This essay has been submitted by a student. This is not an example of the work written by professional essay writers.

IoT Forensics Challenges and Approaches

  • Category: Law
  • Topic: Court
  • Pages: 6
  • Words: 2587
  • Published: 16 Jun 2018

The sheer amount of data collected by billions of IoT devices could contain valuable evidence from crime scenes. Such evidence could be used in court to prove whether someone is guilty, and its importance is no less than that of physical evidence. Regardless of that importance, collecting and analyzing evidence from an IoT environment faces many legal and technical challenges. This paper summarizes the most important challenges related to IoT forensics, together with the common approaches that have been developed to address them.

Billions of intelligent IoT devices are connected to the internet today, and the number is predicted to reach 20 billion devices by 2020 [1]. These smart, self-decision-making devices collect vast amounts of data about human and system activities in order to make decisions and make our lives easier and more productive.

Since IoT records almost everything around us, both the collected information and the devices themselves are very valuable sources for digital forensics practitioners.

Digital forensics is the science concerned with collecting evidence from digital devices and analyzing it in a way that is legally admissible in court. It has evolved over the past years to cover new technologies and devices such as PCs, routers, switches, and many others. When it comes to IoT, however, the nature of the technologies used (RFID, sensors, cloud computing, mobility, proprietary protocols, and others) means that traditional digital forensic investigation (DFI) techniques and tools are not enough to handle forensic operations.

In this paper we cover the most well-known challenges in the IoT forensics field and the approaches that have been proposed to handle them; finally, we propose an approach for the challenges that have not been covered. Section 2 is a general overview of the IoT architecture, section 3 discusses the IoT forensics challenges, section 4 covers the known approaches for IoT forensics, and section 5 presents the proposed approach.

IoT Architecture

The basic design of any IoT system (figure 1) consists of the following components:

I. Sensors: the main function of sensors in IoT is to monitor the IoT environment, for example the temperature in a smart home or a person's activities in a wearable smart device. Based on its sensing mode, the sensor collects measurements and information. The information collected from one or more sensors is usually not useful in its raw analog form, so it needs to be processed and analyzed.

II. Local Processing / Local Storage: after data is received from the sensors, microcontrollers and embedded boards are used to process it and store it locally. A very important aspect of these devices is their limited storage, especially in smart home devices and wearable smart devices.

III. Network and Internet: the collected data is transmitted through gateways to the IoT service provider; protocols such as MQTT, CoAP, and AMQP could be used at this level.

IV. IoT Cloud: the data is finally stored on the IoT service provider's servers. The provider could process the data and usually provides the user with a web interface to access it after processing and analysis.

IoT Forensics Challenges

Digital forensics encompasses four stages: identification, preservation, analysis, and presentation of evidence [2]. In this section, we discuss the challenges related to each stage separately.

IoT identification forensics challenges

The first stage of any digital forensic investigation requires the investigator to determine where the evidence is located, what its format is, and how it is stored. Answering these questions enables the investigator to draw up a proper plan for the rest of the investigation. The following are the challenges related to these questions in an IoT investigation:

i. Due to the design and functional nature of IoT infrastructure, evidence could be anywhere. Broadly, it can be located in two places: the IoT devices and/or the IoT cloud provider. In some special cases evidence could reside in other parties' IoT devices or cloud, for example when a sensor detects and records motion in a neighbor's house. In the first scenario, where the evidence is located in IoT devices, there could be hundreds of sensors and control devices, which makes it difficult and time-consuming for investigators to identify all of the evidence [3]; in some cases the evidence could be invisible, such as when sensors are embedded in the human body, or when data is read by sensors belonging to other parties (mobility of IoT). In the second scenario, where the evidence is located in the cloud, it could be distributed over multiple locations and multiple servers [4], which raises the new challenge of how the investigator locates and aggregates it.

ii. The data generated by IoT devices comes in many standard, non-standard, and mixed formats, and its source may be a single sensor or multiple sensors, which forces the investigator to deal with multiple data formats from different sources [5]. Besides that, during the data's journey from the IoT devices to the cloud it could be processed many times by multiple devices and in different formats, some of which could be proprietary, and it could be duplicated.

iii. Typically, IoT devices have limited storage space, which means data is not stored there for long; instead it is transmitted to the cloud service using protocols such as HTTPS, XMPP, CoAP, MQTT, or AMQP [6] for further analysis and long-term storage. This raises the following challenges:

1- Evidence could be overwritten in the IoT devices if the connection between the devices and the cloud service is lost for a long time [3].

2- Evidence stored in the cloud could be located in different countries, which means different laws and DFI procedures apply [7]. Even if there are agreements between the involved countries, the time between issuing a traditional warrant and beginning the investigation could be long enough for the evidence to be damaged, overwritten, or changed in consistency.

3- Evidence stored either in local IoT devices or in the cloud could be encrypted [8].

IoT Preservation forensics challenges

Evidence collected from the crime scene should keep its original state and integrity without any modification. This is a well-known principle in digital investigation, and when it comes to court, procedures are more important than facts, so any change to the evidence could make it inadmissible. In traditional forensics this is handled with write-blockers, hash functions, forensic images, and so on. In the IoT domain, preserving evidence is more difficult and faces more challenges:

1- Sensors play a vital role in IoT operations, and it is known that sensors are very sensitive devices, which makes them susceptible to false negative and false positive results that in turn could make the evidence doubtful in court.

2- Once data is sent to the IoT provider's cloud, it is subject to further analysis and changes, which means the original state of the evidence generated at the crime scene has changed.

IoT analysis forensics challenges

Once the investigator has determined the location of the evidence, its format, and its storage layout, the next step is to extract the evidence from its location, analyze it, and interpret it.

1- Most current digital forensics software is not designed to extract data from IoT devices.

2- Some IoT devices come with proprietary file systems and software, which adds complexity to extracting and analyzing the data.

IoT presentation forensics challenges

The final phase of a digital investigation is to present the collected evidence and findings in court. The challenge in this phase comes from the diversity of IoT devices: in traditional forensics the sources of evidence and the evidence itself are relatively clear to most jury members, but the heterogeneity and complexity of the IoT environment could be difficult for them to understand.

IoT Digital Forensics Framework

1-2-3 Zones and Next-Best-Thing

Combining all the IoT forensics challenges shows that an IoT investigation spans cloud computing, mobile forensics, RFID, virtualization, and network forensics, which makes the IoT investigation process somewhat confusing. Besides that, investigating a large number of devices and different data formats would waste time and resources, so it is important to make the crime scene as clear as possible and to guarantee that forensic practitioners can focus on each area of the crime scene according to its functional nature. The proposed approach divides the crime scene into three zones: internal network, middle, and external network, Figure ().

1- Internal zone: this zone contains all IoT devices present at the location of the crime scene; the investigator should determine which devices are related to the crime and start investigating them.

2- Middle zone: this zone contains all devices responsible for supporting communication between the internal and external zones. Devices such as firewalls and IDS/IPS should be examined, as they hold valuable evidence like logs and events.

3- External zone: this zone contains all hardware, software, and services outside the crime scene, such as the IoT cloud service, the ISP, and the mobile network.

While this approach makes the investigation process easier and more effective by allowing all zones to be investigated in parallel, or the most important zone to be identified and investigated more intensively, it does not provide solutions for IoT investigation problems such as dealing with proprietary data formats or judiciary issues.


The Next-Best-Thing approach can be used side by side with the 1-2-3 zone approach. It supposes that the IoT object containing the evidence has been removed from the crime scene or cannot be accessed; in such situations the investigator looks for the next available source related to the evidence. Deciding what the next best source is remains a subject for further research.


The proposed approach suggests using a secure repository to store IoT-related evidence. The evidence is divided into three types, device evidence, network evidence, and cloud evidence, which makes the identification and analysis of evidence easier. The approach contains three modules: a Secure Evidence Module, Secure Provenance, and Access to Evidence through an API. The first module, the Secure Evidence Module, keeps track of all registered IoT devices and collects and saves evidence in the repository; evidence is stored per IoT device, which allows evidence from multiple devices to be stored. This module uses asymmetric encryption to make sure that only authorized people can access the evidence, and Hadoop is used for the repository. The second module, Secure Provenance, preserves the evidence's provenance and its access record. The last module provides investigators and law enforcement with access to the evidence through read-only APIs, which enable them to retrieve it.
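The three modules just described, as an added example that is not part of this essay or of the paper it summarizes: a small Python sketch of an evidence repository that stores device, network and cloud evidence per device, keeps a hash-chained provenance log, and exposes only read-only retrieval; its demo then reproduces the preservation problem from the previous section (a cloud-side copy re-processed after capture) and shows that verification detects it. The device names, the sample records, and the use of plain SHA-256 hashing in place of the paper's asymmetric encryption and Hadoop repository are assumptions of this example.

```python
import hashlib
import json

# Constructed sample evidence (not from the paper): one record per evidence type.
SAMPLE_EVIDENCE = [("thermostat-01", "device", {"ts": 1700000000, "temp_c": 21.5}),
                   ("home-gw-fw", "network", {"ts": 1700000012, "proto": "MQTT"}),
                   ("vendor-cloud", "cloud", {"ts": 1700000020, "room": "hall"})]

def digest(record):
    # Deterministic serialisation so equal records always produce equal hashes.
    raw = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

class EvidenceRepository:
    """Evidence per device and type, plus a hash-chained provenance log."""
    def __init__(self):
        self._records = []      # private copies of evidence, in ingestion order
        self._provenance = []   # log entries; each commits to the previous one
        self._prev_hash = "0" * 64

    def ingest(self, device_id, kind, record, collector):
        if kind not in ("device", "network", "cloud"):
            raise ValueError("unknown evidence type: %s" % kind)
        entry = {"device_id": device_id, "kind": kind, "sha256": digest(record),
                 "collector": collector, "prev": self._prev_hash}
        self._prev_hash = entry["entry_hash"] = digest(entry)
        self._records.append(json.loads(json.dumps(record)))  # copy, not caller's object
        self._provenance.append(entry)
        return entry["sha256"]

    def read(self, device_id, kind):
        # Read-only investigator access: copies only, never the stored objects.
        return [dict(r) for e, r in zip(self._provenance, self._records)
                if (e["device_id"], e["kind"]) == (device_id, kind)]

    def verify(self):
        """Recompute every record hash and the chain; return a list of problems."""
        problems, prev = [], "0" * 64
        for i, (entry, record) in enumerate(zip(self._provenance, self._records)):
            if digest(record) != entry["sha256"]:
                problems.append("record %d (%s/%s) modified" % (i, entry["device_id"], entry["kind"]))
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or digest(body) != entry["entry_hash"]:
                problems.append("provenance chain broken at entry %d" % i)
            prev = entry["entry_hash"]
        return problems

def demo():
    repo = EvidenceRepository()
    for dev, kind, rec in SAMPLE_EVIDENCE:
        repo.ingest(dev, kind, rec, collector="investigator-A")
    clean = repo.verify()
    # The preservation problem the essay describes: the cloud copy is re-processed
    # after capture. Bypasses the read-only API on purpose to simulate that change.
    repo._records[2]["room"] = "kitchen"
    return clean, repo.verify()
```

Running demo() returns an empty problem list for the untouched repository and one "record 2 (vendor-cloud/cloud) modified" entry after the simulated cloud-side change, because the stored copy no longer matches the hash committed at ingestion.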

FSAIoT

In the paper Forensic State Acquisition from Internet of Things, Meffert created a general framework that makes the crime scene clearer through acquisition of IoT device state. The approach proposes a controller that is used to control and manage IoT devices and is able to acquire data from them without changing the device's state; the controller has integrity features and is capable of recording the data when the state of an IoT device changes. The controller comes in three modes: controller to device, controller to cloud, and controller to controller. The authors state that there are a couple of limitations to this approach, such as dealing with deleted and historical data, and that there is no way to access the devices physically, which is required in some cases.

Pre-investigation and real-time approach

This approach proposes two phases to make sure that all evidence is acquired and stored in an accepted way, so that investigators can retrieve it smoothly. The first phase is the pre-investigation phase, which has two sides: a management perspective and a technical perspective. The management perspective discusses the procedures that could facilitate an IoT investigation from a managerial point of view, such as preparing plans and determining the assets needed by investigators. The technical perspective discusses how to respond to the incident and narrow the scope of the evidence and devices included in the investigation by answering the following questions: what/how to identify? what/how to collect? how to preserve? The second phase is to monitor the IoT devices in real time and, if any abnormal activity is detected, automatically start collecting the data identified in the pre-investigation phase.

While the approaches mentioned in sections 4.2, 4.3, and 4.4 seem to be effective and solve some of the mentioned challenges, they are more suitable for medium to large IoT infrastructures; they could be difficult to implement in small IoT infrastructures such as smart homes because of the relative complexity of deployment.

Top-Down forensics methodology [12]

This model is designed to fill the gaps in current models. It starts with authorization, planning, and warrant; after completing these three fundamental stages the investigator starts to discover the IoT infrastructure and to determine and capture the IoT devices of interest from the selected zone, Figure (). Then the investigator can complete the traditional forensic procedures such as chain of custody, analysis, proof, and defense.

Our approach works side by side with the 1-2-3 zone approach. Since that approach divides the IoT environment into three zones, our approach divides the IoT forensics process into three domains: 1) Domain 1, IoT endpoint forensics; 2) Domain 2, network forensics; 3) Domain 3, cloud forensics.

In any IoT environment, events are noticed by one or more sensors. The main role of the sensors is to transmit what has been measured to the IoT controllers, which in turn process the received data, may store it, and then transmit it to the next domain. So at this stage the investigator needs two forensic domains: Domain 1 (IoT endpoint forensics) and Domain 2 (network forensics).

Once the data has been captured and processed by the controller, it travels toward its final destination, which is the cloud. The media and devices traversed during that journey belong to the second domain, and since these are network devices such as firewalls, switches, and routers, the forensic discipline mostly used in this domain is network forensics. The final destination of the data, as previously mentioned, is the cloud, and at this level of the investigation Domain 3 (cloud forensics) is used. Domain 2 (network forensics) and Domain 3 (cloud forensics) have been around for quite some time, and much research and many solutions have been developed to cover them. Domain 1 (IoT endpoint forensics) needs more research and development.

IoT challenges in Domain 1 (endpoint forensics) can be divided into two categories: technical challenges and legal challenges. The key legal challenge is the ability to issue a warrant as soon as possible, and this challenge cannot be solved by traditional means. One idea worth examining is an agreement between the legal authorities and IoT vendors stating that any vendor that wants to deploy IoT devices should agree to make the cloud data related to those devices available when the authorities need to investigate it, based on an electronic warrant, which in turn would speed up the investigation process.

The main technical challenge related to IoT endpoint forensics is the lack of standards: most IoT devices have their own proprietary interfaces, protocols, and file systems, which raises the need to develop tools that can deal with these devices.
