Towards the design of a forensic methodology for the investigation of cyberincidents on the internet of things

  1. Castelo Gómez, Juan Manuel
Supervised by:
  1. José Luis Martínez Martínez (Director)
  2. Pedro Angel Cuenca Castillo (Tutor)

University of defence: Universidad de Castilla-La Mancha

Year of defence: 2021

Examination committee:
  1. Enrique Arias (Chair)
  2. Juan Boubeta Puig (Secretary)
  3. Jesús Martínez Del Rincón (Member)

Type: Thesis

Abstract

The digital era has meant a drastic change in the way in which mankind acts, bringing technology to environments which did not previously have any technological devices. Until recently, such devices were easily recognizable due to their size; the first computers were the size of an entire room, and something similar occurred with the early smart phones, making it unthinkable that they would eventually fit in the pocket of a pair of jeans. Nowadays, we can carry our mobile phone in the palm of our hand, and its computing power considerably exceeds that of the computer which sent the first human into space. Even though the use of computers, smart phones and tablets may be considered by the ordinary user as the greatest technological development in recent years, the truth is that we are now facing a scenario which is having, and will have, a greater impact. This scenario is the IoT, and, as may be suspected from its name, its scope is unimaginable. What for many people is an unknown term is, in reality, a colossal system that is evolving at a rapid pace. Data do not lie, and nowadays the number of IoT devices which are connected to the Internet exceeds the number of those which are not. Therefore, the immediate question that arises from this fact is the following: what is an IoT device? The answer, however, is not as immediate. When we talk of IoT devices we are referring to sensors, TVs, actuators, smart watches, and even refrigerators. While the term "things" may be vague, it is, in fact, very representative: anything that is connected to the Internet. The direct consequence of any element being able to connect to the Internet is that new environments appear which did not exist before. For example, we speak of eHealth when this technology is applied in the field of medicine, of smart homes when applying it to a building, or smart industry when the target is factories or the means of production.
Pacemakers connected to the Internet which are constantly sending data regarding the health of their owners, sensors which monitor the presence of a person, for example, in a room and alert the homeowner when movement is detected, or devices controlling the stock in a warehouse are examples of IoT devices. Ultimately, the term IoT may not be familiar to some, but we are surrounded by it. Unfortunately, not every piece of news is positive when we talk about the IoT. The security of these devices has not been as successful as their market share, a fact which has caused IoT systems to be one of the favourite environments for cybercriminals to perform their attacks on. If we combine weak security measures with the sensitivity of the data that IoT devices handle, the result is a scenario in which it is very easy to obtain valuable information with little effort. Consequently, the materialization of cyberattacks means the creation of cyberincidents, which must be studied in order to determine what has occurred. This process is known as a forensic investigation. As in any other field, the arrival of a new technology, in this case the IoT, implies the need to develop new solutions, and, at the same time, requires an evaluation of the existing ones in order to determine whether they are capable of managing the new scenario with all the necessary guarantees. At the same time, due to the close relationship between forensic analysis and the justice system, these solutions must comply with the existing legal framework. And this is the objective of this doctoral thesis, namely to develop a solution which can assist in making IoT forensic investigations more effective and complete. 
To achieve this, after carefully studying the existing solutions in the field of forensics and evaluating the characteristics and requirements of IoT devices, this doctoral thesis proposes a forensic methodology which details the phases and considerations that an investigator must take into account when performing an investigation in this new environment. This methodology combines aspects of conventional forensic analysis, which targets the study of non-IoT devices, and which has been approved by the scientific community and is used daily in legal processes, with specifically designed elements which address the examination of IoT devices, presenting a solution which complies with the current legal framework and is easy to adopt by forensic investigators. In fact, when it was evaluated, it was determined that the proposal can be successfully used as a reference for performing forensic investigations in scenarios simulating real life cyberincidents, achieving better results than those of the existing IoT models, frameworks and methodologies designed by the research community.