Can you do a full research work for Network Security in Cloud Computing with AWS as a case study, under the umbrella of Cyberforensics? The case study has to be detailed and has to be done properly, with detailed screenshots as well to show the entire process.
Build a cyberforensic case from scratch, solve it, show all the artifacts and evidence, and put everything into writing.
What artifacts do you plan to use? What tools do you intend to use? And can you describe the scenario you plan to use for the case study? What happened, the incident, the resolution, more like a very short description.
Task details and instructions: You are required to submit an essay and conduct a digital forensic analysis of Network Security in the AWS platform. Specifically, you are required to conduct a digital forensic investigation and analysis of the AWS platform in an approach similar to the given base paper. You are required to follow the methodology of the given base paper; however, you need to apply it to AWS accordingly. You are required to follow the given base paper methodology and produce comparable results and document your results in a similar format.
Formatting: Should be in single column, font 12 Times New Roman, IEEE referencing format (numbered), single line spacing, left aligned and not less than 3,000 words. All figures should be focused and very sharp! Figures and tables should be used only when necessary, and inclusion of irrelevant contents would be penalized! Please make sure all figures and tables are cited in-text. Obviously, your paper should not have any writing or grammar issues!
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 4, AUGUST 2019 6487
IoT Forensics: Amazon Echo as a Use Case
Shancang Li, Kim-Kwang Raymond Choo, Senior Member, IEEE, Qindong Sun, William J. Buchanan, and Jiuxin Cao
Abstract—Internet of Things (IoT) devices are increasingly common in our society, and can be found in civilian settings as well as sensitive applications, such as battlefields and national security. Given the potential of these devices to be targeted by attackers, they are a valuable source in digital forensic investigations. In addition, incriminating evidence may be stored on an IoT device (e.g., Amazon Echo in a home environment and Fitbit worn by the victim or an accused person). In comparison to IoT security and privacy literature, IoT forensics is relatively under-studied. IoT forensics is also challenging in practice, particularly due to the complexity, diversity, and heterogeneity of IoT devices and ecosystems. In this paper, we present an IoT-based forensic model that supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure. Specifically, we use the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.
Index Terms—Amazon Echo forensics, digital forensics, Internet of Things (IoT), IoT forensic model, IoT forensics.
I. INTRODUCTION
In an Internet of Things (IoT) setting, the number of smart devices connected to the Internet can range from a few to billions. Such devices are often able to sense their environment (e.g., temperature, humidity, and wind speed), as well as interconnecting and communicating with each other [1]–[3]. According to Juniper research [4], more than 20.4 billion smart devices will be connected to IoT by the year 2020, generating approximately £134 billion annually by 2022 for the IoT cyber security industry. This is telling of the IoT trend in our society, which is also evident by IoT being extended to sectors, such as battlefields and military (e.g., Internet of Battlefield Things and Internet of Military Things) (see footnote 1).
Manuscript received July 24, 2018; revised November 21, 2018 and February 13, 2019; accepted March 10, 2019. Date of publication March 22, 2019; date of current version July 31, 2019. This work was supported in part by the National Natural Science Foundation under Grant 61571360, in part by the Shaanxi Science and Technology Co-Ordination and Innovation Project under Grant 2016KTZDGY05-09, and in part by the Innovation Project of Shaanxi Provincial Department of Education under Grant 17JF023. (Corresponding author: Shancang Li.)
S. Li is with the School of Computer Science, Xi’an University of Technology, Xi’an 710048, China, and also with the Department of Computer Science and Creative Technologies, University of the West of England, Bristol BS16 1QY, U.K.
K.-K. R. Choo is with the Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249 USA.
Q. Sun is with the School of Computer Science and Engineering, Xi’an University of Technology, Xi’an 710048, China.
W. J. Buchanan is with the School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, U.K.
J. Cao is with the School of Computer Science and Engineering, Southeast University, Nanjing 211189, China.
Digital Object Identifier 10.1109/JIOT.2019.2906946
In 2017, it was reported that users of Bose headphones were being spied upon without their consent [5]. Specifically, a plaintiff filed a complaint against Bose for their Bose connect application, which allegedly collected data on the music and audio books their users listened to, and sent the collected information to a third-party data miner (Segment.io). In the same year, Vizio [6], a Smart TV manufacturer, was also allegedly monitoring over 11 million smart TVs, where user data were being sent to other third parties without user consent [6]. Specifically, it was alleged that the manufacturer monitored the pixels displayed on the TV screen and matched these to movies stored on a database. This technique is known as automatic content recognition (ACR). Vizio was subsequently fined a total of $2.2 million by the U.S. Federal Trade Commission, and was also ordered not to track their users [6]. In addition, the organization was ordered to delete all their existing data relating to this incident (e.g., near-by access point details, postal codes, and the Internet protocol address (IP address) of the local network), and implement a privacy policy [7].
In general, an IoT system consists of a (large) number of IoT devices, IoT infrastructures, services and applications, and interface to other applications or services, which can be organized into four layers as shown in Fig. 1 [8].
1) Sensing layer, which includes sensing devices to sense and acquire information, such as smart sensors, radio-frequency identification (RFID), and client components of IoT.
2) Network layer, which is the infrastructure to support connectivity to Internet and other devices.
3) Service layer, which provides and manages services to users or other applications.
4) Application-interface layer, which provides interface to users or other services.
It can be expected that the increasing popularity and pervasiveness of IoT devices will make such devices more attractive to attackers, seeking to compromise our systems or exfiltrate our data, and gain a competitive advantage. In other words, any IoT device such as a 3-D printer, a smart switch, or a smart bulb in a smart home environment can potentially be compromised to gain access to the smart devices or the user’s personal data [1], [3], [9], [10]. In 2016, for example, distributed denial of service (DDoS) attacks targeting the domain name system (DNS) provider, Dyn, were carried out by a botnet comprising a large number (2.5 million) of compromised IoT devices (e.g., IP camera, smart printers, and home WiFi gateway) [2], [11]. In the past two years, a large number of vulnerability scans targeting IoT devices have also been reported. For example, in a recent study, Pour et al. [12] examined more than 1 TB of passive measurement data collected from a /8 network telescope (of IoT devices), in correlation with 400 GB of information from the Shodan service. Based on their findings, the authors were able to classify the “inferred IoT devices based on their hosting sector type (financial, education, manufacturing, etc.) and most abused IoT manufacturers” [13]. They also identified more than 120 000 Internet-scale exploited IoT devices, including in critical infrastructure sectors, as well as inferring “140 large-scale IoT-centric probing campaigns; a sample of which includes a worldwide distributed campaign where close to 40% of its population includes video surveillance cameras from Dahua, and another very large inferred coordinated campaign consisting of more than 50 000 IoT devices.” These findings echoed findings such as those of [14], in the sense that a large number of today’s IoT devices are insecure. This is not surprising due to the challenges in designing efficient security and privacy solutions. In other words, security and privacy solutions designed for IoT devices will have to take into consideration the interoperability and complex ecosystems, as well as the computational limitations in IoT devices.
Fig. 1. General IoT architecture.
Footnote 1: [Online]. Available: https://www.arl.army.mil/www/default.cfm?page=3050 (last accessed February 12, 2019)
2327-4662 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Hence, IoT devices are likely to be sources of evidence in a cyber security investigation (e.g., investigation of a DDoS attack) [15]. Unlike conventional digital forensics (e.g., mobile device forensics), the diversity in IoT devices (e.g., 3-D printers, roadside units in a smart transportation system, smart healthcare devices in a hospital, and smart military uniforms), and the different evidence and privacy regulations compound the challenges of such investigations [16]. Some of these challenges are as follows.
1) Identification: Identification of potential evidence in IoT environment can be challenging, particularly if the investigators are not familiar with the types of IoT devices present as well as the underpinning infrastructure.
2) Preservation: Once the potential source of evidence is identified, then the question is how can we acquire and preserve the evidence from the IoT devices, companion application, IoT services, networks in the IoT infrastructure, and so on, in a forensically sound manner.
3) Analysis: Depending on the format that the evidence is acquired, analysis of the acquired evidence may be challenging. We also have to ensure that the analysis takes into consideration data provenance and the interaction between IoT and cloud servers that facilitate the aggregation and processing of data from the IoT.
The following major contributions are presented in this paper.
1) We propose an IoT-based forensic analysis model, which supports the identification, acquisition, analysis, and presentation of potential artifacts of forensic interest from IoT devices and the underpinning infrastructure.
2) We address IoT device forensic investigation processes from the forensic perspective, in which each IoT device is expected to provide important forensic artifacts.
3) We analyze forensic artifacts retrieved from the popular Amazon Echo as a use case to demonstrate how our proposed model can be used to guide forensics analysis of IoT devices.
In this paper, we present an IoT forensic model (see Section III) and demonstrate how it can be used to guide the investigation of IoT devices, using Amazon Echo as a case study in Section IV. In the next section, we will briefly discuss related literature.
II. RELATED LITERATURE
In recent years, IoT forensics has attracted attention from the forensic community [17]–[20], for example in wearable devices [21], smart vehicles [22], smart home devices [23], and so on. Approaches may vary between the nature and type of digital forensic investigation. For example, at the IoT network layer, network forensics tools or methods are generally applied. We refer interested readers to the work of Caviglione et al. [24], who reviewed popular digital techniques in network forensics, reverse engineering, and so on, as well as the prevalent data storage formats and file systems. Key challenges were also briefly discussed. In another related work, Copos et al. [18] categorized IoT forensics into three zones: 1) IoT zone; 2) network zone; and 3) cloud zone, where each zone consists of different areas and forensics analysis activities.
Oriwoh and Sant [25] presented an automated forensic management system (FEMS) that was designed to collect data from a three-layered architecture, namely: perception, network, and application layers. However, in dynamic IoT networks, it is difficult for FEMS to investigate all states of the IoT devices. Zawoad and Hasan [14] proposed a forensic-aware IoT (FAIoT) model, which allows the collected evidence to be stored in a secure evidence repository server. Arias et al. [19] described the methods to investigate the device’s hardware and the relevant system (e.g., operating system, boot loader, remote installation, and communication system). In addition, a detailed security measurement for IoT devices was provided. In [26], a general IoT forensics framework was proposed, comprising a forensic state acquisition (FSAIoT), and a centralized forensic state acquisition (FSAC) to classify the evidence acquisition of IoT devices into three modes (i.e., controller to IoT devices, controller to cloud, and controller to controller) [27].
There have also been research efforts in smart home devices and the forensics of such devices. For example, Amazon Echo is increasingly used as the voice controller hub of smart sensors and devices, which plays a centric role in bridging different smart home devices and the Amazon cloud server. The Amazon Echo is activated by wake words like “Alexa,” but must also constantly listen for the wake-up command, and clearly this is a potential evidence source [20], [23], [28]. For example, Chung et al. [29] explained how companion clients (i.e., devices used to send and capture commands and responses from intelligent home assistants, such as Alexa) can also be a source of evidence.
A number of device fingerprinting techniques have also been developed, which can be used for the investigation of IoT devices. For example, sensor pattern noise (SPN) can be used to identify the source device that has acquired a digital image or video, and this is relevant for the investigation of IoT devices that have an image or video acquisition capability (e.g., unmanned aerial vehicles). In SPN-based image forensic analysis, as the most dominant part of SPN, the photograph response nonuniformity (PRNU) noise can be extracted from an image to build an image fingerprint and a camera fingerprint, which has been widely used in image origin identification and image forgery detection. Flicker forensics can also allow an investigator to identify an IoT device by analyzing the flicker signal and associating the parameters with some internal characteristics of the particular device [30].
In the next section, we will address our IoT forensic model.
III. PROPOSED IOT FORENSIC MODEL
When we conduct an IoT forensic investigation, we have to consider the sources of evidence other than the actual IoT devices, for example, the sensing, network, service, and interface layers (see Fig. 1).
Fig. 2. Proposed IoT forensic model.
Similar to conventional digital forensics, IoT forensics mainly consists of the following four stages: 1) identification; 2) preservation; 3) analysis; and 4) presentation [31].
1) In the identification stage, the focus should be on IoT devices (e.g., sensors and intelligent home assistants such as Amazon Echo), and any related infrastructure (e.g., routers).
2) In the preservation stage, we may require specialized/customized tools to acquire data from (proprietary) hardware and applications.
3) In the analysis stage, customized forensic tools may be required to analyze data from certain devices, other than the typical commercial forensic tools (e.g., EnCase and FTK). Both EnCase and FTK are commonly used forensics tools that can be used in digital security, security investigation, and e-discovery.
4) In the presentation stage, forensic investigators will need to detail the findings and be able to articulate the analysis, findings and their implications in a court of law. Meanwhile, the evidence items should be presented with their original format.
Building on the typical four-stage digital forensic process, we present an IoT forensic model (see Fig. 2). Specifically, our model starts from an offense classification stage, where the roles of IoT are classified into IoT as a target, IoT as a tool, and IoT as a witness. Then, each related device and the companion apps are examined using the above four-stage process. In addition, all acquired forensic artifacts are stored in an encrypted evidence repository.
A. Offense Classification
Due to the diversity of devices and heterogeneity of networks in an IoT setting, it can be challenging to identify all sources of evidence and collect all relevant forensic artifacts in a timely fashion, especially if third parties or remote servers (e.g., websites and cloud servers) are involved. First, to effectively identify the devices for an investigation, it is important to consider the nature of the offense (e.g., a serious and organized crime type will generally mean that more resources should be spent on the case), data acquisition methods, and relevant laws (e.g., what are the elements of proof) and regulations. In general, the IoT-related crimes can be grouped into three classes [32].
Fig. 3. IoT device identification procedure.
1) IoT device as a target (e.g., cyberattacks where vulnerabilities in IoT devices are exploited). IoT devices, particularly inexpensive devices, are likely to be resource limited in terms of computation capabilities, storage space, and power supply. Thus, it is challenging, or impractical, to install security solutions/packages on such devices, which makes them an easy target for cyber attacks.
2) IoT device as a tool: IoT devices can be used by forensic investigators as tools to identify, collect, analyze, or even present evidence in a digital investigation. For example, a compromised IoT device is being used to facilitate other malicious activities such as a botnet attack.
3) IoT device as a witness (e.g., data stored in the IoT device can directly implicate an individual accused of a crime), in which IoT devices are able to identify, collect, and preserve evidential data for forensic investigation. One prominent example involved the Amazon Echo, where an Arkansas man was accused of killing his friend. The prosecutor then sought recordings from the defendant’s Amazon Echo to be used as evidence [33]. IoT as a witness will likely happen again frequently in the future because IoT devices are now an integral part of our daily life.
Fig. 3 shows the workflow of IoT device identification, in which an IoT device will be examined using the appropriate approach.
B. IoT Device Identification
In this stage, we seek to answer the following questions.
1) What was/were available at the event/crime scene or a remote site?
2) Who and what was/were there when the event/crime occurred?
3) What are the constraints in collecting the required evidence?
4) What is the minimum set of evidence required to support the elements of proof for this specific offense?
A six-step IoT device identification method is presented in Fig. 4.
Fig. 4. IoT device identification.
1) Define device space, to identify the devices relating to the specific case.
2) Establish the device lifecycle, to identify the time span for the device examination.
3) Establish access, to identify the accessibility of the devices, including confidentiality, authentication, authorization, and so on.
4) Define data categories, to define the data category that the device can provide.
5) Network access control, to identify the connectivity of the networks relating to the device and isolate the device from the connections.
6) Identify the access to devices: this stage summarizes previous steps and establishes the availability of the device for investigators.
Despite the diversity of IoT device manufacturers, IoT devices share some similar features and capability. In general, an IoT device consists of a processor or micro-controller, read-only memory (ROM), random access memory (RAM), communication module (Bluetooth, wireless, ZigBee, etc.), and data input/output interfaces. To record the collected or generated data, an IoT device may be equipped with built-in secure digital (SD) memory to support removable memory. Software features of an IoT device include operating systems (some simple IoT devices may only run very simple code without an operating system), middleware, file system, and applications. Many IoT devices do not have a specific file system and in this case, the investigator may need to undertake further research, for example how to leverage the application software development kit (SDK) to obtain more information.
TABLE I EXAMPLE OF HARDWARE CHARACTERIZATION FOR IOT DEVICES
TABLE II EXAMPLE OF SOFTWARE CHARACTERIZATION FOR IOT DEVICES
Conventional digital forensic tools, such as DD, EnCase, FTK Imager, and SIFT, may also be useful in some cases. In IoT forensics, the data extraction tools/methods can be classified into five levels, namely: manual, logical, hex dumping/JTAG, chip-off, and micro-read [34]. For IoT devices that are not supported by existing forensic tools, the investigator could also consider seeking the cooperation of the device owner, reviewing seized material, seeking the assistance of the service provider (e.g., Amazon in the case of Amazon Echo), and so on.
C. Evidence Preservation
Tables I and II show the potential avenues for data preservation, and in this paper, we will focus on memory forensics. Specifically, we will focus on: 1) extracting data from the memory of a target IoT device and 2) analyzing the physical memory data (from RAM), page file (or swap space) data, etc. Swap space denotes areas on disk used for interchanging contents between main RAM and secondary memory. In Linux, swap is an actual disk partition, and on a Windows machine, the swap space is a pagefile. In digital forensics, the swap file is a rich source of key evidence items, including passwords, sensitive data, encryption keys, etc.
Live memory evidence extraction is another major issue in IoT forensic preservation. In resource-constrained IoT devices (e.g., limited computation, storage, energy supply, etc.), volatile memory extraction can often be conducted to extract key evidence stored in the RAM or an ongoing communication session [35]. A number of memory acquisition tools have been developed in the literature, such as the Android-based memory subsystem (ashmem) [36], Android low memory killer [37], and memory grab [38].
However, there are still challenges in live memory acquisition. For example, the memory protection unit (MPU) technology only allows specific instructions or code to access the memory. This prevents the forensic investigator from accessing the memory. In addition, anti-forensics (AF) techniques, including activities to overwrite data and metadata, compound the challenges of memory acquisition. For example, TimeStomp (see footnote 2) can be used to overwrite NTFS create, modify, access, and change timestamps [39].
Also, while a number of tools have been developed for live memory acquisition from computers and laptops (e.g., Winen, dd, dumpit.exe, winhex, nigilant32, memoryze, and readline), there are limited tools designed for IoT devices.
D. IoT Forensic Analysis and Presentation
IoT forensic analysis can be scenario- and device-specific, since IoT systems can have different configurations and settings. For example, in a smart home system as shown in Fig. 5, the devices involved may differ from those in an Industry IoT (IIoT) system. The general approach can include attempts to reconstruct the IoT crime/event scenes. The findings of the analysis also need to be documented and presented, for example to the jury, prosecutors, and judges.
IV. AMAZON ECHO (PI) FORENSICS
Amazon Echo is a popular intelligent home assistant or “smart home” IoT hub, which takes voice commands from the users to control itself and other connected IoT devices/sensors (e.g., smart lights, smart kettles, smart locks, smart thermostats, and smart doors) [40]. Using the voice recognition technology (i.e., Alexa in the case of Amazon Echo), users can interact with the connected IoT devices using their voice. Clearly, the devices require some sort of Internet connection (e.g., WiFi) [20].
In a prior work involving the analysis of Amazon Echo [29], it was reported that the user’s history data and interactions with Alexa are stored in the SQLite database and Web cache files. The authors analyzed two Amazon Echo Dots, with Android 4.4.2 + Alexa app, iOS 10.1.1 + Alexa app, OS X 10.10.5 + Chrome, and Windows 10 + Chrome. For the network analysis, it was determined that most of the communications were encrypted and the JSON format was used for passing parameters. The authors’ analysis of the communications revealed undocumented API calls to RESTful Web services. In other words, there are seven categories of data on the device, namely: account, customer setting, Alexa-associated devices, skills and behaviors of user, user activity, etc. The researchers found that most of the data contain UNIX timestamps, which could be used to create a timeline of activities within an investigation [29]. Within this application, the utterance API could be used to download voice files [41].
Footnote 2: [Online]. Available: https://www.offensive-security.com/metasploit-unleashed/timestomp/ (last accessed June 20, 2018)
Fig. 5. General IoT forensic analysis.
TABLE III LOCATION OF CLIENT ARTIFACTS [29]
Fig. 6. Alexa Pi firmware images created using EnCase 7.0.
The location of the client artifacts depends on the access method being used, such as for SQLite databases on iOS and Android, and within Chrome caches for OS X and Windows 10. A summary of these locations is presented in Table III.
On an Android device, the SQLite files are map_data_storage.db (which holds token information for the current user and is deleted when the user signs out) and DataStore.db. For an iOS device, there is a single file named LocalData.sqlite. While the Android analysis was fairly easy, the iTunes backup protocol had to be used in the iOS analysis. The Chrome access data was found stored in the data-block-files, making it possible to rebuild Alexa-related caches into the first HTTP headers and the cached data. This could be useful for determining user behaviors, as the stored things (e.g., user clicks) can lead to calls to Alexa APIs [41], [42].
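The timeline construction from UNIX timestamps and the SQLite client artifacts described above can be combined in one step. The following is an added example, not code from the paper or from Chung et al. [29]: it opens a SQLite artifact read-only, hashes it before and after analysis, and collects every timestamp-like cell into a sorted timeline. The sample database, its table and column names, and the plausibility window are constructed assumptions, since the page does not give the real schema.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed plausibility window for the case: 2010-01-01 .. 2035-01-01 UTC.
EPOCH_MIN = 1262304000
EPOCH_MAX = 2051222400


def sha256_file(path):
    """Hash the evidence file so integrity can be shown before and after analysis."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def to_utc(value):
    """Return an aware UTC datetime if value looks like a UNIX timestamp, else None."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    # Values far above the window are treated as milliseconds since the epoch.
    seconds = value / 1000.0 if value > EPOCH_MAX * 10 else float(value)
    if not EPOCH_MIN <= seconds <= EPOCH_MAX:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def build_timeline(db_path):
    """Scan every user table (ordinary rowid tables assumed) for timestamp-like cells."""
    # mode=ro makes SQLite refuse writes, so the working copy is not modified.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    events = []
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            cursor = conn.execute(f"SELECT rowid, * FROM {quoted}")
            columns = [d[0] for d in cursor.description]
            for row in cursor:
                for column, value in zip(columns[1:], row[1:]):
                    when = to_utc(value)
                    if when is not None:
                        events.append((when, table, column, row[0]))
    finally:
        conn.close()
    return sorted(events)


def make_sample_db(path):
    """Constructed sample only: table and column names are hypothetical."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE activity "
                 "(id INTEGER PRIMARY KEY, summary TEXT, created INTEGER)")
    conn.execute("CREATE TABLE device "
                 "(id INTEGER PRIMARY KEY, name TEXT, registered_ms INTEGER)")
    conn.executemany(
        "INSERT INTO activity (summary, created) VALUES (?, ?)",
        [("turn on the lights", 1546336800), ("what time is it", 1546333200)])
    conn.execute("INSERT INTO device (name, registered_ms) VALUES (?, ?)",
                 ("kitchen", 1546300800000))
    conn.commit()
    conn.close()


def run_demo():
    """Build the sample, analyse it, and report whether the file hash is unchanged."""
    path = os.path.join(tempfile.mkdtemp(), "sample_artifact.db")
    make_sample_db(path)
    before = sha256_file(path)
    timeline = build_timeline(path)
    return before == sha256_file(path), timeline


if __name__ == "__main__":
    unchanged, timeline = run_demo()
    print("evidence hash unchanged:", unchanged)
    for when, table, column, rowid in timeline:
        print(when.isoformat(), table, column, "rowid", rowid)
```

In practice the scan runs against a working copy of the acquired database, with the recorded hash stored alongside it in the evidence repository.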
In IoT forensics, analyzing embedded files and data within firmware images is an effective approach. By connecting the universal asynchronous receiver/transmitter (UART) port in Echo, the boot debug messages can be output to a terminal. In our research, we determine that Echo uses u-boot as its boot loader, which is a popular open source bootloader, and a number of commands/tools can be used to extract information in the firmware. In this paper, we use the Alexa Pi to build an Echo over Raspberry Pi Version B, which uses similar firmware to Amazon Echo. In our experiment, we analyze the Alexa Pi over Ubuntu (16.04), the companion app installed on an iPad 4 (iOS 12), and the Alexa voice server (AVS).
We first use u-boot to output the firmware in Alexa Pi, which results in three EnCase images (see Fig. 6).
A. Data Type
We then analyze the data type created, transmitted, processed, and stored on the IoT devices. For an Amazon Echo and the AVS service, we determine that