
A context-centered methodology for IoT forensic investigations

International Journal of Information Security (regular contribution)

Abstract

The weakness of the security measures implemented on Internet of Things (IoT) devices, combined with the sensitivity of the data they handle, has created an attractive environment for cybercriminals to carry out attacks. This has caused a substantial increase in the number of cyber incidents, which in turn requires digital investigations to be opened in order to shed light on what has occurred. However, the characteristics of this new environment, such as its variety of contexts, make it impossible to apply the methodology followed until now in conventional analysis. Therefore, a new common procedure is needed to ensure that IoT examinations are carried out in a complete and efficient manner. In this article, after reviewing the methodological requirements of IoT forensics and studying the suggestions made by the research community, a methodology for performing investigations in a given context of the IoT environment is proposed. In addition, its practicality is evaluated in three different security incident scenarios, demonstrating its effectiveness and its suitability for use in future cases.



Notes

  1. The output of the “mount” command has been cropped in order to reduce the size of the image, only showing the most relevant partitions in the system.

  2. The output of the “mount” command has been cropped in order to reduce the size of the image, only showing the most relevant partitions in the system.

  3. The IP addresses shown in the image that were used to download the bash files were no longer operative when the case study was carried out, so in order to execute them, the addresses were replaced by local ones.


Funding

This research was supported by the University of Castilla La Mancha under the contract 2018-PREDUCLM-7476 and the Project 2020-GRIN-28846, by the Spanish Ministry of Science and Innovation under Grants FPU 17/03105 and FPU 17/02007, by the Spanish Ministry of Economic Affairs and Digital Transformation under the Project RTI2018-098156-B-C52 and by the Regional Government of Castilla-La Mancha under the Project SBPLY/17/180501/000353.

Author information


Corresponding author

Correspondence to Juan Manuel Castelo Gómez.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Availability of data and material

Not applicable.

Code availability

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Castelo Gómez, J.M., Carrillo Mondéjar, J., Roldán Gómez, J. et al. A context-centered methodology for IoT forensic investigations. Int. J. Inf. Secur. 20, 647–673 (2021). https://doi.org/10.1007/s10207-020-00523-6
