Merge pull request #216 from Digital-Forensics-Discord-Server/theAtropos4n6-patch-1

Update chapter14.txt
AndrewRathbun committed Apr 22, 2024
2 parents 7f3b099 + 4a6203f commit 34e151f
Showing 1 changed file with 2 additions and 19 deletions.
21 changes: 2 additions & 19 deletions manuscript/chapter14.txt
@@ -1,4 +1,4 @@
# Chapter B - IoT Forensics
# Chapter 14 - IoT Forensics

{width: 30%}
![](resources/Ch14/theAtropos4n6Logo.png)
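Review bot: The heading change from "Chapter B" to "Chapter 14" in this hunk brings the title in line with the file name chapter14.txt and the resources/Ch14/ asset paths; the only follow-up is to grep the rest of the manuscript for any remaining "Chapter B" cross-reference so it is renamed in the same PR rather than left pointing at a heading that no longer exists.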
Expand All @@ -11,7 +11,6 @@ Internet of Things (IoT) devices are becoming increasingly common and are used i

{width: 50%}
![Forensic data sources of the smart city illustrated with weight of evidence stored.- Baig et al., 2017](resources/Ch14/SmartCity.jpg)
{pagebreak}


The ever-growing world of IoT is crowded with a plethora of manufacturers, products, communication protocols, proprietary file systems, undocumented APIs, and more. This heterogeneity poses a great number of challenges to the application of IoT Forensics. Practitioners are often puzzled about the location of the data of interest, how to collect and analyze them, etc.. This chapter will elaborate on some of the aforementioned concepts to enable readers to embark on their journey in this relatively new field of Digital Forensics.
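Review bot: Dropping the {pagebreak} after the SmartCity figure leaves two consecutive blank lines before the paragraph beginning "The ever-growing world of IoT"; collapse them to a single blank line to match the spacing used elsewhere in the chapter. While touching this region, the context line ends in "etc.." with a doubled period, which is worth fixing in the same change.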
Expand All @@ -32,9 +31,6 @@ There are more than 20 studies (Alabdulsalam, et al., 2018), (Alenezi, et al., 2
- **Lifespan of Evidentiary Data**: IoT appliances have limited storage capabilities; hence, the lifespan of the data stored within them is relatively brief and subject to frequent overwriting. Before overwriting occurs, the majority of this information is uploaded to the cloud. Therefore, certain implications related to the acquisition of cloud-based evidence, such as the absence of physical access to cloud servers, are also applicable in this context.
- **Crime Scene Contamination**: Another point of consideration stemming from the storage limitations of IoT devices, is the possibility that any actions initiated by the first responders on the scene could exhaust the device's memory, leading to the overwrite of older pertinent events. Subsequently, these events are likely to be transferred to the cloud, resulting in the appliance's memory being tainted with data generated during the intervention at the crime scene. In instances where the collection of cloud-based evidence is restricted, this process could compromise the investigation.
- **Securing the Chain of Custody**: Maintaining the chain of custody is arduous in IoT Forensics. It is nearly impossible to avoid contamination of the crime scene during evidence collection. While this step is essential, it is imperative to justify such actions in court for the acceptance of the collected evidence as legitimate. Additionally, determining appropriate handling procedures in such scenarios is a complex task. Moreover, preserving the integrity of seized IoT products is formidable due to their dynamic nature and the absence of forensic tools capable of preventing inadvertent modifications.

{pagebreak}

- **Data Storage Period in the Cloud**: Given that a significant portion of evidentiary data resides in the cloud, acquiring this evidence is crucial for an investigation. However, the period of time for which this information is stored depends on the data retention policies of each cloud service provider (CSP) and the legislation of the countries where the CSP operates. The varying storage periods, typically ranging between 6 months and up to 1 year in most cases, can severely affect the retrieval of this evidence source.
- **Data Format**: IoT appliances store information in diverse file formats, including databases, JSON, and logs. Furthermore, data related to a specific IoT device can be obtained from various evidence sources, including companion mobile applications, internal storage, and cloud servers. This segmentation of data requires rigorous effort for the comprehensive examination of all available evidence.
- **Lack of Standardization**: The variety of log records (user events, network logs, application logs, etc.) and other data that are generated by IoT devices do not meet specific standards. Manufacturers selectively record information according to their preferences, occasionally in proprietary formats, and may even use their own operating/file systems. Due to the lack of standardization and uniformity, analyzing this type of evidence is a demanding assignment.
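Review bot: Removing the {pagebreak} between the "Securing the Chain of Custody" and "Data Storage Period in the Cloud" bullets still leaves a blank line on either side of where it stood, so in Markdown the challenges list remains split into two separate lists; if the intent is one continuous list, delete those blank lines as well.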
Expand All @@ -43,8 +39,6 @@ There are more than 20 studies (Alabdulsalam, et al., 2018), (Alenezi, et al., 2
- **Interpreting Data Correctly**: Data extracted from IoT devices come in a variety of formats and are based on distinct operating/file systems, contingent upon the manufacturer and the device type. Misinterpreting such data could result in drawing inaccurate conclusions.
- **Technical Expertise**: Communicating technical findings to non-technical stakeholders, such as juries and judges, demands a combination of in-depth technical and legal expertise, along with the ability to convey complex technicalities of IoT technology in an accessible and comprehensible way. This task can be particularly challenging, especially in this swiftly advancing field.

{pagebreak}

### 2.2 Security Challenges

- **Lightweight Security Measures**: IoT products face constraints in terms of CPU, storage, and power resources, which makes it challenging to implement robust security measures. What is more, many manufacturers neglect to patch the vulnerabilities of their IoT devices regularly or at all. Thus, these appliances are often vulnerable to hacking and data manipulation.
Expand All @@ -54,9 +48,6 @@ There are more than 20 studies (Alabdulsalam, et al., 2018), (Alenezi, et al., 2
### 2.3 Legal Challenges

- **Data Privacy**: In the dynamic landscape of IoT, multiple interconnected devices frequently gather personal and sensitive information without user awareness or consent, raising serious concerns regarding user privacy. For example, IoT appliances like fitness trackers monitor sensitive data such as users' steps, geolocation, health status, or even medical records which are eventually transmitted to the manufacturer's cloud. Legislation, such as the General Data Protection Regulation (GDPR), imposes legal requirements stipulating that the processing of such personal data must adhere to principles of lawfulness, fairness, and transparency. However, applying data protection regulations to this kind of information poses substantial obstacles due to the rapid evolution and expansion of the IoT environment. Forensic investigations in this context further complicate matters, as investigators must delicately navigate legal complexities to avoid violating privacy laws.

{pagebreak}

- **Multijurisdictional Issues**: IoT products store and exchange their data employing multiple cloud servers scattered across several geographical locations and legal jurisdictions. Identifying the relevant legal framework for each situation and ensuring lawful access to the data can be complex and, at times, even impossible. For instance, when tackling an incident involving IoT devices, a primary problem is determining the appropriate jurisdiction for legal proceedings. Decisions must be made regarding whether the case falls under the jurisdiction related to the data storage location, the location of the IoT device in question, or the location of the perpetrator.
- **Admissibility of Evidence**: Another important legal consideration involves establishing the admissibility of digital evidence obtained from IoT appliances in court. Within the IoT domain, it becomes challenging to demonstrate that the evidence was acquired and examined using reliable forensic methods, primarily due to the obstacles discussed above. Likewise, the task of ensuring and proving that the chain of custody was properly maintained to preserve the integrity of the evidence presents considerable hurdles.

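Review bot: Same issue as the earlier list hunk: with the {pagebreak} gone, the blank lines around it still separate the "Data Privacy" bullet from "Multijurisdictional Issues" and "Admissibility of Evidence", so the legal challenges list renders as two blocks; remove the surrounding blank lines if a single list is intended.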
Expand All @@ -67,7 +58,7 @@ There are more than 20 studies (Alabdulsalam, et al., 2018), (Alenezi, et al., 2
Now that the reader has an understanding of the challenges associated with IoT Forensics, it is time to explore some of the skills required for conducting digital investigations of IoT products. As identified by Stoyanova et al., (2020) (See Fig. 1), IoT Forensics is divided into IoT device-level forensics, network forensics, and cloud forensics. One can be really proficient in one of these three disciplines and lack expertise in the other two, or any other possible combination may apply. A metaphor for an investigator in IoT forensics might be a [UFC](https://www.ufc.com/) fighter. Of course, this doesn't mean one should punch sensors and devices out of the way, nor grapple with the refrigerator. However, it implies that one needs develop and combine cross-disciplined investigative competencies to succeed in this field of digital forensics, similar to how a UFC fighter practices different fighting disciplines to enhance competitiveness. Each of the three categories, along with some of the skills that a practitioner needs to develop while diving into this field, are presented below:

{width: 50%}
![Components of the IoT Forensics - Stoyanova et al., 2020](resources/Ch14/Stoyanova.png)
![Components of the IoT Forensics - Stoyanova et al., 2020](resources/Ch14/Stoyanova.PNG)

{pagebreak}

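Review bot: The image reference in this hunk changes only the case of the extension, Stoyanova.png to Stoyanova.PNG. Git and Linux build environments are case-sensitive, so this only renders if the file in resources/Ch14/ is really named with uppercase PNG; a mismatch will look fine on Windows or macOS and appear as a missing image in CI or in the published build. Confirm the tracked name (for example with `git ls-files resources/Ch14/`) or rename the asset to lowercase for consistency with theAtropos4n6Logo.png and SmartCity.jpg. The context line also reads "one needs develop" and is missing the word "to".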
Expand All @@ -83,8 +74,6 @@ This category encompasses the actual IoT devices that may require digital invest
- **Programming and Scripting**: Programming and scripting skills can prove useful in every aspect of IoT Forensics. From parsing companion apps' data, unknown logs, and databases to contributing parsers to open-source tools, having such skills can benefit the whole DFIR community.
- **Reverse Engineering**: Reverse engineering the firmware of IoT products can sometimes reveal information about them, including root credentials and security vulnerabilities that one can lawfully disclose to their manufacturers. In the case of a compromised IoT device, its rogue firmware can reveal the IP of the C2C server and more.

{pagebreak}

### 3.2 Network Forensics

Except for individual IoT appliances, digital evidence can also be obtained from the network (e.g., router) where these products were connected. This category involves the investigation of the network communication of these IoT products. An indicative list of the competencies that practitioners in this category should develop follows:
Expand All @@ -93,8 +82,6 @@ Except for individual IoT appliances, digital evidence can also be obtained from
- **Network Architecture**: Understanding different network architectures (LAN, WAN, etc.) and possessing basic knowledge of subnetting and other network segmentation techniques. IoT products are sometimes set to use their own subnet for security reasons, so being able to navigate through the employed subnets can be a plus.
- **Packet/Log Analysis**: IoT devices frequently fall victim to cyber attacks. Having the ability to capture, analyze, and interpret network traffic to identify anomalies or suspicious activities can assist in potentially tracing these attacks back to their perpetrators. Likewise, knowing how to examine logs from network devices like firewalls and routers may provide fruitful findings like tracking the timeline of events.

{pagebreak}

### 3.3 Cloud Forensics

The last category includes the data which are generated and/or processed by IoT appliances and are eventually stored in cloud services. Some of the abilities one needs to harness while entering this field are listed here:
Expand Down Expand Up @@ -125,8 +112,6 @@ In this section, a curated list of resources is shared to help both beginners an

Establishing a new workflow or updating an old one according to widely accepted best practices is something that many agencies and practitioners around the globe usually do whenever it is deemed necessary. IoT Forensics requires the introduction or update of such procedures. Scientific Working Group on Digital Evidence ([SWGDE](https://www.swgde.org/home)) is a non-profit corporation that develops consensus-based standards, best practices, and more for use in digital investigations. SWGDE has [published](https://www.swgde.org/documents/published-complete-listing) both [best practices](https://drive.google.com/file/d/15rh-anGu_LeW0oYln_TrfzpVjA8rGwHH/view) and [technical notes](https://drive.google.com/file/d/1zcDxCLSrwTbwFlTAtjwB6UxMgMHOj3GY/view) documents on IoT Forensics. These documents can assist those who may be uncertain about which actions to take when approaching an IoT crime scene.

{pagebreak}

### 5.2 Trainings and Courses

There is a great number of trainings and courses offered for various aspects of IoT Forensics. Some of them are costly while others are free. Investing in certain trainings may facilitate the acquisition of practical experience with IoT devices, an aspect that could be challenging to attain otherwise. Below, you can find some of those that focus on IoT Forensics, listed in random order:
Expand All @@ -147,8 +132,6 @@ There is a great number of trainings and courses offered for various aspects of

Out of a wide range of available blogs on digital forensics, the author could find two that had hosted several posts related to IoT Forensics. These are [zena forensics](https://blog.digital-forensics.it/) by [Mattia Epifani]((https://twitter.com/mattiaep)) and [elcomsoft](https://blog.elcomsoft.com/), the official blog of the company Elcomsoft. By no means does this imply that there aren't others out there. Here are two indicative posts from the [first one](https://blog.digital-forensics.it/2020/12/a-journey-into-iot-forensics-episode-4.html) and the [latter one](https://blog.elcomsoft.com/2022/02/iot-forensics-analyzing-apple-watch-3-file-system/).

{pagebreak}

### 5.4 Presentations and Interviews on IoT Forensics

There have been many presentations and interviews on IoT Forensics. Some are still available online, others cannot be accessed directly, and others are no longer available. A list of some talks that are still available and accessible online is mentioned below (in random order):
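Review bot: The context line naming the blogs contains a malformed link, `[Mattia Epifani]((https://twitter.com/mattiaep))`, with doubled parentheses around the URL; depending on the renderer this either breaks the link or prints a stray parenthesis. Change it to `[Mattia Epifani](https://twitter.com/mattiaep)`.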

1 comment on commit 34e151f

@github-actions


@check-spelling-bot Report

🔴 Please review

See the 📜action log or 📝 job summary for details.

Unrecognized words (138)
To accept these unrecognized words as correct, you could run the following commands

... in a clone of the git@github.com:Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts.git repository
on the main branch (ℹ️ how do I use this?):

curl -s -S -L 'https://raw.githubusercontent.com/check-spelling/check-spelling/prerelease/apply.pl' |
perl - 'https://github.com/Digital-Forensics-Discord-Server/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts/actions/runs/8789954938/attempts/1'
Forbidden patterns 🙅 (1)

In order to address this, you could change the content to not match the forbidden patterns (comments before forbidden patterns may help explain why they're forbidden), add patterns for acceptable instances, or adjust the forbidden patterns themselves.

These forbidden patterns matched content:

s.b. GitHub

(?<![&*.]|// |type )\bGithub\b(?![{)])
Pattern suggestions ✂️ (1)

You could add these patterns to .github/actions/spelling/patterns.txt:

# Automatically suggested patterns
# hit-count: 1 file-count: 1
# Non-English
[a-zA-Z]*[ÀÁÂÃÄÅÆČÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæčçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź][a-zA-Z]{3}[a-zA-ZÀÁÂÃÄÅÆČÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæčçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź]*|[a-zA-Z]{3,}[ÀÁÂÃÄÅÆČÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæčçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź]|[ÀÁÂÃÄÅÆČÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæčçèéêëìíîïðñòóôõöøùúûüýÿĀāŁłŃńŅņŒœŚśŠšŜŝŸŽžź][a-zA-Z]{3,}

Errors (4)

See the 📜action log or 📝 job summary for details.

❌ Errors Count
ℹ️ candidate-pattern 1
❌ check-file-path 1
❌ forbidden-pattern 1
⚠️ non-alpha-in-dictionary 4

See ❌ Event descriptions for more information.

If the flagged items are 🤯 false positives

If items relate to a ...

  • binary file (or some other file you wouldn't want to check at all).

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.

🚂 If you're seeing this message and your PR is from a branch that doesn't have check-spelling,
please merge to your PR's base branch to get the version configured for your repository.
