The University of Southampton
University of Southampton Institutional Repository

An investigation framework for the Internet of Things (IoT) forensics

University of Southampton
Nik Zulkipli, Nurul Huda
36648b58-dbda-479e-8d80-a2c26337656f
Wills, Gary
3a594558-6921-4e82-8098-38cd8d4e8aa0

Nik Zulkipli, Nurul Huda (2019) An investigation framework for the Internet of Things (IoT) forensics. University of Southampton, Doctoral Thesis, 238pp.

Record type: Thesis (Doctoral)

Abstract

Recently, the usage of Internet of Things (IoT) technology has rapidly increased. Smart devices are used in major domains including healthcare, transportation, agriculture and residential settings. Even though there are billions of devices available on the market, IoT devices are still immature. Because of the constraints of IoT devices and their weak security features, devices could easily be attacked, threatened and exploited by cybercriminals. This may cause devices to provide wrong data, leading to wrong interpretation and actuation for legitimate users. Since the number of incidents related to IoT devices is alarming, a new digital forensic framework is needed to handle crimes related to the IoT. Therefore, this thesis addresses the requirement to develop a conceptual framework to support IoT forensics investigation. The main contribution of this research is the development of the IoT forensics investigation framework, which supports an integrative approach to understanding and evaluating the nature of IoT components and the forensic requirements for running investigations. The framework enables us to understand the security factors needed in IoT devices and the requirements of the investigation process. Based on theories and prior research findings, the framework indicates that the security of IoT devices is determined by five factors: (1) Authentication, (2) Availability, (3) Integrity, (4) Confidentiality, and (5) Access Control. Meanwhile, the forensic investigation is determined by three main phases: (1) Pre-investigation, (2) Investigation and (3) Post-investigation. Deriving from the IoT forensics investigation framework, the pre-investigation phase has been emphasised and developed further through the creation of a Readiness Instrument. The instrument measures the stakeholder's readiness to conduct an IoT forensic investigation.
There are six readiness factors measured: (1) Capability of the organisation, (2) Strategic Planning, (3) Resources, (4) Operability, (5) Knowledge of IoT and (6) Awareness of IoT. After a series of experiments, the instrument has been validated and used in a research scenario. A Goal-Question-Metric (GQM) approach is used to generate the items in the instrument. The candidate items were then evaluated in a series of experiments: (1) a pre-test and (2) a validation study. In the pre-test, the items were assessed by digital forensic experts using the content validity ratio. After that, the validation study completed two experiments that investigated correlation analyses and internal reliability. As part of the development of the investigation framework and readiness instrument, the IoT Vulnerability table has also been established to help the investigator in the pre-investigation phase. The table lists the components of each IoT entity and the common threats that attack IoT devices. The IoT vulnerability table can be used as a guideline for the investigator when running the preliminary investigation. The table has been validated by digital experts and used in a research scenario. The readiness instrument and the IoT vulnerability table were later applied in three IoT crime cases to test the practicality of both contributions. The validated instrument and table were sent to the digital forensic experts for assessment before the interview was held. The findings revealed that both the tested instrument and the table achieved good impact in usability and user acceptance. Therefore, the instrument has been recommended by experts for implementation in the pre-investigation phase, as investigators need to prepare before conducting an IoT forensic investigation. With guidance from the IoT vulnerability table, investigation time can be reduced and the investigator can narrow down the scope of the investigation during the preliminary stage.
This thesis presents a detailed discussion on the development and validation of the IoT forensic investigation framework, the readiness instrument and the IoT vulnerability table. These contributions have shown significant impact in the forensic field, specifically in the IoT context. At the management level, the instrument has highlighted readiness issues that need to be considered in the organisation and its preparation to be forensically ready to run an IoT forensic investigation. At the operational level, people need to have knowledge and awareness of the nature of IoT before handling IoT crime cases. The guide table enables the investigator to focus and run the investigation effectively. For researchers, the framework, readiness instrument and IoT vulnerability table help to conceptualise their research and serve as a basis for further investigation in the future.

Text
An investigation framework for the Internet of Things (IoT) forensics - Version of Record
Available under License University of Southampton Thesis Licence.

More information

Published date: April 2019

Identifiers

Local EPrints ID: 480831
URI: http://eprints.soton.ac.uk/id/eprint/480831
PURE UUID: 44c765e6-20a4-46fc-b0c8-ae899efaa64e
ORCID for Gary Wills: orcid.org/0000-0001-5771-4088

Catalogue record

Date deposited: 10 Aug 2023 16:34
Last modified: 17 Mar 2024 02:43

Contributors

Author: Nurul Huda Nik Zulkipli
Thesis advisor: Gary Wills
