IoT Forensics Challenges And Opportunities For Digital Traces

Transcription

IoT Forensics Challenges and Opportunities for Digital Traces
Francesco Servida, Eoghan Casey
DFRWS Europe 2019, 26.04.19

Outline
- Smart Devices
- Forensic Interest
- Methodology
- Results
- Discussion

Smart Devices
- Security systems: cameras, door locks, motion sensors, smoke & CO detectors
- Smart assistants: audio, video
- Smart hubs
- Smart: microwave, stove, grill, crock pot, refrigerator, grow system, coffee maker, television, thermostat, light bulbs, plugs, toys
- Smart firewalls

Forensic Interest
- Myriad of sensors
- Direct targets
  – Sensitive data
- Secondary targets: highly connected, low security
  – Alarm systems
  – «Trojan horses»
  – Botnets (e.g. Mirai)
- Witnesses

IoT forensics approach
- Enterprise IoT: proactive collection
- Home IoT: what to do on an “unprepared” crime scene?

Methodology

Methodology
- Literature review
- Existing vulnerability reports
- Home automation communities

Methodology

Methodology
- Who?
- How?
- What?

Methodology
- What traces on a smartphone?
- Traditional tools: no parsers
- Manual investigation and correlation
- Plugin development

Methodology
- Builds on network analysis
  – Listening ports, traffic type, traffic content
- MITM
  – mitmproxy, SSLsplit
- Firmware analysis
  – Binwalk, strings, hexdump

Methodology
- Serial connection / root access (JTAG, chip-off)
- Physical images
  – NVRAM settings
  – Filesystem images

Network Analysis
- Mostly TLS
- Only a minority is local traffic.
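The two observations above (mostly TLS, little local traffic) are the kind of per-device summary a network analysis pass produces. As an added example that is not part of the talk or the authors' tooling, the Python below sorts the first payload bytes of captured flows into local vs. cloud destinations and TLS vs. cleartext; the device names, addresses and payloads are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows for illustration: (device, dst_ip, dst_port, first payload bytes).
# Device names, addresses and payloads are invented; they are not captures from the talk.
SAMPLE_FLOWS = [
    ("ismartalarm_app",  "52.0.0.10",       443,   b"\x16\x03\x01\x00\xc8\x01\x00\x00"),
    ("ismartalarm_cube", "192.168.1.30",    12345, b"\x16\x03\x03\x00\x9c\x01\x00\x00"),
    ("qbee_cam",         "52.0.0.11",       80,    b"GET /api/status HTTP/1.1\r\n"),
    ("qbee_cam",         "239.255.255.250", 1900,  b"NOTIFY * HTTP/1.1\r\n"),
    ("arlo_base",        "52.0.0.12",       8883,  b"\x16\x03\x01\x00\x50\x01\x00"),
    ("wink_hub",         "52.0.0.13",       443,   b"\x16\x03\x01\x00\x50\x01\x00"),
]

HTTP_TOKENS = {b"GET", b"POST", b"PUT", b"HEAD", b"M-SEARCH", b"NOTIFY"}

def is_local(dst_ip):
    """Private, link-local and multicast destinations stay on the LAN (UPnP/SSDP is multicast)."""
    addr = ipaddress.ip_address(dst_ip)
    return addr.is_private or addr.is_link_local or addr.is_multicast

def is_tls_client_hello(payload):
    """TLS record: type 0x16 (handshake), version 0x03 0x01..0x03, 2-byte length, handshake type 0x01."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] in (1, 2, 3) and payload[5] == 0x01)

def classify(flow):
    """Return (scope, kind): scope is local/cloud, kind is tls/http-cleartext/other-cleartext."""
    _, dst_ip, _, payload = flow
    scope = "local" if is_local(dst_ip) else "cloud"
    if is_tls_client_hello(payload):
        kind = "tls"
    elif payload.split(b" ", 1)[0] in HTTP_TOKENS:
        kind = "http-cleartext"
    else:
        kind = "other-cleartext"
    return scope, kind

def summarize(flows):
    """Per-device histogram of scope/kind, e.g. {'qbee_cam': {'cloud/http-cleartext': 1, ...}}."""
    per_device = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        scope, kind = classify(flow)
        per_device[flow[0]][f"{scope}/{kind}"] += 1
    return {dev: dict(hist) for dev, hist in per_device.items()}

def counts(flows):
    """Overall totals: how many flows use TLS and how many stay on the local network."""
    labels = [classify(f) for f in flows]
    return {"total": len(flows),
            "tls": sum(1 for _, kind in labels if kind == "tls"),
            "local": sum(1 for scope, _ in labels if scope == "local")}

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
    print(counts(SAMPLE_FLOWS))
```

On a real capture, feed it the first payload of each TCP/UDP flow per source device; cleartext flows to cloud hosts are the ones worth a closer look during the MITM step.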

Network Analysis
- iSmartAlarm
  – «Encrypted» traffic with Android app [1]
  – Unauthenticated diagnostic logs access (CVE-2018-16224)
- QBee
  – Cleartext traffic with Android app (CVE-2018-16225)
  – (UPnP port
[1] ity-is-compromised-by-iot-vulnerabilities/

Physical Analysis
- Memory images: Arlo, iSmartAlarm Cube One
- Filesystem images: Wink, Arlo (partially)
- NVRAM settings: settings & events, depending on device

Physical Analysis

Smartphone Application Artifacts
- Android phone (Samsung Galaxy Edge S6)
- iSmartAlarm: cloud credentials, events, UPnP discovered devices, MQTT topic infos
- Arlo: cloud credentials (token), linked devices, thumbnails, user information
- Nest: linked devices, events, video extracts
- QBee: cloud credentials, user info, linked devices
- Wink: events (long-term storage)

Smartphone Application Artifacts
- Investigation
- App decompilation

Smartphone Application Artifacts
- Official apps: Arlo, Nest
- Aggregators
- Artifacts: Arlo cache, Nest cache, Wink Hub events, Arlo settings (Realm DB)

Cloud
- Increased persistence
- Access
  – Reuse of credentials on smartphone
  – Request to service provider
- Arlo: recorded videos
- DFRWS Challenge submissions: Wink Hub (devices & events), iSmartAlarm (members), Nest (devices, events & clips)

Freezing the IoT crime scene?
- Live data (transmitted)
  – Authentication credentials (e.g. CVE-2018-16225)
  – Current events
- Stored data
  – Not always persistent
  – Sometimes accessible live (with previous knowledge of the device), e.g. CVE-2018-16224
- First responder activities generate IoT traces at the scene: risk of data loss!

Discussion

Discussion
- New devices: unknown meaning of the data, prone to error and misinterpretation
- Controlled environment testing
- Share results (peer review)
- Better and more accepted knowledge of the meaning of the data
- Increased admissibility

Issues
- Smartphone artifacts not produced in background
- Physical:
  – Extraction methods
  – Volatility of traces
- Variety of protocols

Future Research
- Study common smart home IoT devices
- Analyse IoT RF activities (e.g., Zigbee, Z-Wave)
- Chip-off analysis

https://github.com/fservida/msc_autopsy_plugins
https://github.com/fservida/msc_thesis_ch
Thank You.
