Evidence identification and acquisition based on network link in an internet of things environment

Abstract

In an Internet of Things (IoT) environment, IoT devices are typically connected through different network media types such as mobile, WiFi and wired networks. Due to the pervasive nature of such devices, they are a potential evidence source in both civil litigation and criminal investigations. It is, however, challenging to identify and acquire forensic artifacts from the broad range of devices, which have varying storage and communication capabilities. We posit the importance of focusing on the hidden links between different IoT devices (e.g. whether one device is controlled or can be accessed from another device in the system), and design an approach to do so. Specifically, our approach adopts a graph to model the message flows of IoT communications, with the aim of facilitating the identification of correlated network traffic, based on the direction of the network and the associated attributes. To demonstrate how such an approach can be deployed in practice, we evaluate our approach using IoT devices in a smart home environment and achieve an accuracy rate of 98.3% for detecting hidden links between devices.

Cite

Alabdulsalam, S. K., Duong, T. Q., Choo, K. K. R., & Le-Khac, N. A. (2021). Evidence identification and acquisition based on network link in an internet of things environment. In Advances in Intelligent Systems and Computing (Vol. 1267 AISC, pp. 163–173). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-57805-3_16
