gateways. Different conventional digital forensics models have been proposed. Each model contains a set of stages. Table 1 - External Attacker (Adversary): Known shows different frameworks proposed by many as an outsider entity which is not part of any IoT researchers. system and has no authorized to it. He or she then, try to get the sensitive information for malicious purposes. From the forensics perspective, the IoT devices may contain evidence that is considered as an important need to investigators and courts. Even though IoT has rich sources of evidence, it causes some challenges for forensics investigators including but not limited to the location of data and heterogeneous nature of IoT devices such as differences in operating systems, communication standards, the existing digital forensics tools and approaches which don’t fit with the IoT paradigm. The variety of physical things which get connected with the IoT generate a huge amount of possible evidence bring new challenges to investigators to collect evidence from highly distributed IoT environments [25]. To investigate such evidence a digital IoT forensics is needed because most current research focuses on security issues for different IoT architecture rather than approaches and techniques of forensic acquisition and analysis for IoT objects [37]. Therefore, in this paper, we discuss the IoT forensics challenges, issues, and forensics frameworks. We propose an IoT Forensics-

3851

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 Table 1: Different Models For Digital Forensics. e g

Framewor Main Comments Framework ks Names And Limitations Contribution Analysis Collection Reduction

Information

Presentation Preservation

Examination Review stage Review

Privacy Aware

Security Aware

Reporting stage Reporting Integrity Aware

Complexity Level

Initialization sta Initialization stage

Documentation Stage

The investigation process can be carried out at

different Generic The IoT levels (Fog Digital framework level and cloud Forensics introduced to level). Framewor enhance the H The framework k For IOT χ χ χ χ χ security and takes security [13] privacy policy into issues. account without any consideration of privacy.

The main Prang drawback of this improvemen model t in DF Digital refers to the fact by exposing Forensics that in the digital

Investigati investigation evidence that

on Model L process there is hidden, χ χ χ χ χ χ χ (DFIM) is no concern but [36] about physical it does not evidence, only concern over about digital physical evidence. evidence.

The weak points of this model is This hybrid Hybrid that it does not model was model for share the introduced digital investigation by handling forensics L report with both physical investigati χ χ χ χ χ χ others and is not evidence and on model aware of privacy logic [35] and security evidence. principles.

3852

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

The main weak points of this framework is that This

it does not take framework IoT into consideration analyzes the Mobility any policy for evidence Forensic[3 χ χ χ χ χ χ χ M privacy and gathered 0] security through from IoT the investigation devices. process.

IoT Forensic: The authors identificati focus on on founding This framework And enhanced focuses classificati method to χ χ χ χ χ χ χ χ L identification and on of identify the collection stages evidence right in criminal evidence and investigati collect ons [8] the evidence in a secure and efficient.

The idea of this The framework is framework lightweight for is to IoT IoT environment. introduce a forensics The main novel digital framework drawback is that forensics for smart it does not take χ χ χ χ χ χ M framework environme into consideration for smart nt [5] any principles environment for privacy and such as smart security. home, smart office, etc.

From the table 1, we can conclude that many authors includes identification and collections stages. The have defined the process of digital forensics into three second step deals with examination and analysis of steps as shown in figure 2, where the acquisition step evidence acquired from the crime scene to understand

3853

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 how and by whom the crime was committed. The outcome of the analysis reports including other documentation comprises the presentation step. This step ends with presenting complete analysis re-port in front of the court.

Figure 2: Main Forensics Step

2.2 IoT Forensics transfer evidences from IoT devices and storage centers, and the last component refers to different Internet of Things (IoT) devices communicate with IoT devices that responsible for collecting and each other and interact with users on every day’s sensing different forensic information. Finally, the activity through different sensors for different Last layer is Reactive layer, which responsible for purposes such as monitoring, collection, and others. reactive between previous layers through different These capabilities of IoT devices have also enables stages such as through initialization stage, the concept of a smart environment. The inter-action acquisition stage, and investigation stages. process between IoT devices and users in a smart The framework proposed in [8] focuses on a specific environment generate data with large forensics stages of investigation process such as collection value, as example for these forensics data in smart stage, the authors define main challenges that can environment, the sensors that located at office, the face this stage when implement the investigation presence on sponsors stat during unauthorized hour process on IoT environment. One of the main mean the existence individual inside the smart problems that can face this stage is finding the best office, other example for smart environment forensic evidence and locating hidden devices because data is the data that related to the existence of smoke traditional digital forensic process does not fully fit happening before the fire incident. the IoT environment. Therefore, the authors propose tools and techniques to identify and locate IoT de- Several frameworks have been proposed for IoT vice and the proposed solution for this problem forensics purposes [13][8][30][36][35][27][5]. The consists of five main phases: The identification generic digital forensic framework for IoT that phase, the evidence collection phase with specific proposed in [13] contains many of advantages such enhance tools, the preservation stage, the evidence as, it complies with the ISO/IEC 27043: 2015, other examination and extraction phase, and last phase it supports security technique and incident refers to data analysis and formalization phase. The investigation support. The proposed framework mobility forensics model proposed in [30] deals with comprises three main layers, each layer consists of a tools and techniques that work to- wards forensically set of stages as follow: First layer is the Proactive sound recovery of data and evidence from mobile Process layer, which consists of IoT scenario de-vices. The target of this model is to collect definitions stage, IoT evidence source identification evidence from IoT devices in a smart environment, stage, planning incident detection stage, potential such as smart home to facilitate the investigation digital evidence collection stage, digital preservation process in different crimes such in upper scenarios. stage, and storage for potential evidence. The This mobility forensics model consists of six stages: Second layer which refers to IoT forensics layer, identification, collection, interpretation, which contains different components that needed for preservation, analysis, and presentation [30]. IoT evidence such as cloud server that used as data In [36] the authors proposed a Digital Forensics centers for different evidence collected from IoT devices, Network infrastructure which used to Investigation Model for IoT. The main aim of this model is improving the investigation process by

3854

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 exposing the hidden digital evidence. How- ever, investigating with hybrid evidence which is joins the this model does not concern over the physical operations related to digital and physical evidence evidence, and this could be a major drawback when collection and examination, taking into implemented in IoT forensics investigation process, consideration the special characteristics of each form due to the fact that physical evidence is the main of evidence. Another IoT framework proposed in [5] concern in all cases of IoT forensics investigation which is a light-weight version that suitable for IoT process. The proposed model in resources. This framework consists of two main [36] consists of the following stages: The components: The modifier which responsible for initialization and preparation stage, Interaction stage initialization and acquisition stage, and the second which contains the acquisition stage, re-construction component is the analyzer, where all remaining stage, and protection stage. Based on the drawbacks stages of digital forensics investigation process falls of this model a new hybrid approach was proposed under these two components. Table 2 shows some to overcome these problems. The main idea of frameworks for IoT forensics environment. hybrid approach is to deal with digital and physical evidence. In [35], the author proposes a model for Table 2. Achieved principles at each stage of DFIM

Stage Principles

Pre-Investigation  Security principle by transferring evidence as encrypted format. Stage  The accuracy is achieved by grouping the evidence by DPZ.  Performance is achieved by selecting a professional investigators related to the crime.  Data reduction is achieved by retrieving a group of data. 

Collection and Evaluation Stage  The accuracy is achieved by collecting only the related evidence.

 The privacy is achieved by searching and viewing only in related clusters.



Preservation Stage  Integrity is achieved by using a one - way hash function.

 Non-repudiation is achieved by using a digital signature.

Examination • Performance and accuracy are achieved dealing with a group of data and Analysis which save time and resources. Stage • Privacy is achieved by dealing with only related evidence.

Information  Accuracy and performance are achieved by requesting other Sharing Stage evidence from external resources.

3855

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 The table contains the framework name, the main stages of the framework, the main contribution and 3. DIGITAL FORENSICS goals of the proposed framework, and the limitations INVESTIGATION MODEL (DFIM) if found in the proposed model. FOR INTERNET OF THINGS In general, every stage of the IoT forensics frameworks faces challenges as follows: As previously mentioned in section one, an IoT is an  Challenges in the Identification Stage: One information system made up of things, data, of the main challenges in this stage is how networks and services. Such things or objects may to find a specific IoT device, which be sensors, traditional computers, smartphones, responsible for the data collected [34]. cameras, humans, tablets, vehicles, home appliances  Challenges in the Preservation Stage: One etc. These things are a combination of two types of of such challenges refer to volatile nature of systems: sensed data, which require a solution to 1. General Purpose systems such as lap- tops, capture the evidence from its resources desktops and servers. Such systems may run a periodically and transfer it to fog or cloud variety of applications, process, store, and upload zones [34]. data to internet. The data may be audio, video and  Challenges in the Collection Stage: Such conventional files. challenges related to device location, da-ta 2. Special Purpose Systems whose functions location, limitation of IoT devices, and are more limited and whose objective is to deal with available tools needed for this stage. limited computation domains. The special purpose  Challenges in the Analysis Stage: The systems can be classified into two classes: challenges in this stage related to different (a) Handheld Systems: handheld systems data format and time access to the storage include tablets, IPads, PDAs, smartphones, resource. In addition to that the analysis etc. Hand- held data can be. (b) Embedded Systems: Unlike general stage suffers from the problem of interaction purpose systems and handheld systems with the IoT devices which have not graphical user that run a variety of applications, embedded interface [22] [9]. systems are designed for performing Challenges in the Presentation Stage: This stage specific tasks. The embedded systems are faces different challenges such as analytic function found everywhere, from car engines, and that used through analysis stage which can change manufacturing robots to DVDs, home the structure and the meaning of the collected appliances, etc. evidence [34].

The IoT architecture may vary from solution to universally. Different IoT architectures have been solution, based on the type of solution which we proposed by different researchers like intend to build. Therefore, there is no single consensus on IoT architecture which is agreed Three-Layer architecture [23] [21], Five-Layer storage, processing, and energy).2. Fog Zone: The architecture [33], Cloud-based IoT architecture [16] fog is an extension of cloud computing, where the and Fog based IoT architecture [12] [34]. Based on main idea off og computing is to place servers (fogs the different IoT architectures, an IoT platform as mini servers) closer to the perception layer to basically three zones as shown in Figure 3:1. Cloud supports delay sensitive, location-aware and Zone: Cloud zone contains a group of computers and mobility-supported applications. It also provides servers connected together over the internet and have computation, storage, and networking services unlimited capabilities in terms of storage and between end devices and traditional cloud servers.3. processing power. Cloud zone offers a solution to Perception Zone: The perception zone contains IoT address the shortcomings issues of IoT objects. devices such as sensors, traditional computers, Therefore, IoT can benefit from the virtually smartphones, cameras, humans, tablets, vehicles, unlimited capabilities and resources of cloud to home appliances etc. compensate its technological constraints (e.g.,

3856

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

Figure 3: Source Of Iot Digital Evidence.

The above zones can be the source of the IoT gathered by sensor nodes into a set of groups, where evidence as shown in Figure 3. Therefore, our each group contains data or proposed DFIM model takes into consideration the documents related to each other, the investigation above zones as a crime scene territory, the lo-cation authority which receives the requests from the and the type of devices in order to use and equate claimers for investigation, check the validation of tool to collect the evidence. The components of the the request, and finally select the appropriate proposed DFIM are as follows: The Data Provider investigators as shown in figure 4 Zone which responsible for grouping all data

Figure 4: Main Components Of DFIM.

3857

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

The Proposed DFIM consists of the following seven evidence are marked as a required group and stages as shown in figure 6: sent back to investigation authority in a cipher 1. Pre-Investigation stage: This stage comprises format to achieve high levels of evidence the following four steps: security and privacy. The next process is the A. Initialization Step: The aim of this step is to evaluation of collected evidence by the collect all needed information related to the investigation authority to make sure that these crime such as location of the crime (zones evidence are fair enough to be accepted in the and devices), and sent a report to court, if the collected evidence are not enough investigation authority to initiate the then the investigators go back to collection investigation process. stage for searching other evidence. B. Validation Step: The function of this step is 3. Preservation Stage: The goal of preservation to validate the incoming re-port/request by stage is to achieve the integrity of collected the investigation authority (not malicious evidence, to make sure that these evidences report) to start the investigation process. cannot be changed through the next stages of C. Selection Step: After validation the investigation process. The preservation incoming request a professional committee process in the proposed DFIM uses a one-way will be selected to deal with the crime hash algorithm to achieve the integrity. D. Preparation the Data Zone Step: The IoT 4. Examination and Analysis Stage: The zones can be the crime scene territory. gathered evidence should be examined and Therefore, preparing devices in different analyzed by using one of the matching zones for data collection is important, this algorithms to define and extract the can be done by the Data Provider Zone appropriate evidence related to the crime. (DPZ) in fog or cloud zones which During this stage the investigators can decide responsible for grouping all data gathered if the they need to search for another evidence by sensor nodes into a set of groups, where or not. If the evidence provided by the DPZ at each group contains data or documents specific zone or device does not provide an related to each other. enough evidence, then the solution is to go 2. Collection and Evaluation Stage: After through the information sharing stage, which preparation the devices in all IoT zones for allows investigators to request help from out evidence collection by DPZ, the investigators sources as dis-cussed in the next stage. can start collecting the evidence from 5. Information Sharing Stage: This stage different groups located in different devices involves remote entities for sharing the by using an appropriate tool which starts evidence between different investigators and searching for a required evidence in a specific data zone providers based on the nature of the group that contains a high level of similarity crime and for a specific purpose and with with the tampered document based on Jaccard limited permission over these evidences as similarity measure. The groups that contain shown in figure 5.

3858

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

Figure 5: The Process Of Requesting Internal And External Evidence.

evaluation, examination, and analyzing such Report and Documentation Stage: The goal 6. as string searches, recovering erased data, and of this stage is to generate a final forensics finally the conclusion. report related to the crime by the investigators. The final forensics report 7. Final Review Stage: In this stage the should contain information such as these tags investigation authority take a final decision taken during the investigation process, what represents the if the report formatted by the tools were used, how the analysis was done, investigators is ready to submit to the court or short description of phase s taken during the not.

3859

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

Figure 6: Stages Of DFIM.

4. Evaluation  The investigators will send a request to the this section explains how does DFIM work through DPZ asking for evidence related to the applying its stages by presenting an at-tack scenario tampered file. in a smart environment such as library, hospital, etc.  After approving the request, the DPZ will where a number of IoT devices and different apply the appropriate tools to retrieve the technologies are used to manage and control this evidence related to the tempered file. environment. The administrator of this environment  The collected evidence by the DPZ sends have a so-called Digital Witness Device (DWD), back to the investigation authority applying which capable to detect and sore information security techniques to achieve security initiated by any attack from any neighboring device. principles, usually using digital signature Suppose that the administrator’s digital witness and lightweight encryption algorithm. device detects an attack attempt initiated by a device  The investigation authority evaluates the nearby and stores all information related to this received evidence to make sure that such attack. Consider the administrator decides to request evidence is fair enough to be accepted by an investigation, then the administrator should send the court, if the collected evidence is not the evidence stored in the digital witness device to enough then the investigators go back to the investigation authority to investigate in happened collection stage for searching for another cyber-crime. Applying the DFIM, the investigation evidence. To make sure that the evaluated process is as follows as shown in figure 7 evidence cannot be changed through the  The investigation authority should validate next stages of investigation process, the the received request for starting the preservation process is applied using a one- investigation process. way hash algorithm to achieve the integrity.  Formatting a committee (investigators) for  The evaluated evidence should examine investigation based on the type of the crime. and analyze using different matching

3860

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 techniques to extract useful information collect other related evidence from DPZ. related to the crime. If the extracted data  The investigator committee generates the cannot be useful or not enough to be final report as mentioned in DFIM. presented to the court, then the information sharing stage in DFIM should be used to

Figure 7: Main Stages For Proposed Model When Applied In A Public Library Scenario.

The proposed DFIM for IoT forensics takes 2. Authentication: This principle can be into consideration the following security and achieved by adding a so called data zone privacy principles based in ISO/IEC provider in fog and cloud layers which acts as 29100:2011 [24] [20] [19], and applies them an authenticator for both investigators and during the lifecycle of investigation process devices in perception layer [3] [2] [31]. as follows: 3. Integrity: Integrity can be achieved 1. Availability: Availability ensures that the through the preservation phase which de- data is available to users at a required range pends on using a signature technique to of performance in any situation [10] [11] ensure the integrity of the evidence in all [28]. The availability in the DFIM can be stages. achieved by grouping the data related to each 4. Authorization: The Investigators do not other in one cluster. start the investigation process unless the legal

3861

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 authority is obtained from the relevant Confidentiality can be achieved by using a authorities such as the court and investigation lightweight encryption algorithm specified authority. for IoT devices. 5. Non-repudiation: In the proposed DFIM Table 3 shows how the DFIM can achieve the non-repudiation can be achieved via a secure security, privacy and other principles such chain of custody, which uses a digital ac-curacy, performance, data reduction, signature for all documents used in the Openness and transparency at each stage of process of investigation. vi) Confidentiality: DFIM. Table 3: Different frameworks for digital forensics.

Framework Comments Stage1 Stage2 Stage3 Stage4 Stage5 Stage6 Stage7 McKemmish is the first proposed model for digital forensics. This Identificatio

framework does not n Examinatio Presentatio VMcKemmis Preservation maintain the And n n h [18] reduction and Collection reviewing stages for the collected evidence.

The NIST model contains the basic stages of investigation Identificatio process. It does not Examinatio Collection n And Analysis Reporting NIST [14] take into n preservation consideration security and privacy principles.

This framework does not have any stage for evaluation, either at initial stages or at later stages. proposed framework Reporting does not take the Examinatio and privacy of the Identificatio n Martini [17] Preservation Collection Presentati collected evidence n And on into consideration Analysis

because there is no stage or action to give permission for collected data for authorized investigator.

3862

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 Beebe framework contains the main stages of standard digital forensics with some additional stages such as the preparation stage to prepare the report which contains the request order for investigation. This model does not have any suggestion to enhance the security Preservation Presentatio Incident Beebe [7] for collected Collection Analysis and store n Closer evidence neither on the level of transferring evidence from side to side or on the level of storing evidence. Another weak point of this model is the limitation in the accuracy for investigation process Preparati on Incident Response

The model proposed differs from standard models, starting with the readiness stage, which presents the preparation of operations and infrastructure. Then the next stage refers to the deployment stage that can be part of the readiness IDIP [6] Readiness Deployment Trace-back Dynamite Review stage, this stage of installing all the necessary software and discovering the crime. After that, the main stages of the standard investigation process begin. And the final phase refers to the results of the investigation.

3863

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195

The Cohen model does not take into consideration any of security and privacy principles such Interpre evaluation for the Collection tation collected evidence, Identificatio Transportat Presentat Cohn [15] Collection And Analysis And evaluation for the n ion Storage ion Preservation Attribut selected investigator. es Other comment here is the evaluation for the produced report before presenting to the court This framework consists of the main stages of digital forensics process. One of comments on this model is the needs for an initial evaluation stage for collected evidence before starting the Agrawal examination process, Result Securing and Evidence Preservatio Presenta Framework another comment Preparation Analysis And recognition. Collection n tion [1] refers to achieve the Review security principles either through the transporting for collected evidence or at the place of storing evidence Preparati on Securing and recognition. This framework does not have any evaluation stage to Proof and evaluate collected Identificatio Defense Perumal [26] evidence or Planning Collection Analysis Review n produced report from Result the investigation process. Perumal framework does not set any criteria to collect evidence from the identified device. No Examinatio Device Iden- any action to achieve n Router or Archive tification Lab Perumal [27] the security in this Planning Fog or and T analysis framework. getaways Storage riage There is no any servers suggestion to ensure the conditionality and privacy for the collected evidence. This framework is considered as one of Quick and the strongest Reduction Presenta Choo frameworks in Identify and Evidence Complet Commence Preparation and tion- Framework digital forensics. In collection. analysis. e reviewing. on. [29] addition to standard stages of forensics process, this

3864

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 framework has a review stage for collected evidence in order to enhance the accuracy and performance for the investigation process.

the proposed solution is made up of two 5. Important questions main components, the data zone provider and the investigation authority, where 5.1 What is new in proposed solution? each component has its own responsibility Proposed idea to investigate in the crimes to improve the investigation process from happened in IoT devices added a lot of new stages the validation and evaluation side, as for evaluation and validation purposes. Such as stated in the previous sections. the pre-investigation stage, the information 5.4 What is the validity of the study? sharing stage, evaluation stage, and final review The aim of this study is to find a stage. Each of these stages is important to enhance comprehensive solution for the the investigation process. investigation of crimes committed in the IoT environment, where the proposed 5.2 What are the points which distinguish solution has added a number of stages to the proposed model from the existing overcome all issues facing the IoT models? investigation framework. The proposed model consists of two main components of The proposed model characterized by the ability the investigation authority and the data to verify and test collected evidence, where the zone provider, each of which has a set of stage of validation of evidence in the proposed responsibilities to enhance and improve the model was implemented in the initial stage before investigation process. The solution beginning the investigation process, which called overcomes many of the issues facing the the pre-investigation stage in the proposed model. The stage which responsible for evaluation for related framework in the IoT forensics file collected evidence was applied through the stage based on the new stages added and the of collection in proposed model, these two stages components used. distinguish the proposed solution from other 6. Conclusion solutions that proposed to investigate in IoT forensics. Another important point distinguishing In this paper, we propose a New Digital Forensics the solution proposed applies to the final review Investigation Model for Internet of Things (DFIM) before sending the final report to the court, which which has two main components: The Data Zone it is important to assess the document to ensure Provider which responsible for grouping all data that the report is approved in court, this point is gathered by sensor nodes into a set of groups, different and evolves over all prior approaches where each group contains data or documents that do not take any strategy to evaluate the related to each other, and the investigation authority investigation report before submitting it to the which receives the requests from the claimers for court. investigation, check the validation of the request, and finally select the appropriate investigators. The 5.3 What is the contribution for the DFIM consists of seven stages and takes into proposed model? consideration a set of principles such as security, privacy and other principles such accuracy, As a summary, the proposed solutions performance, data reduction, Openness and differ from the previous solutions since transparency in order to improve the IoT forensics the proposed solution overcomes all the investigation process. proposed solution achieve shortcomings and issues facing previous the security and privacy through adding a pre- solutions such as the validity of the investigation stage which responsible about evidence gathered, and the validity of the validation for the evidence which will sent back to tools and third parties involved in the the investigation authority. The principle of data investigation process and other points reduction and accuracy other achieved through the listed in the previous question. Moreover, new stages which added through proposed solution

3865

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 by filtering the evidence collected and evaluation [10] Ahmad Bany Doumi and Mohammad for these evidence if it has a direct relation with the Qatawneh. Performance evaluation of parallel crime or not, and the accuracy achieved from international data encryption algorithm on multi-level of validation for collected evidence. iman1 super computer. Available at SSRN 3350418, 2019. REFERENCES [11] Heba Harahsheh and Mohammad Qatawneh. Performance evaluation of two fish algorithm [1] Ankit Agarwal, Megha Gupta, Saurabh Gupta, on iman1 supercomputer. International Journal and Subhash Chandra Gupta. Sys-tematic of Computer Applications, 179:1–7, 06 2018. digital forensic investigation [12] Pengfei Hu, Sahraoui Dhelim, Huansheng Ning, model.International Journal of Computer and Tie Qiu. Survey on fog computing: Scienceand Security (IJCSS), 5(1):118–131, architecture, key technologies, applications 2011. and open issues. Journal of network and [2] Areej Al-Shorman and Mohammad computer applications, 98:27–42, 2017. Qatawneh. Performance of parallel rsa [13] Victor R Kebande and Indrakshi Ray. Ageneric oniman1 super computer. International Journal digital forensic investigation frame-work for of Computer Applications, 180:31–36,04 internet of things (iot). In2016IEEE 4th 2018. International Conference on Future Internet of [3] Mohammed Alkhanafseh and Mohammad Things and Cloud (Fi-Cloud), pages 356–362. Qatawneh. A parallel chemical reaction IEEE, 2016. optimization algorithm for maxflow prob- [14] Karen Kent, Suzanne Chevalier, Tim Grance, lem.International Journal of ComputerScience and Hung Dang. Guide to integrating and Information Security,, 15:19–32, 06 2017. forensic techniques into incident response. [4] Ahmad W Atamli and Andrew Martin. Threat- NIST Special Publication,10(14):800–86, based security analysis for the inter-net of 2006. things. In2014 International Work-shop on [15] Michael Donovan Kohn, Mariki M Eloff, and Secure Internet of Things, pages35–43. IEEE, Jan HP Eloff. Integrated digital forensic 2014. process model. Computers & Security,38:103– [5] Leonardo Babun, Amit Kumar Sikder, Abbas 115, 2013. Acar, and A Selcuk Uluagac.Iotdots: A [16] Yang Liu, Jonathan E Fieldsend, and Geyong digital forensics frameworkfor smart Min. A framework of fog computing: environments.arXiv Architecture, challenges, and optimization. preprintarXiv:1809.00745, 2018. IEEE Access, 5:25445–25454, 2017. [6] Venansius Baryamureeba and Florence [17] Ben Martini and Kim-Kwang Raymond Choo. Tushabe. The enhanced digital investigation An integrated conceptual digital forensic process model. InProceedings ofthe Fourth framework for cloud computing.Digital Digital Forensic Research Work-shop, pages Investigation, 9(2):71–80, 2012. 1–9, 2004. [18] Rodney McKemmish. What is forensic [7] Nicole Lang Beebe and Jan Guynes Clark. A computing? Australian Institute of hierarchical, objectives-based framework for Criminology Canberra, 1999. the digital investigations process. Digi-tal [19] Alexandra Michota and Sokratis Katsikas. Investigation, 2(2):147–167, 2005. Compliance of the LinkedIn privacy pol-icy [8] François Bouchaud, Gilles Grimaud, and with the principles of the iso 29100:2011 Thomas Vantroys. Iot forensic: identification standard. In International Conference on Web and classification of evidence in criminal Information Systems Engineering, pages 72– investigations. In Proceedings of the13th 83. Springer, 2014. International Conference on Availability, [20] Chris Mitchell. Privacy, compliance and the Reliability and Security, page 60. ACM,2018. cloud. In Guide to Security As surancefor [9] Stephen D Burd, Darrin E Jones, and Alessandro Cloud Computing, pages 3–14. Springer,2015. F Seazzu. Bridging differences in digital [21] Mainak Mukherjee, Isha Adhikary, Surajit forensics for law enforcement and national Mondal, Amit Kumar Mondal, Meen security. In2011 44th Hawaii International akshiPundir, and Vinay Chow dary. A vision Conference on System Sciences, pages 1–6. of iot: Applications, challenges, and IEEE, 2011. opportunities with dehradun perspective. In Proceeding of International Conference on

3866

ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 Intelligent Communication, Control and De- [30] KM Sabidur Rahman, Matt Bishop, and Albert vices, pages 553–559. Springer, 2017. Holt. Internet of things mobilityforensics.de [22] Syed Naqvi, Gautier Dallons, and Christophe Proceedings of the 2016 In-formation Security Ponsard. Applying digital forensics in the Research and Education(INSuRE), 2016. future internet enterprise systems-european [31] Mahmoud Rajallah Asassfeh, Mohammad sme’s perspective. In2010 Fifth IEEE Qatawneh, and Feras Alazzeh. Performance International Workshopon Systematic evaluation of blowfish algorithm on Approaches to DigitalForensic Engineering, supercomputer iman1.International jour-nal of pages 89–93. IEEE,2010. Computer Networks Communications, 10:43– [23] Anne H Ngu, Mario Gutierrez, VangelisMetsis, 53, 03 2018. Surya Nepal, and Quan Z Sheng.Iot [32] Maha Saadeh, Azzam Sleit, Mohammed middleware: A survey on issues andenabling Qatawneh, and Wesam Almobaideen. technologies.IEEE Internet ofThings Journal, Authentication techniques for the internet of 4(1):1–20, 2017. things: A survey. In2016 Cyber security and [24] Nicolás Notario, Alberto Crespo, Yod- Cyber forensics Conference (CCC),pages 28– Samuel Martín, Jose M Del Alamo, DanielLe 34. IEEE, 2016. Métayer, Thibaud Antignac, AntonioKung, [33] Bhagya Nathali Silva, Murad Khan, and Kijun Inga Kroener, and David Wright. Pripare: Han. Internet of things: A comprehensive integrating privacy best practicesinto a privacy review of enabling technologies, architecture, engineering methodology. In2015 IEEE and challenges. IETE Technical review, Security and Privacy Work-shops, pages 151– 35(2):205–220, 2018. 158. IEEE, 2015. [34] Sunu Thomas, KK Sherly, and S Dija. Ex- [25] Edewede Oriwoh, David Jazani, Gregory traction of memory forensic artifacts from Epiphaniou, and Paul Sant. Internet of things windows 7 ram image. In2013 IEEE forensics: Challenges and approaches. In9th Conference on Information & Communication IEEE International Conference on Technologies, pages 937–942. IEEE, 2013. Collaborative computing: networking, [35] Konstantinos Vlachopoulos, Emmanouil Applications and Worksharing, pages 608– Magkos, and Vassileios Chrissikopoulos. A 615. IEEE, 2013. model for hybrid evidence investigation. [26] Sundresan Perumal. Digital forensic model International Journal of Digital Crime and based on Malaysian investigation Forensics (IJDCF), 4(4):47–62, 2012. process.International Journal of Computer [36] Yunus Yusoff, Roslan Ismail, and Zainud-din Scienceand Network Security, 9(8):38–44, Hassan. Common phases of computerforensics 2009. investigation models. International Journal of [27] Sanderson Perumal, Norita Md Norwawi,and Computer Science & In-formation Valliappan Raman. Internet of things(iot) Technology, 3(3):17–31, 2011. digital forensic investigation model: Top- [37] Nurul Huda Nik Zulkipli, Ahmed Alenezi,and down forensic approach methodology. In2015 Gary B Wills. Iot forensic: Bridging the Fifth International Conference on Digital challenges in digital forensic and the internet Information Processing and Communications of things. In International Conference on (ICDIPC), pages 19–23. IEEE,2015. Internet of Things, Big Data and Security, [28] Mais Haj Qasem and Mohammad volume 2, pages 315–324.SCITEPRESS, Qatawneh. Parallel hill cipher encryption 2017. algorithm. International Journal of Computer Applications, 179(19):16–24,2018. [29] Darren Quick and Kim-Kwang Raymond Choo. Data reduction and data mining framework for digital forensic evidence: storage, intelligence, review and archive. Trends & Issues in Crime and Criminal Justice, 480:1–11, 2014.

3867