A good definition of Internet of Things (“IoT”) found in Wikipedia is “the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.”
Although this is a very broad definition, it is important to understand the massive amount of information currently produced by over 6 billion devices, with a forecast of over 20 billion by 2020. This is a segment of big data that should not be underestimated but considered as a great source of data that can be collected and used for various purposes, including digital investigations.
IoT data comes in various forms, and it is important for someone wanting to use this type of data to be able to decipher its content once it is collected. Some devices make it easy, as they are associated with customized applications, or “apps,” that can be easily reviewed and analyzed for investigative purposes.
In a civil lawsuit last year, a Canadian personal injury lawyer used data from a Fitbit wearable device to present evidence and demonstrate a certain level of physical activity on behalf of his client. In this kind of situation, one would need to use other evidence to support the data presented. However, the wearable data can be very powerful if properly represented to the courts.
Any investigator will tell you that digital evidence is good as long as you can associate a user with the information. In this Fitbit case, the user profile created with the application, as well as the historical data from the device’s purchase record, could be used to strengthen the identity of the user of the wearable. Hypothetically, a gold mine of digital evidence, in this case, would be found in the legal collection of the iOS or Android device associated with the user.
A forensic analysis of the device would easily show various activities on the phone that could associate the proper user with the wearable. For instance, the forensic analysis could show that a phone call, an email, or a purchase associated with a specific user on the phone was made before or after a physical activity was recorded in the Fitbit app.
It is evident that more data from other IoT devices could help this investigation. For example, a TraKr device is a small chip tag that you can use to track your belongings, such as your briefcase, backpack, or glasses case, to name a few. The TraKr devices will keep track of where you last stored your items. This is very convenient when you are forgetful or need to locate your luggage at the airport, for example.
Should an investigator have access to the app, it would be easy for him/her to identify your items’ last locations and potentially your current or last location. Other real-time GPS locators are also available in the form of a ring that will display text messages, phone numbers and contact names.
For an investigator, the ultimate properties of IoT devices are their interconnectivity and sometimes a distinctive connection to the Internet. This type of communication between IoT devices can be achieved through the IFTTT (“If This Then That”) platform, which an investigator will have to become familiar with. IFTTT is a free web-based service that lets users create chains of simple conditional statements called “recipes,” which are small programming “IF” statements controlling their IoT devices.
For example, a user could have their Android phone automatically switch to silent mode when arriving at work through the use of the device’s geo-location. Another example of a recipe would be for a user to set up their weather app to send them an email if there is a rain forecast in their area before a meeting. Additionally, a user could receive a text message to use sunscreen if the UV index is high on a particular day. There are thousands of free available recipes on the Internet for users to choose from and make their IoT devices talk to each other.
Ultimately, a digital investigator operating within an IoT environment in the hope of identifying various sources of digital evidence needs to understand basic IoT facts. First, raw data collected from various IoT devices and sensors is not always the best source of information needed to decipher and identify a user’s profile associated with certain activities. However, IoT data used in conjunction with conventional digital evidence, such as a proper forensic collection and review of emails, text messages and smartphone activities, can be extremely useful.
Secondly, IoT devices’ data can be a great source of evidence when an investigator creates a timeline of events for a certain user’s activities. A fraudulent personal injury claim is a good example where IoT evidence could be used to generate a timeline showing that a certain user was or was not physically active during a certain time period.
Finally, recipes used for IoT devices can be a great source of evidence to identify a user profile and establish specific activity records generated by the various devices.
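The timeline approach described above, where phone activity attributable to a user is placed before or after a recorded physical activity, can be sketched as follows. This is an added example, not code from the author or from any forensic tool; the record layout, field names, account label and 15-minute window are assumptions, and all sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real case). Timestamps are assumed
# to be normalized to UTC before correlation; mixed time zones skew results.
WEARABLE_ACTIVITY = [  # activity intervals exported from a fitness app
    {"start": "2016-05-02T07:00:00", "end": "2016-05-02T07:45:00", "type": "run"},
    {"start": "2016-05-03T18:10:00", "end": "2016-05-03T18:40:00", "type": "walk"},
]
PHONE_EVENTS = [  # attributable events recovered from the paired phone
    {"time": "2016-05-02T06:52:00", "kind": "call", "account": "user_a"},
    {"time": "2016-05-02T07:51:00", "kind": "email", "account": "user_a"},
    {"time": "2016-05-03T21:30:00", "kind": "purchase", "account": "user_a"},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def build_timeline(activities, events):
    """Merge both evidence sources into one chronologically ordered list."""
    rows = [(parse(a["start"]), "wearable", a["type"] + " start") for a in activities]
    rows += [(parse(a["end"]), "wearable", a["type"] + " end") for a in activities]
    rows += [(parse(e["time"]), "phone", e["kind"] + " by " + e["account"])
             for e in events]
    return sorted(rows)

def corroborate(activities, events, window_minutes=15):
    """For each activity, collect phone events that fall within the window
    before its start or after its end. No events means no corroboration."""
    window = timedelta(minutes=window_minutes)
    result = []
    for a in activities:
        start, end = parse(a["start"]), parse(a["end"])
        near = [e for e in events
                if start - window <= parse(e["time"]) <= start
                or end <= parse(e["time"]) <= end + window]
        result.append({"activity": a["type"], "start": a["start"],
                       "supporting_events": [e["kind"] for e in near],
                       "accounts": sorted({e["account"] for e in near}),
                       "corroborated": bool(near)})
    return result

if __name__ == "__main__":
    for when, source, what in build_timeline(WEARABLE_ACTIVITY, PHONE_EVENTS):
        print(when.isoformat(), source, what)
    for row in corroborate(WEARABLE_ACTIVITY, PHONE_EVENTS):
        print(row)
```

An activity that comes back uncorroborated, like the constructed walk here, is not evidence that someone else wore the device; it only means the phone data does not tie a user to that interval.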
In brief, within the next four years, the number of IoT devices in the world will more than triple to 20 to 30 billion devices, which will be more than three times the world’s forecast population. All users’ digital footprints will be deep-rooted in our society to make our lives better and more efficient.
However, it will also increase our exposure to digital frauds and other cybercrimes, hence the need to maintain and improve good digital investigation processes.
About the Author: René Hamel (@hamel_rene) is a forensic technology investigator. His cyber security and forensic technology career spans over seventeen years. His broad spectrum of working experience includes Government, corporate and financial services. He has a strong investigative background, having been a member of the Royal Canadian Mounted Police “RCMP” for sixteen years. He is a well-recognized and respected leader in his field, having worked in North and South America, Europe and Asia. René has also been appointed as an expert witness in both criminal and civil courts in Canada and Ireland. His evidence and testimony have often been instrumental in the recovery of large financial assets.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.