Slide 1: IoT Forensics Challenges and Opportunities for Digital Traces
Francesco Servida, Eoghan Casey
DFRWS Europe 2019, 26.04.19

Slide 2: Outline
• Smart Devices
• Forensic Interest
• Methodology
• Results
• Discussion

Slide 3: Smart Devices
Security systems: cameras, door locks, motion sensors, smoke & CO detectors
Smart assistants: audio, video
Smart hubs
Smart firewalls
Smart appliances: microwave, stove, grill, crock pot, refrigerator, grow system, coffee maker, television, thermostat, light bulbs, plugs, toys

Slide 4: Forensic Interest
• Myriad of sensors
• Highly connected
• Low security
• Direct targets: sensitive data
• Secondary targets: alarm systems, «Trojan horses», botnets (e.g. Mirai)
• Witnesses

Slide 5: IoT forensics approach
Enterprise IoT: proactive collection
Home IoT: what to do on an "unprepared" crime scene

Slide 6: Methodology (figure only)

Slide 7: Methodology
- Literature review
- Existing vulnerability reports
- Home automation communities

Slide 8: Methodology (figure only)

Slide 9: Methodology
Who, how, what (figure)

Slide 10: Methodology
What traces on a smartphone?
• Traditional tools -> no parsers
• Manual investigation and correlation
• Plugin development

Slide 11: Methodology
- Builds on network analysis: listening ports, traffic type, traffic content
- MITM: mitmproxy, SSLsplit
- Firmware analysis: binwalk, strings, hexdump...

Slide 12: Methodology
- Serial connection, root access, (JTAG), (chip-off)
- Physical images: NVRAM settings, filesystem images

Slide 13: Network Analysis
- Mostly TLS
- Only a minority is local traffic

Slide 14: Network Analysis
- iSmartAlarm: «encrypted» traffic with the Android app (1); unauthenticated diagnostic logs access (CVE-2018-16224)
- QBee: cleartext traffic with the Android app (CVE-2018-16225); (UPnP port forwarding)

(1) https://dojo.bullguard.com/dojo-by-bullguard/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

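Slides 13 and 14 summarise what the captures showed: mostly TLS, little local traffic, one vendor passing cleartext credentials between device and app, another exposing diagnostic logs without authentication. The deck carries no analysis code; what follows is an added example, not code from the authors or their repositories, of the first triage a practitioner runs over a home-network capture before setting up mitmproxy or SSLsplit: per flow, decide whether it stays on the LAN or leaves it, whether it is TLS or cleartext, read the SNI hostname out of the ClientHello (it names the cloud endpoint even though the content is encrypted, and therefore which service provider a request for stored data should go to), and flag cleartext payloads that carry credentials. The addresses, hostnames and payloads are constructed; the flow tuples stand in for what a packet library would pull out of a pcap.

```python
import ipaddress
import struct

CREDENTIAL_MARKERS = (b"password=", b"passwd=", b"pwd=", b"authorization:")


def is_tls_handshake(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) followed by major version 0x03."""
    return len(payload) >= 5 and payload[0] == 0x16 and payload[1] == 0x03


def parse_sni(payload: bytes):
    """Walk a TLS ClientHello (RFC 5246 layout) and return the server_name extension, or None."""
    if not is_tls_handshake(payload):
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                      # handshake type 1 = ClientHello
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                         # client_version + random
        pos += 1 + hello[pos]                                # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
    except (IndexError, struct.error):                       # truncated or extension-less hello
        return None
    while pos + 4 <= min(ext_end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name list, name_type host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def is_lan(ip: str) -> bool:
    """RFC 1918, link-local and multicast (SSDP/mDNS discovery) all count as 'stays on the LAN'."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local or addr.is_multicast


def classify_flow(src: str, dst: str, dport: int, payload: bytes) -> dict:
    """Label one flow: LAN or cloud, TLS or cleartext, SNI hostname, credential hints in cleartext."""
    tls = is_tls_handshake(payload)
    return {
        "src": src, "dst": dst, "dport": dport,
        "local": is_lan(src) and is_lan(dst),
        "proto": "tls" if tls else "cleartext",
        "sni": parse_sni(payload) if tls else None,
        "cleartext_credentials": (not tls) and any(m in payload.lower() for m in CREDENTIAL_MARKERS),
    }


def summarize(flows) -> dict:
    rows = [classify_flow(*f) for f in flows]
    return {
        "tls": sum(r["proto"] == "tls" for r in rows),
        "cleartext": sum(r["proto"] == "cleartext" for r in rows),
        "local": sum(r["local"] for r in rows),
        "cloud_endpoints": sorted({r["sni"] for r in rows if r["sni"]}),
        "credential_leaks": [(r["src"], r["dst"], r["dport"]) for r in rows if r["cleartext_credentials"]],
    }


def build_client_hello(hostname: str) -> bytes:
    """Minimal ClientHello carrying an SNI extension (test fixture, not a TLS implementation)."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, fixed random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"             # one cipher suite
             + b"\x01\x00"                                    # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows: hypothetical hosts and addresses, not captures from the devices in the deck.
SAMPLE_FLOWS = [
    ("192.168.1.23", "192.168.1.10", 8080,
     b"POST /login HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\nuser=admin&password=hunter2"),
    ("192.168.1.23", "52.1.2.3", 443, build_client_hello("cloud.example-iot.net")),
    ("192.168.1.24", "35.4.5.6", 8883, build_client_hello("mqtt.example-hub.net")),
    ("192.168.1.10", "239.255.255.250", 1900,
     b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\nST: ssdp:all\r\n\r\n'),
]
```

`summarize(SAMPLE_FLOWS)` reports two TLS and two cleartext flows, two of which stay on the LAN (the login and the SSDP discovery), the two cloud hostnames taken from SNI, and the single flow where a password crosses the wire unencrypted. On a real capture the same split tells you which traffic a MITM proxy would have to intercept and which hostnames to name in a preservation request.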
Slide 15: Physical Analysis
- Memory images: Arlo, iSmartAlarm Cube One
- Filesystem images: Wink, Arlo (partially)
- NVRAM settings
- Settings & events, depending on the device

Slide 16: Physical Analysis (figure only)

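Slides 11, 12 and 15 name the firmware tooling (binwalk, strings, hexdump) and the physical images that were obtained (NVRAM settings, filesystem images). As an added example, not code from the deck or its authors, this is the first pass a practitioner makes over a raw flash dump before handing it to binwalk: locate embedded objects by their magic bytes, pull printable strings the way `strings -n 4` does, and parse an NVRAM-style region of NUL-terminated key=value pairs, reporting sensitive keys by name and value length only so the report does not reproduce Wi-Fi passphrases or cloud tokens. The image is constructed, and the NVRAM layout is assumed to be the common `key=value\0` format, which not every device uses.

```python
import re

# Magic bytes that signature-based carvers such as binwalk key on, with the label shown in the report.
SIGNATURES = [
    (b"\x27\x05\x19\x56", "U-Boot legacy image header (uImage)"),
    (b"\x7fELF", "ELF executable"),
    (b"hsqs", "SquashFS filesystem (little-endian)"),
    (b"sqsh", "SquashFS filesystem (big-endian)"),
    (b"UBI#", "UBI erase block"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
]
# Assumed NVRAM layout: printable key, '=', value, NUL terminator, repeated.
NVRAM_PAIR = re.compile(rb"([A-Za-z0-9_.:\-]{2,64})=([^\x00]{0,512})\x00")
SENSITIVE_KEY = re.compile(r"pass|psk|key|secret|token|pin|user|ssid|mac|serial", re.I)


def scan_signatures(blob: bytes) -> list:
    """Every (offset, label) at which a known magic sequence occurs, sorted by offset."""
    hits = []
    for magic, label in SIGNATURES:
        start = 0
        while (i := blob.find(magic, start)) != -1:
            hits.append((i, label))
            start = i + 1
    return sorted(hits)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, as `strings -n min_len` would print them."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def parse_nvram(blob: bytes) -> dict:
    """key=value pairs from an NVRAM-style region; a later duplicate key overwrites an earlier one."""
    return {k.decode("ascii"): v.decode("utf-8", "replace") for k, v in NVRAM_PAIR.findall(blob)}


def triage(blob: bytes) -> dict:
    """One-screen summary: layout, settings worth reading, secrets worth noting but not printing."""
    settings = parse_nvram(blob)
    return {
        "layout": scan_signatures(blob),
        "settings": {k: v for k, v in settings.items() if not SENSITIVE_KEY.search(k)},
        "sensitive": {k: f"<{len(v)} chars>" for k, v in settings.items() if SENSITIVE_KEY.search(k)},
        "string_count": len(extract_strings(blob)),
    }


def make_sample_image() -> bytes:
    """Constructed flash dump: uImage header, SquashFS stub, erased gap, NVRAM-style settings region."""
    uimage = b"\x27\x05\x19\x56" + b"\x00" * 60                    # 64-byte uImage header, fields zeroed
    rootfs = b"hsqs" + b"\x00" * 28 + b"/bin/busybox\x00/etc/passwd\x00"
    nvram = b"\x00".join([
        b"wl0_ssid=HomeNet", b"wl0_wpa_psk=constructed-psk", b"lan_ipaddr=192.168.1.1",
        b"cloud_token=sample-token-0001", b"fw_version=2.1.9", b"tz=Europe/Zurich",
    ]) + b"\x00"
    return uimage + rootfs + b"\xff" * 16 + nvram                  # 0xff bytes = erased flash


if __name__ == "__main__":
    report = triage(make_sample_image())
    for offset, label in report["layout"]:
        print(f"0x{offset:08x}  {label}")
    print("settings:", report["settings"])
    print("sensitive:", report["sensitive"])
```

The offsets from `scan_signatures` are what you feed to `dd` or to a SquashFS unpacker to carve the filesystem image; the NVRAM keys give you the device's configured network, timezone and cloud linkage, which is the "settings" half of the "settings & events" the slide mentions. Two-byte magics (JFFS2's 0x1985, for example) are deliberately left out because on a multi-megabyte dump they produce too many false hits without a structural check behind them.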
Slide 17: Smartphone Application Artifacts
- Android phone (Samsung Galaxy S6 Edge)
Artifacts found per app:
- iSmartAlarm: cloud credentials; events; UPnP-discovered devices; MQTT topic information
- Arlo: cloud credentials (token); linked devices; thumbnails
- Nest: user information; linked devices; events; video extracts
- QBee: cloud credentials; user information
- Wink: linked devices; events (long-term storage)

Slide 18: Smartphone Application Artifacts
Investigation: app decompilation

Slide 19: Smartphone Application Artifacts
Nest cache; Arlo cache; Arlo settings (Realm DB); Wink Hub events

Slide 20: Smartphone Application Artifacts (diagram)
Official apps (Arlo, Nest) vs. aggregators
Cloud: increased persistence
Access: reuse of the credentials found on the smartphone; request to the service provider
Arlo: recorded videos
DFRWS Challenge submissions: Wink Hub (devices & events), iSmartAlarm (members), Nest (devices, events & clips)

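Slides 10 and 17 to 20 make the point that traditional mobile forensic tools had no parsers for these apps, so the artifacts (cloud tokens in shared preferences, event tables in SQLite databases, JSON caches) had to be located by hand and then turned into plugins. As an added example, not the authors' Autopsy plugin code, this builds the kind of parser such a plugin wraps: walk an extracted app data directory, pull credential-like keys out of shared_prefs XML (redacted for the report but kept for correlation with the cloud side), and merge every timestamped row from SQLite tables and JSON caches into one UTC timeline, normalising the seconds-versus-milliseconds mix that different apps use. The package name, file names, schema and timestamps are constructed stand-ins, not any real vendor's layout.

```python
import json, re, sqlite3, tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

TIME_COLS = re.compile(r"(^|_)(ts|time|timestamp|created|updated|date)(_|$)|_at$", re.I)
SECRET_KEYS = re.compile(r"token|password|passwd|secret|session|cookie|api_?key", re.I)


def to_utc(value):
    """Epoch seconds or milliseconds (int or str) -> ISO-8601 UTC string; None if not a timestamp."""
    try:
        n = float(value)
    except (TypeError, ValueError):
        return None
    if n > 1e11:                      # 12+ digits: treat as milliseconds
        n /= 1000.0
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def redact(secret: str) -> str:
    # Keep a short prefix for correlation with other artifacts; never put the whole credential in the report.
    return f"{secret[:4]}... ({len(secret)} chars)"


def parse_shared_prefs(path: Path) -> dict:
    """Android shared_prefs XML: <string name="k">v</string> or <long name="k" value="v"/>."""
    found = {}
    for el in ET.parse(path).getroot():
        name, value = el.get("name"), (el.text if el.tag == "string" else el.get("value"))
        if name and value is not None and SECRET_KEYS.search(name):
            found[name] = redact(value)
    return found


def parse_sqlite(path: Path) -> list:
    """(utc, source, description) for each row of every table that has a timestamp-like column."""
    rows = []
    con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)   # read-only: never modify the evidence copy
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')]
        tcol = next((c for c in cols if TIME_COLS.search(c)), None)
        if tcol is None:
            continue
        for rec in con.execute(f'SELECT * FROM "{table}"'):
            rec = dict(zip(cols, rec))
            if when := to_utc(rec.pop(tcol)):
                rows.append((when, f"{path.name}:{table}", ", ".join(f"{k}={v}" for k, v in rec.items())))
    con.close()
    return rows


def parse_json_cache(path: Path) -> list:
    """Recursively pull every timestamped object out of an app's JSON cache."""
    rows = []

    def walk(node):
        if isinstance(node, dict):
            stamps = {k: to_utc(v) for k, v in node.items() if TIME_COLS.search(k) and to_utc(v)}
            rest = json.dumps({k: v for k, v in node.items() if k not in stamps}, sort_keys=True)
            rows.extend((when, f"{path.name}:{k}", rest) for k, when in stamps.items())
        for child in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()):
            walk(child)

    walk(json.loads(path.read_text()))
    return rows


def build_timeline(app_dir: Path):
    """Walk an extracted /data/data/<pkg>/ tree; return (sorted timeline, redacted credentials)."""
    timeline, credentials = [], {}
    for p in sorted(p for p in app_dir.rglob("*") if p.is_file()):
        if p.suffix == ".xml" and p.parent.name == "shared_prefs":
            credentials.update(parse_shared_prefs(p))
        elif p.read_bytes()[:15] == b"SQLite format 3":
            timeline.extend(parse_sqlite(p))
        elif p.suffix == ".json":
            timeline.extend(parse_json_cache(p))
    return sorted(timeline), credentials


def make_sample_app_dir(root: Path) -> Path:
    """Constructed stand-in for a hypothetical smart-home app's data directory, not a real vendor's layout."""
    app = root / "com.example.smarthome"
    for sub in ("shared_prefs", "databases", "cache"):
        (app / sub).mkdir(parents=True)
    (app / "shared_prefs" / "com.example.smarthome_preferences.xml").write_text(
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '  <string name="user_email">owner@example.org</string>\n'
        '  <string name="auth_token">eyJhbGciOiJub25lIn0.constructed.sample</string>\n'
        '  <long name="last_sync" value="1555242000000" />\n</map>\n')
    con = sqlite3.connect(app / "databases" / "events.db")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, device TEXT, type TEXT, ts INTEGER)")
    con.executemany("INSERT INTO events (device, type, ts) VALUES (?, ?, ?)", [
        ("front_door", "opened", 1555241100000),          # ms, 2019-04-14T11:25:00Z
        ("hub", "armed", 1555240200000),                  # ms, 2019-04-14T11:10:00Z
        ("motion_livingroom", "motion", 1555241160000)])  # ms, 2019-04-14T11:26:00Z
    con.commit()
    con.close()
    (app / "cache" / "devices.json").write_text(json.dumps(
        {"devices": [{"id": "cam01", "name": "Garage cam", "last_event_at": 1555241220}]}))  # seconds
    return app


def demo():
    """Build the constructed tree in a temporary directory and parse it; returns (timeline, credentials)."""
    with tempfile.TemporaryDirectory() as tmp:
        return build_timeline(make_sample_app_dir(Path(tmp)))
```

`demo()` returns the four events in time order (hub armed, front door opened, motion, camera event) with their originating file and table, plus the single redacted token. Wrapping `build_timeline` in an Autopsy ingest module is then a matter of pointing it at the carved app directory and posting each tuple as an artifact; the heuristics (column-name regex, the 1e11 threshold between seconds and milliseconds) are the part that needs validating against a controlled acquisition of each new app before the output is relied on, which is the point slide 23 makes.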
Slide 21: Freezing the IoT crime scene
Live data (transmitted): authentication credentials (e.g. CVE-2018-16225), current events
Stored data: not always persistent; sometimes accessible live (with prior knowledge of the device), e.g. CVE-2018-16224
First responder activities generate IoT traces at the scene
Risk of data loss

Slide 22: Discussion (figure only)

Slide 23: Discussion
New devices: the meaning of the data is unknown, so interpretation is prone to error and misinterpretation.
Controlled environment testing, then sharing the results (+ peer review), gives a better and more widely accepted knowledge of the meaning of the data, and hence increased admissibility.

Slide 24: Issues
• Smartphone artifacts not produced in the background
• Physical: extraction methods; volatility of traces
• Variety of protocols

Slide 25: Future Research
Study common smart-home IoT devices
Analyse IoT RF activities (e.g. Zigbee, Z-Wave)
Chip-off analysis

Slide 26: Thank You
https://github.com/fservida/msc_autopsy_plugins
https://github.com/fservida/msc_thesis 1041639
https://francescoservida.ch
francesco.servida@unil.ch

Page 2: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Outline

bull Smart Devicesbull Forensic Interestbull Methodologybull Resultsbull Discussion

2

Smart Devices

3

Security systemscamerasdoor locksmotion sensorssmoke amp CO detectors

Smart assistantsaudiovideo

Smart hubs

Smart firewalls

Smartmicrowave stove grill crock potrefrigeratorgrow systemcoffee makertelevisionthermostatlight bulbsplugstoys

Forensic Interest

bull Myriad of sensors

bull Highly connected

bull Low security

4

bull Direct Targetsndash Sensitive Data

bull Secondary targetsndash Alarm Systemsndash laquoTrojan Horsesraquondash Botnets (eg Mirai)

bull Witnesses

IoT forensics approach

Enterprise IoT- Proactive collection

Home IoT- What to do on an ldquounpreparedrdquo crime scene

5

Methodology

6

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 3: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Smart Devices

3

Security systemscamerasdoor locksmotion sensorssmoke amp CO detectors

Smart assistantsaudiovideo

Smart hubs

Smart firewalls

Smartmicrowave stove grill crock potrefrigeratorgrow systemcoffee makertelevisionthermostatlight bulbsplugstoys

Forensic Interest

bull Myriad of sensors

bull Highly connected

bull Low security

4

bull Direct Targetsndash Sensitive Data

bull Secondary targetsndash Alarm Systemsndash laquoTrojan Horsesraquondash Botnets (eg Mirai)

bull Witnesses

IoT forensics approach

Enterprise IoT- Proactive collection

Home IoT- What to do on an ldquounpreparedrdquo crime scene

5

Methodology

6

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 4: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Forensic Interest

bull Myriad of sensors

bull Highly connected

bull Low security

4

bull Direct Targetsndash Sensitive Data

bull Secondary targetsndash Alarm Systemsndash laquoTrojan Horsesraquondash Botnets (eg Mirai)

bull Witnesses

IoT forensics approach

Enterprise IoT- Proactive collection

Home IoT- What to do on an ldquounpreparedrdquo crime scene

5

Methodology

6

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 5: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

IoT forensics approach

Enterprise IoT- Proactive collection

Home IoT- What to do on an ldquounpreparedrdquo crime scene

5

Methodology

6

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 6: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Methodology

6

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 7: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Methodology

7

- Literature review

- Existing Vulnerability Reports

- Home automation communities

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 8: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Methodology

8

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

Investigation App Decompilation

Smartphone Application Artifacts

19

Nest cache

Arlo cache

Arlo Settings (Realm DB)Wink Hub Events

ArloNest

Offi

cial

App

s

Agg

rega

tors

CloudIncreased persistence

Access

- Reuse of credentials on smartphone- Request to Service Provider

Arlo

- Recorded videos

DFRWS Challenge submissions

- Wink Hub - Devices amp Events iSmartAlarm - Members Nest - Devices Events amp Clips 1

20

Freezing the IoT crime sceneLive Data (Transmitted)

Authentication Credentials (eg CVE-2018-16225) Current Events

Stored Data

Not always persistent Sometimes accessible live (w previous knowledge of the device)

Eg CVE-2018-16224

First responder activities generate IoT traces at scene

Risk of data loss

Discussion

22

Discussion

23

New devices

Unknown meaning of the data prone to error and misinterpretation

Controlled Environment Testing

Share results (+ Peer Review) Better and more accepted knowledge of the meaning

of the data Increased admissibility

Issues

24

bull Smartphone artifacts not produced in background

bull Physicalndash Extraction methodsndash Volatility of traces

bull Variety of protocols

Future ResearchStudy common smarthome IoT devices

Analyse IoT RF activities (eg Zigbee Z-Wave)

Chip-off analysis

25

26

httpsgithubcomfservidamsc_autopsy_plugins

Thank You

httpsgithubcomfservidamsc_thesis 1041639

httpsfrancescoservidach

francescoservidaunilch

Page 9: IoT Forensics Challenges and Opportunities for Digital Traces · IoT Forensics Challenges and Opportunities for Digital Traces 26.04.19 DFRWS Europe 2019 1 Francesco Servida, Eoghan

Methodology

9

Who How What

Methodology

10

What traces on a smartphone

bull Traditional Tools -gt No parsers

bull Manual investigation and correlation

bull Plugin development

Methodology

11

- Builds on Network Analysis- Listening ports Traffic Type Traffic Content

- MITM- mitmproxy SSLsplit

- Firmware Analysis- Binwalk strings hexdumphellip

Methodology

12

- Serial Connection- Root Access- (JTAG)- (Chip Off)

- Physical Images- NVRAM Settings- Filesystem Images

Network Analysis

13

- Mostly TLS

- Only a minority is local traffic

Network Analysis

14

- iSmartAlarm- laquoEncryptedraquo traffic with Android app 1

- Unauthenticated diagnostic logs access (CVE-2018-16224)

- QBee- Cleartext traffic with Android app (CVE-2018-16225)

- (UPnP port forwarding)

(1) httpsdojobullguardcomdojo-by-bullguardblogburglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities

Physical Analysis

15

- Memory Images- Arlo iSmartAlarm Cube One

- Filesystem Images- Wink Arlo (Partially)

- NVRAM Settings

- Settings amp Events depending on device

Physical Analysis

16

Smartphone Application Artifacts

17

- Android Phone (Samsung Galaxy Edge S6)

iSmartAlarm Arlo Nest QBee WinkCloud Credentials

EventsUPnP discovered devices

MQTT Topic Infos

Cloud Credentials (token)Linked devices

Thumbnails

User InformationsDispositifs Lieacutes

EventsVideo Extracts

Cloud Credentials User Info

Linked DevicesEvents (Long term storage)

Smartphone Application Artifacts

18

- Investigation
- App Decompilation

Smartphone Application Artifacts

19

- Nest cache
- Arlo cache
- Arlo Settings (Realm DB)
- Wink Hub Events

(Figure: Official Apps (Arlo, Nest) vs. Aggregators)

Cloud

20

- Increased persistence
- Access: Reuse of credentials on smartphone; Request to Service Provider
- Arlo: Recorded videos
- DFRWS Challenge submissions: Wink Hub - Devices & Events; iSmartAlarm - Members; Nest - Devices, Events & Clips (1)

Freezing the IoT crime scene

21

- Live Data (Transmitted): Authentication Credentials (e.g. CVE-2018-16225); Current Events
- Stored Data: Not always persistent; Sometimes accessible live (with previous knowledge of the device), e.g. CVE-2018-16224
- First responder activities generate IoT traces at scene
- Risk of data loss

Discussion

22

Discussion

23

- New devices -> Unknown meaning of the data, prone to error and misinterpretation
- Controlled Environment Testing -> Share results (+ Peer Review) -> Better and more accepted knowledge of the meaning of the data -> Increased admissibility

Issues

24

• Smartphone artifacts not produced in background

• Physical
  – Extraction methods
  – Volatility of traces

• Variety of protocols

Future Research

25

- Study common smarthome IoT devices
- Analyse IoT RF activities (e.g. Zigbee, Z-Wave)
- Chip-off analysis

Thank You

26

https://github.com/fservida/msc_autopsy_plugins

https://github.com/fservida/msc_thesis 1041639

https://francescoservida.ch

francesco.servida@unil.ch
