Digital Forensics with Artificial Intelligence Internet of Things
F M Spencer
December 2018
Abstract
Criminals and the investigators who pursue them continue to race against each other. With rapid advances in technology, criminals believe they remain several steps ahead, and digital forensic authorities may at times appear to lag behind well-equipped offenders. Networks of Internet of Things (IoT) devices appear to narrow this gap, with Artificial Intelligence (AI) supplying algorithms that speed up the work of cornering perpetrators. Digital forensics will not, for the most part, be fully automated, because crime scenes and criminal activity do not follow standard statistical patterns but are diverse and frequently random. The author expects AI to shorten the time needed to recover data from encrypted sources, leaving criminals more exposed. Forensic investigators, whatever the degree of automation, will continue to follow stringent procedures for gathering evidence in compliance with the relevant legal jurisdictions, to extend their own knowledge, and to train to work side by side with the emerging technologies of AIoT. Data scientists depend on the feedback of investigators to design AIoT algorithms. Today and in the future, AIoT will carry out routine tasks as a smart assistant, while investigators analyze the unpredictable criminal mindset.
Introduction
Forensic investigators require advanced systems to examine crime scenes, collect evidence, and analyze data. IoT extends AI by linking devices, signaling, and exchanging data (Woods, 2018). Using IoT and AI together, collectively AIoT, to automate forensic work at crime scenes is no longer optional but a necessary procedure. Developments in AIoT for forensic investigation continue to evolve in step with the underlying technologies. AI-assisted investigation promises greater efficiency in forensic methodologies for data acquisition, scene analysis, device handling, encryption, storage, and investigative tooling. Humans program AIoT algorithms to produce specific results, so AIoT cannot wholly replace human investigators in gathering evidence at crime scenes. AIoT amounts to pattern recognition trained on data and steered by application-specific, manually tuned algorithms and workflows (Leetaru, 2018). Crime scenes and criminals do not exhibit the predictable patterns that programmable algorithms require. Human investigators, by contrast, analyze the full picture to identify the evidence that matters in legal proceedings. AIoT and humans must therefore work together to identify and collect evidence from crime scenes: processing and handling digital evidence, respecting privacy and legal constraints when obtaining devices or data, dealing with encryption, streamlining data acquisition from cloud services and devices, and applying the best available hardware and software forensic tools.
Processing and Handling Digital Evidence
Investigations must rest on untainted and uncompromised evidence to be legitimate in legal proceedings. The first rule of investigation, uncompromised proof from an untampered crime scene, depends on the investigator's ability to tailor the evidence-gathering strategy to the scene and to the suspect devices involved in the criminal activity. As digital technologies advance so do digital crimes, making it necessary to assemble evidence from multiple sources for use in legal proceedings (Soltani & Seno, 2017). With the pervasive use of smartphones, the internet, and storage media, criminals leave traces that investigators must retrieve correctly; otherwise a court may disregard the material as improperly obtained. Digital evidence is present in virtually all criminal investigations, and even fragments of stored or deleted data are recoverable with the appropriate forensic tools (Haris & Salkic, 2016). Investigators are accountable for following established procedures in handling digital evidence: recognizing evidentiary digital information, then gathering, containing, recording, assessing, and ordering it, and verifying that the same results can be reproduced multiple times (Nelson, Phillips, & Steuart, 2019). Investigators must preserve the integrity of digital evidence all the way from the crime scene to the digital forensics lab. The standard imaging workflow is to create a forensic image of the seized media, store it on an approved hard drive or RAID, compute a digest of the image file with a hashing algorithm such as MD5 or SHA-1, safeguard the original media separately, and analyze the image with appropriate forensic tools (Nelson, Phillips, & Steuart, 2019). Both MD5 and SHA-1 have known collision attacks, so current practice records a SHA-256 digest alongside them, and the digests are recomputed whenever the image is read so that any change to the image is detected.
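The hash-and-verify step of the imaging workflow above, as an added example in Python that is not part of the paper: a forensic image (constructed in memory here rather than read from acquired media) is hashed in a single pass with MD5, SHA-1 and SHA-256, the digests are written into a custody record, and the image is re-hashed against that record on every later access so that tampering is detected. The image name, the record layout and the examiner identifier are assumptions for illustration.

```python
"""Hash-and-verify step of the forensic imaging workflow (added example).

Assumes a raw (dd-style) image; the image bytes used in demo() are constructed
for the demonstration rather than acquired from real media.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

# MD5 and SHA-1 as in the text, SHA-256 as the collision-resistant check.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 1 << 20  # 1 MiB reads keep a multi-gigabyte image out of RAM


def hash_stream(stream, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the stream, reading it exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def make_custody_record(image_name, stream, examiner):
    """Build the acquisition record that travels with the image (layout is an assumption)."""
    return {
        "image": image_name,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hash_stream(stream),
    }


def verify_image(stream, record):
    """Re-hash the image; return (ok, algorithms whose digest no longer matches)."""
    current = hash_stream(stream, tuple(record["hashes"]))
    mismatches = sorted(a for a, d in record["hashes"].items() if current[a] != d)
    return not mismatches, mismatches


def demo():
    """Acquire, record, verify, then show that a one-bit change is caught."""
    # Constructed sample image: a fake partition header plus filler, not real evidence.
    image = b"FAKE-PARTITION-HEADER" + bytes(range(256)) * 64
    record = make_custody_record("suspect_laptop_sda.dd", io.BytesIO(image), "examiner-01")
    intact, _ = verify_image(io.BytesIO(image), record)
    tampered = bytearray(image)
    tampered[1024] ^= 0x01  # flip a single bit in a copy of the image
    altered, bad = verify_image(io.BytesIO(bytes(tampered)), record)
    return intact, altered, bad, json.dumps(record, indent=2)


if __name__ == "__main__":
    intact, altered, bad, record_json = demo()
    print(record_json)
    print("original verifies:", intact)
    print("tampered verifies:", altered, "mismatched:", bad)
```

Every algorithm in the record must match on re-verification; a single mismatch is enough to reject the image, and the sorted list of failing algorithms goes into the examiner's notes.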
Investigators must maintain high standards of quality while collecting evidence in order to avert countersuits. The Department of Justice website details evidence processing and handling, including the Federal Rules of Evidence, Rule 803(6) (www.uscourts.gov/uscourts/rules/rulesevidence.pdf), and Section V, which refers to seizing electronic evidence. Besides following the legal path of search warrants, investigators must comply with the guidelines for each type of evidence gathering. Authorities have established standards and best practices, which continue to evolve as technologies develop, derived from ISO/IEC 27037:2012 (ISO, 2012) and the Digital Forensics Research Workshop model (Haris & Salkic, 2016). The High Technology Crime Investigation Association and the International Association of Computer Investigative Specialists insist on disk-imaging methodologies so that the trustworthiness, completeness, accuracy, and verifiability of evidence taken from computer disks satisfy legal requirements (Kenneally & Brown, 2005). Disk imaging, however, carries financial and legal burdens, and the cost-benefit question of mitigating the associated risks weighs on investigative organizations. Data and devices from crime scenes must not become obstacles to proper legal proceedings, so investigators must comply with the handling standards. In cybercrime cases, a long-standing concern among forensic examiners is the cost of travel to collect convincing evidence from tampered devices, which delays investigations and hinders protecting victims and catching offenders. The alternatives involve expensive tools and specialist operational know-how, and again expose the evidence to contamination or loss when it is relocated to other computers (Kaspersky Lab, 2017). The merger of AI and IoT technologies, AIoT, produces intelligent links, structures, and solutions capable of resolving a wide range of problems through machine learning and improved decision making (Woods, 2018). Data scientists can program AIoT with algorithms for the routine procedures described above, in line with the DOJ rules for crime scene investigation, with minimal human intervention. Present systems use object-recognition models to detect manipulated images or regions. Accepting a neural network's conclusions is, however, challenging: the result emerges from hundreds to thousands of individual nodes, and work on making such decisions more transparent is ongoing. Visualizing the object-recognition process lets software developers gain a finer-grained understanding of how the network learns. Human intelligence, for all its imperfections in comparison to machines, has the flexibility and aptitude to understand complex situations (Martineau, 2018). Investigators can therefore assess the crime scene and identify evidence first, and then allow AIoT to handle, process, and record forensic details in order to reduce human error.
Privacy and Legal Issues for Acquiring Data or Device
Investigators, bound by local and federal law, must acquire data and devices at crime scenes lawfully. Each state has specific guidelines for gathering and storing evidence, and investigators must comply with them as well as with the Federal Rules of Evidence (Nelson, Phillips, & Steuart, 2019). Mishandling, or anything that raises doubt at trial, can have severe legal ramifications: the culprit may walk free, and investigators may have to defend their actions in protracted lawsuits. Authorities must train and certify digital forensic investigators even at considerable cost, because untrained staff can destroy crucial evidence. A prime example is the Brad Cooper case, in which a marginally trained investigator unintentionally destroyed data on a smartphone (Lynne, 2011). Certified investigators must know which search warrants and subpoenas apply under the relevant domestic and international law, because without such documents they cannot touch the data and devices at a crime scene. Everyone has a right to privacy under the Fourth Amendment of the US Constitution, which protects against unreasonable searches of persons and their property (Cornell, 2018). Computers, network logs, emails, images, and word-processing files can all hold relevant evidence of criminal activity, and investigators can often retrieve them even after deletion from electronic devices. Most crimes leave digital traces, and investigators need this evidence to implicate perpetrators. To respect the privacy of all persons, investigators are bound by the Fourth Amendment as well as by the statutory privacy laws codified at 18 U.S.C. §§ 2510-22, 18 U.S.C. §§ 2701-12, and 18 U.S.C. §§ 3121-27 (Brattain, 2016). The government cannot wiretap anyone without a judge's warrant, so agencies such as the FBI and IRS prefer to gather data from digital traces instead. Authorities do not need to show probable cause to collect information from internet service providers, phone companies, or online applications such as Google (Meyer, 2014). If authorities suspect a crime and want to track digital footprints, they must nonetheless obtain the proper legal documents: a court order allows real-time access to IP addresses and GPS locations, and a subpoena allows access to historical records of IP addresses and locations, including text messages and emails stored for more than 180 days (Meyer, 2014). Public postings on social media are not subject to the same restrictions.
Authorities can instead issue time-constrained subpoenas to social media providers under Fed. R. Civ. P. 26(b)(1), the rule governing the duty to disclose and the general provisions of discovery (Cornell, 2018), when it is necessary to trace the posts and users of a platform (Lee, 2015). Social media companies initially refused to disclose data in order to protect user privacy. Authorities have applied section 2702(b)(3) as valid consent where defendants use public social media posts as evidence in criminal proceedings, and 18 U.S.C. § 2703 governs the required disclosure of customer communications or records (Vogeler, 2018). Whether the data is public or private, retrieving it without permission or probable cause is unlawful, so investigators must take the extra steps to obtain the necessary legal documents before gathering information and evidence at a crime scene. The merger of artificial intelligence with the internet of things, AIoT, offers readiness: ongoing data collection may reduce legal repercussions and the scope for human error, although people under such surveillance will need a different set of laws to address the privacy issues it raises. Laws change very slowly even as technologies continue to develop. AIoT algorithms functioning as smart assistants to the principal investigator cover the routine tasks of automated data collection and storage. AIoT use may also give rise to additional legal frameworks similar to the General Data Protection Regulation (US SEC, 2018). AIoT support will identify the applicable legal requirements and carry out the necessary steps, which may substantially reduce the risk of countersuits.
Decoding Encryption
Encryption protects data even from sophisticated digital forensic investigators, who need the key or passphrase to decrypt it. Live forensic acquisition and virtualization may be viable options for recovering such data (Casey & Stellatos, 2008). Criminals are quite advanced in safeguarding data with encryption. Forensic investigators should therefore capture decrypted, mounted volumes while the computer is still running: once the machine is shut down, the keys leave memory and the data is unavailable in a static disk image (Rafique & Khan, 2013). Investigators use multiple tools and procedures to avoid losing data during this process. Encryption can cost investigators a significant amount of data when they attempt retrieval at a crime scene, especially during static acquisition (Balogun & Zhu, 2013). Lost data may include passwords, clipboard contents, and encryption keys, since volatile RAM loses its contents when the system is shut down (Nelson, Phillips, & Steuart, 2019). Criminals using the latest technologies remain steps ahead, and authorities may lag behind in adopting new developments. Criminals know how to hide information from authorities with ciphers and encryption whose decoding, as the CIA's Kryptos sculpture illustrates, can take enormous effort (Higgins, 2012). Encryption continues to grow stronger with longer keys and more involved algorithms, so forensic investigators need better solutions and tools to retrieve data for criminal proceedings. To date, only limited solutions and tools exist for retrieving data from IoT devices, which presents challenges to forensic investigators, particularly where encryption is involved (Watson & Dehghantanha, 2016). Encrypted chat applications on Android add a further set of data-retrieval problems; using two Android phones of different brands, investigators were able to recover message content after rooting one of the phones (Zhang, Chen, & Liu, 2018). For now, encryption may be the preferred way to preserve data; with rapid advances in forensic investigation, however, data acquisition from encrypted devices is also becoming a threat to perpetrators. The author anticipates that AIoT will log encryption details together with the accompanying passphrases and keys so that authorities can retrieve them later if illegal activity warrants an investigation. As a historical illustration, an AI applied to the output of a Bombe-style search over Enigma settings was able to recognize German-language features and flag candidate decryptions (Allen, 2017). That success rested on weaknesses of the Enigma machine and on recognizable plaintext structure; modern ciphers such as AES offer no comparable patterns, so the practical contribution of AI is to prioritize likely passphrases, identify encrypted containers, and locate keys in captured memory rather than to break the cipher itself. The author's expectation that AIoT algorithms will eventually decrypt the most complicated encryption as such systems develop should be read in that light.
Data Acquisition Methodology
Data acquisition, essential for forensic investigators, is both a possibility and a challenge. As discussed above, encrypted data calls for live acquisition so that nothing is lost to RAM volatility when the system is shut down. In live acquisition the sequence of capture follows the order of volatility, that is, how long each kind of data persists: the most transient data (registers, cache, memory contents, network state) is collected first and persistent storage last. A live acquisition proceeds by creating a bootable forensic drive, recording every action taken, dumping or acquiring RAM with a tool such as FTK Imager, and storing the result on a sterile drive (Nelson, Phillips, & Steuart, 2019). Data acquisition in the cloud presents yet another challenge. Cloud data is virtual, short-lived, and geographically distributed, which raises both legal and technical complications. Collecting and analyzing residual data from cloud storage applications such as Dropbox, OneDrive, and Google Drive streamlines forensic investigations (Ab Rahman, Cahyani, & Choo, 2016). Given the rapid migration of computing to mobile and IoT devices backed by the cloud, authorities will have to design another set of solutions and tools to retrieve data from virtual cloud storage. Investigators may have to work through the servers behind SaaS offerings and IoT devices to reach the cloud-based CRM or proprietary source code repository that holds the information they need (Shomo, 2018). An open-source remote forensics tool such as Kaspersky Lab's BitScout can collect crucial forensic resources, obtain complete disk images from locally attached or network storage, and assist remotely with malware incident handling in cybercrime cases; even data analysis can be carried out remotely, using container-based isolation to protect the integrity of the source data (Kaspersky Lab, 2017). Remote forensics may lower the cost of data acquisition and reduce the need for storage. The tools mentioned above can also distinguish a tampered image from the original. Virtual storage will take yet other forms in AIoT systems, so forensic investigators will require a new set of skills and tools to carry out investigations.
Forensic and Investigative Tools
As technology moves toward the combination of artificial intelligence and the internet of things (AIoT), forensic investigation continues to adopt advanced systems to gather data for criminal proceedings. Automation removes many sources of human error, but AIoT is not flawless. Live acquisition from running hardware gives nearly complete data retrieval and therefore takes precedence over static acquisition, because volatile RAM loses its contents on shutdown. Hardware and software tools used in forensic investigation include Autopsy, OSForensics, WinHex, and IrfanView. Kaspersky Lab's (2017) BitScout, customizable to the investigator's requirements, comes with upgraded features and tailored software. BitScout is an open-source solution, free of charge, transparent, user-friendly, and self-contained, which even marginally trained investigators can use for incident response to remotely carve and scan (Kaspersky Lab, 2017). AIoT may reduce human error but is not foolproof: improved threat detection produces numerous false positives that keep responders busy unnecessarily (Shomo, 2018). Certified forensic investigators will therefore continue to supervise data retrieval and storage by AIoT until its shortcomings are resolved. In many incidents human reasoning will override the AIoT analysis in order to reconstruct the full picture of the criminal activity. Because AIoT handles gray areas poorly, human investigators will remain essential for tasks such as reverse engineering, or recovering encryption keys from RAM in a ransomware case (Shomo, 2018). As forensic tools evolve, automating incident response may reduce false positives. Security Orchestration, Automation and Response (SOAR) products act as a force multiplier for forensics but demand advanced skills from the security professionals who use them. While AIoT appears to increase efficiency and streamline investigative processes, human intervention remains imperative to guide and adapt crime scene investigations (Shomo, 2018). Even with Kaspersky Lab's (2017) BitScout, investigators must intervene in the remote examination of live systems to avoid compromising or losing evidence.
Future Strategies
Bringing it all together, with AIoT forensic investigators can largely eliminate human error, and machine-learning detection will flag anomalies before and during criminal activity, alerting authorities. AIoT systems and solutions refine, augment, and enhance network operations by extracting value from data through substantially improved processes, analytics, and results (Woods, 2018). With each development of AIoT, adoption of the technology accelerates to drive down costs and improve operational efficiency. AIoT bots will improve in their responses and in their inspection of evidence as smart assistants to investigators, and AIoT chatbots will broaden their functions and become more efficient (Martineau, 2018). Human responders will continue to provide feedback for the enhancement of AIoT, producing further algorithms that automate forensic tasks, lower costs, and increase efficiency. New solutions incorporate AIoT as a necessary element for streamlining tasks and minimizing human error (Press, 2018). AIoT continues to evolve and improve in the automation of many functions, digital forensics among them.
References
Ab Rahman, N. H., Cahyani, N. D., & Choo, K.-K. R. (2016). Cloud incident handling and forensic-by-design: Cloud storage as a case study. Concurrency and Computation: Practice and Experience.
AI Business. (2017, October 9). How IoT and AI are helping to fight crime. Retrieved from http://ai.business/2017/10/09/how-iot-and-ai-is-helping-to-fight-crime/
Allen, T. (2017, December 1). Cloud and AI used to break Enigma code in under 15 minutes. V3. Retrieved from https://www.v3.co.uk/v3-uk/news/3022322/cloud-and-ai-used-to-break-enigma-code-in-under-15-minutes
Balogun, A. M., & Zhu, S. Y. (2013). Privacy impacts of data encryption on the efficiency of digital forensics technology. arXiv preprint arXiv:1312.3183.
Bouchaud, F., Grimaud, G., & Vantroys, T. (2018, August). IoT forensic: Identification and classification of evidence in criminal investigations. In Proceedings of the 13th International Conference on Availability, Reliability and Security (p. 60). ACM.
Brattain, B. (2016). The Electronic Communications Privacy Act: Does the Act let the government snoop through your emails and will it continue? North Carolina Journal of Law & Technology, 17(5), On-185.
Casey, E., & Stellatos, G. J. (2008). The impact of full disk encryption on digital forensics. ACM SIGOPS Operating Systems Review, 42(3), 93-98.
Cornell (Legal Information Institute). (2018). Rules. Retrieved from https://www.law.cornell.edu/
Haris, H., & Salkic, H. (2016, February). The basic steps of digital evidence handling process. Vitez, Travnik, Bosnia and Herzegovina.
Higgins, C. (2012). Kryptos. Mental Floss. Retrieved from http://mentalfloss.com/article/12918/kryptos-cia-cipher-hiding-plain-sight
ISO. (2012, October). ISO/IEC 27037:2012. International Organization for Standardization.
Kaspersky Lab. (2017, July 6). Kaspersky Lab researcher creates free software tool for collecting remote evidence after cyber-attacks. Information Security Buzz. Retrieved from https://www.informationsecuritybuzz.com/news/kaspersky-lab-researcher-creates-free-software-tool-collecting-remote-evidence-cyber-attacks/
Kenneally, E. E., & Brown, C. L. (2005). Risk-sensitive digital evidence collection. Digital Investigation, 2(2), 101-119.
Lee, K. (2015, January 26). Social media subpoena guide 2015 edition. Associate's Mind. Retrieved from https://associatesmind.com/2015/01/26/social-media-subpoena-guide-2015-edition/
Leetaru, K. (2018, December 15). Does AI truly learn and why we need to stop overhyping deep learning. Forbes.
Lynne. (2011, November 8). Cary police destroy evidence in the Nancy Cooper murder investigation. Brad Cooper Case. Retrieved from https://justiceforbradcooper.wordpress.com/2011/11/08/cary-police-destroy-evidence-in-the-nancy-cooper-murder-investigation/
Martineau, K. (2018, December 16). Aleksander Madry on building trustworthy artificial intelligence. Phys.org. Retrieved from https://phys.org/news/2018-12-aleksander-madry-trustworthy-artificial-intelligence.html
Meyer, T. (2014, June 27). No warrant, no problem: How the government can get your digital data. ProPublica. Retrieved from https://www.propublica.org/article/no-warrant-no-problem-how-the-government-can-still-get-your-digital-data
Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations. Cengage Learning.
Press, G. (2018, December 12). 20 more AI predictions for 2019. Forbes. Retrieved from https://www.forbes.com/sites/gilpress/2018/12/12/20-more-ai-predictions-for-2019/#105363334d74
Rafique, M., & Khan, M. N. A. (2013). Exploring static and live digital forensics: Methods, practices, and tools. International Journal of Scientific & Engineering Research, 4(10), 1048-1056.
Shomo, P. (2018, February 12). 4 reasons forensics will remain a pillar of cybersecurity. CSO Online. Retrieved from https://www.csoonline.com/article/3254180/data-protection/4-reasons-forensics-will-remain-a-pillar-of-cybersecurity.html
Soltani, S., & Seno, S. A. (2017, October 26). A survey on digital evidence collection and analysis. In ICCKE 2017: 7th International Conference on Computer and Knowledge Engineering. Mashhad, Razavi Khorasan Province, Iran.
US SEC. (2018). Form S-1. Retrieved from https://www.sec.gov/Archives/edgar/data/1145057/000162828018003319/forescouts-1.htm
Vogeler, W. (2018, June 15). Social media companies must comply with subpoenas for user communications. FindLaw. Retrieved from https://lp.findlaw.com/
Watson, S., & Dehghantanha, A. (2016). Digital forensics: The missing piece of the Internet of Things promise. Computer Fraud & Security, 2016(6), 5-8.
Woods, L. (2018, December 12). Artificial Intelligence and Internet of Things Convergence (AIoT) markets to 2023 - IoT will represent 83% of the entire AI chipsets market by 2023. GlobeNewswire. Retrieved from https://globenewswire.com/news-release/2018/12/12/1666057/0/en/Artificial-Intelligence-and-Internet-of-Things-Convergence-AIoT-Markets-to-2023-IoT-Will-Represent-83-of-the-Entire-AI-Chipsets-Market-by-2023.html
Yakubu, O., Adjei, O., & Babu, N. (2016). A review of prospects and challenges of the Internet of Things. International Journal of Computer Applications, 139(10).
Zhang, H., Chen, L., & Liu, Q. (2018, March). Digital forensic analysis of instant messaging applications on Android smartphones. In 2018 International Conference on Computing, Networking and Communications (ICNC) (pp. 647-651). IEEE.