What is IoT Forensics and How is it Different from Digital Forensics?

Internet of Things (IoT) refers to a network of connected physical devices, smart home appliances, wearable electronic devices and embedded electronic items etc. with different types of sensors for seamless connectivity and transfer of data amongst them. 

The Internet of Things has become very popular and transformed various facets of life. Some common examples for the IoT devices include Smart home accessories such as smart locks, sensors for temperature, ambient light, water, gas etc., and wearables such as smart watches, glasses, pacemakers and fitness gear and includes components such as M2M (Machine to Machine communications), RFID sensors, wearable and context-aware computing.

Digital Forensics and IoT Forensics

The Discipline of Digital Forensics deals with the Identification, collection, analysis, and presentation of digital evidence from various types of digital/electronic storage media in a Litigation/Cybercrime or information security incidents.  Typically, the storage media can be anything from a server machine to a mobile device. 

The proliferation of IoT devices and the increased number cyber security incidents on the IoT devices/applications has necessitated the collection and analysis of digital evidence from different types of IoT devices and came to be known as IoT Forensics, a subdivision of Digital Forensics. IoT Forensics requires a multi-faceted approach where evidence may be collected from a variety of sources such as sensor devices, communication devices, cloud storage and even ISP logs.

Interception of cardiac devices such as pacemakers, Patient/Infant monitoring systems, Launching DDOS attacks using compromised IoT devices (Mirai Botnet), Hacking/Interception of In-Vehicle Infotainment (IVI) systems, Hacking of various CCTV and IP cameras are some of the examples of IoT device hacking incidents.

The purpose of IoT forensics is to identify and obtain digital evidence from IoT devices for legal or investigative purposes.

Collection of Digital Evidence from IoT devices

Since IoT devices come in a variety of models, operating systems, file systems and proprietary hardware and software there is no single standard approach that can be followed in identifying and collecting data from a given IoT device. The following are some methods for collecting the data.

  • Acquiring a Flash Memory Image
  • Acquiring a memory dump using Linux dd command or netcat
  • Extract Firmware data by using JTAG and UART techniques

Telnet, SSH, Bluetooth and Wi-Fi protocols were also used to gain access and interact with the devices.

Acquiring a Flash Memory Image:  In this method, if an IoT device can be connected to a computer, the internal storage of the device can be forensically imaged using forensic imaging utilities such as FTK Imager, X-ways forensics or Winhex. The collected forensic image can be analyzed using the majority of the digital forensic applications. Whenever possible, the flash memory storage device such as NAND/NOR Flash chips, SD/CF/MMC cards has to be imaged in a bit-stream/full physical mode.

Acquiring a memory dump using Linux dd command: For IoT devices with operating systems such as Linux or embedded Linux, internal utilities such as Linux dd or netcat can be used to acquire a forensic image of a selected drive or the device memory. This requires booting into the device and a terminal access. The resultant forensic image can be analyzed to identify and extract information relevant to the case/ incident. Below is the syntax of dd command that can be used to acquire a forensic image of a selected partition or drive.

dd if=/dev/mtd of=forensic-image.dd bs=65536 conv=noerror, sync 

Firmware data extraction by JTAG: JTAG stands for Joint Test Action Group which was later standardized as IEEE 1149.1 Standard Test Access Port. The port was initially designed for testing PCB (Printed Circuit Boards). JTAG Forensics involves acquiring firmware data using standard Test Access Ports (TAPs). The data is transferred in a raw format. Standard JTAG/Chip-off tools such as RIFF Boxes and Flashers are used to access firmware data. This is a useful technique to dump the physical content of the firmware which cannot be acquired by other means but it is also an invasive technique which can damage the device circuitry irreversibly. However, this option has to be selected by keeping the above risks in view on a case by case basis.

Firmware data extraction by UART – UART is Universal Asynchronous Receiver/Transmitter, a computer hardware device which is a part of Integrated circuitry and used for serial communications over a computer or peripheral device serial port. It provides an interface between components and a debug console interface for embedded devices. Accessing the firmware via UART pins and extracting the data requires specialized interfaces and it is also an invasive technique which can reset the devices to factory settings resulting in loss of data.  Below is the image (Figure-1) for JTAG and UART Interfaces.

Figure-1: JTAG and UART Interfaces

Analysis of Collected data

Once the data is collected from an IoT device, depending on the operating system and file systems the storage is configured with, various artifacts would be identified and data extracted from them. Typically the root and user file systems contain different types of logs containing the user activity. Below is the structure (Figure-2) of the user and root components of an embedded Linux operating system. Data and files can be carved from the acquired dumps using multiple forensic tools.

Figure-2: Linux root and user directories


In comparison with the standard digital forensic collection and analysis techniques, IoT forensics presents multiple challenges owing to the variety and complexity of the IoT devices. Below are some of the challenges:

  • Diversity of devices and IoT ware
  • Proprietary Hardware and Software
  • Data spread across multiple devices and platforms
  • Data gets changed, modified, and lost/overwritten quickly
  • Jurisdiction and SLA constraints when data is stored in a cloud or a different geography


The advent and proliferation of IoT devices and the information security incidents involving them necessitated their forensic collection and analysis through the practice of IoT Forensics.  Though not conceptually different from standard digital forensics principles and processes, IoT Forensics require special handling procedures, techniques, and knowledge of multiple operating systems and file systems. The forensic acquisition and analysis of IoT devices pose a considerable challenge due to the wide variety of devices and their complexity. IoT Forensics is constantly evolving to cope with new types of devices, storage media, and operating systems.

Authored By - Bhanu Prakash Kondapally
TCS Cyber Security Practice

Rate this article: 
Average: 4.9 (60 votes)
Article category: