In this study, we proposed an architecture that generally expresses the smart home environment from a forensic perspective based on the components of the smart home. The architecture is organized through five layers: cloud, platform, service, IoT device, and device component, and each of these layers is a common element of the smart home environment. The smart home common architecture includes all the components of the smart home and can be the basis for smart home forensic research because it is designed to fit the smart home architecture. In addition, our proposed architecture can be added-on even when new devices, services, and platforms are released, so it can be expanded.
This study proposed a forensic framework through the previously derived smart home common architecture, and the framework consists of three parts. In the function analysis-based smart home data inference step, it is possible to identify the functions supported by the IoT device and the functions of each platform through the functional analysis of the smart home application. Samsung and Xiaomi operate through the SmartThings and Mi home apps, respectively, and both apps include the ability to remotely control linked devices. Accordingly, expected data was derived through functions supported by interlocking devices and platforms. Through this functional analysis, data in the smart home can be inferred, which can help set and plan target devices in the forensic readiness stage.
The inferred data can be stored in the cloud and management devices as well as the internal storage of IoT devices. Accordingly, different data acquisition methods are applied to extract the actual data. When stored in the device's internal storage, data can be extracted by applying various acquisition methods to devices with internal storage. In this study, data inside the actual device was extracted from Nand Flash and SD cards in Samsung and Xiaomi devices, and data such as user information and linked device list could be identified. Although not performed in this study, it seems that more artifacts can be obtained if deleted files can be recovered through file system recovery of acquired images [29,30]. Other devices such as the Samsung Smart Hub could not verify data owing to disk encryption, and small devices such as smart plugs and smart tags could not obtain data owing to the lack of storage. In addition, devices such as Xiaomi Smart TV could not acquire data due to technical limitations. Currently, numerous data acquisition method studies have been conducted. However, as mentioned above, as new technologies are applied to IoT devices, a new methodology is required through the investigation of SW/HW of IoT devices, which requires additional research on the latest IoT devices in smart homes.
If it is stored in the cloud, it can be verified by analyzing the packet between the IoT device and the cloud server. In this study, packets could not be checked with TLS encryption, and unencrypted packets may not seem important because they are not meaningful data. However, there are cases where artifacts have been identified from packets, which can help with warrant review. In particular, if a certificate can be inserted into the device, tools such as Burp suite can be used to decrypt TLS packets, and data stored in the cloud server can be extracted through a replay attack.
When stored in a smartphone app, data can be extracted by extracting images from smartphones linked with Samsung and Xiaomi applications. The research team confirmed that a large amount of app data is stored in smartphones, but there is a limitation that is difficult to acquire for smartphones at home. However, for smartphones, it is possible to obtain information from IoT devices that lack storage, such as sensors and door locks, therefore, if the smartphone can be acquired in the field, it can be strong evidence.
Finally, the data derived in this manner are used differently depending on the type of crime. Accordingly, the research team defined the data characteristics by dividing them into device use data, user data, and smart home environment data. Device usage data can be used to specify a suspect's alibi, and user data can help identify victims and suspects. In addition, smart home environment data can be used by investigators to accurately examine the smart home environment, enabling efficient investigations.