Interconnecting smart devices opens companies, government agencies and individual consumers to a whole new world of useful applications. But while the Internet of Things (IoT) makes our day-to-day lives more convenient and dynamic, it also creates more opportunities for malicious actors to attack in ways that directly impact us.

Today, discussions around IoT typically focus on applications, benefits and privacy, while there isn’t much talk about incident response and forensic investigations. The need for an intelligent, adaptable forensic methodology to investigate IoT-related crimes, however, is becoming pressing.

Forensics Investigations in the New Age

Digital forensics is slowly developing as a solution to this problem. At its core, this brand of forensics is the process of identifying, preserving, analyzing and presenting digital evidence in a court of law. It does so using well-defined principles and accredited tools.

IoT forensics has more areas of interest than traditional forensics. In addition to the traditional types of networks — wired, Wi-Fi, wireless and mobile — IoT also has the RFID sensor network. Different IoTware such as appliances, tags and medical devices should be considered as sources of evidence during an investigation as well.

The main challenge in investigating an IoT crime is introduced by the dynamic nature of IoT solutions. IoT is a combination of many major technology areas, including cloud computing, mobile devices, computers and tablets, sensors and RFID technologies. As a result, forensics for IoT will encompass all of these areas.

Sources of evidence on IoT can be categorized into three groups:

  1. All evidence collected from smart devices and sensors;
  2. All evidence collected from hardware and software that provide a communication between smart devices and the external world (e.g., computers, mobile, IPS, IDS and firewalls), which are included in traditional computer forensics; and
  3. All evidence collected from hardware and software that are outside the network under investigation. This group includes cloud, social networks, ISPs and mobile network providers, virtual online identities and the internet.
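The "preserving" step of the forensic process above, applied to artefacts drawn from the three evidence groups just listed, is where an investigator first needs tooling: every acquired file gets a cryptographic hash and a manifest entry, and the manifest is re-verified before analysis so that any post-acquisition change or loss is detected. The following Python is an added example, not code from the original article; the artefact contents, file names, examiner label and source-group tags are constructed for the demonstration, and it assumes the artefacts have already been acquired into a local directory.

```python
"""Integrity manifest for acquired IoT evidence (added example).

Assumed workflow, not from the original article: artefacts are already
copied into a working directory; this code only records SHA-256 hashes in
a manifest and later re-verifies them to detect tampering or loss.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artefacts standing in for acquired IoT evidence.
SAMPLE_ARTEFACTS = {
    "thermostat_sensor.log": b"2023-01-01T10:00:00Z temp=21.5\n"
                             b"2023-01-01T10:05:00Z temp=21.7\n",
    "gateway_firewall.log": b"DROP src=10.0.0.7 dst=203.0.113.9 dport=4444\n",
    "cloud_export.json": b'{"device":"hub-01","events":[{"t":1,"state":"on"}]}',
}

# Constructed mapping of each artefact to the article's three evidence groups.
SAMPLE_GROUPS = {
    "thermostat_sensor.log": "1-smart-device",
    "gateway_firewall.log": "2-gateway-infrastructure",
    "cloud_export.json": "3-external-cloud",
}


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large firmware dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, examiner, source_groups):
    """Record name, size, hash and evidence group for every file in the directory."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        items.append({
            "file": name,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "source_group": source_groups.get(name, "unclassified"),
        })
    return {
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Return (file, problem) pairs for artefacts that changed or disappeared."""
    problems = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.exists(path):
            problems.append((item["file"], "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((item["file"], "hash mismatch"))
    return problems


def demo():
    """Acquire the constructed artefacts, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_ARTEFACTS.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d, "examiner-placeholder", SAMPLE_GROUPS)
        clean = verify_manifest(d, manifest)  # expected: no problems
        # Simulate post-acquisition tampering: one log appended, one file lost.
        with open(os.path.join(d, "thermostat_sensor.log"), "ab") as f:
            f.write(b"2023-01-01T10:10:00Z temp=99.0\n")
        os.remove(os.path.join(d, "cloud_export.json"))
        tampered = verify_manifest(d, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("clean verification:", clean)
    print("after tampering:", tampered)
```

The manifest is itself evidence of process and should be stored outside the evidence directory (ideally signed or hashed into a case record) so that the same tampering it detects cannot also rewrite it.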

A Multifaceted Approach

While there are no defined principles for IoT forensics, investigations will rely significantly on the mechanical and physical nature of the smart device, since identifying evidence sources is a major challenge. Evidence could be collected from fixed sensors in homes and buildings, moving sensors built into cars and wearable devices, communication devices, cloud storage and even ISP logs. However, another main challenge is that evidence collection is constrained by proprietary platforms and jurisdictional boundaries.

Cloud forensics will also play a main role in reinforcing cybersecurity best practices, since all data generated by IoT components will be stored in the cloud due to its scalability, capacity and convenience.

As a result of the continued growth in the number of IoT-connected devices, it has become a necessity to develop a new process to investigate IoT-related incidents. Addressing security concerns will rely on a new era of digital forensics and best practices to simultaneously verify and leverage physical and digital evidence within a changing regulatory landscape.
