Internet of Things Forensics



With more internet-connected devices than people on Earth, the “Internet of Things” (IoT) is a quickly expanding field of technology. The term IoT refers to physical objects that can communicate, or send and receive data, over a network. These objects can include everything from a crockpot (from WEMO) and slippers (from 24eight) to routers that connect a laptop to the internet. With the diversity and usefulness of these objects, this field is an interesting case study for security and forensic research.

With the IoT industry growing at a rapid rate, many security engineers have begun to take an interest in it. For example, there is a website that has assembled a long list of guides, created by people who enjoy reverse engineering, on how to root IoT devices. Additionally, there are many resources that explain how to intercept network traffic used by IoT devices and even modify data while it is in transit. Since it’s possible that each IoT device has its own modified operating system, it will be interesting to analyze the various forensic artifacts that could potentially be pulled from the device.


This semester the LCDI will be researching how to conduct forensic investigations on various “Internet of Things” (IoT) devices. Some of the devices being researched include the Nest Thermostat, the Wink Hub, and a Samsung Smart Camera. We will be looking at what data is stored on the devices themselves, while also looking at a Next Best Thing (NBT) approach. This type of approach has been proposed by other researchers in the field of IoT forensics and involves looking at the device that will hold the next best source of evidence. As access to the cloud servers where most of the devices will store and process data will be limited in this project, we will also be examining the smartphone applications that control the end devices.

Some of the questions that will be asked are as follows:

  1. Do any of the Internet of Things devices hold any forensic data such as temperature, video, traces of intrusion, or when persons were in the home? What is the format of the data, e.g. SQLite?
  2. How can Internet of Things device data be helpful in an investigation?
  3. Where is data being sent and how often?
  4. Are these devices’ data stored in a mobile application?
  5. Does the device have a web-based / cloud application, and can this be exploited for information?
  6. Is it possible to do a flow (traffic pattern) analysis to determine when someone is in the house/away?


These are just a few of the questions we hope to answer through our research. We would love to hear suggestions as to other questions that the forensic community would be interested in having answered! Leave a comment or contact us on Twitter at @ChampForensics.


Oriwoh, Edewede, and Geraint Williams. “Internet of Things: The Argument for Smart Forensics.” Handbook of Research on Digital Crime, Cyberspace Security, and Information Assurance (2014): 407.
