Electromagnetic Side-Channel Analysis Methods for Digital Forensics on Internet of Things
Sayakkara, Asanka
Publication Date: September 2020
Publication Name: PhD Thesis, School of Computer Science, University College Dublin
Abstract: Modern legal and corporate investigations heavily rely on the field of digital forensics to uncover vital evidence. The dawn of IoT devices has expanded this horizon by providing new kinds of evidence sources that were not available in traditional digital forensics. However, unlike desktop and laptop computers, the bespoke hardware and software employed on most IoT devices obstruct the use of classical digital forensic evidence acquisition methods. This situation demands alternative approaches to forensically inspect IoT devices. EMSCA is a branch in information security that exploits EM radiation of computers to eavesdrop and exfiltrate sensitive information. A multitude of EMSCA methods have been demonstrated to be effective in attacking computing systems under various circumstances. The objective of this thesis is to explore the potential of leveraging EMSCA as a forensic evidence acquisition method for IoT devices. Towards this objective, this thesis formulates a model for IoT forensics that uses EMSCA methods. The design of the proposed model enables the investigators to perform complex forensic insight-gathering procedures without having expertise in the field of EMSCA. In order to demonstrate the function of the proposed model, a proof-of-concept was implemented as an open-source software framework called EMvidence. This framework utilises a modular architecture following a Unix philosophy, where each module is kept minimalist and focused on extracting a specific forensic insight from a specific IoT device. By doing so, the burden of dealing with the diversity of the IoT ecosystem is distributed from a central point into individual modules. Under the proposed model, this thesis presents the design, the implementation, and the evaluation of a collection of methods that can be used to acquire forensic insights from IoT devices using their EM radiation patterns.
These forensic insights include detecting cryptography-related events, firmware version, malicious modifications to the firmware, and internal forensic state of the IoT devices. The designed methods utilise supervised ML algorithms at their core to automatically identify known patterns of EM radiation with over 90% accuracy. In practice, the forensic inspection of IoT devices using EMSCA methods may often be conducted during the triage examination phase using moderately-resourced computers, such as laptops carried by the investigators. However, the scale of the EM data generation with fast sample rates and the dimensionality of EM data due to large bandwidths necessitate rich computational resources to process EM datasets. This thesis explores two approaches to reduce such overheads. Firstly, a careful reduction of the sample rate is found to reduce the generated EM data by up to 80%. Secondly, an intelligent channel selection method is presented that drastically reduces the dimensionality of EM data by selecting 500 dimensions out of 20,000. The findings of this thesis pave the way to noninvasive forensic insight acquisition from IoT devices. With IoT systems increasingly blending into day-to-day life, the proposed methodology has the potential to become the lifeline of future digital forensic investigations. A multitude of research directions are outlined, which can strengthen this novel approach in the future.
BibTeX Entry:
@phdthesis{sayakkara2020PhDEMSideChannelIoT,
title="{Electromagnetic Side-Channel Analysis Methods for Digital Forensics on Internet of Things}",
author={Sayakkara, Asanka},
school={School of Computer Science, University College Dublin},
month=09,
year=2020,
address={Dublin, Ireland},
abstract={Modern legal and corporate investigations heavily rely on the field of digital forensics to uncover vital evidence. The dawn of IoT devices has expanded this horizon by providing new kinds of evidence sources that were not available in traditional digital forensics. However, unlike desktop and laptop computers, the bespoke hardware and software employed on most IoT devices obstruct the use of classical digital forensic evidence acquisition methods. This situation demands alternative approaches to forensically inspect IoT devices. EMSCA is a branch in information security that exploits EM radiation of computers to eavesdrop and exfiltrate sensitive information. A multitude of EMSCA methods have been demonstrated to be effective in attacking computing systems under various circumstances. The objective of this thesis is to explore the potential of leveraging EMSCA as a forensic evidence acquisition method for IoT devices. Towards this objective, this thesis formulates a model for IoT forensics that uses EMSCA methods. The design of the proposed model enables the investigators to perform complex forensic insight-gathering procedures without having expertise in the field of EMSCA. In order to demonstrate the function of the proposed model, a proof-of-concept was implemented as an open-source software framework called EMvidence. This framework utilises a modular architecture following a Unix philosophy, where each module is kept minimalist and focused on extracting a specific forensic insight from a specific IoT device. By doing so, the burden of dealing with the diversity of the IoT ecosystem is distributed from a central point into individual modules. Under the proposed model, this thesis presents the design, the implementation, and the evaluation of a collection of methods that can be used to acquire forensic insights from IoT devices using their EM radiation patterns.
These forensic insights include detecting cryptography-related events, firmware version, malicious modifications to the firmware, and internal forensic state of the IoT devices. The designed methods utilise supervised ML algorithms at their core to automatically identify known patterns of EM radiation with over 90% accuracy. In practice, the forensic inspection of IoT devices using EMSCA methods may often be conducted during the triage examination phase using moderately-resourced computers, such as laptops carried by the investigators. However, the scale of the EM data generation with fast sample rates and the dimensionality of EM data due to large bandwidths necessitate rich computational resources to process EM datasets. This thesis explores two approaches to reduce such overheads. Firstly, a careful reduction of the sample rate is found to reduce the generated EM data by up to 80%. Secondly, an intelligent channel selection method is presented that drastically reduces the dimensionality of EM data by selecting 500 dimensions out of 20,000. The findings of this thesis pave the way to noninvasive forensic insight acquisition from IoT devices. With IoT systems increasingly blending into day-to-day life, the proposed methodology has the potential to become the lifeline of future digital forensic investigations. A multitude of research directions are outlined, which can strengthen this novel approach in the future.}
}