CR Mar 16, 2020

STITCHER: Correlating Digital Forensic Evidence on Internet-of-Things Devices

arXiv:2003.07242v2
AI Analysis

This paper addresses the correlation and consistency problem in digital forensic evidence for IoT devices, a pressing concern for investigators and law enforcement agencies, though the contribution is incremental because it builds on prior issues in forensics.

The study tackled the lack of formal documentation on challenges in IoT digital forensics by conducting a user study with 39 investigators and developing STITCHER, a tool that helped 96.2% of users handle a simulated IoT crime and enabled 61.5% to solve it completely.

The increasing adoption of Internet-of-Things (IoT) devices presents new challenges to digital forensic investigators and law enforcement agencies when investigations into cybercrime on these new platforms are required. However, there has been no formal study to document the actual challenges faced by investigators and whether existing tools help them in their work. Prior issues such as the correlation and consistency problem in digital forensic evidence have also become a pressing concern in light of the numerous evidence sources from IoT devices. Motivated by these observations, we conduct a user study with 39 digital forensic investigators from both public and private sectors to document the challenges they faced in traditional and IoT digital forensics. We also created a tool, STITCHER, that addresses the technical challenges faced by investigators when handling IoT digital forensics investigations. We simulated an IoT crime that mimics sophisticated cybercriminals and invited our user study participants to utilize STITCHER to investigate the crime. The efficacy of STITCHER is confirmed by our study results, where 96.2% of users indicated that STITCHER assisted them in handling the crime, and 61.5% of users who used STITCHER with its full features solved the crime completely.
