1.1 IoT Preservation forensics challenges
Evidence collected from the crime scene must keep its original state and integrity, without any modification. This is a well-known principle of digital investigation; in court, procedure matters as much as fact, and any change to the evidence can make it inadmissible. Traditional forensics handles this with write-blockers, hash functions, forensic images, etc. In the IoT domain, preserving evidence is more difficult and faces additional challenges:
1- Sensors play a vital role in IoT operations, and it is known that sensors are very sensitive devices, which makes them susceptible to false negative and false positive readings; this in turn could make the evidence doubtful in court.
2- Once data is sent to the IoT provider's cloud, it is subject to further analysis and changes, which means the original state of the evidence generated at the crime scene has changed.
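The two preservation measures mentioned above (hashing and a recorded acquisition) are what let an examiner prove later that an item is unchanged. The following is an added example, not code from the paper or from any IoT vendor: it hashes a constructed sensor log at acquisition time into a chain-of-custody manifest, then shows that a copy of the same records after the provider's cloud has reprocessed them (also constructed) no longer verifies, and lists exactly which records differ. All device names, timestamps and the examiner name are made-up sample values.

```python
import hashlib
import hmac
import json
from itertools import zip_longest

# Constructed sample: a raw sensor log as acquired from a device at the scene.
# Example data only, not taken from any real device.
RAW_SENSOR_LOG = b"""\
2024-01-01T10:00:00Z,door_sensor_1,OPEN
2024-01-01T10:00:07Z,motion_sensor_1,MOTION
2024-01-01T10:02:15Z,door_sensor_1,CLOSED
"""

# Constructed: the same records after the provider's cloud has "cleaned" them
# (one timestamp rounded, one event renamed). This is the situation described
# in challenge 2: the evidence no longer matches what the scene produced.
CLOUD_PROCESSED_LOG = b"""\
2024-01-01T10:00:00Z,door_sensor_1,OPEN
2024-01-01T10:00:00Z,motion_sensor_1,MOTION_DETECTED
2024-01-01T10:02:00Z,door_sensor_1,CLOSED
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence item."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(item_id: str, data: bytes, acquired_at: str, examiner: str) -> dict:
    """Record the acquisition-time hash of an evidence item (chain-of-custody entry).

    The hash is taken once, at the moment of acquisition, so every later copy
    can be checked against the state the item had at the scene.
    """
    return {
        "item_id": item_id,
        "sha256": sha256_hex(data),
        "size": len(data),
        "acquired_at": acquired_at,   # hypothetical ISO-8601 timestamp supplied by the examiner
        "examiner": examiner,
    }


def verify(manifest: dict, data: bytes) -> bool:
    """True only if data is byte-for-byte what was hashed at acquisition."""
    return hmac.compare_digest(manifest["sha256"], sha256_hex(data))


def changed_records(original: bytes, copy: bytes) -> list:
    """Pairs (original_line, copy_line) that differ, so the examiner can
    document precisely what was altered between acquisition and the copy."""
    orig_lines = original.decode("utf-8").splitlines()
    copy_lines = copy.decode("utf-8").splitlines()
    return [(o, c) for o, c in zip_longest(orig_lines, copy_lines, fillvalue="") if o != c]


if __name__ == "__main__":
    manifest = make_manifest("door-ctrl-01/events.csv", RAW_SENSOR_LOG,
                             "2024-01-01T11:00:00Z", "examiner-A")
    print(json.dumps(manifest, indent=2))
    print("original verifies:", verify(manifest, RAW_SENSOR_LOG))          # True
    print("cloud copy verifies:", verify(manifest, CLOUD_PROCESSED_LOG))   # False
    for orig, cloud in changed_records(RAW_SENSOR_LOG, CLOUD_PROCESSED_LOG):
        print("changed:", orig, "->", cloud)
```

The manifest itself would normally be signed or stored separately from the evidence so that it cannot be altered together with the data; the point the example makes is that without a hash taken before the data left the device, there is nothing to compare the cloud copy against.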
1.2 IoT analysis forensics challenges
Once the investigator has determined the location of the evidence, its format and its storage layout, the next step is to extract the evidence from that location, analyse it and interpret it.
1- Most current digital forensics software is not designed to extract data from IoT devices [9].
2- Some IoT devices come with proprietary file systems and software, which adds complexity to extracting and analysing the data.
1.3 IoT presentation forensics challenges
The final phase of the digital investigation is to present the collected evidence and findings in court. The challenge in this phase comes from the diversity of IoT devices: in traditional forensics the sources of evidence and the evidence itself are relatively clear to most jury members, but when it comes to IoT, the heterogeneity and complexity of the IoT environment can be difficult for them to understand.
2. IoT Digital Forensics Framework
2.1 1-2-3 Zones and Next-Best-Thing [7]
Combining all IoT forensics challenges shows that an IoT investigation involves cloud computing, mobile forensics, RFID, virtualization and network forensics, which makes the IoT investigation process somewhat confusing; besides, investigating a large number of devices and many different data formats would waste time and resources. It is therefore important to make the crime scene as clear as possible and to guarantee that forensic practitioners can focus on each area of the crime scene according to its functional nature. The proposed approach divides the crime scene into three zones: the internal network, the middle zone and the external network (Figure ()).
1- Internal Zone: – this zone contains all IoT devices that exist at the location of the crime scene; the investigator should determine which devices are related to the crime and start investigating them.
2- Middle Zone: – this zone covers the communication between the internal zone and the external zone; the devices found here, such as firewalls and IDS/IPS, should be examined for valuable evidence such as logs and events.
3- External Zone: – this zone contains all hardware, software and services that are outside the crime scene, such as the IoT cloud service, the ISP and the mobile network.
While this approach is good at making the investigation process easier and more effective, by allowing all zones to be investigated in parallel or the most important zone to be identified and investigated more intensively, it does not provide solutions for IoT investigation problems such as dealing with proprietary data formats or judicial issues.
Next-Best-Thing: – This approach can be used side by side with the 1-2-3 zones approach. It supposes that the IoT object containing the evidence has been removed from the crime scene or cannot be accessed; in such situations the investigator can look for the next available source related to the evidence. Deciding which source is the next best remains a subject for further research.