IoT: The Investigator’s Goldmine


The world of IoT (Internet of Things) is growing at an exponential rate. Coffee machines, thermostats, AC vents, door locks…everything you touch has been or can be converted to Bluetooth or Wi-Fi. This can make a digital investigation difficult because no single tool can forensically image IoT devices, with their growing varieties and formats. However, IoT devices are rarely standalone products; they are controlled and accessed through a peripheral device, usually a laptop, mobile phone, or a cloud server. Forensically imaging these controlling peripherals is significantly more effective, and it can usually be done with one tool. This article details Magnet Forensics’ Internet Evidence Finder (IEF) and its IoT data recovery capabilities through peripherals and describes a recent case where IoT data has been critical to prosecutors.

No matter what IoT device you may come across during an investigation, it’s important to remember that each of those devices can be, and usually has been, controlled by an external peripheral device. The devices that control them are almost always something that can be forensically imaged. Cell phones can control much more than email accounts, chat apps, and your toaster, and can contain more than just text messages and geolocation data.

Amazon Alexa

Utilizing IEF, an investigator can recover telling data from Alexa, Amazon’s system for operating its various internet appliances. The Alexa-enabled devices are controlled by a person’s voice and sets of commands. The appliance can be connected to and control a home’s lights, toaster, and other devices. Importantly, the Alexa appliance, like other home internet appliances, listens for commands and stores the audio it hears. Alexa can also be controlled through a cell phone by installing the Alexa App. Instead of attempting to recover data from the different versions of the Alexa appliance itself or petitioning to release that data, an investigator can recover data from the controlling cell phone using a tool he probably already has.

For instance, an investigator can recover Amazon Alexa Audio Activity. This data artifact includes details about the audio activity detected by the Amazon Alexa App over time. To recover this data, information is retrieved from the cell phone application’s cached data. While it may not represent a complete record of the user’s activities, the information may still be relevant to an investigation.

Another data artifact an investigator can recover is Alexa Device Information. This data artifact contains details about Alexa-enabled devices, including the Nucleus Anywhere Intercom, which allows you to connect with family and friends no matter where they are. An investigator can also recover Alexa Tasks, a data artifact that contains details about shopping lists and other tasks tracked by and contained in the application. It also contains information about Amazon API resources contacted by the Alexa app. Amazon’s Voice Service API allows developers or individuals to voice-enable connected products with a microphone and speaker. This gives the peripheral access to and full control over everything the Alexa app has to offer. This means that an individual can use everything inside of the Alexa app without having an Alexa dedicated device such as the Amazon Echo, Echo Dot and Echo Look.

FitBit Fitness Tracker

The Fitbit fitness tracker is another IoT device that has controlling peripherals. Unlike the Alexa appliance, which stays at home, the FitBit is a device that a person wears every day wherever he or she goes. It looks like a narrow, rubber watch. Like Alexa, the FitBit’s controlling peripherals are better suited to forensic examination than the device itself. As of February 2017, the FitBit company produced eight different wearable devices and had 23.2 million active users. These devices are designed to be worn almost all the time; they track the wearer’s physical activity while worn and transfer the data to an application that stores and analyzes the data and then makes recommendations on diet, sleep habits, and workouts. The integrated application can be installed on over two hundred internet connected devices, which means its data can be recovered from those controlling peripherals using IEF. Fitbit Steps, which specifies information about how many steps are taken while wearing the Fitbit, is only one kind of physical activity the FitBit tracks. The Fitbit Steps data became critical evidence for prosecutors in a murder case out of Connecticut earlier this year.

A man charged with murdering his wife found his story challenged by the data recovered from his dead wife’s FitBit device. Investigators recovered data from her FitBit that showed the wife’s last movements were at 10:05am, which is about one hour after her husband said she was attacked.

The data obtained from the FitBit is one piece of a large, complex investigation. The investigators in this case combined evidence, including several digital fingerprints from other devices, to support the Fitbit evidence. Facebook activity and messages were examined to determine whether the suspect made incriminating statements to friends or family. In addition, cell phone records were pulled to gain a more thorough understanding of behavior.
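The cross-checking described above can be sketched as a merged timeline that is tested against a stated time. This is an added example, not code from the article or from IEF; the records, dates, claimed time, and function names are constructed for illustration, and all sources are assumed to share one time zone.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data, not taken from any real case or tool export.
# (timestamp, steps): per-minute rows as a tracker's companion app might cache them.
STEP_ROWS = [
    ("2000-01-01 08:40", 62),
    ("2000-01-01 08:41", 0),
    ("2000-01-01 09:18", 41),
    ("2000-01-01 10:04", 17),
    ("2000-01-01 10:05", 9),
    ("2000-01-01 10:06", 0),
]
# (timestamp, source, detail): rows from other imaged peripherals.
OTHER_ROWS = [
    ("2000-01-01 08:58", "phone", "outgoing text message"),
    ("2000-01-01 09:40", "laptop", "social media post"),
]

def build_timeline(step_rows, other_rows):
    """Merge all sources into one chronologically sorted list of events."""
    events = [(datetime.strptime(ts, FMT), "tracker", f"{n} steps")
              for ts, n in step_rows if n > 0]  # zero-step minutes are not movement
    events += [(datetime.strptime(ts, FMT), src, what)
               for ts, src, what in other_rows]
    return sorted(events)

def last_movement(step_rows):
    """Timestamp of the last minute with a non-zero step count, or None."""
    moving = [datetime.strptime(ts, FMT) for ts, n in step_rows if n > 0]
    return max(moving) if moving else None

def after_claim(timeline, claimed, skew=timedelta(minutes=5)):
    """Events later than the claimed time by more than the allowed clock skew."""
    return [event for event in timeline if event[0] > claimed + skew]

if __name__ == "__main__":
    claimed = datetime.strptime("2000-01-01 09:00", FMT)  # constructed statement time
    timeline = build_timeline(STEP_ROWS, OTHER_ROWS)
    print("last movement:", last_movement(STEP_ROWS))
    for when, source, detail in after_claim(timeline, claimed):
        print(f"{when:%H:%M}  {source:8} {detail}")
```

The skew allowance matters because device clocks drift independently; an event only a few minutes past the stated time is weak evidence until the clocks have been reconciled.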

This case illustrates the important role that supporting and corroborating evidence plays in every case. Supporting evidence, such as the data from IoT devices, cell phones, and social media, was critical in developing, building, or rejecting investigative hypotheses. Note that in order to examine cell phone records, an investigator can subpoena the calls from the cellphone provider in addition to performing a forensic image of the cell phone. Imaging the cell phone will allow the investigator to examine call logs, text messages, and photos. The investigator can then image the laptop or desktop, which allows the investigator to view internet browser history, deleted files, emails, Facebook chat and a slew of other potential pieces of evidence. The data available for recovery varies by device and by security settings.

Another recent issue related to FitBit and other fitness trackers involved the accidental disclosure of multiple secret military sites around the world. The Global Heat Map published by GPS tracking company Strava shows where people have been running over the last several years, and inadvertently reported the locations where soldiers had been exercising. While much of the disclosure was related to well-known military installations, there were also multiple instances of unknown outposts reporting data from areas in conflict zones.

IoT devices may provide a new level of convenience and insight for their users, but their controlling peripheral devices like smartphones and laptops provide new levels of insight for investigators.

About the Authors

Nicholas Dearman, ACE, MCFE is a certified, licensed forensic investigator at McCann Cyber. His work focuses on cyber forensics, incident response, and investigations, as well as digital tracking and location. He is a published author featured in The Texas Investigator.

About McCann Investigations

In today’s complex legal cases, evidence is rarely singularly digital or traditional, but begins in one realm and quickly crosses over into the other. The days of an investigation involving merely taking statements and photocopying documents are all but things of the past. Modern evidence gathering requires the agility to go where the evidence leads, no matter the source.

This not only means overcoming the challenge of understanding the ever-evolving web of digital evidence, but owning the entire evidentiary space: the nexus of both the digital and the non-digital.

McCann runs the table in this space. We either have the digital or traditional expert you need on staff, or we know that expert… personally. McCann operates its own dedicated state-of-the-art digital forensics lab, staffed with certified technicians, supplemented with veteran law enforcement investigators, cybersecurity experts, and certified fraud examiners. McCann is the only turnkey solution for the gathering, processing, analyzing, and reporting of all types of evidence, no matter the source. Our team, drawn from both government service and private industry, has the resources, knowledge, and experience to provide expert testimony ensuring the evidence is both relevant and defensible in all proceedings.

McCann Investigations IS that nexus.

