Interconnecting smart devices opens companies, government agencies and individual consumers to a whole new world of useful applications. But while the Internet of Things (IoT) makes our day-to-day lives more convenient and dynamic, it also creates more opportunities for malicious actors to attack in ways that directly impact us.

Today, discussions around IoT typically focus on applications, benefits and privacy, while there isn’t much talk about incident response and forensic investigations. The need for an intelligent, adaptable forensic methodology to investigate IoT-related crimes, however, is becoming pressing.

Forensics Investigations in the New Age

Digital forensics is slowly developing as a solution to this problem. At its core, this brand of forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a court of law. It does so using well-defined principles and accredited tools.

IoT forensics has more areas of interest than traditional forensics. In addition to the traditional types of networks — wired, Wi-Fi, wireless and mobile — IoT also has the RFID sensor network. Different IoTware, such as appliances, tags and medical devices, should also be considered as sources of evidence during an investigation.

The main challenge in investigating an IoT crime comes from the dynamic nature of IoT solutions. IoT is a combination of many major technology areas, including cloud computing, mobile devices, computers and tablets, sensors and RFID technologies. As a result, forensics for IoT will encompass all of these areas.

Sources of evidence on IoT can be categorized into three groups:

  1. All evidence collected from smart devices and sensors;
  2. All evidence collected from hardware and software that provide communication between smart devices and the external world (e.g., computers, mobile devices, IPS, IDS and firewalls), which are already covered by traditional computer forensics; and
  3. All evidence collected from hardware and software that are outside the network under investigation. This group includes cloud, social networks, ISPs and mobile network providers, virtual online identities and the internet.

A Multifaceted Approach

While there are no defined principles for IoT forensics, investigations will rely significantly on the mechanical and physical nature of the smart device, since identifying evidence sources is a major challenge. Evidence could be collected from fixed sensors in homes and buildings, moving sensors built into cars and wearable devices, communication devices, cloud storage and even ISP logs. Another main challenge, however, is that evidence collection is constrained by proprietary ownership and jurisdictional boundaries.

Cloud forensics will also play a main role in reinforcing cybersecurity best practices, since much of the data generated by IoT components will be stored in the cloud because of its scalability, capacity and convenience.

As a result of the continued growth in the number of IoT-connected devices, it has become a necessity to develop a new process to investigate IoT-related incidents. Addressing security concerns will rely on a new era of digital forensics and best practices to simultaneously verify and leverage physical and digital evidence within a changing regulatory landscape.
