
Morning, and thanks for coming to my talk: digital forensics, the missing piece of the Internet of Things promise. I should first warn you that I am mainly going to discuss the existing issues and problems in the field, and the gap that we have in digital forensics, instead of providing solutions to the existing issues that we have. But let me start with a quick introduction. I am currently serving as an EU Marie Curie International Incoming Fellow at the University of Salford. I have a PhD in security in computing, so some are calling me a doctor of "sec". I had a classical career track: a software developer who became a security analyst and then a forensics investigator, up until about two years ago, and then I moved to higher education in 2015. That's my blog; you can find all these slides already uploaded there, plus my Twitter and my email icons, but probably the most important part of that slide is that the goal is just to enjoy having a conversation, so you will probably see me talking less than you. It's a bit of a different presentation because I ask more questions than I give answers.

But before I start my own presentation, let me give a little bit of advertisement for what we do. We are mainly working on applied research in collaboration with EU-wide law enforcement agencies and SMEs in cyber security, forensics and malware analysis. You can see a few projects there; those are the most recent projects we have delivered in this school. We offer an undergrad program, a BSc in cyber security, and an MSc in cyber security, forensics and threat intelligence. We have a stand, so you can get the fliers if you are interested to know more about these programs.

But Internet of Things: is it really the next evolution? What do you think? What's new in terms of things? Can you tell me one new thing that you see in the Internet of Things, so that I can call it an evolution or some new development? Smart meters, right, yeah, sure, but what is the main innovation there? That's what academics are calling contributions. But generally speaking, what is the innovation? What's differentiating the Internet of Things from the previous generations of computing, like pervasive computing, ubiquitous computing? Connecting things to the Internet, right. Well, I remember when I was doing my MSc in 2005, one of our lecturers was telling us that there's a new generation of computing called ubiquitous computing; it used to be called pervasive computing, but in ubiquitous computing you have all devices connected to the same network and interacting with each other, right? That was 2005; now you are calling them the Internet of Things. So what you can see here is the names, the titles of the field have been changed, but it's a similar thing that we do, right? You're having smart connected things talking to each other in a more ubiquitous manner. So I would not consider it a kind of evolution or evolutionary development, but a gradual development of a technology and some name changes only.

But these days we see the Internet of Everything almost everywhere, from agriculture to smart mobility, smart cities, industrial processing and similar systems, so it would be very difficult to find an industry or a sector that is not touched by smart things and connected networks. This is the usual basic IoT architecture. We usually see a backbone network layer, which is hosted on the cloud; then you have apps, applications usually on your mobile phones, which are connecting to the IoT devices; the devices themselves, the sensors themselves, are actually sensing the information and saving the data on the cloud or on your network saving layer; and the users are getting access through an application interface. Well, if you look into my career track, I used to be a kind of mobile forensics investigator for quite some time, then I moved on to cloud forensics investigation, and then I saw that diagram and I thought that's probably my natural move, to move to the Internet of Things, because I have done cloud forensics, I have done mobile forensics, now you are adding a sensor layer to it and we'll call it Internet of Things forensics. So it was kind of a natural move for me, and I was thinking, OK, same thing: you are doing exactly the similar things that we have done before, just adding a sensor layer to it with a different type of data.

But before I go ahead and talk about the real challenges that I faced, let me just share what is a common definition of digital forensics and the definition that I am going to use throughout these slides when I talk about forensics. Forensics is the application of scientific techniques, so the technique that we are using should be scientific, meaning it should be proven, it should be practised and it should be repeatable by other practitioners, to collect and preserve evidence. So you're talking about identifying the evidence locations, collecting them in a forensically sound manner and then preserving them in a forensically sound manner, from a digital platform, in a suitable manner for presentation in a court of law. And that's an important part, because whatever we do, all our efforts are directed towards convincing judges or juries that a specific crime has happened and these are the real evidence of the activities of the suspects. So you need to have all these three elements in an investigation so you can call it a forensically sound investigation: first, your method should be scientific; second, you should collect and preserve evidence in a forensically sound manner; and third, you should prove that this evidence has been generated by a specific user's activities, so you should be able to link it to someone, a specific liable person or a group of persons, whose activity has caused the generation of those digital evidences. And we have a rule of thumb in forensics investigation: from the time that the case is passed to you, you usually have about 48 hours to find all the evidence and extract it, so your evidence will be relevant and useful. So we have that tight time limitation as well.

So when you look into the traditional digital investigation, like Windows investigation or PC-based investigation, we already have methodologies developed and tested, so we have a methodology to follow, and we have already tested tools as well that are passing a test called the Daubert test. If your tool or your platform is passing the Daubert test, it means it's acceptable in the court of law that your tool can be used for forensic investigation. And those tools have usually gone through several cases in court trials, so you can refer to them and say that, as another person has used the same tool in a trial somewhere else in the world, I am using the same tool for collection and preservation of the evidence. That's the usual practice that we have when we talk about digital forensics investigation.

So now, having these definitions in mind of digital forensics and the time limitation that we have, let's focus more on Internet of Things devices. Probably the first question that anybody asks is: is there any crime, any cyber crime, happening using the Internet of Things? So do we really need a digital investigation platform, method or tool for the Internet of Things or not? If you want to show that there is a crime, you should show three elements: opportunity, motive and means. Let's look into each one. Opportunity: do we have any opportunity to compromise IoT devices or use them as the means to do further attacking or causing some damage? What do you think? Yes? Why yes?
That's the nature of IoT devices, right? They're supposed to be always providing services, they are all connected and working autonomously. So great opportunity: you are having some type of device, some type of sensor, whatever you call it, some of those things that are supposed to be responsive 24 hours, all the days, and they are going to work autonomously. So if you can compromise them, if you can get to them, you can just control the device remotely as well. So I would say there are lots of opportunities and there's a huge attack surface in the Internet of Things environment. What about means? Do we have tools, or I would say exploitable vulnerabilities, that can help us compromise Internet of Things devices? I'd say you can just name countless of them; every single day you'll find these kinds of vulnerabilities, and it's quite trivial to write exploit code for them. So there are tons of means to do that. But what about motives? That's an interesting element. What is the motive in compromising Internet of Things devices, what can you gain? A foothold, yeah, right, that's a great place to be: you can imitate the privilege of the user or the owner of the IoT device and do lateral movement on the network, and try to bypass the detections and remain unnoticed in your lateral movement. What else? I mean, many of the IoT devices are now collecting very private information, and you could build a lot of use cases around them, ranging from health information up to connected financial devices; they will even see transactions which are running on their network. Is there any other motive?

Exactly, exactly. Many of these IoT devices are controlling physical environments, so if you can compromise them, you might be able to affect that physical environment as well, which could be that you can control the temperature, not much important if it is just the hall here, but it could be concerning a nuclear device or another platform, so you could cause some physical damage as well. So you can see that the motives are out there. But before I continue, have you ever heard about any digital forensics methodology or platform for Internet of Things devices? Anyone? I mean, I have seen a lot of work on vulnerability detection; I have reported a couple of them as well. I have seen a lot of work on securing these devices, but when we go for the forensics investigation, let's assume that we have some devices compromised: how can we first detect that they have been compromised, collect the evidence and preserve it, and follow a methodology for that?
Exactly right, it's quite vast, yeah, yeah, it's quite challenging, it's quite vast. What's the crime? I mean, there is potential for the crime, right. But I always say, I mean, obviously the main reason is: who is going to fund that kind of activity? Can you find any customer who is going to give you the time, fund your time, to build a tool for forensics investigation of IoT devices? Well, I find that usually forensics activities are funded by law enforcement agencies, and they usually have not much money, right? But that could be another contributing reason for not seeing a lot of research on it, a lot of work on IoT forensics, and that was the reason that I decided to look into this area, especially since I have funding from the European Union, so let's use it for this. All right. But you know, I'm obviously watching the news; that's always research, right.

In December 2011 ABC News put this: "at one point the penetration into the US Chamber of Commerce was so complete that a chamber thermostat was communicating with a computer in China, and at one time chamber employees were surprised to see one of the printers printing in Chinese." And I'm not talking about 2017, this is 2011. So the state of the art in compromising Internet of Things devices, and the motives behind it, go quite advanced; usually they fall into state-sponsored hacking groups, and they are really building tools, techniques and procedures for compromising IoT devices. And IoT devices are always at risk: if you just follow the news, you keep seeing that more malware is found on them; even we have seen ransomware targeting IoT devices. The Mirai botnet was probably the one which hit the news and took the attention of everyone there. IoT-based compromises have been seen in a lot of cyber warfare, starting from Stuxnet hitting Iran in 2010, 2011, and then in January 2011 Iran responded back by expanding its cyber war militia. Well, Suresh mentioned that he is originally Iranian; I am originally Iranian as well, so we have two speakers coming from Iran. But I remember back then there was an advertisement going to the public; the government advertised, when the government was looking to recruit 1 million hackers. I haven't seen that kind of advertising before that or after that, the government actually advertising for 1 million hacker positions. Anyway. But then in December 2011 the Iranians claimed that they had hacked the US drone and made it land in Iran; in March 2016 we have the Iranian attacks on the New York dam; and going ahead, cyber attacks are targeting all platforms. So we have seen a lot of attacks and compromises of IoT devices, so it is not if but when your IoT devices are compromised, and then by compromising those devices attackers get to other parts of the network or other clients, and then the forensics investigation will start and they want to know how far you are liable for that specific attack, or how you can protect your devices.

So that was the question that I had in mind: since we have seen all these, what is the state of the art, what is the previous research in the field of Internet of Things forensics? This was the first framework that I have seen for forensics investigation of Internet of Things devices; it is called the 1-2-3 zones approach. By the way, this has been developed by friends at MMU, by Rome and the others, so the credit goes to them. They have suggested a framework that you can do the investigation step by step, from the sensors going to the server and then moving to the cloud; that's kind of an end-to-end investigation. But first, it lacks any detail, so you cannot follow it in a real case; it's very general and very high-level, and I haven't seen any forensics investigator adopting it later on in any case. But that was the first forensics methodology I have seen. With further investigation, further research, I found out that a group of researchers at the University of Texas San Antonio has built a forensic imaging tool to take the memory image of Contiki-based IoT devices, and I was really surprised: great, there are other people out there thinking about extracting, acquiring evidence in a forensically sound manner. But then when I downloaded the tool and started practising, I found out that the tool is only working with the Texas Instruments chipsets that have Contiki, so if you just change to any other chipset's IoT-based devices, it won't work. And that's one of the challenges in the Internet of Things environment: even if you build a forensics tool to acquire memory, acquire data from a platform, and practise and show it is forensically sound, it would only work for that specific chipset and probably even for that specific implementation, and for anything else you need to have more research and more development in the field. But that was a great tool.

The University of Illinois in the US has started working on building a platform for investigation of autonomous vehicles. So they have built a range of tools; they have tested against a Ford, Fiat, if I'm not mistaken it's a Ford something-something, I can't recall, car, and they showed how they can collect evidence from the entertainment system, the infotainment system of the car specifically, and how they can preserve it in a forensically sound manner. They have even ported it as a kind of Python-based set of scripts and showed how it works in BackTrack and in Kali Linux later on; a great development, but again it was limited only to that specific car and the car model that they have practised with; I think they got it because of a project they have received from their law enforcement agencies. The other development I have seen in Internet of Things forensics was a tool called SamyGo; it was developed by ex-Samsung forensics investigators, and they have actually written software and a tool that you could connect to your Samsung Smart TV, collect all the evidence from memory, from the data saved on the chip, and then preserve it in a forensically sound manner. They have even tested it; they mentioned that they have tested it in a couple of case trials in South Korea and presented the evidence. Again, I got the tool, downloaded it, tested it on a Samsung Smart TV; it didn't work for my Samsung Smart TV for some reason. Then I followed up, I had to reverse engineer some of the code there, and I found out that the tool is very specific about the customised setup of your TV, so if you have purchased a TV in the United Kingdom then this specific tool would not work. But then you've got to make some changes, and I don't know whether, if you make those changes, it is still acceptable in the court of law or not. But that was a technique they have suggested.

They take the chip off; I don't know how many of you have done chip-off for mobile forensics, but you could just take the chip out and take an image of the chip. But that seems to me, I mean, replicating the mobile forensics approach: you just take the chip out and then take the image of the chip. This one has been suggested by Steve Watson: JTAG equivalents for extracting information from Arduino chips. He was the chief forensics investigator himself; he has his own company now. But his suggestion was to take out the Arduino chip and then wire it in a specific manner that he has written in his paper, so we can take a bit-by-bit image in a forensically sound manner of Arduino chips, and he has shown that he could do it for different 3D printers. So yeah, I have done extensive research, and you're thinking, yeah, that's it, I can't find any other valuable work there, so I'm ready, right, I am ready to accept cases and investigations in the Internet of Things.

So I have been presented with a challenge, not mentioning the name of the group, but a law enforcement agency in the northern part of the UK, and they told me: Ali, we have seen news of people being able to print their gun and print their bullets; we can provide you with any number of 3D printers that you like, but can you build a tool, technique, procedure that we can follow when we find these things in our real cases and prove that this specific printer has been used to print a 3D gun or the bullets of the gun? Anyone has any idea how I can do that? Logs? Yeah, yeah, good, yeah. From there, how can you look into the logs, or look into the instructions that go to the printer, and prove that it has been used for printing the gun? Because you could have the same sort of instructions and print something else. Yeah, you could show that it could be used, it may not be used, for printing the gun, but the other party's lawyer can come back and say, yeah, the same instructions can be used to print ten other things too. And here's even: can you link it and say that it has been printed by this specific printer? How can I prove that this log that I acquired from the printer was actually generated by that printer, that I haven't put it in the printer? The issue is, many of these 3D printers are not having any metadata, so you have the code, you have the scripts, but nobody can prove that these scripts were on the 3D printer, say, two years ago or last month, and that it was not me as the forensics investigator who had put the scripts inside, because there's no timeline. Yeah, I agree with that, right, yeah, but first you need to have the same material in the printer, that's the first thing. But forget that: you are in the trial, in the court, and the other party's lawyer is trying to prove that you were wrong; he has like a hundred stories to build and say, see, I put these materials inside this printer, give it the same instructions, it's printing something else. But before that he could come back and say, can you prove that you were not the person who put this log, this copy, on this particular printer and printed the gun yourself? If you do not have metadata, timeline analysis, you can't really prove how it has happened. So it's still an open challenge, by the way; it's like a year and a half of me trying to build that, and practising with, you could say, tons of printers, but I'm yet to come up with a kind of repeatable, scientific methodology I can present and say, this is the method you can follow. Any kind of help and contribution is much, much appreciated.

But I was working on this, and in the middle of the research came another challenge. They said, we have raided a drug dealer, wow, a drug dealer environment, I would say a house, and it was a mansion, and we found a couple of Amazon Echo devices there, and we want to know whether we can collect any evidence from them. By the way, you have like 48 hours, now 72 hours. And I was like, OK, I always start searching. I had something like that, from those 72 hours, 48 hours, just to find out if there is any research on how you can collect evidence from Amazon Echo devices. Have you come across anything?
Yes, right, well, yeah, querying the cloud. I have done that in a child exploitation investigation case prior to this research as well. You know, you can usually query the cloud; I have used it previously, because there was a case where we were investigating a Canadian citizen in Canada and we couldn't get the needed search warrants to prove that he had some kind of interaction with the cloud. But I found out that the cloud provider is having load balancing, so if you can get to his cloud and then send the queries from somewhere else in the world, the data that is saved on his cloud would be copied, transferred to the nearer server for providing that customer service. So what I did is I got the data to travel to Singapore, a place that I know I can easily get search warrants on any server that I like; actually it was in Malaysia, which is technically near Singapore. I sent the query, got it transferred, collected the data from the server and then came back to the agency: this is the data that is on his cloud. But yeah, we could query, we could query and do the same thing with the Amazon Echo, but the issue, I mean, I couldn't figure out how you can actually query it in a way that you can prove this data has been generated by this specific Amazon Echo device. I mean, I'm more than happy to reverse this platform, because I have tried to do so, but some of the university lawyers and the legal team advised me not to do so, because they said reverse engineering someone else's product without their consent is not really legal. I have sent like 20 emails so far to different people in Amazon asking for permission and no one came back with permission for me to do so. But if anyone has done that, please, I'm more than happy to receive tips on how we can do that. Anyway, I had no luck, absolutely no luck, in finding evidence on the Amazon Echo device itself or correlating it with the other evidence which is out there.

So I have researched a lot, like one year and a half of my research time, and kept charging the European Union for getting nothing; I have failed in almost all cases that have been referred to me. So I am here to just share with you the remaining challenges and ask for help, rather than coming with a solution. One of the biggest challenges we have in IoT forensics is evidence collection and preservation: the devices keep changing, the chipsets keep changing, and really building something general that can be followed for forensic investigation, and then building the tools that can follow that, would be an issue. But any ideas here on how we can build such a thing, what the best approaches are, are really welcome on evidence collection and preservation from different IoT devices.

Privacy is a big issue in forensic investigation of IoT devices. You know, I used to get lots of complaints when I was doing forensics investigation on cloud environments, from judges, juries and the others: make sure you are not collecting private information. I was doing an investigation of child pornography, and I actually knew that this guy is doing that, and I had something like six months to convince the judge to give me permission to collect the pcap data, and he said no way, I can't give you the permission to put a sniffer in front of the server. So I just asked him to give me permission to collect NetFlow data, you know, the metadata, it's statistics only, and then I could correlate: let's see, this guy has downloaded or uploaded two kilobytes of data on this network, and the same two kilobytes I have later, so this is the same thing he is doing. But it took me like a year and a half; I wish I could have just got the permission to put a sniffer there and then proved, and therefore, in this investigation, that he's involved in that specific case. But see, I am talking, I mean, in that specific case I wanted to only collect network data from someone that I have reasonable evidence is doing something illegal, and I went through that very hard time to get a search warrant for that. But imagine that you are going to get a search warrant for an Internet of Things health care monitoring device: good luck, there's no way. Say you are doing an investigation and at the end of the investigation you find out that he's not guilty, but the user can't do anything to change his health statistics or health data. I mean, you could say that in the other cases, I could do the investigation, I find a couple of usernames and passwords, you go and change your password; after an investigation you might find he's not guilty, fine, but what can I change on his health records? Anyway, so privacy is a big issue there.

Evidence correlation, as a couple of you have mentioned: we could correlate evidence from the cloud with the IoT devices' information and then link them to each other. Well, fine if you are talking about one or two IoT devices and a limited amount of information, but say you are an Internet of Things service provider and you have a cloud service provider at the back as well, and then you want to find out which of these IoT devices have been compromised, or how they have been compromised; how can you correlate all this data, considering that the majority of these IoT devices are not even having a proper timeline on their devices? And we have tons of legal challenges, as you could imagine, in Internet of Things forensics. So these are the future directions I have put there: building privacy-respecting digital investigation, big data for evidence correlation, processing methods for data collection, IoT centralised and distributed logging capabilities, and reversing IoT code. What do you think? Is that all the things that we can do there? Can you add anything, or are you saying this is totally wrong?
Don't take this wrong, I have another suggestion, but just one thing to do, yeah.

Yeah, well, that's right, so we can have more working on the paperwork in a legal manner, and then educating those who are making decisions in this area.

Exactly right, fairly standardised, yeah, yeah, yeah, that's actually something that I am thinking about. However, for Internet of Things devices I was totally wrong, by the way: if you go back to 2010 on mobile devices you had a whole range of mobile phones, 100 mobile phones produced in China only, but these days there's fairly a standard for the mobile phones that you have. I mean, initially, in 2015 when I started my research, I was thinking that the same trend would be happening in the Internet of Things; I haven't seen it yet, because, unlike mobile phones, which have very specific usage, so you say calls, SMS, apps, for the IoT devices you will have a wide range, a different range of devices. I don't know whether it would happen or not, but yes, if one day we have the standards in place on the development side, you can easily cope with this.
Right, well, you know, the thing is that in privacy-preserving forensics investigation on traditional platforms, what we do is we have two main approaches. First is revealing information based on prior knowledge, so for example a forensics investigator who would like to get access to record X should show that he already has access to record Y, and these two records are usually linked to each other, and then the judge can decide whether record X can be given to this guy or not; that's one approach to do so. The other approach is implemented a lot these days using artificial intelligence: instead of getting a human being to analyse the evidence, we get the machine to analyse the evidence and compute a percentage of confidence; with this percentage of confidence, the machine thinks that this specific piece of data is relevant to this case. So if you see these fuzzy-based forensic investigation techniques, I don't know how many of you are familiar with that, those are usually used for this kind of prediction, because there are no privacy rules or regulations at the moment about a machine knowing something about a human being, but there are rules about a human being knowing something about another human being. So that's another way around; I'm seeing a lot of expansion in using machine learning-based digital forensics investigation for preserving privacy. Obviously there are other usages as well, but privacy is one of the concerns that can be addressed. But when you are trying to do the same thing for Internet of Things devices, what will happen is the nature of the data is different. For example, say when you are looking at the traffic generated by a heartbeat recorder, what kind of other data should be provided or should be given to the forensics investigator so you can say that, no, you can have access to this data, you get me, right? So we cannot build that chain of evidence, so we can link and say that this evidence can be released to the forensics investigator based on the search warrant that they have. But yes, I have seen researchers trying to implement the same thing for Internet of Things devices.
Exactly, exactly, that's a good point in terms of these devices. Well, these were all the future directions I put there; I'm more than happy to get more feedback. But what I found is I'm kind of wrong in terms of doing all this. Look at this slide and then I'll continue. Well, not mentioning where and who, but I have been invited to a meeting where they were telling me that, Ali, we are going to launch a smart city project; we have been investing in it for years, I'm talking about the millions, and the launch would be in a few days, and you have been invited as an academician to just be there and see how good we are. And then I just asked, I mean, what are the security testing, penetration testing, security assessment that you have done in this environment? And they were like, Ali, all our communication is over HTTPS, all internal communication is secured, we are secure. And I was like, what, that's it? That's your understanding of the security of smart things? Well, so I asked them for two days, two days of testing, free testing by the way, by myself and a couple of my students, and they have like 12 thousand smart meters in that town, and we were compromising around about 2500 of those, sort of fully controlling them, from my own office; I was not even on site. OK, not getting more into it, but then I started communicating and talking more with the IoT development community.

Well, I had a friend of mine at MIT who is a great engineer, and he's developing engineering things for brewing, and I was looking into his code, because he was just talking to me about the security of getting more attacks on his sensors, and I found that he doesn't even have the basic security, a parameter length check, in his code, so you could hit him with a simple buffer overflow attack. And I just asked him, do you know about buffer overflow attacks? You know, they have been around since as long as I remember, and in 2011-2012 I was in a situation that I did not want to teach my students buffer overflow anymore, because you have all these protections; there's no way that you can actually write a successful exploit with the basic buffer overflow. But these days I have added it back to my lecture materials, because I keep seeing these IoT developers are great at reintroducing vulnerabilities, I mean long-documented mistakes, into their products. And then when you talk to them and ask them, so what's going on here, they were saying, Ali, I received this order five years ago, so the majority of these designs and everything, you can see, have been done five years ago, so I cannot touch it anymore.

You know, I was on a flight from Singapore to London, and for a moment the lights turned off and turned on back again, and I was seeing on the boards there that Linux five-point-something is coming up. I was like, Linux five-point-something, really? And the pilot was telling me that we were safe and secure, and I was thinking, no, you're not safe, you're using Linux five-point-something; that has inherent vulnerabilities nobody can patch. All right, let's see. Well, so these days I am spending a lot of my time, I mean a portion of my time, sitting and talking with IoT developers and offering them free kind of training: guys, if you are developing tools, developing techniques, please, these are the basic security you've got to follow, so that probably in the next generation of IoT things we would not see these basic security issues, and then we have a proper security environment to do the forensics investigation. So that was my main future direction: educate the developers.

But I just want to highlight that there is a new field of development, especially in biotechnology, called the Internet of Nano Things. If you go to the biotechnology labs of, for example, the University of Manchester, you would see a lot of them: these people are happily putting chips in the brains, in the bodies of live people, and nobody cares about the security of communication of these devices at all. So I don't know how fast they are developing, but if one day that happens and you have the same kind of development that we have seen in IoT in the Internet of Nano Things, I am really afraid that probably we can compromise the real brain of the human beings and get into those implanted nano things in their brains. Thanks for your attention. [Applause]
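The missing parameter length check the speaker describes, shown as an added C example that is not code from the talk or from the developer it mentions: an unchecked copy of a sensor parameter into a fixed-size field beside a checked handler that bounds the length before copying. The `SET name=<value>` protocol line, the struct layout and all function names are assumptions.

```c
/* Added example (not from the talk): a sensor configuration handler with
 * and without the parameter length check the speaker says was missing.
 * The SET protocol line, struct layout and function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size name field on the device, assumed */

struct sensor_cfg {
    char name[NAME_LEN];
    uint32_t interval_ms;   /* sits right after name in memory */
};

/* Unchecked version: copies whatever arrived over the network into a
 * 16-byte field. A parameter longer than 15 bytes runs past `name` into
 * `interval_ms` and beyond: the classic overflow. Shown for contrast only;
 * nothing in this example calls it. */
void set_name_unchecked(struct sensor_cfg *cfg, const char *param)
{
    strcpy(cfg->name, param);
}

/* Checked version: bound the length (and the character set) before the copy.
 * Overlong input is rejected outright rather than silently truncated, so the
 * device state is left untouched and the caller can log the bad request.
 * Returns 0 on success, -1 if the parameter is rejected. */
int set_name_checked(struct sensor_cfg *cfg, const char *param, size_t param_len)
{
    if (cfg == NULL || param == NULL)
        return -1;
    if (param_len == 0 || param_len >= NAME_LEN)   /* leave room for the NUL */
        return -1;
    for (size_t i = 0; i < param_len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (c < 0x20 || c > 0x7e)                   /* printable ASCII only */
            return -1;
    }
    memcpy(cfg->name, param, param_len);
    cfg->name[param_len] = '\0';
    return 0;
}

/* Apply one line of a constructed text protocol, "SET name=<value>".
 * The value is passed with an explicit length so the check above sees the
 * real size of what came off the wire, not where a NUL happens to be. */
int handle_set_line(struct sensor_cfg *cfg, const char *line, size_t line_len)
{
    static const char prefix[] = "SET name=";
    const size_t plen = sizeof(prefix) - 1;
    if (line == NULL || line_len < plen || memcmp(line, prefix, plen) != 0)
        return -1;
    return set_name_checked(cfg, line + plen, line_len - plen);
}

/* Runs three constructed inputs and returns 1 only if the checked handler
 * behaves as intended: accepts a 15-byte name, rejects a 16-byte one and a
 * 40-byte one, and never disturbs the neighbouring interval_ms field. */
int run_demo(void)
{
    struct sensor_cfg cfg;
    memset(&cfg, 0, sizeof cfg);
    cfg.interval_ms = 1000;

    const char ok[]       = "SET name=probe-012345678";      /* 15-byte value */
    const char edge[]     = "SET name=probe-0123456789";     /* 16 bytes: too long */
    const char overlong[] = "SET name=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (handle_set_line(&cfg, ok, sizeof ok - 1) != 0) return 0;
    if (strcmp(cfg.name, "probe-012345678") != 0) return 0;
    if (handle_set_line(&cfg, edge, sizeof edge - 1) != -1) return 0;
    if (handle_set_line(&cfg, overlong, sizeof overlong - 1) != -1) return 0;
    if (strcmp(cfg.name, "probe-012345678") != 0) return 0;   /* unchanged */
    if (cfg.interval_ms != 1000) return 0;                    /* unchanged */
    return 1;
}

int main(void)
{
    int ok = run_demo();
    printf("checked handler behaves as intended: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```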