
Page 1: User-friendly Interface for Forensic Analysis Using

User-friendly Interface for Forensic Analysis Using Raspberry Pi

by

Dilara Madinger

M.S., University of Colorado Boulder, 2018

A thesis submitted to the Faculty of the Graduate School of the University of Colorado in partial fulfillment of the requirement for the degree of Master of Science in Interdisciplinary Telecommunications

2018

This thesis entitled:
User-friendly Interface for Forensic Analysis Using Raspberry Pi
written by Dilara Madinger
has been approved for the Interdisciplinary Telecommunications Program

_________________________________
Joe McManus

_________________________________
Levi Perigo

_________________________________
Jose Santos

Date

The final copy of this thesis has been examined by the signatories, and I find that both the content and the form meet acceptable presentation standards of scholarly work in the Interdisciplinary Telecommunications discipline.

IRB protocol # ____________________
IACUC protocol # __________________

Abstract

Madinger, Dilara (M.S., Interdisciplinary Telecommunications)

User-friendly Interface for Forensic Analysis Using Raspberry Pi

Thesis directed by Scholar in Residence Joe McManus

With the high variety of Internet of Things (IoT) devices and their inherently high vulnerability level, it is crucial to save investigators’ time in forensic analysis (Bertino [3]). This research aims to develop an application that would assist with performing forensic analysis on Raspberry Pi devices and would provide user-friendly information to investigators or researchers. Automating many tasks and highlighting the areas that need human inspection would optimize investigators’ time and effort (Kebande [12]). Providing user-friendly graphs and text outputs suitable for reports and communication would empower non-technical persons to understand the results of inspections (Tassone [25]).

Research methods for this effort include setting up Raspberry Pi devices, performing attacks over the network on one device, collecting the commands that retrieve event history, automating these commands where feasible, and visualizing the forensic data. As a result, I identified the tasks that lend themselves to automation and the forensic data that can be communicated with visual representations, and I developed an application that assists in performing forensics quickly.

Contents

I. Research question and problem setting ........ 6
II. Research sub-problems ........ 8
III. Literature review ........ 9
IV. Research design and methodology ........ 12
V. Research plan ........ 14
VI. Analysis ........ 23
VII. Conclusion ........ 24
BIBLIOGRAPHY ........ 26
APPENDIX ........ 29

Figures

Figure
1. Raspberry Pi ........ 12
2. Task Diagram ........ 15
3. Application Architecture ........ 18
4. Database Structure ........ 20
5. Main Page ........ 22
6. Bar chart for login statistics ........ 22
7. Pie chart for IP origins ........ 22
8. App directions ........ 23

Research Question and Problem Setting

As Internet of Things (IoT) devices enter the markets for household purposes and other areas of life, they will introduce multiple vulnerabilities to people’s safety and to the integrity of their personal information (Weber [29]). IoT devices perform relatively simple functions, such as sensing metrics like temperature or movement; switching data traffic; notifying users when certain conditions are met; and communicating with other devices wirelessly. In some academic resources, the definition of IoT devices includes more complex and powerful mobile devices, such as laptops and smartphones (Hossain [7]). It is under this definition that the Raspberry Pi, a microcomputer, was used in this research as a model of an IoT device.

IoT devices are used extensively in private homes and in industry. Raspberry Pi devices alone have sold more than 12.5 million units, making the Raspberry Pi the third best-selling computer (Johnson [10]). According to Richardson [22], the company’s Executive Director, these do-it-yourself (DIY) mini computers are used in “classrooms, libraries, hackspaces, research laboratories, and within the industrial environment.” Because of this level of penetration into homes and companies, malicious actors have a great interest in using these devices for unauthorized data collection. As Kaspersky Lab reported in June 2017: “the number of new malware samples … this year targeting connected internet-of-things (IoT) devices has already more than doubled last year’s total” (Mimoso [18]). In its 2018 report, Trustwave [28] writes that 61% of organizations that used IoT technology had to deal with security incidents caused by these devices.

In addition to fulfilling a cornucopia of functions in various environments, IoT devices also provide vital information to law enforcement officials in traditional crimes. In 2016, a man was charged with murder based on the data from his IoT water heater. A year later he agreed to disclose data from his Amazon Echo, a speech recognition device, as requested by the investigators (McLaughlin [17]). With their inherent vulnerabilities and the high level of intrusion of IoT devices into daily life, the need for timely and accurate analysis of these devices is crucial (Bertino [3]). Although an emerging technology, IoT devices are quickly becoming commonplace in various industries and homes. The need to protect these devices and their networks, to understand their vulnerabilities, and to analyze their activity history grows with each new device coming online.

As the need for device analysis grows, computer forensics is used not only in particular criminal cases but also to identify ways to optimize device usage and prolong device life. “Computer forensics allows for identification of incidents, gathering of evidence, analysis of evidence and potentially recovery of records” (Irons [8]). Multiple software tools are available for digital forensics, such as Foremost, John the Ripper, Tcpflow, dcfldd and others. However, these tools do not run scripts simultaneously and do not provide a comprehensive analysis when used individually: “dd is both powerful and flexible, but has a somewhat complex command line interface” (“Latest Version 1.3.4-1.” [15]). Their outputs are log entries that have to be analyzed by engineering professionals. What if investigators with a minimal technical background could extract vital information from IoT devices in a timely manner?

In this research, I identified the tasks that could be performed by a computer application and considered whether the outputs of the application are meaningful to forensic analysts. To make the data easier to understand, I created a graphical representation of these data using Chart.js, open source software for creating graphs. For clarity, the data used to generate the forensic analysis is saved in a directory raw_files and is available for researchers to view without initiating their own search through the file system.

The limitations of this study come from the small number of homogeneous IoT devices used (Raspberry Pi) and the atypical usage of these devices. It would be beneficial to conduct this study on a variety of IoT devices, with different vulnerabilities exposed on each of them. Additionally, the devices used in this study may undergo stresses to which they would not be exposed under normal conditions. Such stresses included a denial of service attack (DDoS), which may overheat the devices and take them offline.

Research Sub-Problems

In researching and developing a forensic tool for IoT, I solved smaller problems: I identified which forensic methods can be automated, found the best method to perform this automation, and visualized the forensic process and its results with the necessary graphic tools. The overall research used a mixed-method design, as the individual sub-problems used both quantitative and qualitative research approaches.

Identify forensic methods suitable for automation.

To identify forensic methods that lend themselves to automation, I used a quantitative design, employing observation as the primary technique. After the initial stage of setting up and using a Raspberry Pi device to accumulate history on SD cards, I collected activity history data for each device. During forensic analysis, I used a cross-sectional study, recording every command used across several devices with different activity histories. My goal was to identify the commands with the highest uniformity across various devices running a Linux-based interface. Such an approach allows for future expansion of the program to include devices other than the Raspberry Pi running the Raspbian operating system (OS).

Automating forensic tools.

For automating forensic tools, I used a qualitative research design with the case study approach. Using Raspberry Pi devices with the Raspbian tool suite for this research, I developed an automated forensic toolkit specifically for this type of device. Even though specific in scope, this research extends into the larger environment of IoT devices, because the Linux OS and its tools have become common among IoT devices (Keramidas [13], p. 62).

Adding visualization tools.

The visualization sub-problem of this research required a qualitative research design, because it deals with translating data into graphics and human-readable presentation. Applying the same methodology as for the previous sub-problem, I conducted a case study for the visualization problem. I organized the files that hold important information for forensic analysis and categorized them as either analyzed by the automatic tool or needing human analysis.

Literature Review

IoT technology is an emerging field in engineering. Already there are active research projects and proposals that integrate IoT devices into city management and farming operations. For example, the SmartSantander project equipped a Spanish city with millions of IoT devices to measure everything from weather and air quality to traffic and wireless spectrum utilization (Sanchez [23]). Bangera [2] et al. propose to build an IoT infrastructure on farms to collect data and improve efficiency. Jha [9] researches another way to use IoT technology: body IoT. A network is established from a tattoo or a patch with sensing devices on the user’s body to the patient’s smartphone, cloud analytics, and the doctor’s device. In all cases, the authors mention that battery life and authentication protocols are points of weakness for this technology.

In fact, IoT authentication algorithms and methods are an important topic in IoT technology. Cirani [4] et al. reconstruct an HTTPS protocol for IoT devices and implement this protocol through cloud services in their research. Their results show that, compared with implementing authentication locally, the cloud implementation uses less energy on the local device. However, the packet exchange with the cloud service consumes a large amount of energy, thus draining the battery faster. Cloud authentication still appears to be a good solution for IoT devices, since it saves memory space on the hardware, allowing for more optimized sensing. Cirani [4] et al. also found that cloud authentication is easily configurable, allowing for customization of policies per use and per service.

Authentication is only one of the major security challenges that IoT devices have. Bertino [3] et al. describe this technology as inherently insecure and provide the following list of vulnerabilities: absence of well-defined perimeters, the continuously changing nature of devices, high heterogeneity in communication media and protocols, use of objects that were not designed for use within the internet context, and physical vulnerability. Pasha [20] et al. add another vulnerability: the absence of upgrades for IoT devices. As a solution to this problem, the authors of that research recommend treating security holistically, that is, from the physical aspects of individual devices and the quality of the code that runs on these devices to the protection of the network as a whole. Network-level protection of IoT devices is the subject of the research of Condry [5] et al. This team proposes the use of uniform gateways as interfaces for IoT devices. They recommend hardening the entrance to the network through three-point authentication (username, password, and text message) and behavior-driven analytics.

While intrusion prevention is essential, forensics of IoT devices is just as important for event reconstruction and for devising new preventative methods. In their research, Teing [27] et al. set up an IoT lab, installed and uninstalled a BitTorrent application, and then analyzed the devices to find any information about the erased communication and files. As a result of their research, the team provided instructions explaining where the data and metadata of the erased files are located. This research includes various operating systems and more complex devices than single-function IoT devices. Badenhop [1] et al. used Z-Wave transceivers, which are used in home IoT devices, for forensic analysis. In their work, they identified that low memory capacity allows intruders to perform buffer overflow attacks and acquire control of the device.

In their research on using Raspberry Pi devices as forensic analysis tools for medical IoT devices, Feng [6] et al. identified the capabilities and limitations of these devices. For example, Raspberry Pi devices are not able to store much data, and they are themselves vulnerable to attacks if not properly configured. On the other hand, these devices are affordable and convenient to use with a full Linux-based operating system, which has led to their high popularity. In addition to their recommendations on using Raspberry Pi devices in forensic analysis, the researchers also identified logs and directories useful for the forensic analysis of the Raspberry Pi itself: user.log, history.log and .config files are among the sources that show the history of activities on the device (Feng [6], p. 10). This identification is useful for further work to parse the data in such logs and make it more readable and available to investigators.

This literature review shows that even though much research has been done in the sphere of IoT security and forensics, there is still much work to be done, especially on the question of appropriate tools for fast and productive forensic analysis. Some of the methods and ways of reporting results described in the research papers cited above were useful for this research, by providing more case studies as well as a proof of concept that automation of forensics is possible and that reporting of results can be engaging.

Research Design and Methodology

IoT forensics involves three types of analysis: cloud, network, and device forensics (Zawoad [30]). Network analysis and algorithms are promising for defensive strategies and for better forensic analysis. Kumar [14] et al. propose an algorithm to identify attacks on IPv6-based Wireless Sensor Networks, which is a powerful method to protect devices in real time. In this research, I considered cloud and network forensics but concentrated my efforts on device forensics, producing human-readable formats for reports.

For this study the Raspberry Pi was chosen due to its immense popularity and convenience of use. Even though small in size, this device runs Raspbian, a Linux-based operating system that has a lot in common with other Linux distributions in terms of file system, commands, and execution. Along with the convenient tools provided by the OS design, this device also has all the necessary ports (USB, SD, HDMI) to use with various other devices. In fact, combined with a small touchscreen, a Raspberry Pi device can serve as a standalone device that is mobile and easy to use (Joksan [11]). The Raspberry Pi cannot compete with Microsoft and Apple products in power or capacity, yet changing the OS image is as easy as changing the SD card. Carrying multiple SD cards loaded with Raspbian, one has multiple machines, which is convenient for partitioning and preserving data. Being designed for educational purposes, the Raspberry Pi has extensive documentation that is helpful for any type of device modification or usage for different purposes. All these factors make Raspberry Pi devices highly convenient for analyzing various IoT devices, especially if SD cards are preloaded with forensic analysis applications that function without the need for an Internet connection.

Fig. 1. Benjamin Nelan [19]. Raspberry Pi.

At a high level, this research involves setting up a Raspberry Pi device with a secure digital (SD) card without hardening its applications against attacks. Then I attacked the device through the local network using a laptop. To maintain the integrity of the data, I avoided auto-mounting the SD card, thus preserving the timestamps of the events. Moreover, I took hashes of the SD card using the message digest algorithm 5 (MD5) at different steps of the research to ensure that there was no modification of the data. After the initial stage of collecting data, I identified the best way to automate such collection and developed a software application for this purpose.

The majority of this research concentrates on forensic techniques to collect data from devices. Spyridopoulos [24] et al. describe the post-incident analysis phases: examination, identification, collection, analysis, and documentation. In the examination phase, I identified the locations on the file system that produce useful data. In the identification phase, I investigated the operating system of the device, its documentation and design, which helped with understanding the format and nature of the data. During the collection phase, I retrieved data from the memory system. There are two types of data collected: 1) data pertaining to the events on the device and 2) the commands that were used to retrieve these data. The first type of data is collected from IoT devices, routers, and virtual routers (“the triage examination” proposed in the enhanced digital forensic model by Perumal [21] et al.). It contains login records, times, and events on the device. The data can be found within the file system in directories like /etc and /bin on a full Linux OS. These data need to be isolated, processed with password-recovery tools such as John the Ripper and Hydra (for identifying passwords), and translated into human-readable language. I stored these data on several machines, such as the Secure Lab desktop and a personal laptop, and backed them up on GitHub. To interpret the obtained data, I reviewed device outputs and used Raspbian documentation and device documentation to identify the correct meaning of each field in the outputs.

The second type of collected data consists of the Linux commands that can be used on other Raspberry Pi devices running the Raspbian OS. For each session of forensic analysis on the firmware, I recorded all of the commands used. Once all of the data had been obtained, I reviewed the command log to identify the commands necessary for the forensic application. As measurement instruments, I used logging in a format that captures the date and time of each recording, as well as continuous MD5 hashing of the SD cards to verify that the disk data did not change during forensic analysis.
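The timestamped logging and continuous MD5 hashing described above, as an added example that is not code from the thesis: it hashes a card image in chunks at each named step, appends a timestamped line to a log, and reports whether the digest still matches the baseline. The paths, the step names and the extra SHA-256 digest are assumptions of this example.

```python
"""Added example, not code from the thesis: record a digest of the SD-card
image at every analysis step and verify later digests against the first one,
i.e. the 'continuous MD5 hashing' and timestamped logging the thesis uses as
measurement instruments.  File paths and step names are hypothetical."""
import datetime
import hashlib
import os
import tempfile


def digest_image(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of an image, read in 1 MiB chunks so a
    multi-gigabyte card image is never loaded into memory at once.  The thesis
    records MD5 only; SHA-256 is kept alongside here because MD5 collisions are
    practical and a stronger digest is easier to defend in a report."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


class IntegrityLog:
    """Append-only log of 'timestamp<TAB>step<TAB>md5<TAB>sha256' lines.  The
    first recorded digest is the baseline; record() reports whether a later
    step still matches it."""

    def __init__(self, log_path):
        self.log_path = log_path
        self.baseline = None

    def record(self, step, image_path):
        digests = digest_image(image_path)
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write("\t".join((stamp, step) + digests) + "\n")
        if self.baseline is None:
            self.baseline = digests
            return True
        return digests == self.baseline


def run_demo():
    """Constructed scenario: a 3-byte stand-in for a card image is hashed after
    acquisition and after an analysis step, then modified (as a mounted card
    with updated timestamps would be) and hashed again.  Returns the baseline
    MD5 and the per-step verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "sdcard.img")
        with open(image, "wb") as fh:
            fh.write(b"abc")
        log = IntegrityLog(os.path.join(workdir, "integrity.log"))
        verdicts = [log.record("acquisition", image),
                    log.record("after-foremost-carving", image)]
        with open(image, "ab") as fh:
            fh.write(b"x")
        verdicts.append(log.record("after-mount", image))
        return log.baseline[0], verdicts


if __name__ == "__main__":
    print(run_demo())
```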

The first type of data described above is the primary data that serves for analysis and is the basis of this research. Decrypted data, command logs, and translations into human-readable language are secondary data that served for the development of the software tool for automating forensics.

Returning to Spyridopoulos’s [24] phases, I analyzed data from various perspectives: understanding the layout of the system and the data locations, reading through any available logs to help build a timeline of events, identifying network information, and, if possible, the code that was running on the device. The documentation phase was spread through each phase of the research to capture all the necessary details. Digital documentation and report generation were the end goal of this research.

Research Plan

As a general approach to planning this research, I adopted Teing’s [27] method of forensic analysis, which provides useful locations in the file system and gives the researcher a convenient view of what type of data is in those locations. Teing’s [27] team set up a network with various devices, uploaded files through a BitTorrent application, deleted data, performed forensic analysis, and as a result provided practical instructions on the locations and quality of useful data. Even though I did not set up the full network, I attacked the Raspberry Pi device and analyzed the data produced by these attacks. Recommendations on the forensic analysis of Raspberry Pi devices are captured in the functionality of the application, which was developed throughout this research. The following are task descriptions that reference the task diagram (Fig. 2):

Set up devices.

I set up a Raspberry Pi device and uploaded the Raspbian OS on several SD cards for a fast way to change the cards and thus imitate having many devices.

Attack the first device.

I performed a DDoS attack on the device to take it offline. For this I used the <hping> Linux command to produce many requests that overwhelm the device. Another SD card was used in a regular way, downloading some images and browsing various web pages. With such usage, I have data samples of normal and abnormal usage of the devices.

Fig. 2. Task Diagram.

Identify methods to gather the most information from the card.

First, I used Unix shell commands to read the logs and system information of the device. For example, <uname> with the flags <-a> and <-r> provided the type of operating system and the kernel release respectively. The command <users | wc -w> provided the number of logged-in users on the device. I gathered the list of installed software from the command <dpkg --get-selections | cut -f1> and from listing the /usr/sbin directory. The directory /var/log provided the times and the names of users that logged into the device. To learn more about these login sessions, the command <last -f /var/log/wtmp> was used, which produced a detailed log of login activities. Of course, one of the most useful directories for our purposes is /etc: from /etc/resolv.conf I got the DNS servers that connected the Raspberry Pi to the internet, /etc/hosts gives the host names, /etc/init.d provides the names of the programs that start on boot, and /etc/shadow contains the hashed passwords that I can further analyze with tools like John the Ripper.

I used <foremost> and <tcpxtract> for recovering files that were transferred over the network and finding data connected to the device history (“Tcpxtract” [26]). To save the commands and the history of our search, I used the Linux <script> command, which saves all the commands into a file (“Linux Script Command Help and Examples” [16]). For the hashed passwords, I used <John the Ripper> to recover them.

Identify business logic for the app.

Based on the data collected in steps 4 and 5, the business logic was designed to perform the search and to parse the data into the format appropriate for the app. The Flask framework was used with the Python programming language to create two web servers: one serves as the receiving point for the data from the device and inserts that data into the database; the other server extracts data from the database and presents it to the user. In order for the software to be portable, both servers and the database were packaged into individual Docker services.

Below is the architecture of the application. A set of scripts written in Python performs the information collection and saves these data into the directory /raw_files in the form of individual text files. At this stage, each file is the output that a researcher would usually see on their terminal as the result of running some command.

Fig. 3. Application Architecture.

Once the raw_files directory is populated and all the scripts finish their execution, the send.py script iterates through each text document and sends it to the server via HTTP POST. Upon receiving the data, the server parses each document, extracting the necessary fields or arranging the data in a different format or data type. With these data, the server opens a connection to the MySQL database and inserts the data into the corresponding tables. After closing all database connections, the server finishes its execution.

The web server makes a connection to the database and extracts the necessary fields to populate its tables and graphs, presenting the user with a simplified output of the initial commands. If the user is not satisfied with the presented data format, rather than repeating the same commands on the terminal, they may look through the raw_files directory and find the full versions of all logs and outputs.

Develop database schema.

Based on the data collected in steps 4 and 5, a database schema that allows for storage and fast search of the collected data was designed. MySQL with MySQL Workbench was used to design and implement the database structure. The database consists of various tables holding datasets such as IP addresses or passwords. Each table has a foreign key that connects all the data for a particular investigation case. When a user inputs their case name into the web application, that investigation name is connected to the results of the forensic analysis.

Aside from serving the web application, the database also allows advanced analysts to search across various cases and use the results to discover patterns and attribute malicious activity to certain actors.
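The server-side parse-and-insert step and the case-keyed schema described above, as an added example that is not the thesis’s code: sqlite3 from the standard library stands in for MySQL, the HTTP layer is omitted (a Flask view would call ingest_document with the POSTed document), and the table names, file names and sample contents are assumptions of this example.

```python
"""Added example, not the thesis's own code: the receiving server's job of
parsing one POSTed raw_files document and inserting it into tables that all
hang off a single investigation case, plus the cross-case search the schema
makes possible.  sqlite3 (standard library) stands in for MySQL; table,
column and file names are hypothetical."""
import sqlite3

# Every evidence table carries a case_id foreign key, so one case name
# selects all of its results and one package name finds every case it was in.
SCHEMA = """
CREATE TABLE cases (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE dns_servers (id INTEGER PRIMARY KEY,
    case_id INTEGER NOT NULL REFERENCES cases(id), address TEXT NOT NULL);
CREATE TABLE packages (id INTEGER PRIMARY KEY,
    case_id INTEGER NOT NULL REFERENCES cases(id), name TEXT NOT NULL);
CREATE TABLE raw_documents (id INTEGER PRIMARY KEY,
    case_id INTEGER NOT NULL REFERENCES cases(id),
    filename TEXT NOT NULL, body TEXT NOT NULL);
"""

# Constructed sample documents, standing in for files out of raw_files.
RESOLV_CONF = "# constructed sample\nnameserver 192.168.1.1\nnameserver 8.8.8.8\n"
DPKG_CASE_A = "base-files\nhping3\nopenssh-server\n"
DPKG_CASE_B = "base-files\nopenssh-server\n"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def case_id_for(conn, case_name):
    """Return the id of a case, creating the row the first time the name is seen."""
    conn.execute("INSERT OR IGNORE INTO cases(name) VALUES (?)", (case_name,))
    return conn.execute("SELECT id FROM cases WHERE name = ?", (case_name,)).fetchone()[0]


def parse_resolv_conf(text):
    """'nameserver <address>' lines of /etc/resolv.conf; comments are skipped."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def parse_dpkg_selections(text):
    """Output of `dpkg --get-selections | cut -f1`: one package name per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


# File name -> (table, column, parser).  Table and column names come only from
# this fixed map, never from the request, so they are safe to splice into SQL.
PARSERS = {
    "resolv.conf": ("dns_servers", "address", parse_resolv_conf),
    "dpkg_selections.txt": ("packages", "name", parse_dpkg_selections),
}


def ingest_document(conn, case_name, filename, text):
    """Pick the parser by file name, insert the extracted rows under the case,
    and always keep the unparsed body so the full output stays readable.
    Returns the case id."""
    cid = case_id_for(conn, case_name)
    if filename in PARSERS:
        table, column, parser = PARSERS[filename]
        conn.executemany(f"INSERT INTO {table}(case_id, {column}) VALUES (?, ?)",
                         [(cid, value) for value in parser(text)])
    conn.execute("INSERT INTO raw_documents(case_id, filename, body) VALUES (?, ?, ?)",
                 (cid, filename, text))
    conn.commit()
    return cid


def case_report(conn, case_name):
    """What the web server pulls to render one case's page; None if unknown."""
    row = conn.execute("SELECT id FROM cases WHERE name = ?", (case_name,)).fetchone()
    if row is None:
        return None
    cid = row[0]
    dns = [r[0] for r in conn.execute(
        "SELECT address FROM dns_servers WHERE case_id = ? ORDER BY id", (cid,))]
    pkgs = [r[0] for r in conn.execute(
        "SELECT name FROM packages WHERE case_id = ? ORDER BY name", (cid,))]
    return {"dns_servers": dns, "packages": pkgs}


def cases_with_package(conn, package):
    """Cross-case search: which investigations saw this package installed?"""
    rows = conn.execute(
        "SELECT c.name FROM packages p JOIN cases c ON c.id = p.case_id "
        "WHERE p.name = ? ORDER BY c.name", (package,)).fetchall()
    return [r[0] for r in rows]
```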

Below is the chart from MySQL Workbench, displaying the general architecture of the database schema.

Fig. 4. Database Structure.

Implement the business logic, developing a functioning app.

The app was developed with the ability to search the SD card for any data useful for forensic analysis, making text files of that output and placing these outputs into a raw_data folder. Once the processes that perform forensic analysis finish executing, another process opens each file in the raw_data directory and sends it to the server. As the server receives the data, it parses it to isolate the necessary parts and inserts the data into the database tables. On the other side of the database, the web server gets the user input for the investigation name and pulls the data from the database to display it on the web page. At this stage the app did not have a graphic interface and had only functioning features without an acceptable user interface. This step allowed for making the infrastructure work before proceeding to the user experience stage of the project.

Choose visualization framework.

In order for the data to be meaningful and for researchers to save time, the data must be displayed in an appropriate way: using graphs and highlighting important pieces, such as DNS connections, IP addresses, etc. To provide such visualization, I used Chart.js, an open source framework, to generate graphs. For the website to have a good feel, Twitter Bootstrap was used, which is also an open source framework and makes fonts and buttons look smoother.

Develop client side of visualization.

The interface for the app and the visualizations of the data were created. The principle here was to make the interface self-explanatory, with the least amount of instruction needed. The user needs to input the name of the case, which automatically generates a user id and triggers the analysis. Within a couple of seconds, the data for the requested device is displayed on the web page. All the data are displayed on one page, with a navigation bar helping to orient the user on the page. This means that a search function across the whole web application does not need to be implemented, as the user may use the Ctrl+F or Command+F key combination to search for a particular word. In addition, the one-page presentation allows for easy printing of the whole report.

In order to help investigators communicate their findings to people from all backgrounds, it was important to generate graphs that could simply show the important data. For this purpose, charts such as pie charts and bar charts were used.

Fig. 5. Main Page.

Fig. 6. Bar chart for login statistics.

Fig. 7. Pie chart for IP origins.

Develop a set of instructions and documentation on a Wiki page.

This project serves as a proof of concept and does not constitute a product ready to be installed on user devices. To get there, the code needs to be refactored and optimized, and the software has to be packaged in a self-contained framework. To continue with this project and get more feedback from other software engineers, documentation was generated on the project’s purpose and its architecture, and instructions were included on a Wiki page. Below are the directions for using the Easy Forensics app.

Fig. 8. App Directions.

Write a research paper with the results.

To explain the results of the project and provide the background for this research, I wrote this paper, which details all the steps of the development and presents an analysis of the feasibility and complexity of developing a forensic analysis tool.

Analysis

Throughout the development of the app, choices had to be made as to what information to display to the user. For example, logs like messages, syslog, user.log, and some others in the /var/log directory provide important and comprehensive information, yet such logs are hard to parse and realistically need a human to analyze them. By contrast, information such as users, passwords, and system details is consistent in format across Linux distributions and is easy to automate. In fact, many such tasks for automation were identified during development and were not implemented due to time restrictions.

Even with the existing automated outputs, the forensic app saves users time in retrieving certain information. Moreover, it presents an overview of the system and may help investigators choose the direction of their investigation that is more promising. For example, if the machine has many failed logins, the user may look into the possibility of a brute-force attack and check for users that have weak passwords or do not have any password. If many IP addresses lead to certain countries that the user may not be associated with, this may indicate communication with a malicious actor from that country. In this case, researchers may look at the installed programs and identify toolkits uploaded to the machine for the purpose of spying.
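The two automation targets described above, account password state from /etc/shadow and login statistics from the SSH authentication log, as an added example that is not part of the Easy Forensics app or the thesis. The /etc/shadow lines and auth.log lines below are constructed samples; the hashes are placeholders, and the parser assumes the standard OpenSSH "Accepted/Failed ... for <user> from <ip> port" message format.

```python
import re
from collections import Counter

# Constructed sample of /etc/shadow content (placeholder hashes, not a real system).
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHPLACEHOLDERHASH:17800:0:99999:7:::
pi:$6$saltsalt$ANOTHERPLACEHOLDERHASHVALUE:17800:0:99999:7:::
guest::17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
sshd:!:17800:0:99999:7:::
"""

# Constructed sample of /var/log/auth.log lines (documentation addresses only).
SAMPLE_AUTH_LOG = """\
Apr 10 10:01:02 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.5 port 50122 ssh2
Apr 10 10:01:04 raspberrypi sshd[1201]: Failed password for pi from 203.0.113.5 port 50122 ssh2
Apr 10 10:01:06 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Apr 10 10:02:10 raspberrypi sshd[1210]: Accepted password for pi from 192.0.2.20 port 41000 ssh2
Apr 10 10:05:33 raspberrypi sshd[1222]: Failed password for root from 198.51.100.7 port 60011 ssh2
Apr 10 10:06:00 raspberrypi CRON[1230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def classify_shadow(shadow_text):
    """Map each account to 'no password', 'locked', or 'hashed'.

    An empty second field means the account has no password at all; a field
    starting with '!' or '*' is locked and cannot be used for password login.
    """
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, hash_field = fields[0], fields[1]
        if hash_field == "":
            result[name] = "no password"
        elif hash_field.startswith(("!", "*")):
            result[name] = "locked"
        else:
            result[name] = "hashed"
    return result


def accounts_without_password(shadow_text):
    """Sorted list of accounts that can be entered with an empty password."""
    return sorted(n for n, s in classify_shadow(shadow_text).items() if s == "no password")


# OpenSSH login outcome line: "Accepted password for pi from 192.0.2.20 port 41000 ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+) port"
)


def login_stats(auth_log):
    """Return (counts, failed_by_ip).

    counts is a Counter with 'accepted' and 'failed' totals (the data behind a
    bar chart of login statistics); failed_by_ip counts failed attempts per
    source address, which is what a pie chart of IP origins would be built from.
    Lines that are not sshd login outcomes (e.g. CRON sessions) are ignored.
    """
    counts = Counter()
    failed_by_ip = Counter()
    for line in auth_log.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, _user, ip = m.groups()
        if outcome == "Accepted":
            counts["accepted"] += 1
        else:
            counts["failed"] += 1
            failed_by_ip[ip] += 1
    return counts, failed_by_ip


def chart_series(counter):
    """Split a Counter into parallel label/value lists, largest first,
    the shape a Chart.js dataset expects."""
    items = counter.most_common()
    return [k for k, _ in items], [v for _, v in items]


if __name__ == "__main__":
    print("accounts without password:", accounts_without_password(SAMPLE_SHADOW))
    totals, by_ip = login_stats(SAMPLE_AUTH_LOG)
    print("login totals:", dict(totals))
    print("failed logins by source IP:", chart_series(by_ip))
```

On the constructed input this flags the guest account as having no password and reports four failed logins against one accepted, with three of the failures coming from the same source address; a real run would read the two files from the mounted image instead of the embedded strings.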

As mentioned, even with an incomplete set of automated tasks, the app may be a valuable resource for investigators. Moreover, the architecture of the application allows it to be modified and enhanced with the feedback of its users. Adding more scripts, parsing routines, database tables, and data representations does not disturb the functionality of the app. Due to its modular structure, each part of the app can be enhanced, modified, or replaced completely without affecting the overall functionality. This approach allows not only for agile development for Raspberry Pi machines, but also for including other devices in the analysis. With the high variety of IoT devices, this app is capable of functioning as a Swiss Army Knife tool for forensic investigators. Furthermore, with the enhanced user interface, this app is useful for people without a technical background, which could shift monitoring and initial investigation from valuable investigator resources to any person within the company. Therefore, the framework for forensic applications designed in this research could be a valuable tool for a world filled with IoT devices.

Conclusion

In this research, a Raspberry Pi device was used to create a user-friendly interface in order to help investigators quickly analyze other Raspberry Pi devices and communicate their results to other people with the help of graphs and tables. Due to its modular design, each part of the app can be modified or completely redeveloped without compromising the overall functionality. Moreover, using Docker software, each server and database can function on any OS, virtual machine, or cloud infrastructure. Even when analyzing an image of the operating system, it is still beneficial to use Docker images to isolate potentially hostile software from the OS used for the analysis. Even though the software is not ready for general use, the described modularity allows it to be developed in an agile manner, adding more capabilities for forensic analysis and more IoT devices to such analysis.


As a result of this research, we also established that it is important to provide investigators with visual tools like graphs to communicate their results to a public not closely acquainted with digital technology. Moreover, the developed application allows non-technical persons to do forensic analysis without a deep understanding of Linux commands and the file system. Running such an app regularly on the machines used in the infrastructure of a small business could alert workers to a potential vulnerability or malicious activity weeks, days, or hours before the business would experience damages. This could dramatically reduce compromising events and business losses, as well as allow companies to recover fast from such events.


BIBLIOGRAPHY

1. Badenhop, Christopher W., Benjamin W. Ramsey, Barry E. Mullins, and Logan O. Mailloux. "Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave transceiver." Digital Investigation 17 (2016): 14-27. Web.

2. Bangera T., Chauhan A., Harsh Dedhia, Godambe R., and Mishra M. "IoT based smart village." International Journal of Engineering Trends and Technologies 32.6 (2016): 301-305. Web.

3. Bertino, Elisa, Kim-Kwang Raymond Choo, Dimitrios Georgakopolous, and Surya Nepal. "Internet of Things (IoT)." ACM Transactions on Internet Technology 16.4 (2016): 1-7. Web.

4. Cirani, Simone, Marco Picone, Pietro Gonizzi, Veltri L., and Gianluigi Ferrari. "IoT-OAS: An OAuth-Based Authorization Service Architecture for Secure Services in IoT Scenarios." IEEE Sensors Journal 15.2 (2015): 1224-1234. Web.

5. Condry, M. W., and Nelson C. "Using Smart Edge IoT Devices for Safer, Rapid Response With Industry IoT Control Operations." Proceedings of the IEEE 104.5 (2016): 938-946. Web.

6. Feng X., Babatunde O., Liu E. "Cyber Security Investigation for Raspberry Pi Devices." International Refereed Journal of Engineering and Science. 28 Apr. 2017. Web.

7. Hossain, Md. Mahmud, et al. "Towards an Analysis of Security Issues, Challenges, and Open Problems in the Internet of Things." 2015 IEEE World Congress on Services, 2015, doi:10.1109/services.2015.12.

8. Irons, A. (2006). Computer forensics and records management - compatible disciplines. Records Management Journal, 16(2), 102-112.

9. Jha A.K. "Sensing and Supervising through IOT." International Journal of Computer Applications 152.9 (2016): 7-9. Web.

10. Johnson, Luke. "Raspberry Pi Just Became the Third Best-Selling Computer of All Times." Trusted Reviews. 20 March 2017. Web.

11. Joksan. "Raspberry Pi LCD - 7' Touchscreen." LCD-13733 - SparkFun Electronics. Web.

12. Kebande R. Victor, Ray Indrakshi. A generic Digital Forensic Investigation Framework for Internet of Things (IoT). 2016 IEEE 4th International Conference on Future Internet of Things and Cloud. Web.


13. Keramidas, Georgios, Nikolaos S. Voros, and Michael Hübner. Components and Services for IoT Platforms: Paving the Way for IoT Standards. Springer, Switzerland, 2016/2017, doi:10.1007/9783319423043.

14. Kumar, V., Oikonomou, G., & Tryfonas, T. (2016). Traffic forensics for IPv6-based wireless sensor networks and the internet of things. Paper presented at the 633-638.

15. "Latest Version 1.3.4-1." Dcfldd, dcfldd.sourceforge.net/.

16. "Linux Script Command Help and Examples." Computer Hope, 16 June 2017, www.computerhope.com/unix/uscript.htm.

17. McLaughlin, Eliott C. "Suspect OKs Amazon to hand over Echo recordings in murder case." CNN. Cable News Network, 26 Apr. 2017. Web. 27 June 2017.

18. Mimoso, Michael. "IoT Malware Activity Already More Than Doubled 2016 Numbers." Threatpost | The first stop for security news. N.p., 19 June 2017. Web. 28 June 2017.

19. Nelan, Benjamin. "Raspberry Pi." Pixabay. Web.

20. Pasha M., Shah S.M., Pasha U. "Security framework for IoT systems." International Journal of Computer Science and Information Security 14.11 (2016): 99-104. Web.

21. Perumal, Sundresan, Norita M. Norwawi, and Valliappan Raman. Internet of Things (IoT) Digital Forensic Investigation Model: Top-Down Forensic Approach Methodology, IEEE, 2015, doi:10.1109/ICDIPC.2015.7323000.

22. Richardson, Matt. "The Impact of Ten Million." Raspberry Pi. 18 Oct. 2016. Web.

23. Sanchez L., Muñoz L., Galache J.A., Sotres P., Santana J. R., Gutierrez J. R., Ramdhany R., Gluhak A., Krco S., Theodoridis E., and Pfisterer D. "SmartSantander: IoT experimentation over a smart city testbed." Computer Networks 61 (2014): 217-238. Web.

24. Spyridopoulos, T., Tryfonas, T., & May, J. (2013). Incident analysis & digital forensics in SCADA and industrial control systems. Paper presented at the doi:http://dx.doi.org.colorado.idm.oclc.org/10.1049/cp.2013.1720

25. Tassone Christopher, Martini Ben, Raymond Kim-Kwang. "Visualizing digital forensic datasets: a proof of concept." Journal of Forensic Sciences. 1 Feb. 2017. Web.

26. "Tcpxtract." Tcpxtract, tcpxtract.sourceforge.net/.


27. Teing, Y., Dehghantanha, A., Choo, K., Yang, L. "Forensic investigation of P2P cloud storage services and backbone for IoT networks: BitTorrent Sync as a case study." Computers and Electrical Engineering 58 (2017): 350-363. Web.

28. Trustwave. "New Trustwave Report Shows Disparity Between IoT Adoption and Cybersecurity Readiness." 28 Feb. 2018. Web.

29. Weber, R. H., and Weber, R. Internet of Things: Legal Perspectives. vol. Bd. 49, Springer, Zürich/Berlin, 2010, doi:10.1007/978-3-642-11710-7.

30. Zawoad, S., & Hasan, R. (2015). FAIoT: Towards building a forensics aware eco system for the internet of things. Paper presented at the 279-284.


APPENDIX

List of Tools

Hardware:

Raspberry Pi board

SD cards

Laptop with a Linux distribution

Software:

Raspbian – operating system on Raspberry Pi device

Python – used language

Flask – web servers

MySQL and MySQLbench – database

Chart.js – graphs

Twitter Bootstrap – web design