Forensic State Acquisition from Internet of Things (FSAIoT): A General Framework and Practical Approach for IoT Forensics through IoT Device State Acquisition

Authors

Christopher S. Meffert, University of New Haven
Devon R. Clark, University of New Haven
Ibrahim Baggili, University of New HavenFollow
Frank Breitinger, University of New HavenFollow

Author URLs

Professor Breitinger's Faculty Profile

Professor Breitinger's web page

Professor Breitinger's Full Bibliography

Professor Baggili's Faculty Profile

Professor Baggili's web page

UNHcFREG (UNH Cyber Forensics Research & Education Group / Lab)

Document Type

Conference Proceeding

Publication Date

8-29-2017

Subject: LCSH

Computer crimes--Investigation, Internet of things

Disciplines

Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security

Abstract

IoT device forensics is a difficult problem given that manufactured IoT devices are not standardized, many store little to no historical data, and are always connected; making them extremely volatile. The goal of this paper was to address these challenges by presenting a primary account for a general framework and practical approach we term Forensic State Acquisition from Internet of Things (FSAIoT). We argue that by leveraging the acquisition of the state of IoT devices (e.g. if an IoT lock is open or locked), it becomes possible to paint a clear picture of events that have occurred. To this end, FSAIoT consists of a centralized Forensic State Acquisition Controller (FSAC) employed in three state collection modes: controller to IoT device, controller to cloud, and controller to controller. We present a proof of concept implementation using openHAB -- a device agnostic open source IoT device controller -- and self-created scripts, to resemble a FSAC implementation. Our proof of concept employed an Insteon IP Camera as a controller to device test, an Insteon Hub as a controller to controller test, and a nest thermostat for a a controller to cloud test. Our findings show that it is possible to practically pull forensically relevant state data from IoT devices. Future work and open research problems are shared.

Comments

© 2017 Association for Computing Machinery. This is the authors' version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in ACM Digital Library, Proceedings of ARES ’17, http://dx.doi.org/10.1145/3098954.3104053

Dr. Baggili was appointed to the University of New Haven’s Elder Family Endowed Chair in 2015.

DOI

10.1145/3098954.3104053

Repository Citation

Meffert, Christopher S.; Clark, Devon R.; Baggili, Ibrahim; and Breitinger, Frank, "Forensic State Acquisition from Internet of Things (FSAIoT): A General Framework and Practical Approach for IoT Forensics through IoT Device State Acquisition" (2017). Electrical & Computer Engineering and Computer Science Faculty Publications. 74.
https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/74

Publisher Citation

Christopher Meffert, Devon Clark, Ibrahim Baggili, and Frank Breitinger. 2017. Forensic State Acquisition from Internet of Things (FSAIoT): A general framework and practical approach for IoT forensics through IoT device state acquisition. In Proceedings of ARES ’17, Reggio Calabria, Italy, August 29- September 01, 2017, 11 pages.