The Role of Forensics in the Internet of Things: Motivations and Requirements

by Dr. Suleman Khan
School of Information Technology, Monash University Malaysia

IEEE Internet Initiative eNewsletter, July 2017

Discuss this topic on Collabratec:

The Internet of Things (IoT) is an emerging technology which leads human life to interact with billions of devices of the world [1]. This provides unsurpassed convenience in the human life. However, the open nature of interaction between IoT devices makes way for intruders to exploit the data transferring among different devices [2]. To secure each and every device in the IoT paradigm with integrity of its data is an utmost challenge to IoT community [3]. Currently, the IoT community is starting to  think about IoT security in terms of developing embedded security solutions, middleware, cloud security, and much more. However, all these efforts count towards detection and prevention of security attacks. The recent efforts lack to investigate the source of  the attack that cause problems for IoT paradigms. Therefore, the IoT paradigm requires forensic solutions to find the root cause and to minimize different attacks [4].  

There is no single solution available to protect the entire IoT infrastructure from different security attacks. There is always an opportunity for an attacker to bypass security barriers because of rapid enhancement in the technologies, open source market, numerous applications, and various others. The detection and prevention mechanism fails to cope with an aforementioned scenario to have a complete safe and sound security environment for IoT users. This brings IoT forensics to play its part to investigate security breaches found in the IoT infrastructure. IoT forensics is a way to identify sequential steps performed by the attacker during its attack process. The sequential steps are identified by collecting evidence from different sources such as devices, logs, applications and networks used at the time of attack. From the evidence, new IoT forensic solutions will emerge with insight about the attacks.

IoT forensics solutions will help to find the root causes and attacks [5]. This will not only assist in minimizing the attacks but controlling similar attacks in the future. The main question arises: where should forensic solutions be integrated into IoT infrastructure to have a strong investigation mechanism? Honestly, this is a question which needs a lot of thought to have an accurate answer. Mainly there are three IoT components that need to be protected to have a secure interactive environment among the devices. This includes: IoT devices, cloud infrastructures, and IoT networks. However, the main challenge is the dynamic nature of IoT solutions. For instance, a mechanism to extract evidence from IoT devices may vary from device to device such as medical devices, appliances, tags, agricultural sensors and various others [6]. Moreover, the evidence should be collected from cloud computing, sensors, networks and Radio Frequency Identification (RFID) technologies. As a result, IoT forensics will encompass all technologies used in IoT infrastructure for investigation.

IoT forensics needs to identify, preserve, analyze, and present the digital evidence collected from the IoT components [7]. It requires well-defined accredited tools, efficient algorithms, adaptive frameworks, and dynamic solutions. Another challenge for IoT forensics is coping with the dynamic IoT environment. Each forensic solution might work in one environment but it may not suit with another environment [8]. For instance, extracting digital evidence from home appliances may be easier than from devices in healthcare. Due to the lack of principle design of IoT forensics, the security experts are currently looking to adopt an existing digital forensics mechanism that fits to some extent in an IoT environment. The major part of IoT forensics will rely on the physical and mechanical parts of the smart devices playing an important role in IoT infrastructure. Moreover, the cloud cybersecurity policy needs to be revised, because each IoT device generates data that is stored in the cloud. The cloud cybersecurity policy should be integrated with IoT infrastructure to have quick responses for any suspicious activity. The policy should be revised in terms of evidence identification, data integrity, preservation, and accessibility. The cloud vendor should ensure the integrity of the digital evidence retrieved from cloud computing components to have a fair investigation process in identifying the root cause of the attack in IoT.

The network used to connect smart devices to the cloud assists the attackers as well as forensic investigators. The attacker tries to exploit the data transferring on the network links. This might cause the data to be altered, diverted to malicious locations, or delay it to make the process malfunction. The forensic investigators trying to extract digital evidence from the network links may be easier than extracting evidence from the cloud resources [9]. The evidence should be in terms of finding data patterns on the networks that might help forensic investigators to know the malicious injected patterns.

IoT forensics demands for optimal solutions from researchers, security vendors, IoT experts, and cloud computing owners to secure IoT infrastructure from secure collapses occurred during the attacks. Different security research groups should integrate with IoT vendors to think about how IoT can be fault tolerant to mishaps happening through different attacks. This requires brainstorming from highly qualified potential researchers, IoT experts, market vendors, and cloud computing owners. The joint venture will lead towards synergetic effect through optimal and fast output while putting forth fewer efforts. A huge research investment is required in order to have the IoT forensics dream become a reality in the coming decade. The motivation for IoT forensics will create different opportunities for research projects that will allow researchers around the world to participate and provide their ideas and suggestions.

Consequently, to attract more users, IoT needs to integrate the forensic mechanism within its architecture to have a safe and secure environment without any angst and panic. This will create doors of opportunities for the development of IoT applications rather than putting efforts toward defending numerous invasions.


[1] Gubbi, J., et al., Internet of Things (IoT): A vision, architectural elements, and future directions. Future generation computer systems, 2013. 29(7): p. 1645-1660.

[2] Zhou, J., et al., Security and privacy for cloud-based IoT: challenges. IEEE Communications Magazine, 2017. 55(1): p. 26-33.

[3] Liu, C., et al., External integrity verification for outsourced big data in cloud and IoT: A big picture. Future Generation Computer Systems, 2015. 49: p. 58-67.

[4] Oriwoh, E., et al. Internet of things forensics: Challenges and approaches. in Collaborative Computing: Networking, Applications and Worksharing (Collaboratecom), 2013 9th International Conference Conference on. 2013. IEEE.

[5] Perumal, S., N.M. Norwawi, and V. Raman. Internet of Things (IoT) digital forensic investigation model: Top-down forensic approach methodology. in Digital Information Processing and Communications (ICDIPC), 2015 Fifth International Conference on. 2015. IEEE.

[6] Hegarty, R., D.J. Lamb, and A. Attwood. Digital Evidence Challenges in the Internet of Things. in INC. 2014.

[7] Kebande, V.R. and I. Ray. A Generic Digital Forensic Investigation Framework for Internet of Things (IoT). in Future Internet of Things and Cloud (FiCloud), 2016 IEEE 4th International Conference on. 2016. IEEE.

[8] Khan, S., et al., Software-Defined Network Forensics: Motivation, Potential Locations, Requirements, and Challenges. IEEE Network, 2016. 30(6): p. 6-13.

[9] Khan, S., et al., Network forensics: Review, taxonomy, and open challenges. Journal of Network and Computer Applications, 2016. 66: p. 214-235.

Dr. Suleman KhanDr. Suleman Khan

Dr. Suleman Khan is a Lecturer at School of Information Technology, Monash University Malaysia. He received his Ph.D. (Distinction) from Faculty of Computer Science and Information Technology, University of Malaya, Malaysia (2017). Previously, he completed several Master programs including Master of Science-MS (Distributed Systems) from Comsats Institute of Information Technology, Abbottabad, Pakistan (2011), Master of Business Administration (HRD) from Institute of Management of Sciences, Hayatabad, Pakistan (2007) and Master of Science M.Sc (Computer Science), from University of Peshawar, Pakistan (2006). Dr. Suleman has published 35+ High Impact Research articles in reputed international journals and conferences. He is currently an IEEE member and his research areas include but are not limited to Network Security, Network Forensics, Software Defined Networks (SDN), Internet of Things (IoT), Cloud Computing, and Vehicular Communications.


Dr. Ali Kashif Bashir Dr. Ali Kashif Bashir

Ali Kashif Bashir (S’16–M’15) is Associate Professor at Department of Science and Technology, University of the Faroe Islands, Faroe Islands, Denmark. In the past, he held appointments with Osaka University, Japan, the National Institute of Technology, Nara, Japan, the National Fusion Research Institute, South Korea, and Southern Power Co. Ltd, South Korea. He received his PhD in computer science and engineering from Korea University, South Korea, MS from Ajou University, South Korea and BS from University of Management and Technology, Pakistan. His research interests include: 5G, NFV/SDN, network virtualization, IoT, computer networks, internet security, etc. He is serving as the Editor-in-chief of the IEEE Internet Policy Newsletter and the IEEE Future Directions Newsletter. 


Article Contributions Welcomed

If you wish to have an internet policy related article considered for publication, please contact the Managing Editor of Technology Policy and Ethics IEEE Future Directions Newsletter.

View Editorial Guidelines

Past Issues

December 2018

September 2018

June 2018

March 2018

November 2017

September 2017

July 2017

May 2017

March 2017

January 2017

November 2016

September 2016

IEEE Internet Policy Newsletter Editorial Board

Dr. Ali Kashif Bashir, Interim Editor-in- Chief
Dr. Syed Hassan Ahmed
Dr. Mudassar Ahmad
Dr. Onur Alparslan
Dr. Muhammad Bilal
Dr. Syed Ahmad Chan Bukhari
Dr. Ankur Chattopadhyay
Dr. Junaid Chaudhry
Dr. Waleed Ejaz
Dr. Mohamed Elhoseny
Dr. Prasun Ghosal
Dr. Tahir Hameed
Dr. Y. Sinan Hanay
Dr. Shagufta Henna
Dr. Fatima Hussain
Dr. Rasheed Hussain
Dr. Saman Iftikhar
Sajida Imran
Dr. Stephan Jones
Dr. Mohammad Saud Khan
Olga Kiconco
Dr. Jay Ramesh Merja
Dr. Mubashir Husain Rehmani
Dr. Hafiz Maher Ali Zeeshan

About: This newsletter features technical, policy, social, governmental, but not political commentary related to the internet. Its contents reflect the viewpoints of the authors and do not necessarily reflect the positions and views of IEEE. It is published by the IEEE Internet Initiative to enhance knowledge and promote discussion of the issues addressed.