Most, if not all, digital systems are exposed to cyber security risks, so it is vital to develop solutions that protect them and record proof of possible attacks.
One of the possible solutions would be using blockchain and distributed ledger technologies (DLT). The large-scale diffusion of Internet of Things (IoT) systems provides plentiful state-of-the-art solutions like e-healthcare, smart homes, e-voting, smart surveillance, e-democracy, smart industries, smart cities, e-commerce and smart grids.
Consequently, this has led to a significant increase in the threats that exploit the vulnerabilities of IoT devices. It is therefore crucial to engineer powerful cyber security solutions that are able to protect vulnerable devices and to create digital forensics models capable of recovering evidence of possible attacks.
This section shows two emerging technologies, fog/edge computing and blockchain, which can improve the forensic processes of the IoT.
The terms fog computing and edge computing are used interchangeably to describe the level that exploits the storage and processing of intermediate devices (fog nodes) between terminal devices and the cloud. Fog computing can be considered an implementation of edge computing. Edge computing brings services from the cloud to the edge of IoT networks. As these services include device authentication, access control and data processing and archiving, most Forensic Readiness modules can be implemented using fog computing.
The distributed and unchangeable features offered by DLTs meet the needs of IoT forensics. In the Decision Model, the evidence gathered from devices, controllers and cloud applications must be managed as in a ledger. The ideal solution for IoT forensics is represented by a blockchain, with private authorization, in which the number of nodes is limited and access is provided only to selected users.
The distributed nature of a blockchain combines with fog computing to provide evidence gathering and archiving services. Evidence can be collected from any node and updated on the ledger. The immutable nature of a blockchain network ensures that the proof is not tampered with and is always effective, correct and valid. A blockchain further enables verification of the source of the evidence. These two features allow detective agents to access evidence reliably from any node at any time.
In summary, blockchains can be used for timestamping and archiving of evidence gathered from IoT devices. The blockchain and DLT can keep track of changes made to the firmware of IoT devices and automatically restore the original firmware in case of tampering. Similar approaches can be used to maintain the integrity of IoT evidence.
However, blockchain and IoT forensics is a challenge for researchers due to the complexity of connected devices and applications, and the lack of uniform standards between device manufacturers and system developers. Most tools are designed to work in conjunction with conventional systems that have significant storage and processing capabilities, rather than small, specialized devices. The difficulties are also compounded by the heterogeneity of devices, applications and communication technologies. Consequently, the stored data has different formats and needs custom acquisition approaches.
Another challenge is the extraction of volatile data from IoT devices before it is overwritten. Sophisticated mechanisms are needed for quick collection. The collection can be accelerated by storing data on the device itself, but the data must be periodically moved to an additional memory to free up the device's memory. Data can also be synchronized with fog nodes or cloud storage at regular intervals. This approach is safer in the long term because IoT devices can be tampered with or even destroyed. The transfer and aggregation of evidence makes the management of the chain of custody more complex; fortunately, this aspect can be solved using blockchain technology.
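The timestamping, source verification and chain-of-custody ideas described above can be illustrated with a minimal hash-chained evidence ledger. This is an added example, not code from the original article: it runs in a single process as a stand-in for a permissioned blockchain, uses HMAC with per-node keys in place of real node signatures, and all names, keys and sample data are constructed assumptions.

```python
import hashlib, hmac, json

# Constructed per-node keys (assumption); a real ledger would use asymmetric node identities.
NODE_KEYS = {"fog-node-1": b"k1-constructed", "fog-node-2": b"k2-constructed"}
GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(ledger, node, device, action, evidence, ts):
    """Append a custody event (collect or transfer) for an evidence blob."""
    body = {
        "index": len(ledger),
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
        "ts": ts, "node": node, "device": device, "action": action,
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
    }
    entry = dict(body, hash=_digest(body))
    entry["mac"] = hmac.new(NODE_KEYS[node], entry["hash"].encode(), hashlib.sha256).hexdigest()
    ledger.append(entry)
    return entry

def verify_ledger(ledger):
    """Return (True, None), or (False, index) for the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        body = {k: v for k, v in e.items() if k not in ("hash", "mac")}
        key = NODE_KEYS.get(e["node"])
        if key is None or e["index"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
            return False, i
        expected = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["hash"]
    return True, None

def verify_evidence(ledger, index, evidence):
    """Check that a blob presented later matches the digest recorded at collection."""
    recorded = ledger[index]["evidence_sha256"]
    return hmac.compare_digest(recorded, hashlib.sha256(evidence).hexdigest())

def demo():
    ledger, blob = [], b"constructed sensor log: door=open"
    append_entry(ledger, "fog-node-1", "cam-07", "collect", blob, 1700000000)
    append_entry(ledger, "fog-node-2", "cam-07", "transfer", blob, 1700000600)
    intact = verify_ledger(ledger)
    ledger[0]["ts"] = 1699990000  # simulated edit of a recorded timestamp
    return intact, verify_ledger(ledger), verify_evidence(ledger, 1, blob)
```

Only the digest of the evidence is stored on the ledger, so the evidence itself can stay on fog or cloud storage and still be checked against the recorded custody trail.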