
An Investigation Framework for Internet of Things Spatial Modelling and Forensic Reconstruction

Supervisor

Nisbet, Alastair
Mohaghegh, Mahsa

Item type

Thesis

Degree name

Doctor of Philosophy

Publisher

Auckland University of Technology

Abstract

Internet-enabled Things, equipped with sensors and utilised for various applications, are a complex type of digital device that has become considerably more prevalent over the last decade. Coming in a variety of form factors to suit different physical environments, this digital device type has caused the lines that traditionally separated a physical scene from a digital scene to blur. Though often resource-constrained, Things are a valuable source of digital evidence in investigations. Whilst the data generated depends on the role of a device for an application, the data may be stored across multiple platforms, including any locally available storage. Forensic examination of Things collected from an evidential scene may yield valuable evidence for the forensic investigator. However, identifying Things at the scene of a forensic examination is difficult. The conventional procedure of search and seizure applicable for identifying digital devices is more suited for device types, such as USB sticks, mobile phones and computers, which are immediately distinguishable as digital devices because of their external appearance. Most Things, however, are not immediately distinguishable due to physical similarities to ordinary physical objects. Therefore, investigators searching for digital devices may overlook various Things and leave those devices behind. Additionally, identifying Things by applying the search and seizure procedure risks inadvertently tampering with the scene, as actions that investigators take to search for digital devices at the evidential scene may trigger changes to the state of one or more sensor-equipped devices. This research attempts to fill this significant gap in investigative procedures by providing a framework that will enable investigators to search an evidential scene much better prepared to identify Things. 
An approach that will also give investigators the greatest possibility to obtain forensic evidence of the various Things at the scene, including their locations, is to capture and examine the real-time communications of Things for the number and locations of active Things. With every active Thing located prior to entry, investigators will be able to search for digital devices and avoid leaving an unknown number of Things at the evidential scene unaccounted for. With evidence of the locations obtained in the form of communications before entering a scene, investigators will be able to justify the actions involved to search the locations for the sensor-equipped devices. However, there are several challenges to this approach. Consider a domestic residence as an example of a scene that investigators monitor for some time to obtain evidence of the location of every active Thing. Communications that yield forensic evidence will need to be obtained without entering a scene and without using any fixed monitoring infrastructure, both because that may not be possible and to avoid tampering with the evidential scene inadvertently. This research, hence, provides a framework that is specifically suited for forensic investigators to locate and track the active Things at the evidential scene whilst obtaining evidence suitable for forensic purposes. As one of the principal objectives of capturing communications is to obtain location evidence, this research examines how location accuracy is affected by the distance and the number of locations from which communications are captured. Whilst the framework developed is primarily suited for investigative purposes, it may be utilised in many other scenarios where monitoring the network traffic of Things to locate them is required.
