4.4 Pre-investigation and real-time approach 11
This approach proposes two phases to ensure that all evidence is acquired and stored in an accepted way, so that investigators can retrieve it smoothly. The first phase is the pre-investigation phase, which has two sides: a management perspective and a technical perspective. The management perspective covers the procedures that could facilitate the IoT investigation from a managerial point of view, such as preparing plans and determining the assets investigators will need. The technical perspective covers how to interact with the incident and how to narrow the scope of the evidence and devices included in the investigation by answering the following questions: What/how to identify? What/how to collect? How to preserve? The second phase is to monitor the IoT devices in real time; if any abnormal activity is detected, collection of the data identified in the pre-investigation phase starts automatically.
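The two phases, as an added example that is not code from the surveyed approach or from this paper: a pre-investigation plan that records, per device, what to identify, what to collect and how to preserve it, and a real-time monitor that triggers collection of exactly those artifacts when a reading deviates from its recent history. The device names, MAC addresses, file paths, telemetry values and the z-score anomaly rule are all constructed for the example.

```python
"""Added illustration of a pre-investigation plan plus real-time triggered
collection. Not code from the surveyed approach; all names and data are
constructed for the example."""
import hashlib
import statistics
from datetime import datetime, timezone

# Pre-investigation (technical side), decided before any incident:
# what to identify, what to collect, how to preserve, per device.
# Device identifiers, MACs and paths are hypothetical.
COLLECTION_PLAN = {
    "thermostat-01": {
        "identify": {"mac": "00:11:22:33:44:55", "zone": "IoT endpoint"},
        "collect": ["/var/log/thermo.log", "/config/wifi.json"],
        "preserve": "sha256 hash + UTC acquisition time per artifact",
    },
    "door-sensor-02": {
        "identify": {"mac": "66:77:88:99:aa:bb", "zone": "IoT endpoint"},
        "collect": ["/var/log/events.log"],
        "preserve": "sha256 hash + UTC acquisition time per artifact",
    },
}

# Constructed stand-in for the devices' storage. A real collector would read
# these over the device's management interface or from a network tap.
DEVICE_FILES = {
    "thermostat-01": {
        "/var/log/thermo.log": b"2024-01-01T00:00:00Z set_temp=21\n",
        "/config/wifi.json": b'{"ssid": "lab-net"}\n',
    },
    "door-sensor-02": {
        "/var/log/events.log": b"2024-01-01T00:00:05Z contact=open\n",
    },
}

# Constructed telemetry stream of (device, reading). The thermostat drifts
# around 21-22 C and then jumps to 45; the door sensor toggles 0/1 normally.
SAMPLE_READINGS = [
    ("thermostat-01", 21), ("door-sensor-02", 0), ("thermostat-01", 21),
    ("thermostat-01", 22), ("door-sensor-02", 0), ("thermostat-01", 21),
    ("thermostat-01", 21), ("door-sensor-02", 0), ("thermostat-01", 21),
    ("thermostat-01", 22), ("door-sensor-02", 0), ("thermostat-01", 21),
    ("thermostat-01", 21), ("door-sensor-02", 1), ("thermostat-01", 45),
    ("thermostat-01", 46),
]


def is_anomalous(history, value, window=10, z_threshold=3.0, min_scale=1.0):
    """True if `value` lies more than z_threshold 'standard deviations' from
    the mean of the last `window` readings. Needs at least 3 samples; the
    spread is floored at min_scale so a flat history does not flag every
    tiny change. (Simple z-score rule chosen for the example, not the paper's.)"""
    recent = history[-window:]
    if len(recent) < 3:
        return False
    scale = max(statistics.pstdev(recent), min_scale)
    return abs(value - statistics.mean(recent)) / scale > z_threshold


def collect(device, plan=COLLECTION_PLAN, files=DEVICE_FILES, acquired_at=None):
    """Real-time phase: acquire exactly the artifacts the plan names for
    `device` and return one chain-of-custody record per artifact."""
    if device not in plan:
        raise KeyError(f"{device} is not in the pre-investigation plan")
    acquired_at = acquired_at or datetime.now(timezone.utc).isoformat()
    records = []
    for path in plan[device]["collect"]:
        data = files.get(device, {}).get(path)
        record = {"device": device, "path": path, "acquired_at": acquired_at}
        if data is None:
            record["status"] = "missing"  # still logged: absence is evidence too
        else:
            record.update(status="acquired", size=len(data),
                          sha256=hashlib.sha256(data).hexdigest())
        records.append(record)
    return records


def monitor(readings, plan=COLLECTION_PLAN, files=DEVICE_FILES):
    """Consume a (device, value) stream; on the first anomaly per device,
    collect its planned artifacts automatically. Returns {device: records}."""
    history, evidence = {}, {}
    for device, value in readings:
        hist = history.setdefault(device, [])
        if device in plan and device not in evidence and is_anomalous(hist, value):
            evidence[device] = collect(device, plan, files)
        hist.append(value)
    return evidence


if __name__ == "__main__":
    for device, records in monitor(SAMPLE_READINGS).items():
        for r in records:
            print(device, r["path"], r["status"], r.get("sha256", ""))
```

The point of the split is that the monitor never has to decide at incident time what is worth taking: the plan fixes the artifact list and the preservation rule in advance, so the automatic collection is repeatable and a missing artifact is recorded rather than silently skipped. Collection is triggered once per device here; a production collector would also snapshot volatile state (network connections, process list) before the device is rebooted or the anomaly is acted on.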
While the approaches described in sections 4.2, 4.3 and 4.4 appear effective and address some of the challenges mentioned, they are better suited to medium and large IoT infrastructures; they could be difficult to implement in a small IoT infrastructure such as a smart home because of the relative complexity of their deployment.
4.5 Top-Down forensics methodology 12
This model is designed to fill the gap in current models. It starts with authorization, planning and warrant; after completing these three fundamental stages, the investigator discovers the IoT infrastructure, then identifies and captures the IoT devices of interest from the selected zone (Figure ()), and can then complete the traditional forensic procedures such as chain of custody, analysis, proof and defense.
1. Conclusion and discussion
Our approach is designed to work side by side with the 1-2-3 zone approach. Since that approach divides the IoT environment into three zones, our approach divides the IoT forensics process into three domains: 1) Domain 1, IoT endpoint forensics; 2) Domain 2, network forensics; 3) Domain 3, cloud forensics.
In any IoT environment, events are noticed by one or more sensors. The main role of a sensor is to transmit what it has measured to the IoT controllers, which in turn process the received data, may store it, and then transmit it to the other domains. So, at this stage the investigator needs two forensic domains: Domain 1 (IoT endpoint forensics) and Domain 2 (network forensics).
Once data has been captured and processed by the controller, it travels toward its final destination, which is the cloud. The media and devices traversed during that journey belong to the second domain, and since the devices involved in this domain are network devices like