The Forensic Swing of Things: The Current Legal and Technical Challenges of IoT Forensics
Authors: Pantaleon Lutta, Mohamed Sedky, Mohamed Hassan
Abstract:
The inability of organizations to put in place management control measures for Internet of Things (IoT) complexities remains a risk concern. Policy makers have been left scrambling to find measures to combat these security and privacy concerns. IoT forensics is a cumbersome process because IoT products are not standardized and little or no historical data is stored on the devices. This paper highlights why IoT forensics is a unique adventure and brings out the legal challenges encountered in the investigation process. A quadrant model is presented to study the conflicting aspects of IoT forensics. The model analyses the effectiveness of the forensic investigation process versus the admissibility of the evidence integrity, taking into account user privacy and the providers’ compliance with laws and regulations. Our analysis concludes that a semi-automated forensic process using machine learning could eliminate the human factor from the profiling and surveillance processes, and hence resolve the issues of data protection (privacy and confidentiality).
Keywords: Cloud forensics, data protection laws, GDPR, IoT forensics, machine learning.