Computer Forensics: Embedded Device Analysis and Examination Steps
Nowadays, digital devices are everywhere and everything is connected via the Internet. These devices include digital watches, gaming consoles, multimedia appliances, etc. The growing use of such devices brings greater attention to embedded devices forensics. This article is concerned with forensic analysis of embedded devices and shows the examination steps that should be followed. Furthermore, it describes how this workflow is different when examining mobile phones. Finally, it enumerates the data recovery and analysis techniques that are used in embedded device forensics.
What Is an Embedded Device/System?
Embedded systems, unlike multitasking personal computers, are whole computer systems dedicated to performing one precise function. In other words, they are designed to do one job and to do it well. These systems vary in size as well as in complexity and function. They range from tiny portable devices like digital watches and MP3 players to large ones like traffic light controllers or supervisory control and data acquisition (SCADA) controllers. They can have low complexity, like a single micro-controller chip used to open and close a gate, or very high complexity, like multiple complex embedded systems gathered to automate an aircraft. Embedded systems are hugely widespread. They are surrounding us in every type of situation one can possibly imagine: consumer electronics, industrial control, military devices, networking systems, telecommunications, the medical industry, power plants, etc. As a matter of fact, they are used to control an enormous variety of situations on a regular daily basis. Thus, these systems can provide vast amounts and different kinds of information and data that can be used for many purposes, such as crime investigations and forensic examination.
What Is Embedded Device Forensics?
A cyber-forensics professional uses embedded systems that are consumer electronic devices, like music players, gaming consoles, personal data assistants, and global positioning system (GPS) devices to identify digital reliable evidence in order to answer legal questions in a court of law.
What Are the Examination Steps in Embedded Device Forensics?
Many steps need to be followed in a forensic examination. To begin with, preserving stored data is the primary task of all cybercrime investigators. Since data is often a volatile commodity, any electronic device or potential digital evidence related to the case must be secured. Once data has been preserved and secured, the next step is collecting and managing evidence. This process must be carried out properly or the veracity of the investigation may be compromised and entire cases may be lost even before any analysis begins. Attention must be paid to every single detail because it can make all the difference. Evidence must be relevant and reliable and it is not an easy job to exactly determine what we should consider as evidence in the first place. In addition, the techniques and technologies used must be ultimately appropriate. Besides, all applicable rules and laws must be followed; the evidence needs to be acquired legally or it will be disallowed by the court. The next step is data analysis, a crucial process that needs to be dealt with carefully. The cyber-forensics examiner will examine the embedded system, looking for relevant evidence. This procedure should lead to a report about files or data related to the underlining investigation. Then comes the final step: Reporting and presenting. No one can deny that converting data into evidence to be presented before a trial is an art unto itself. But it is challenging to maintain the authenticity of the evidence while converting it to a suitable format for presentation. Integrity, reliability, skill, and objectivity are key tributes in the whole process.
How Is This Workflow Different When Examining Mobile Phones?
Here are some sections highlighting embedded systems as well as the data contained on their storage media and related to forensic examination.
Gaming Consoles: Actually, their basic components can be very similar to those found in a desktop computer. They are even able to run traditional operating systems like Linux. These embedded systems contain a sizable internal hard drive capable of holding any type of data. In various cases, gaming consoles were used to host contraband images instead of games.
Digital Video Recorders (DVRs): DVRs are not simply TV recording machines. They are a specific kind of computer with large internal hard drives. Thus, these devices can easily be modified to hold any type of data, like pirated software, contraband images, or any kind of illicit content.
Global Positioning System Devices: Wherever you go, your GPS will always know. GPS devices keep track logs, containing a series of points that show the device’s location at specific points of time. Often, these track logs are not user-accessible or detectable. They can play the role of a secret detective undercover recording location data over the years, even after deleting user-accessible data. During the investigation, this location data is crucial to revealing the locations of suspects, victims, other potential crime scenes, other evidence, and to provide strong links between digital and physical evidence.
Networking Devices: Many network services are provided by small office and non-office routers. The routers maintain some level of logging that can be used to obtain crucial information in cases. The logs may reveal an external IP address of a hacker or provide evidence of unauthorized devices attached to the network. Data extraction from these devices depends on the media in place, such as flash memory, disks, or embedded hard drives.
Raspberry Pi and System on a Stick: The Raspberry Pi is a credit card-sized board used to build an embedded system. The boards are available online and are accessible to a wide range of people for wider range of uses: building arcade machines, tablet computers, and home security systems. Live forensics can be performed while such systems are running.
Printers: Large networked printers also have hard disks. Print jobs are often saved in a TIFF image file format or sometimes in a PostScript file format. Unallocated space on the hard disk might be very useful. File carving through it can recover old print jobs that could possibly be related to the case. Adding to that, some printers’ log files contain data such as user names, IP addresses, and timestamps that could be of evidentiary value. Some of the large network printers run web services to receive scanned documents and faxes that might reveal valuable evidence.
Scanners: Big networked scanners contain hard drives that cache scanned documents before delivery. During the investigation, forged documents can be obtained. A forensic examiner can link copied documents to the hardware that made the copy.
Fax Machines: These devices save logs on internal flash storage or a hard drive capable of detailing the sender and receiver fax numbers, date/time stamp of transmission, and even a copy of a transmitted document.
Answering Machines and Voice Records: These devices provide recorded data. If the recording was deleted, recovering data is also possible. It requires removing the flash memory chip, reading the unallocated space and file carving for sound files.
What Data Recovery and Analysis Techniques Are Used in Embedded Device Forensics?
Data analysis is about transforming raw data into meaningful information. This involves, for example, reconstructing a file system or decoding call stacks from embedded device data, reconstructing a track log from GPS data, producing a timeline from SCADA data, etc. One sound analysis approach could be dividing the analysis process into two phases: the hardware analysis phase and the software analysis phase. The first focuses on hardware specifications, characteristics and modification, while the latter focuses on the installed software or firmware.
In this article, we looked at forensic analysis of embedded devices. We enumerated various types of embedded devices and pointed out some data recovery and analysis techniques in embedded device forensics. The conclusion that can be drawn is that the more embedded devices are proliferating, the more forensic experts are concentrating efforts on research and development into all types of embedded devices.