Internet of Things 19 (2022) 100544

Contents lists available at ScienceDirect

Internet of Things
journal homepage: www.elsevier.com/locate/iot

Review article

Advanced digital forensics and anti-digital forensics for IoT systems:

Techniques, limitations and recommendations
Jean-Paul A. Yaacoub a,b , Hassan N. Noura a , Ola Salman c ,∗, Ali Chehab c
a Univ. Bourgogne Franche-Comté (UBFC), FEMTO-ST Institute, CNRS, Belfort, France
b Arab Open University, Department of Computer Sciences, Beirut, Lebanon
c
American University of Beirut, Department of Electrical and Computer Engineering, Lebanon

ARTICLE INFO ABSTRACT

Keywords: Recently, the number of cyber attacks against IoT domains has increased tremendously. This
IoT digital-forensics resulted into both human and financial losses at all IoT levels especially individual and
IoT anti-forensics organization levels. Recently, cyber-criminals have kept on leveraging new skills and capabilities
Anti-anti-forensics techniques
by conducting anti-forensics activities and employing techniques and tools to cover their tracks
Counter anti-forensics
to evade any possible detection of the attack’s events, which has targeted either the IoT system
Internet of things forensics
Internet of Forensics Things
or/and its component(s). Consequently, IoT cyber-attacks are becoming more efficient and more
IoT digital forensics investigation sophisticated with higher risks and threat levels based on their more frequent likelihood to occur
IoT source of evidences and their impact. However, traditional security and forensics solutions are no longer enough
Protecting and preserving IoT evidences to prevent nor investigate such cyber attacks, especially in terms of acquiring evidence for
attack investigation. Hence, the need for well-defined, sophisticated, and advanced forensics
investigation techniques is highly required to prevent anti-forensics techniques and track down
cyber criminals. This paper reviews the different forensics and anti-forensics methods that
can be applied in the IoT domain including tools, techniques, types, and challenges, while
also discussing the rise of the anti-anti-forensics as a new forensics protection mechanism
against anti-forensics activities. This would help forensics investigators to better understand
the different anti-forensics tools, methods and techniques that cyber criminals employ while
launching their attacks. Moreover, the limitations of the current forensics techniques are
discussed, especially in terms of issues and challenges. Finally, this paper presents a holistic view
from a literature point of view over the forensics domain in general and for IoT in particular.

1. Introduction

In IoT forensics, investigators aim to retrieve digital evidence from digital and cyber/physical devices including network devices,
computers, smart and mobile sensors and devices, as well as drones and robots. Unfortunately, the recent forensics investigations
seem not to be very effective due to the increasing use of anti-forensics techniques. In fact, current forensics approaches suffer from
different technical flaws due to the adoption of anti-forensics tools to avoid detection. The anti-forensics techniques are used to
disable and distort forensics investigation by attacking the forensics tools or by deleting, hiding or encrypting the evidence itself.
More specifically, some anti-forensics tools are used to compromise the integrity of evidences. In this paper, the existing forensics
techniques are reviewed including the sub-domains of IoT such as computer, mobile, network, clouds, digital, malware forensics,

∗ Corresponding author.
E-mail address: oms15@mail.aub.edu (O. Salman).

https://doi.org/10.1016/j.iot.2022.100544
Received 29 December 2021; Received in revised form 28 March 2022; Accepted 10 May 2022
Available online 23 May 2022
2542-6605/© 2022 Elsevier B.V. All rights reserved.
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

where the anti-forensics techniques and activities are also described and classified. Recently, the anti-anti-forensics or counter anti-
forensics techniques appeared to defend the forensics tools and techniques against anti-forensics activities. Therefore, the importance
of forensics and anti-anti-forensics will be highlighted to identify the anti-forensics attempts that target the evidence.
Lately, not enough focus was given to the digital forensics domain, especially, in some fields such as the Internet of Things
(IoT) and Cyber–Physical Systems (CPS). Therefore, this paper aims to develop a robust knowledge about recent forensics and anti-
forensics approaches, methods, techniques, tools, towards reducing and preventing the causes and consequences of cyber attacks.
Therefore, one of the paper objectives is to provide a better understanding of the digital forensics and anti-forensics domains.

1.1. Contributions

This paper’s contributions can be summarized in the following points:

• Identifying & Classifying: digital forensics domains, techniques, tools, while also presenting their different approaches along
their limitations, especially in IoT domains that can contain limited and resource-constrained IoT devices.
• Identifying & Classifying: anti-forensics activities, techniques and tools that can be applied in IoT systems, along with their
outcomes and consequences.
• Including: the limitations and challenges that digital forensics investigators encounter during their investigation in general
and in IoT in particular.
• Discussing: Counter Anti-Forensics (CAF) or Anti-Anti-Forensics (AAF) in terms of detection using machine learning methods,
and in terms of prevention using evidence availability (preserving) solutions to protect digital evidences retrieved from IoT
systems and devices.
• Highlighting: the most persistent digital forensics challenges, especially in IoT systems.
• Proposing: various suggestions and recommendations which are included to overcome the existing challenges and to enable
efficient forensics investigations that are efficient and suitable for the IoT domain.

1.2. Related work

Many surveys were conducted and solely focused on how to investigate incidents related to cyber-crimes from a forensics
viewpoints and how to mitigate this threat that targets one or many IoT systems [1–4], while separately discussing digital forensics
tools depending on the forensics type (network, malware, memory, etc.) [5–7], especially against cyber-crimes [8,9]. The main issue
is that most of the presented work only focused on one aspect of digital forensics and did not cover the remaining forensics topics
in general. This work comes in addition to the already presented work by providing additional information based on the recent
Internet of Forensics Things (IoFT) concept.
Also, anti-forensics techniques were presented in [10–12] to show how these techniques can be adopted by cyber-criminals to
cover their traces and how to also hinder any forensics investigation. Despite highlighting the main anti-forensics techniques, these
papers were rather specific on covering certain aspects rather than giving a full insight on all the existing anti-forensics techniques
that are being mainly adopted despite presenting a detailed analysis on this matter. Our paper’s aim is to carry on with the already
presented work by providing additional and recent information about this regard, as well as the main anti-forensics techniques and
tools that are being currently adopted and introduced to provide new information and insight and to keep up with the forensics and
IoT domains.
The big data concept which was also presented and discussed in [13], was taken into consideration as a serious challenge from a
forensics view point especially in clouds as discussed in [14,15]. This was further highlighted and discussed in our paper, especially
in relation to the forensics concept in the IoT domain with more explanatory details. Moreover, the anti-anti-forensics or counter
anti-forensics which was described in [16], was further presented and analyzed in our work, highlighting additional analysis and
presented solutions and tools. Thus, being among the first to discuss the anti-anti-forensics or counter anti-forensics aspect.
In addition to all of the mentioned above, this paper presents a detailed analytical understanding of the forensics domain in
terms of IoT including the chain of custody, evidence source, forensics types, available tools and approaches. The anti-forensics
domain is also presented including its aspects, techniques, tools and approaches.
A broader range of forensics challenges is also presented and analyzed especially in relation to the IoT domain. Finally, privacy
preserving of digital evidences’ aspect was also presented in this work from a forensics viewpoint in respect to users’ privacy and
evidences’ integrity by preserving the evidence and without altering it from any IoT device. In other terms, this paper covers all the
topics that are separately presented by the other fellow researchers’ work, and also develops its own perspective on forensics/anti-
forensics techniques. This will help our fellow researchers and colleagues to broaden their search, knowledge and understanding
abilities.

1.3. Problem formulation

Cyber-crimes are expanding daily, and the use of anti-forensics techniques and activities is also increasing. As a result, this
made it difficult to retrieve traces and gather evidences in regards of starting a forensics investigation. This paper aims to identify
the different forensics and anti-forensics approaches for a better understanding and further enhancements and precautions against
anti-forensics activities.

2
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 1. An Example of IoT system with 𝑛 IoT devices, and 𝑚 servers.

1.4. Organization

This paper is divided into seven sections aside the introduction and is presented as follows: In Section 2, the background of the
IoT forensics domain is introduced, while forensics data and forensics investigators are also classified and presented, along with the
concept of cyber-threat, cyber-crimes and forensics chain-of-custody being discussed. Section 3, detailed and discussed the IoT digital
forensics sub-domains such as computer, network, cloud/fog, malware, memory, mobile forensics, including their techniques and
tools. In Section 4, the IoT digital forensics challenges were presented, detailed and discussed, especially technical, cryptographic,
operational, legal, investigative, mobile and device, big data, and educational challenges. In Section 5, the anti-forensics sciences
was presented by detailing and analyzing its main aspects and techniques. As for Section 6, the anti-anti-forensics or the counter
anti-forensics science concept was presented where both prevention and detection techniques were highlighted and analyzed. Both
suggestions and recommendation for IoT forensics or Internet of Forensics Things (IoFT) were presented in Section 7. In Section 8,
this paper’s work is concluded with an insight about the future work regarding the newly introduced counter anti-forensics or
anti-anti-forensics topics.

2. Background - IoT forensics domain

In this section, both necessary background and overview are presented to further explain the digital forensics concept for IoT
systems, in addition to the description of the digital forensics mechanisms, where the data classification is highlighted. Moreover, the
cyber-crimes aspects are discussed from a digital forensics point of view, in addition to identifying and classifying IoT cyber-threats.

2.1. IoT systems

Unfortunately, in IoT, systems, applications and (resource-constrained) devices are still prone to ongoing persistent challenges
which security professionals are on a constant race to try and grasp the outgrowing threat, and understand the main vulnerabilities
that surround them to present suitable security solutions via the reliance and on the digital forensics concept and its appliance to
the IoT domain.
As shown in Fig. 1, an IoT network consists of IoT devices that are connected to a data center (or application servers) through a
gateway. The communication between IoT devices and the gateway is wireless, of which IoT devices can be interconnected through
several gateways.
In fact, the digital forensics domain, aside ethical hacking, is now being extensively used in IoT systems, applications, devices,
mobile devices, servers, and networks to investigate IoT-related events and incidents. As a result, the Internet of Forensics Things
(IoFT) concept was added to the other IoT-related domain including but not limited to: Internet of Medical Things (IoMT) [17],
Internet of Robotic Things (IoRT) [18,19], Internet of Cyber–Physical Things (IoCPT) [20], Internet of Communication Things (IoCT)
(i.e LoRaWAN) [21], Internet of Powerlines of Things (IoPLT) [22], Internet of Agricultural Things (IoAT), and Internet of Military
Things (IoMT)/Internet of Battlefield Things (IoBT) [23].

3
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 2. A set of possible IoT Applications.

Thus, presenting the introduction of a new forensics concept being integrated in the IoT domain to form the Internet of Digital
Forensics Things (IoDFT) and Internet of Forensics Things (IoFT). However, recently, a set of anti-digital forensics mechanisms were
also presented to remove or modify evidences or even to prevent their recovery (via encryption or hiding them) to cover and prevent
forensics investigators from tracking and tracing these attacks. Unfortunately, these approaches can also be applied in IoT systems,
where attackers are constantly trying to use them to launch indirect attacks such as the well known Mirai DoS attack against IoT’s
resource-constrained devices [24,25].
In the following, we describe a set of IoT applications.

2.2. Iot applications

Fig. 2 shows a set of possible applications that benefit from the IoT system, where they are briefly described below:

• Health-care systems: Health-care systems are shifting towards digitization and remote diagnosis, monitoring, and tele-
operations, where medical operations are relying more and more on the use of IoT end devices to perform medical surgeries
and operations with high accuracy and with the least error margin. In addition to that, the IoT concept is being also introduced
in the rescue domain allowing first responders (i.e medics, firefighters, etc.) to act in a timely manner with the least possible
(traffic/available personnel) delay(s) [26]. Hence, it is important to adopt the forensics aspect part since most of the IoMT
devices and servers are prone to cyber-attacks, as recent attacks have proven to be vital for the lessons learnt on how to
improve it [27].
• Smart grids: especially in cyber–physical systems and smart cities, which are part of the Industrial IoT (IIoT), are considered as
the next generation of electrical power distribution and transmission systems, since they use a combined bidirectional stream
of power and data. Powergrids are a prime example of that case such as the cyber-attacks against powergrids in the US, Israel,
Iran and Ukraine [28–30]. Moreover, Smart grids allow both service providers and customers to monitor and have control
over pricing, production and consumption in a real-time manner while relying on Industrial Control Systems (ICS) and other
smart devices, systems and servers to maintain the operability and inter-operability of the Internet of Cyber–Physical Things
(ICPT) domain [20]. Also, the reliance on smart power-lines communication systems which were also implemented in the
IoT, introducing the new Internet of Powerlines of Things concept [22] has increased the need for more forensics tools to be
adopted.
• Decentralized Smart Building Control: especially in smart homes, apartments and buildings, where this application relies
on sensors that are deployed and interconnected in a wireless manner inside a building [31]. The information gets exchanged
among the various sensors for tracking events and proper reaction, by relying on the intranet and internet concepts to ensure
internal and external communication. Hence it is important to rely on the forensics domain to ensure that the adopted forensics
tools are more timely, accurate and more resistant to anti-forensics techniques.
• Traffic Control Systems: Intelligent traffic control systems and their introduction into the IoT domain offer many advantages
such as early detection of ambulance flashing lights, preventing accidents, collecting traffic data [32], and alarming early
drivers about traffic congestion and road closures [33]. The reliance on the forensics tools is based on the lessons-learnt
from previous unfortunate events (cyber/physical) attacks against traffic control systems and devices to ensure how to evade
cyber-attacks by ensuring an early detection and faster response.

4
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 3. Forensics data classification in IoT, where the red circle represents the most important part.

• Military and Law Enforcement Systems: the modernization of law enforcement and police systems and devices in the new
digital era has show a remarkable timely improvement in terms of countering both domestic crimes and terrorism [34], as
well as cyber-crimes (i.e state sponsored or hacktivism). This proved to be very effective especially when it comes to road
inspection and monitoring, border patrols, thermal/motion sensors, (armed) border trespassing, infiltration or raids [35,36].
Also, the introduction of underwater equipment [37], camouflage [38], Electronic Measures (EM) and Electronic Counter-
Measures (ECM) to ensure the Explosive/Bomb Ordnance Disposal (E/BOD), as well as a higher mine/IED detection capabilities
depending on the IED/mine type and the terrain. Counter-terrorism, counter-insurgency and counter-piracy, along with counter
cyber-terrorism and cyber/electronic-warfare and the use of robots are among the other main key specialities and tasks, aside
the use of smart munition and surveillance/reconnaissance, humanitarian or evacuation missions. Moreover, the reliance on
communications and ammunition/weapons storage that are part of the Internet of Military Things (IoMT) [39], and Internet
of Battlefield Things (IoBT) [40]. Hence the reliance on forensics tools to learn from the already investigated events to ensure
a higher level of detection, response and mitigation. Robots are also being used in search of the remains of missing military
personnel of previous conflicts, or rescue people (injured, trapped or stranded) in need following a disaster [41].
• Robotic Systems: which their integration in the IoT domain covering many fields (i.e medical, agriculture, search and rescue,
military, law enforcement, industry, etc.) introduced the new Internet of Robotic Things (IoRT) concept, sch as the use of:

– Robots: Unmanned Ground Vehicles (UGV), Unmanned Surface Vehicles (USV), Unmanned Underwater Vehicles (UUV)
and Unmanned Aerial Vehicles (UAVs) saw a remarkable adoption into the IoT domain such as border control [42],
traffic/suspect monitoring, biological discovery/research, agriculture, medical, combat, rescue, forensics filming, and
many other domains [18,19]. In this case, robots can also be an additional help to investigate forensics crimes and in
search for evidences in case of domestic/international terrorism or crime(s).
– Modular Robots: which are being integrated into the IoT domain due to their ability to establish a swarm robotic
communication [43], reshape and resize via self-configuration and self-healing processes by relying on sandboxing,
scaffolding and coating [44]. Since modular robots overcome the limitations of normal robotic systems, their adoption
to investigate forensics crimes makes the more likely to be adopted in a forensics search for missing personnel, stolen
IoT devices, targeted IoT systems etc.
– AI-based Robots: include the adoption of smart AI-based systems that to monitor the IoT network traffic, and evaluate
the IoT-based system performance.

In the following, we explain the digital forensics and its corresponding classification in detail.

2.3. Forensics data classification

Till now, there is no unique nor standard uniform that classifies forensics data especially when being used in an IoT domain.
However, some of the existing classifications are somewhat similar. In [45], Halboob et al. identified the forensics data as being
Directly Accessible Data (DAD), Privacy-preserved Accessible Data (PAD), or Non-Accessible Data (NAD). However, in a more
granular way, in IoT, forensics data can be classified into four main categories (see Fig. 3), as listed in the following:

• Public and Irrelevant Data: This type of data does not present any useful information. It aims to ensure that investigations
are more time consuming and less accurate.
• Public and Relevant Data: This data can be modified and wiped beyond recovery by cyber-criminals to evade any detection
and eliminate any data that can serve as a possible evidence.
• Private and Irrelevant Data: This data can be encrypted or hidden by using data hiding techniques (e.g. steganography).
• Private and Relevant Data: This type of data serves as a hidden treasure for forensics investigators. In fact, this data can
reveal many information about the attackers, including their source, attack fingerprints, skills, experience and strategies, which
can help with tracking and identifying them.

5
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

IoT means that all the devices, services and systems are interconnected together via the Internet. This results in a massive
production of data that can introduce challenges related to privacy-preserving, big data, security and redundancy in different terms.
Indeed, these huge amounts of data are the result of the ongoing collection of data from millions of IoT active devices that are used
on a daily basis. It is therefore necessary to put in place new forensics mechanisms that can classify the relevance of data in-use.
These solutions can primarily be based on supervised Machine Learning Algorithm (MLA). Besides, any solution should take into
consideration the limitation of IoT devices, systems or services in order for it to be considered as efficient. This means that a simple
MLA can be implemented on IoT devices, whereas a complex one can be implemented at the application and/or network servers.
In IoT systems including digital systems, attackers will use anti-forensics techniques to prevent the recovery of any relevant
data (evidence) that can be useful to recover their identities or techniques. Therefore, the main challenge is to classify which data
is relevant and consequently define new countermeasures to preserve them by using a secure distributed solution such as [46] to
protect IoT devices log files by using a secret sharing variant.

2.4. Forensics investigators classification

Depending on the source of the retrieved data, whether its IoT-related or not, forensics investigators can be classified into three
categories:

• Physical Forensics Investigators: or traditional investigators rely on their expertise, knowledge, and experience to retrieve
physical forensics evidences, mainly from hardware equipment and devices.
• Logical Forensics Investigators: or Digital Forensics Investigators (DFI) are concerned about retrieving evidences from digital
devices, including software, operating systems, Portable Computers (PCs), laptops, or even smart-phones found at a crime
scene.
• Cyber Forensics Investigators: are involved in the recent world of IoT and its different fields/domains, including cloud/fog
services. This is due to IoT systems consisting of a set of emerging technologies. For this reason, the technical skills for any
investigator in this class should be high and diverse covering various IoT systems’ components including computers, networks,
cloud/fog, mobiles, etc.

2.5. Cyber-crimes

It is essential to identify a committed cyber-crime’s life-cycle to achieve a criminal goal, which is the same for any IoT system.
In the following, the cyber-crimes steps, cyber-threats and cyber-attacks are discussed in details.

2.5.1. Cyber-crime steps

Cyber-crimes are achieved by using predefined steps to commit various crimes such as hacking, phishing, spamming, or to
commit cyber-offense hate crimes, racism (racial discrimination/profiling) [47], anti-semitism [48], blackmails, bullying child/adult
pornography [49–53]. This paper presents the cyber-crime’s life-cycle as follows (see Fig. 4), which is a modified version of the main
cyber-crime phases presented in [54].

• Reconnaissance: This phase consists of collecting information by the attacker about the targeted victim(s) (individuals or
organizations) depending on an attacker’s objective, available budget and resources.
• Covert Attacks: Once the information is gathered, attacking plans and strategies are prepared according to their available
tools and techniques. Most of these attacks are conducted through covert channels using Virtual Private Networks (VPNs), The
Onion Router (TOR) or proxies. These attacks can be performed by:

– Insiders: or whistle-blowers, by being a rogue or unsatisfied employee recruited by a competitive organization to target
a rival company.
– Outsiders: by leading a covert remote attack through spamming emails that lure an employee to click on malicious links,
or visit malicious websites.

Finally, the types of attacks that can be performed by an attacker, in this phase, can be divided into two types:

– Direct Human Interaction Attacks: are performed through social and reverse engineering attack types [55,56].
– Indirect Human Interaction Attacks: are performed through phishing, spear phishing, whaling and vishing [57].

• Disclosing Information: Data/information disclosure is possible by using a covert malicious software/application being
installed on the victim’s system either through spamming or surveillance attacks to reveal business trade secrets, target an
organization’s reputation, intellectual property theft, or causing huge financial losses.
• Information Transfer: This phase includes copying the exposed information to a place, where it is easier for the attacker to
manipulate it without being detected. Most of the time, the exposed data might be encrypted, where decrypting would be time
consuming.
• Data Retrieval: Data can be retrieved in three main ways [54]:

(1) Is based on retrieving data instantaneously, but with a higher risk of being detected.

6
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 4. Cyber-crime cycle.

(2) Is based on retrieving data passively, which is a time consuming process but without the risk of being detected.
(3) Is based on creating a false-flag attack to divert the attention of the attacker towards another incident.

These attackers more time to retrieve the needed data and cover their tracks, with organizations taking months and even years
to recover from their losses.

2.5.2. Cyber-criminal classification

Cyber-criminal can be classified into three main categories:

• Worldwide Organised Groups (WOG): are geographically separated groups that operate (jointly/separately) locally, region-
ally, or even globally to cause a bigger damage against their intended target(s). These are the main reasons as in why this
group can be considered as the most powerful one especially in terms of experience, knowledge, skills and available tools
compared to other ones.
• Regional Organised Groups (ROG): operate locally or regionally within a limited geographical area and are limited in terms
of experience, knowledge, skills and available tools (script kiddies) compared to WOG.
• Individuals: are known as lone wolves and mainly operate locally. Their ability is limited especially in terms of available
manpower and skills to perform coordinated tasks compared to WOG and ROG.

These three cyber-criminals categories have shifted their focus on targeting IoT systems. Therefore, a risk management method
should be well-advised and prepared depending on the employed IoT systems and applications.

2.5.3. Cyber-crime structure

A cyber-crime’s type is defined depending on the cyber-criminal’s skills, knowledge, experience, available tools, resources,
and manpower. This also includes the level of structure, communication, collaboration and cooperation between different cyber-
criminals. In fact, and are not limited to cyber-attacks, but also to the money laundering in bitcoin cryptocurrency [58,59]. In this
regard, this work classifies cyber-crimes into four main types.

• Coordinated & Organized: Cyber-crimes are coordinated if they are performed simultaneously and in a professional,
experienced and synchronized manner. These crimes are mainly based on Web defacement or series Distributed Denial of
Service (DDoS) attacks compromising the availability of a given organization and preventing legitimate users from gaining
any access for a given period of time. This causes serious financial and economic losses. These cyber-crimes can also be used
to perform a cyber-heist against banks [60,61].
Organized cyber-crimes are conducted to exploit organizations’ vulnerabilities and security gaps to ensure a higher profit at a
lower risk [62] through the coordination and the collaboration between well-trained and skilled cyber-criminals. This is done
using anonymous covert connection types such as The Onion Router (TOR) [63] and the deep dark web [64,65] to evade any
detection.

7
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 5. Classification of cyber attackers.

• Uncoordinated & Disorganized: Uncoordinated crimes can be easily detected due to flaws in the carried out attacks. This is
due to the lack of experience, knowledge, communication, and synchronization between cyber-criminals. As for disorganized
attacks, there is a possibility to loose the attack’s tracks and fail to eliminate any possible evidence source. Thus, unfulfilling
the attacker’s main objective.
• Conventional: These crimes can be predictable, due to following a certain attack or hacking cycle, which makes it easier
to identify them. In fact, they can have serious impact and implications whenever they are conducted, especially if they are
coordinated and organized.
• Unconventional: This class of cyber-crimes is unpredictable and can be divided into two main types. The first type is related
towards conducting highly advanced attacks through the exploitation of unknown security gaps. The second type is based on
using advanced anti-forensics tools to erase data beyond recognition and recovery.

Fig. 5 includes the attackers’ types according to their intentions.

2.6. Cyber-threats

Threats occur from the risk and potential of having the occurrence of an accident, or a given attack. In fact, the types of the
existing threats can be summarized in Fig. 6. However, it is still not enough to really understand the source and nature of the attack.

2.6.1. Threat source

A cyber-threat source cannot be always easily tracked due to criminals relying on anonymous ways to perform their attack.
However, it can be classified as one of the following categories:

• Cyber-Criminals: are usually organized hacking groups or individuals that mainly conduct cyber-heist, bullying, blackmailing
or leaking private (financial, military, medical or governmental) information to malicious third parties through the deep dark
web for personal or monetary gains.
• Hacktivists: are usually hackers that aim to launch (distribute) denial of service or web defacement attacks as part of creating
a cyber-protest against a political party or a government.
• Cyber-Terrorists: aim to perform web-defacement and information leakage attacks targeting organizations, oil industries,
governmental and military installations as part of their cyber-jihad (i.e e-jihad, online extremism, propaganda, funding,
recruitment, etc.) [66–68].
• Cyber-Spies: usually target organizations, enterprises, governmental and military installations as part of conducting espionage
or/and sabotage operations.

8
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 6. Threat identification and classification.

In fact, the different types of threats sources aim to compromise IoT devices to launch an external attacks against other IT systems
(indirect attack) or against their internal system, where in case of external attacks, IoT devices will be the attack source. Following
each attack, these compromised IoT devices (or their corresponding systems) often contain key evidences that are essential to detect
and trace the source of these attacks.

2.6.2. Threat type

Depending on their nature, threats can be identified differently. For example, Stoneburner et al. defined a threat as being a
potential security breach that aims to accidentally trigger or exploit a specific vulnerability or security gap [69]. It is somehow
similar to a technical exposure. Therefore, identifying threats is not a straightforward task. However, this paper classifies them as
follows:

• Security Breach: is usually caused by the presence of weak security measures (gaps), or limited security measures that only
cover parts of the exploited system without applying the defense-in-depth mechanism, unless its a zero-day attack attempt.
• Cyber Attack: is primary caused through the exploitation of a given system, device or/and information via wireless
communications including networks and internet, by targeting its confidentiality, integrity, availability or/and authenticity.
• Physical Attack: is caused by criminals masqueraded as employees that breach into a given organization and physically
damage its systems and devices.
• Untested Application: applications that are untested are prone to various malicious and non-malicious security breaches,
including malfunctioning, abnormal performance, backdoors, rootkits and malwares including viruses and Trojans.
• Old Version Systems: that are not constantly/regularly updated are usually targeted by already known exploits/attacks,
leading to various security/privacy breaches.
• Exploitable Vulnerability: is an exploitable gap found in a given security program which upon its exploitation it allows a
given attacker to gain an unauthorized access to a given system/device.

Unfortunately, all the presented threat types target the IoT systems.

2.7. Forensics chain of custody

To accomplish a forensics investigation, a Chain-of-Custody [70] should be followed by any forensics investigator. This chain
consists of four phases, and they are described as follows:

(1) Identification: includes identifying the event and identifying the possible evidence(s). In fact, to investigate an incident,
two types of investigation skills are needed: soft investigations skills and hard investigation skills. This will achieve a
successful investigation to identify what happened, where it happened, how it happened, who was targeted, and who was
the attacker. These two types of skills can be defined as follows:

• Soft Digital Forensics Investigative Skills (SDFIK): include a strong cooperation and collaboration between forensics
investigators, the public, and the investigation team. Its main task is to assess a situation promptly and to help, identify
and differentiate between normal and suspicious events.

9
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 7. Classification of IoT digital forensics artifacts.

• Hard Digital Forensics Investigative Skills (HDFIK): require the collection of information from any public domain,
while maintaining the needed awareness level, following the chain-of-custody.

(2) Data Collection: can be done in the context of IoT, either by monitoring network communication, or intercepting network
communication, or by collecting specific data from host devices (IoT devices) such as log files, resources consumption, etc.
In this phase, all data types are collected to identify any potential evidence. The original data must first be copied, and then,
all the forensics work can be performed on the copied data once the hashes are compared and matched.

• Monitoring Communications: is usually achieved by conducting an ‘‘intrusive surveillance’’ [71,72] (i.e covert
vehicle [73], mainly a covert spying van), conducting a ‘‘directed surveillance’’ [74] (i.e relying on smart street or
security cameras), or using human agents (HUMINT) [75].
• Intercepting Communications: is usually achieved by identifying and intercepting IP/MAC addresses of cyber-
criminals and suspects alike [76,77], in addition to tracking their e-mails/web-activities, and identifying their phone
numbers and monitoring their phones messages, calls and logs (i.e land-lines and smart-phones [78]).

(3) Analysis & Evaluation: Upon completion of initial investigation phases, it is also important to analyze what happened in
order to evaluate the type of crimes committed. In the context of IoT, this phase consists of analyzing the retrieved data from
software/hardware equipment including IoT devices, IoT servers, network traffics, and network devices such as gateways.
The result of this analysis is to identify all possible evidences.
(4) Reporting: is the last phase of any forensics investigation. Thus, it is divided into two main steps:

• The first step consists of the evidences collection to follow a legal process of prosecution to prove that the suspected
criminal is guilty.
• The second step is the legal process to prove the evidence’s legality. A legal evidence is based on identifying whether
a given fact can be proven and backed or not. This is done by checking whether the evidence is supported by real facts
which are enough to prosecute a given suspect or not. In some cases, the evidence can be returned [79].

In the next section, the paper dives deeper in the digital forensics domain in general and IoT in particular in addition to reviewing
its different sub-domains.

3. IoT digital forensics sub-domains

Digital forensics are used to uncover and interpret electronic data related to a cyber-crime. The aim is to preserve the evidence to
be legally used in courts without any alteration/modification. In fact, IoT digital forensics evidences can be retrieved from various
digital forensics sources, as illustrated in Fig. 7. This means that IoT digital forensics consist of several digital forensics types such

10
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

as computer (devices and server), network (gateway, network server and traffics), and mobile (user) forensics, which they are
considered as a sub-domain of IoT forensics and will be discussed as follows:

3.1. Computer forensics

As explained previously, the link between IoT and computer forensics is that both IoT devices (a set) and servers rely on the
use of Operating Systems (OS) in addition to the user(s) that are also connected to IoT servers/devices depending on the adopted
configuration. Therefore, computer forensics can be considered as a sub-class of IoT digital forensics.
Cyber-crimes led to more than $2 trillion losses in business by 2019 [80] and these losses will increase exponentially if IoT
systems will not start taking into consideration both security and forensics issues. In fact, more than 4,762,376,960 data records
were either lost or stolen since 2013. As a result, the demands for Computer Forensics (CF) techniques and tools are on a constant
rise.
Through investigations, computer forensics collect data from computer-based devices (or IoT devices). This allows them to check
the running processes on the attacker/victim computer through system file checking and extraction, which makes it possible to track
and trace a given attack. Therefore, CFs read the hard disk information derived from digital sources within a short time span [81],
before any deletion/modification occurs.

3.1.1. Available computer forensics tools

Since computer forensics help with identifying and tracking down attackers [7], different tools started being used (see Table 1),
including FTK imager, Encase, Helix, Winhex, SMART, X-Ways and Autopsy, along with other tools listed in [2,82–84]. However,
computer forensics still present various challenges, limitations and drawbacks that need to be considered [85–87].

3.1.2. Computer forensics steps

Several computer forensics steps must be considered to ensure a successful investigation. In [88], Kumari et al. discussed some
computer forensics steps like sanitizing the storage area to protect forensics processes, and the use of Message-Digest algorithm
(MD5 hash) image’s calculated value to find out whether the image used is original or not. As a result, computer forensics can be
divided into five main steps, which are also mentioned in [89] including:

(1) Developing Policies & Procedures: digital evidences can be complex and sensitive, where data can be easily compromised
if not carefully handled and protected. Therefore, establishing standard policies and procedures with strict guidelines can
help support and enhance a computer forensics investigation.
(2) Assessing Evidences: evidence/potential evidence assessment reveals a clear understanding of the committed cyber-crime
details. Therefore, new methods need to be adopted to assess any potential information serving as an evidence, including the
digital evidence type and its format.
(3) Acquiring Evidences: requires a very detailed plan to acquire data legally. However, documenting data is recommended
before, during and after any acquisition process. This allows essential information (based on software and hardware
specifications) to be recorded and preserved by maintaining data integrity.
(4) Examining Evidences: includes examining the data that is copied, retrieved and stored in databases from a given designated
archive, by relying on specific key words or/and file types/names even if these files were recently deleted. This offers the
chance to know when the data was created or/and modified.
(5) Documenting & Reporting: An accurate record of the activities is kept by computer forensics investigators. This includes
methods of retrieving, copying and storing data Without alteration, along with acquiring, examining and assessing the
evidence. Thus, preserving the data integrity, enforcing the right policies and procedures, and authenticating any findings
(how/when/where) related to the recovered evidence.

Moreover, two additional representation types of computer activity are further presented and described in the following:

• Computer Activity Timeline Detection: Computer Activity Timeline Detection (CAT Detect) [90,91] is based on analyzing
computer activities to detect inconsistencies in a computer system timeline. However, the investigation process is prone to data,
event, or even file loss either through deletion, manipulation or overwriting. ‘‘CAT Detect’’ can remove inconsistencies in a
given timeline by parsing the window system event logs, and can access the MAC (Modified Accessed Created) file metadata,
and create a database table related to the information file that is being accessed. Thus, making it possible to build the evidence
through time-line construction.
• Computer Forensics Timeline Visualization: Computer Forensics Timeline Visualization (CFT Visual) is a timeline based tool
used in the Cyber-forensic Timelab [92]. By applying this method, the obtained evidences are based on the time variations
which would result into creating a timeline based graph of events that allows the investigators to know and identify what
happened right after and before a given event (cause/consequence).

11
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 1
Existing Computer Forensics Analysis Tools (CFAT) that can be used with IoT devices and servers in addition to user(s) devices (i.e. mobiles).
CFATs Definition Description Operating system(s) Maintained Type
Sleuth Kit N/A Performs in-depth analysis of various file systems, detects Linux/ Windows-based Yes Open source
suspicious computer behavior without network interruption
Autopsy N/A GUI-based Open source digital forensics program that Mac/Linux/ Yes Commercial
analyzes hard drives and smartphones Windows-based
Magnet EDD Magnet Encrypted Serves to check encrypted physical drives Windows-based Yes Open source
Disk Detector
Splunk N/A Combines many tools including WHOIS/GeoIP lookup Mac/Android/Linux/ Yes Commercial
along pinging and port scanning along other tools Windows-based
FAW Forensics Acquisition Captures the entire or partial page, along HTML Windows, Mac OS X Yes Commercial
of Websites source code and all image types and Linux
Orion USB Write N/A Extracts the USB drives content without Mac/Linux-based Yes Open source
Blocker leaving any fingerprint
NFI Defraser Netherlands Forensic Detects partial or/and full multimedia files Android/Linux/ Yes Commercial
Institute Defraser in data streams Windows-based
Toolsley N/A File identification and signature verification, along Linux-based Yes Open source
Data URI and password generating, and other useful
investigative tools
SIFT SANS Investigative Among the most popular incident response platforms set Linux/Windows- Yes Open source
Forensics Toolkit to conduct a details forensics examination based
Dumpzilla N/A Extracts different browser information and analyzes them Mac/Linux/Windows- Yes Open source
based
Foxton N/A Can be a browser history capturer or a browser Windows-based Yes Commercial
history viewer
ForensicUserInfo N/A Extracts NT Hash, login counts, profile paths account Windows-based Yes Open source
expiry date, password reset and other information
BackTrack N/A Used as a pen testing and a forensics tool Linux-based No Open source
Paladin N/A Has a variety of forensics tools needed to Mac/Linux/Windows- Yes Commercial
investigate any incident based
CAINE Computer Aided Analyzes, investigates and creates a forensics report Mac/Linux/Windows- Yes Open source
Investigate using a variety of tools based
Environment
EnParse N/A Simultaneously analyzes multiple evidence files, extracts Windows-based Yes Commercial
metadata in many formats and prepares Excel report
EnCase N/A Can access a large file system number of file system Linux/Windows-based Yes Commercial
whilst creating timestamps
FTK Forensics Tool Kit Analyzes different file systems on local hard drives, network Window- Yes Commercial
drives, CDs/DVDs, and reveals their different timestamps based
Zeitline N/A Used as Timeline editor, collects evidences from log Windows-based No Open source
files to solve digital crime case
CFTL Cyber Forensics Used to scan and view hard-drives whilst identifying Linux/Windows-based No Open source
TimeLab the sorted timestamp of the found file
Falcon Forensics N/A Offers comprehensive data collection, performs triage Mac/Linux/Windows- Yes Commercial
analysis during an investigation based
Registry Recon N/A Extracts registries information (previous/current) from Windows-based Yes Commercial
the evidence and rebuilds their representation
Libforensics N/A A library for digital forensics applications, developed Windows-based Yes Commercial
in Python, extracts information from different evidence types
Coroner’s Toolkit N/A Used to aid analysis of computer disasters and data recovery Linux-based Yes Open source
COFEE Computer Online Gathers evidence, can be installed on a USB pen drive Windows-based Yes Commercial
Forensics Evidence or external hard disk with 150 different tools
Extractor
Helix3 Pro N/A Focuses on incident response and computer forensics MAC/Linux/Windows- Yes Commercial
based

3.2. Network forensics

Similar to computer forensics, network forensics can also be considered as a sub-domain of IoT forensics since IoT devices, servers
and users are interconnected together via the internet. In fact, network-forensics is a branch that derives from the digital forensics

12
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 8. Network Based Evidence (NBE) that can be useful for IoT based network attacks.

tree. It is responsible of monitoring and analyzing network devices (gateway, server) and network traffic as part of legal information
gathering and legal evidence retrieval.

3.2.1. Network-based evidence

Network forensics tools are used to retrieve network-based evidences, which are categorized as follows (see Fig. 8).

• Network Devices: include wireless Access Points (W-APs), switches and routers, with their IP and MAC addresses pools. In
the context of IoT, each gateway is an essential source of key evidence as all traffic between IoT devices and servers pass
through it.
• Servers: include DHCP/DNS Servers, as well as authentication and application servers, with the usernames, passwords,
activities, and privileges.
• Security Elements: include Web proxies, network Intrusion Detection/Prevention Systems (IDS/IPS), as well as stateful and
stateless firewalls to monitor incoming and outgoing internet traffic and saved logs.
• Local Networks: include diagrams and used applications, with their logs that contain details and information about the
connected users.

3.2.2. Network forensics approaches

Due to the increase in the network misuse behavior, new approaches were needed to ensure a quick emergency response and
incident investigation, to enhance the network security and forensics aspects. As a result, an evidence graph was presented by Wei
et al. in [95]. In [88], Kumari et al. reviewed different approaches used for network forensics investigations. In [96], Alzaabin
et al. presented a forensics analysis system used for crime investigation. The authors relied on the ‘‘Crime Investigation System
Using the Relative Importance of Information Spreaders in Networks Depicting Criminals Communications’’ (CISRI) framework [96]
to determine the head of the cyber-criminal group through crime investigation and to describe the relationship between a given
criminal group through a graph that is based on phone calls, call logs and messages. In [97], Hajdarevic et al. presented a different
approach that allows the collection, the analysis and the reporting of evidences through a forensics investigation. This helps making
the digital evidence legal and acceptable by courts. In [98], new network forensics prototype tools were presented to generate
an automated evidence analysis. This helps with reducing the response time to overcome the issues of manual analysis. In fact,
these prototypes would help with identifying the attackers and determine each one’s role in a given cyber-criminal group. In [99],
Koroniotis et al. managed to provide a new network forensics taxonomy that is applicable to botnets in IoT-related and non-IoT-
related domains to assess their strengths and weaknesses. In [1], Pilli et al. developed a network forensics analysis framework
known as ‘‘Network Forensics System’’ including forensics analysis, and network security and monitoring tools [1,100], to seize
cyber-criminals in cyber-space [101].
In fact, network forensics can be categorized differently, or mainly as two categories explained in [102,103]. In the first category,
‘‘Catch It As You Can (CIAYC)’’ [104], all packets are sent through a traffic point before being stored into databases for further
analysis. In the second category, ‘‘Stop Look And Listen (SLAL)’’ [105], data is only stored in databases for future analysis.

3.2.3. NFA & NSM tools

Network Forensics Analysis Tools (NFATs) [107] and Network Security and Monitoring Tools (NSMTs) [103] are used to analyze
the collected and aggregated data. Moreover, they provide IP security, along with the detection of insider/outsider attacks, as well
as ensuring a risk analysis, and data recovery. This allow them being used for anomaly detection with the ability to detect and
predict future attacks through the reliance on IDS/IPS and Firewall logs [108]. Therefore, the main network forensics tools are
summarized in Table 2. A Further description of network security and monitoring tools is summarized in Table 3.

13
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 2
Network Forensics Tools (NFT) can be used for IoT network forensics investigations.
NFTs Definition Description Operating system(s) Maintained Type
NetIntercept Network Used to capture network traffic, stores it in a pcap format, Mac/Linux/Windows- No Commercial
Intercept detects spoofing, and generates a variety of reports based
NetWitness Network Captures network traffic and reconstructs the network Mac/Linux/Windows- Yes Commercial
Witness sessions to the application layer to ensure an automated based
analysis and zero-day detection
NetDetector Network Captures intrusions and performs multi time-scale network Mac/Linux/Windows- Yes Commercial
Detector analysis and signature-based anomaly detection based
Iris N/A Collects network traffic and reassembles it, also it has Linux/Windows-based Yes Commercial
an advanced search and filtering mechanism for a quick
data identification
Infinistream N/A Utilizes intelligent Deep Packet Capture (iDPC) technology, Linux-based Yes Commercial
whilst performing a real-time or back-in-time analysis
Solera OS 5150 N/A Provided a live network forensics analysis, used as an Linux-based No Open source
analysis, captures high-speed data, filters network traffic
and extracts metadata
DeepSee N/A Included three software which are reports, sonar and Windows-based No Open source
search, to index, search and reconstruct network traffic
Om- N/A Provides a real-time network visibility, high capture Linux/Windows-based Yes Commercial
niPeek/Etherpeek capabilities, expert analysis, and ensures a low-level
network traffic analysis
SilentRunner N/A Captures, analyzes and visualizes network activity, whilst Linux-based Yes Commercial
reconstructing security incidents in their exact sequence
NetworkMiner N/A Captures network traffic through real-time or passive Mac/Linux/Windows- Yes Open source
sniffing, and assesses how much data was leaked based
Xplico N/A Captures Internet traffic and reconstructs it to present Linux-based Yes Open source
the results in a visualized form
PyFlag Python Flag Analyzes network captured packets, supports number Linux-based Yes Open source
of network protocols and pcap files, extracts/dissects
packets at low level protocols
Ngrep Network Grep Used to debug plaintext protocol interactions to analyze Linux/Windows-based No Open source
and identify any anomalous network communication
Airxxx-ng N/A Used to ensure a low-level traffic analysis tools Linux-based No Open source
for wireless LANs
DeepNines N/A Used to provide a real-time identity-based network Linux/Windows-based No Open source
defense with basic network forensics
ARGUS Audit Record Used for non-repudiation purposes, along with the Mac/Linux/Windows- Yes Open source
Generation and detection of slow scans, whilst supporting zero-day attacks based
Utilization System
Fenris N/A Used for code/protocol analysis, debugging, vulnerability Linux-based No Open source
research, security audits, network forensics and reverse
engineering
Forensics Log N/A Ensures a log file analysis combined with network Linux/Windows-based Yes Commercial
Analysis forensics, and Python implementation
Savant N/A Used for a live forensics/network Linux/Windows-based Yes Commercial
analysis, along with critical infrastructure reporting
Dragon IDS Dragon Intrusion Offers network/host intrusion detection, and Linux-based Yes Commercial
Detection System forensics network analysis
RSA EnVision Rivest Shamir Provides a live network forensics analysis, data leakage Windows-based Yes Commercial
Adleman EnVision protection and log management

3.3. Cloud/fog forensics

IoT devices communicate data to fog and/or cloud. Therefore, security incidents that are realized at the cloud or fog level make
cloud/fog forensics as a sub-domain of IoT forensics.
The evolution of the digital world, led to the cooperation and collaboration between cloud forensics and digital forensics for IoT.
In this context, cloud forensics [109,110] play a key role in the big data especially in this IoT era. Smart-phones, computers, laptops,
tablets, and vehicles, etc, all store their data in the cloud, which presents several benefits. These benefits include the scalability, the
large capacity, and the on-demand accessibility. However, transferring the data over the network exposes it to various attacks against
cloud-related domains. As a result, cloud users would become victims of cyber-crimes. Hence, this calls for digital forensics to be

14
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 3
Description Of Network Security & Monitoring Tools (NSMT) that are useful for IoT security attacks.
NSMTs Definition Description Operating system(s) Maintained Type
Wireshark N/A Forms a basis of network forensics monitoring and Linux/Windows-based Yes Open source
forensics studies
TCPDump Transport Control Packet sniffer and analyzer that runs in a command line, Mac/Android/Linux/ Yes Open source
Protocol Dump intercepts and displays network transmitted packets Windows-based
TCPFlow N/A Tool that captures transmitted data as part of TCP Linux/Windows-based Yes Open source
connections and stores it for a protocol analysis
TCPTrace N/A Produces different output types containing information, Linux/Windows-based No Open source
such as elapsed time and throughput
TCPStat TCP Statistics Reports the network’s bandwidth, along with the Linux/Windows-based No Open source
number of packets and the average packet size
TCPDstat TCP Debian Produces a per-protocol traffic breakdown, including Debian-based (Linux) Yes Open source
Statistics network packets and traffic patterns
TCPReplay N/A Classifies previously captured traffic, rewrites the layers Linux/Windows-based Yes Open source
headers and replays the network traffic
TCPXtract TCP Extractor TCPXtract Linux/Windows-based No Open source
NfDump Network Works with NetFlow formats by capturing daemon reads, Linux-based Yes Open source
Forensics displays them and creates statistics of flows and stores
Dump the filtered data
PADS Passive Asset Lightweight and intelligent network sniffer, and a MAC-based Yes Commercial
Detection System signature-based detection engine used to passively
detect any network asset
Nessus N/A A vulnerability scanner that ensures a high-speed and Linux/Windows-based Yes Commercial
sensitive data discovery and vulnerability analysis
Sebek N/A Designed to capture all Honeypot activity Linux/Windows-based No Open source
Ntop N/A Used for network traffic measurement, monitoring, Linux-based Yes Commercial
planning, and detection of any security violations
NetFlow Network Flow Collects IP attributes of each forwarded packet, and Linux/Windows-based Yes Commercial
Analyzer Analyzer detects network anomalies and security vulnerabilities
SiLK System for Supports an efficient capture, storage and analysis Mac/Linux-based Yes Open source
Internet-Level of network data flow, along with supporting network
Knowledge forensics
P0f Passive OS Tool that captures incoming traffic from hosts to Linux/Windows-based Yes Open source
fingerprinting networks, and detects the presence of firewall
Nmap Network Map Tool that is used for OS fingerprinting and port scanning Linux/Windows-based Yes Open source
Zeek Formerly Bro A network intrusion detection system that passively Mac/Linux-based Yes Open source
monitors network traffic
Snort N/A A network intrusion detection/prevention system that Linux/Windows-based Yes Open source
performs packet logging, sniffing and real-time traffic analysis

Table 4
Cloud Forensics Analysis Tools (CFAT) that can be employed for IoT cloud forensics investigations.
CFAT Definition Description Type Initial Supported operating Interface(s)
platform system(s)
FROST Forensic Open- Acquires data from API logs, virtual disks & Commercial OpenStack Ubuntu-Linux Website and
Stack Tools [93] firewall logs to carry out digital forensics application
investigations, stores data logs in Hash trees programming
and returns it in a Cryptographic form interface
Cellebrite Universal Forensic Collects, preserves and analyzes public/private Commercial Cellebrite iOS, Android, User interface
UFED Extraction Device data from all cloud-based content including hardware Windows and macOS
[94] social media platform

applied in the cloud environments (known as cloud forensics) [111]. However, cloud forensics investigation is not a straightforward
task, due to the difficulty in locating and identifying the evidence’s source, along with the lack of accountability of cloud providers.
Despite the fact that there are few available cloud forensics tools, there is an increasing demand to develop more sophisticated
and more efficient ones [112]. In [93,113,114], different cloud forensics tools are discussed and compared. Hence, the main cloud
forensics tools are presented in Table 4.

15
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 5
Malware Forensics Analysis Tools (MFAT) suitable to investigate malware types in IoT systems and devices.
MaFTs Definition Description Operating system(s) Maintained Type
FOR610 Reverse Engineering Helps with acquiring the needed practical skills to Mac/Linux/Windows- Yes Commercial
FORENSICS 610 Malware examine malicious programs that infect Windows systems based
Cuckoo N/A Automates malicious file analysis with a detailed meaningful Mac/Linux/Android- Yes Open source
Sandbox [106] feedback, and ensures malware detection and protection based
YARA Yet Another Malware attribution tool that classifies and analyzes Mac/Windows-based Yes Open source
Recursive Acronym malware samples based on textual or binary patterns
GRR Google Rapid An interactive incident response framework between the Mac/Linux/Windows- Yes Open source
Response target system and agent that analyzes specific based
workstations for malware footprints
REMnux Reverse Engineering Uses the one-stop-shop approach to reverse engineer and Linux-based Yes Open source
Malware linux analyze malware samples, help investigating
browser-based malware, ensure memory forensics

3.4. Malware forensics

In fact, malware forensics can be considered as a sub-class of live computer forensics. It can be used to analyze live IoT devices
and servers or user’s devices. Furthermore, it is also known as malware analysis that aims to study the process of determining
the functionality of a given malware, along with its impact, origins and type (i.e virus, worm, trojan horse, rootkit, or backdoor).
Since most mobile forensics analysis focus on the process of data acquisition [115,116], it is very essential to identify suspicious
applications, especially since malware can be hidden in malicious applications that seem to be legitimate, especially on Android
platforms [117,118].

3.4.1. Malware forensics approaches

To ensure a better malware analysis, Various approaches were presented as part of solving malware forensics issues and
challenges. In [121], Li et al. identified the first steps of mobile forensics analysis, which is based on identifying malicious
applications. However, there still are many challenges related to the malware detection tools [122]. In [123], Khurana et al. divided
the malware analysis into two main areas including behavioral analysis and code analysis. More precisely, the behavioral analysis
aims to examine how a malware interacts with its environment [124], while the code analysis examines the malware malicious
code [125]. Moreover, several methods and taxonomies were presented in [126]. However, the behavioral analysis still remains
as an open issue. In [127], Cook et al. relied on six main individual metrics to measure the level of the attribution’s effectiveness
in the Industrial Control Systems (ICS) context applied to Critical Infrastructures (CI). In [128], Rathnayaka et al. presented a
malware analysis that integrates the malware static analysis with forensic analysis of memory dumps. Their approach can analyze
advanced malware types that hide their behaviors without showing any possible artifact with an accuracy result of 90%. However,
this approach is not compatible with different environments and suffers from memory dump size issues.

3.4.2. Malware forensics tools

Malware forensics tools are essential for any malware analysis and investigation. For this reason, different malware forensics
tools are summarized in the following table Table 5 and are further explained and discussed in [129–132].

3.5. Memory forensics

Memory forensics reveal most of the crime credential information. This forensics type is meant to evaluate the physical memory
including completeness, correctness, speed and amount of interference. As a result, various useful memory forensics tools and steps
were listed for an enhanced memory forensics investigation in [133,134].

3.5.1. Memory visualization

Volatile memories are characterized by their high speed of read/write operations. Thus, the visualization is crucial in the volatile
memory case, especially with large disk size and full disk encryption. In this context, MAC memory readers permit the visualization
of the physical memory mapping, similarly to the show boot memory map used in the apple kernel debug kit [133,135].
After mapping the memory, the investigation process requires a recording of the ‘‘correct and complete physical memory’’ of a
given device or Basic Input/Output System (BIOS) [136,137]. Hence, its main role is to record the image memory to avoid memory
alteration, especially in the physical RAM [138].

16
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 6
Memory Forensics Investigation Tools (MFIT) suitable to investigate memory attacks against IoT systems and devices.
MeFTs Definition Description Operating system(s) Maintained Type
PlainSight N/A Examines physical memory dumps, Internet histories, USB Windows-based Yes Open source
device usage, extracts password hashes and gathers information
Volatility N/A A memory forensics framework for incident response and Windows/Mac/Linux- Yes Open source
malware analysis, extracts digital artifacts from volatile based
memory (RAM) dumps
ExifTool N/A Helps investigators to read, write and edit meta information Linux-based Yes Commercial
for various file type, supports large range of file format
Free Hex N/A Designed to handle & load very large files, along, Windows-based Yes Open source
Editor Neo information gathering, or searching for hidden data
Bulk N/A Scans a disk image, file, or directory of files and extracts Windows-based Yes Open source
Extractor information including e-mail addresses, URLs, and ZIP files
DEFT Digital Evidence & Helps with Incident Response, Cyber Intelligence and Ubuntu/Linux-based Yes Open source
Forensic Toolkit Computer forensics scenarios
LastActivityView N/A Views actions taken by users and occurring events Windows-based Yes Open source
occurred on machines
DSi USB Write N/A Ensures a write-block to USB devices to keep data Windows-based No Open source
Blocker and metadata safe
FireEye N/A Performs host memory and file analysis, collects memory Mac/Windows/Linux- Yes Open source
RedLine information and gathers file systems to build an overall based
threat assessment profile
HxD Hex eDitor Performs a low-level editing and modification of a Mac/Windows-based Yes Open source
raw disk or main memory (RAM)
Helix3 Pro N/A Detects, identifies, isolates, analyzes, responds to Linux/Windows-based Yes Commercial
incidents and preserves and without user detection
USB Historian N/A Displays useful information including USB drives & the serial Linux/Windows-based Yes Open source
numbers, to understand if data was stolen, moved or accessed
Magnet RAM N/A Captures a computer’s physical memory and analyzes Windows-based Yes Open source
Capture memory artifacts
CrowdStrike N/A Gathers a system’s information to initiate an incident Mac/Windows-based Yes Commercial
CrowdResponse response along with security engagements [119]
Cellebrite PA Physical Analyzer Traces events, gathers and examines key pieces of digital data Linux/Windows-based Yes Commercial
Cellebrite UFED Universal Forensics A unified workflow, allows investigators to collect, protect Linux/Windows-based Yes Commercial
[120] Extraction Device and act on mobile data in a fast yet accurate
way without compromising

3.5.2. Memory forensics approaches

As for memory forensics, various approaches were presented in [139] to mitigate volatile memory issues (i.e Random Access
Memory (RAM) [140]) to allow law enforcement agencies to take legal actions against cyber-criminals. In [141], Shosha et al.
developed a prototype to detect programs being maliciously used by criminals. This prototype is based on evidence deduction,
which in turn, is based on traces of the program’s suspect. In [139], Olajide et al. used RAM dumps to extract information about
the user input from Windows applications. In [142], Ellick et al. introduced a RAM forensics tool known as ForenScope [143].
This tool ensures the investigation of a given machine by using regular bash-shell, which permits to disable the anti-forensics tools
whilst searching for any potential evidence. In [144], Johannes et al. presented a different approach. This approach investigates
the firmware along with its components, and improves the forensics imaging based on page/table mapping and PCI introspection.
In [145], Shashidhar et al. presented an approach that was aimed to target the potential value of a prefetch folder, along with the
prefetch folder itself. This is used to start-up and speed-up a window machine program. In [146], Latzo et al. surveyed the memory
forensics domain and presented a forensics memory acquisition taxonomy that is independent of the Operating System (OS) and the
Hardware Architecture (HA), and can also be deployed pre/post-incident.

3.5.3. Memory forensics tools

This paper summarizes the main different memory forensics tools that are presented and explained in [84,147]. For example,
PTFinder [148], which is a forensics toolkit, was used to allow the investigation of the main memory content. For further
clarification, these tools are summarized In the following Table 6.

3.6. Mobile forensics

IoT users can use mobile devices to connect to IoT application servers or even cloud. Therefore, as a result of ongoing
security incidents (i.e breaches, attacks, gaps) at the mobile device level, the mobile forensics was introduced as another key sub-
domain and part of IoT forensics. Furthermore, mobile forensics are classified as a new branch of digital forensics, which is about

17
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 9. Mobile Forensics Digital Artifacts (MFDA) suitable to investigate attacks on mobile devices.

Table 7
Description of a set of mobile forensics tools that can be useful for IoT-mobile investigations.
MFITs Definition Description Operating system(s) Maintained Type
OXYGEN N/A Extracts data from mobile devices and analyzes it, Blackberry/Symbian/ Yes Commercial
forensics KIT and ensures an efficient use and acquire of Android/iOS/
information Windows-based
Pilot-Link N/A Provides the means to find the logical device’s contents Palm/Linux-based No Open source
which can be examined manually by palm OS emulators [149]
OpenText N/A Stores the physical bit stream image of file for future use, Solaris/Mac/Linux/ Yes Commercial
EnCase can be viewed at anytime, and snaps physical/logical Windows-based
Forensic snapshots of the device’s current state
PDA Seizure Personal Digital Ensures a logical access to information through the BlackBerry/Palm/ No Commercial
Assistants use of API protocol to allow desktop applications to Poket PC/Linux-based
communicate with mobile devices
Paraben DS Paraben Device Acquires devices logically/physically, bypasses passwords, Android/iOS/Linux/ Yes Commercial
Seizure extracts file systems and automatically loads all drivers Windows-based
XRY N/A Used to analyze and recover crucial information from mobile Blackberry/Android/ Yes Commercial
devices, is made up of hardware device and software, iOS/Windows-based
and designed to recover data for analysis

analyzing mobile devices to retrieve and recover digital data serving as evidences. This is done by preserving the integrity of the
evidence in a un-contaminated and un-altered state [150,151]. Mobile forensics tools and techniques rely on quantitative analysis
approaches [152]. More precisely, this is due to the fact that mobile devices contain large amount of digital data and information
(i.e contacts, call logs, SMSs, Wi-Fi information, IP/MAC address, Global Positioning Systems (GPS) signals, Bluetooth, etc...) that
can serve as evidence.

• Locating Evidences: Locating evidences in mobile forensics is not an easy task, but it can be achieved. In [153], Chernyshev
et al. described the mobile phone evidences sources specifications. This includes the uniqueness and persistence of the devices
identifiers, as well as the network information, and personal local settings (i.e saved passwords, cookies, electronic documents,
web-browsing activities, etc...).
• Digital Artifacts: Before describing and classifying the mobile forensics tools, it is important to know what digital artifacts
can be retrieved first, including their types. For this reason, Fig. 9 was presented.

– Internal Memory: includes the NAND flash memory [154]. In such a memory type, many evidences can be found, such
as digital data, SMS, call logs and browser history.
– External Memory: includes the SIM card, where several evidences can also be found and retrieved, such as the
subscriber’s data, real-time location, and additional internal memory storage.
– Service Provider Logs: includes call logs, duration and usage that can be identified and retrieved even after deletion.

• Mobile Forensics Tools In recent years, mobile devices were involved in both crimes and cyber-crimes scenes alike as vital key
digital witnesses to investigate (digital) crimes involving mobile devices. For further technical explanation, Table 7 summarizes
the main mobile forensics tools.

As a result, these forensics tools are summarized in Fig. 10.

18
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 10. Example of possible forensics tools for IoT systems.

3.7. IoT forensics vs traditional forensics

In fact, Table 8 contains a comparison between traditional forensics and IoT forensics. Therefore, it is important to indicate that
an IoT forensics investigator should have skills and knowledge about all other types of digital forensics especially computer, network
and mobile forensics.
In the following, the IoT characteristics are detailed based on the comparison elements included in Table 8.

• Evidence Source: Identifying the source of evidence requires having the knowledge of the type of devices being in use (i.e
Software, Hardware and OS). Moreover, it also requires collecting the necessary forensics evidences from IoT-based and digital
cyber-crime scenes.
• Crucial Information: due to the increasing growth of the devices numbers, with more than trillions of interconnected devices
being operational on IoT networks [155], the aim is to locate and identify any available information that proves to be crucial

19
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Table 8
Traditional forensics Vs. IoT forensics.
Comparison Traditional forensics IoT Forensics
Ownership Individuals, companies, governments Individuals, companies, governments
Protocols Wire, Wireless Wireless (between IoT devices and gateways), wire(rare case)
Data size Terabytes Exabytes
Number of devices Billions 40+ Billions
Evidence source User/organization devices( Computer and servers), networks Devices (IoT end-devices, servers, gateway, user devices, networks
traffics
Evidence type Electronic documents, standard file formats Any available format

Fig. 11. IoT/digital forensics challenges.

for a given forensics investigation, despite the digital explosions in terms of data size on IoT platforms [156] which have
exceeded 40,000 Exabytes in 2020 [157].
• IoT Persistent Issues One of the main IoT forensics issues is the lack of a reliable IoT forensics application [158]. Moreover,
there is no existing digital forensics guidance that allows retrieving data from an IoT device, in case of an active forensics
investigation, or an occurring cyber-event. More precisely, the embedded technologies are challenging due to their reliance on
traditional computer OS or even magnetic data. Therefore in [158], Watson et al. introduced the need for an advanced data
recovery technique whenever a data acquisition from an embedded remote IoT device is required. In fact, it seems like the
digital forensics complexity is due to three main issues:

– Inaccessible Data Storage: On-board data storage cannot be accessible through the use of traditional digital forensics
methods.
– Dispersed Cumulative Data-sets: might exist in various yet different geographical locations.
– Unreadable Data: in case the data was acquired, the issue is that it cannot be readable or accessed with the available
tools.

4. IoT digital forensics challenges

So far, there are plenty of challenges and issues that surround the Forensics domain as whole [85,159]. As a result, digital
forensics challenges especially those surrounding the IoT forensics in particular can be divided into technical, operational, legal and
investigative challenges (see Fig. 11). This taxonomy is slightly similar to the one presented by Karie et al. in [160].

20
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

4.1. Technical challenges

During a forensics investigation, different types of technical challenges that require dealing with cryptographic and non-
cryptographic data are encountered. This includes data size, data location, data hiding, data deletion, anti-forensics tools, and
incompatibility, which may result into hindering an investigation, or extreme consumption of resources and time.

• Cryptographic Challenges: The level of encryption plays a key role in a forensics investigation, since it can vary between
symmetric and asymmetric encryption techniques. In fact, hackers and cyber-criminals use it to preserve the privacy of their
data to avoid its capture. Hence, this explains their reliance on anonymity, homomorphic encryption [161–163], secret sharing
and differential privacy, along other encryption mechanisms to make it almost impossible for digital forensics investigators to
decrypt them.
• Data Size: Another technical challenge is related to the size of data (small data, medium data, big data [164,165]) that requires
to be retrieved, in addition to its volume, nature and type. This also includes seeking which data can be used as evidence, by
identifying what data is relevant and what data serves no purposes. Hence, cyber-criminals rely on covering their tracks and
leaving data that serves no purpose to waste the investigators time.
• Data Location: Locating where the data is stored is yet another challenge, since, it is not easy to know where the data is stored
and located. It is due to the fact that hackers use VPNs, proxies and TOR to perform their attacks anonymously without leaving
any trail or trace back, which limits the amount of data being recovered and analyzed for any possible trace or evidence.
• Data Wiping: Wiping or deleting data also became a serious challenge for forensics investigators, since hackers and cyber-
criminals kept on deleting their data beyond recovery. Thus, leaving forensics investigators with little or no evidences at all
to carry out with their digital investigation.
• Data Hiding: Hiding data is a popular technique used by both cyber-criminals and hackers alike. Such a technique relies on
steganography to hide data. In some cases, hackers also rely on hiding their data in volatile RAMs (Random Access Memory).
Therefore, once the power is off, the data is completely erased, and there is nothing that digital investigators can do to retrieve
it.
• Anti-Forensics Tools: Anti-forensics tools are in use due to their popularity and effectiveness to counter forensics investiga-
tions and eliminate any source of evidence that can be retrieved or/and traced back. In fact, these tools impose a serious risk
and threat to any digital investigation, since it is very easy to use them to erase data beyond recovery.
• Incompatibility: Due to the various techniques and technologies used by IoT devices, forensics tools are almost unreliable
when it comes to dealing with the different types of devices, especially counterfeit devices. This makes any data retrieval
process very difficult and almost impossible.
• RAID: The use of Redundant Array of Independent Disks (RAID) as a technology that combines different physical drives into a
single logical unit resulting into a data storage virtualization [11] is increasing. This technique mainly relies on arbitrary disk
order, stripe order, stripe size and block size, along with the use of uncommon RAID controllers to eliminate any evidence,
which is proving to be very difficult to recover them.
• Cloud Computing Storage: Due to the emergence of cloud computing [166], data is moved and outsourced to third parties.
Hence, a new challenge will be thrown against a forensics investigation process especially with untrusted and semi-trusted
third parties. Once the data is stored or transferred through cloud services, it can be transferred across different countries that
impose different regulations. This would seriously complicate and affect a given investigation.

4.2. Operational challenges

Aside technical challenges, operational challenges also present a serious threat to the forensics investigation process. This is due
to the lack of incident management, lack of standardized procedures, and lack of forensics readiness.

• Lack of Incident Management: Lack of incident management, is also known as lack of incident detection, response and
prevention. In other terms, digital forensics investigators are still incapable of detecting any incident. In fact, even if they
managed to detect an incident, they are either unable to respond to it in time, or they lack the ability to respond at all.
Furthermore, there is also the lack of tools to prevent an incident from occurring, even with the reliance on IDS/IPS hybrid
responses [167–169].
• Lack Of Standardized Procedures: Due to the lack of standardization of both procedures and policies, digital forensics
investigators are facing real challenges in acting and reacting in the right way when an incident occurs.
• Lack of Forensics Readiness: Due to the lack of incident management and standardized procedures, forensics investigators
severely lack of any sort of readiness to deal with a cyber-crime scene and retrieve forensics evidences. This makes it more
difficult to detect and trace back any digital evidence(s).

4.3. Legal challenges

After encountering technical and operational challenges, another type of challenges requires further attention to deal with and
overcome. This issue is based on legal challenges which includes lack of jurisdiction, lack of legal process, security issues, lack or
insufficient evidence, or/and insufficient support and privacy concerns [170].

21
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

• Lack Of Jurisdiction: Lack of jurisdiction is due to the lack of the official power to make legal decisions and judgments. This
is caused by the tight human right constraints, which presents a serious challenge against forensics investigators to track down
and arrest hackers depending on the type of their committed crimes.
• Lack of Legal Process: Lack of legal process includes the lack of any criminal prosecution by the court to take the necessary
legal decision and judgment over a suspect that was proven to be guilty. Thus, lacking the knowledge of digital matters, with
no firm laws being applied by courts to prosecute cyber-criminals.
• Security Issues: Security issues are part of the legal challenges, especially with the victims’ concerns towards trust issues.
This also includes the accuracy and timeliness of the forensics investigation. More precisely, it is based on the level of trust
that victims have in the federal services, as well as the Degree of Freedom (DoF) to use their personal information, whilst also
providing them with details to track down and arrest cyber-criminals.
• Insufficient Support: Insufficient support is another challenge, consisting of the lack of funds, and the lack of public support.
In fact, the lack of trust and support from the public can result into the lack of confidence in the job performed by the forensics
investigators, making limited improvements and hindering further efforts.
• Preserving Users & Victims’ Privacy: the sharp rise of social engineering social-media based attacks is due to users’ excessive
online life sharing aspects on social media. However, due to users’ privacy fears and concerns from forensics investigators
breaching their privacy imposes a challenge, since an event and attack cannot be easily reconstructed without violating users’
privacy [171].
• Legitimation: still remains a challenge due to the shifting from modern infrastructure to fog computing and third parties such
as platform-as-a-service (PaaS) frameworks. Therefore, this offers a new complex and virtual issues. As a result, modern digital
forensics investigations must be executed legally and without violating laws in the borderless virtual cyber-world [171].
• Responsibility: due to the high rise and reliance on social media platforms (LinkedIn, Telegram, Twitter, Facebook, etc.)
and instant messaging applications (i.e Zello, WhatsApp, Tango, Instagram, TikTok, Messenger, Snapchat etc.), this move
granted access to both criminals and terrorists alike, to exploit these platforms differently. This was mainly achieved via
their continuous broadcast of propaganda spread. Thus, causing various negative effects aside fear including violence, hatred,
racism, online threats, recruitment and terrorism, as well as phishing and privacy attacks by stealing users’ credentials for the
purpose of blackmailing, forgery, fake identity or privacy breaches. Therefore, social media companies must allow and help
forensics investigators to take legal action and track down (i.e geo-locate) the source of any criminal or/and terrorist activity,
and prevent its spread by trying to halt it or contain the event to prevent it from further spreading [171].

4.4. Investigative challenges

Investigative challenges are usually caused by the lack of qualified forensics personnel, and the lack of forensics knowledge when
it comes to use forensics tools.

• Interoperability of Forensics Tools: since forensics tools store data in various different format types which vary between
different databases, datasets and data structures types, this still remains a real challenge and issue [172]. The lack of
standardization and uniformity, makes these digital forensics heterogeneous by nature. Therefore, there is urgent and persistent
need for a unified data format for the acquired forensics digital data.
• Lack of Qualified Forensics Personnel: Lack of qualified digital forensics personnel is a challenge in itself, especially with
the lack of training and experience in the forensics field. In fact, this is due to the lack of education, where many digital
forensics investigators operate without obtaining any official forensics certificate.
• Lack of Standardized Threshold: The lack of standardized threshold is due to the lack of issued certificates for forensics
investigators that allows them to be classified as authorized. Many investigators claim to be forensics investigators due to the
fact that they literally know/have details, or have an experience in the forensics domain. Therefore, the lack of a standardized
threshold to classify forensics investigators remains a consistent challenge.
• Lack of Forensics Knowledge: Despite the lack of experience, knowledge and skills, another challenge includes the lack of
proper/specialized forensics tools and kits. Moreover, in most cases, forensics investigators are incapable of using these tools
or these forensics kits due to the lack of expertise and skills. This might result into the loss, or damage of original data beyond
recovery.
• Lack of Forensics Investigative Skills: Another challenge is the lack of investigative skills. In fact, these skills can be classified
into soft investigative and hard investigative skills.

4.5. Mobile & device challenges

Smart and mobile devices along with computers, laptops, and tablets are part of the IoT world. As a result, forensics investigators
encounter many challenges when extracting data from these devices [173,174]. These challenges are listed in the following:

• Heterogeneous Nature: The heterogeneous nature of mobile, digital and IoT devices, especially with different hardware
and software configurations and components [175], is challenging for any digital forensics investigation. Therefore, different
forensics techniques and tools are needed to investigate and disassemble a given device to prevent the risk of destroying data.

22
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

• Built-in Security Features: Built-in security features are capable of limiting the access to any device. These features are related
to authentication, identification and verification. Moreover, the use of biometrics imposes a serious challenge to the forensics
investigation process.
• Lack of Forensics Tools: In fact, there is a lack of forensics tools, kits and equipment that can be used for IoT devices forensics
investigation. Therefore, there is a limited chance of ensuring that data can be retrieved safely and carefully without risking
damage or destruction. In fact, the existing forensics tools are incompatible with the emerging IoT devices.
• Malicious Applications: Malicious applications are used by cyber-criminals to perform surveillance attacks. Once these
applications are installed, a Trojan or worm will be activated on a given device, capable of ensuring spyware, ransomware,
botnet or even DoS attack. This offers the ability to delete, alter, modify and even manipulate the device’s data, whilst gaining
an unauthorized privileged access.
• CTI Challenges: Due to the existing exploitable vulnerabilities and security gaps in any given system, cyber-criminals may
carry out their cyber-attack through infection and exploitation. In fact, attackers start using innovative methods to attack and
target their victims, by relying on spear-phishing and social/reverse engineering techniques [176]. Moreover, such attacks
can masquerade a given malware into any file type/format including a PDF file, image or even a video, that would run on
the victim’s machine [177] without his knowledge. Therefore, this would lead to another form of backdoor [10,178] to the
victim’s system.
• Legal Limitations: Since mobile devices are part of the IoT world, in case of an international crime, different laws and different
security measures can cause conflicts among different countries. In fact, it is due to the absence of a uniform jurisdiction and
legal processing systems that can be applied to ensure a better cooperation and collaboration between different peers.
• Devices Components: Device components can be divided into:

– Software components: are related to the use of different OSs and software (e.g. Apple, Android [179], etc. on
smartphones, Windows, Linux etc. on computers). Each OS operates differently, which presents a challenge for forensics
investigators, since this requires different investigation approaches.
– Hardware components: including the storage of data on volatile memories including RAMs, or on magnetic storage.
Thus, the smaller the physical size of a given storage area, the harder for forensics investigators to investigate it without
risking damaging it.

• Wireless Communications: It is also important to note that wireless communications impose a serious challenge to the
forensics investigators, especially when dealing with well-trained and well-experienced hackers (cyber-(industrial)-espionage,
advanced persistent threats) that cover their tracks aside the use proxies, VPNs and TOR [180–182] to hide their committed
moves. This eliminates and reduces possible evidences to avoid being detected and tracked down by forensics investigators.
• Devices Types: Another challenge arose, especially with the huge number of counterfeit devices including laptops, PCs,
smartphones and tablets being spread across the market. This is due to their cheap prices and their lack of security measures.
This made it extremely easier for an attacker to use them to bait his victims to install fake applications, or use them to hide
data and information. In many cases, these fake devices can serve as bots (zombies) and lead an anonymous attack on the
attacker’s behalf. This also includes their usage to easily logically destroy the data through the use of anti-forensics tools, or
through physical destruction. Unlike original devices, it is harder for forensics investigators to track a genuine device compared
to a counterfeit device.

4.6. Big data challenges

Although the big data challenge was briefly mentioned before, it is important to explain it in more details to highlight its
importance. Dealing with big data issues and challenges [13,183,184], requires extra efforts to achieve the intended results and
hunt down cyber-criminals. In [185], Adebayo classified these challenges depending on the data’s variability, velocity and volume.
In fact, other challenges related to the accuracy and heterogeneity, validity, and trustworthiness are discussed in the following:

• Lack Of Accuracy: due to the big data size, an accuracy issue related to the nature, source and value of the retrieved
evidence(s) arose. In most cases, big data offers zero or poor evidence. This is the reason why it presents a real problem
for forensics investigators by wasting their time searching for any useful information.
• Heterogeneous Data: data collected from different sources can either be structured, semi-structured, or non-structured. This
presents a serious problem that can tackle down the forensics investigation. In case the data was non-structured, there is no
format to support it properly, resulting into a waste of time and resources.
• Data Inconsistency: is related to the volume, velocity and variety of big data [185]. This presents an extra burden since
cyber-criminals rely on a high volume of big data which is in most case irrelevant and inconsistent. Moreover, the nature of
the retrieved data depends on whether it is structured or not-structured. This requires an additional time and resources to
reconstruct the data and analyze it.
• Data Validation: another challenge is related to the data validity, especially if dealing with metadata that serves for a short
amount of time. In this case, the challenge is to see how long the data can survive, especially on volatile memories such as
RAM.

23
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

• Data Trust: data hiding, manipulation, and alteration, make it difficult for forensics investigators to prove that the retrieved
evidence is legitimate. This is due to the possibility that the collected data is modified or even altered. Therefore, it is
challenging to prove the legitimacy of the retrieved evidence to be justifiable, legal and usable in courts.
• Data Speed: data velocity or data speed is related to the speed of which the data is processed at [185]. In other terms, it is
the speed of generating or moving data around. In fact, big data velocity requires the need for data acquisition and analysis
at a higher scale to maximize the data value.
• Data Volume: can be defined as the amount of data generated, especially when dealing with big data, where a huge amount
of data is generated. Consequently, this requires ensuring the scalability of data storage, along with the need for a distributed
data processing approach. This presents a serious challenge for digital forensics investigators, especially if the data was hidden
in networks, clouds and memories, or even encrypted.

4.7. Educational challenges

Education also plays a key-role as the initial source of most of the occurring challenge, due to lack of training, experience, funding
and available personnel. Potential forensics investigators must undergo excessive forensics studies, courses and training, while also
being familiar with various forensics tools and aware of the most frequent anti-forensics activities. As a result, educational challenges
are presented as follows:

• Funding: the lack of or little funding by government such as rootme [186] in France or ENISA [187] in Europe, organizations
and enterprises render the forensics domain very limited in terms of capability-wise and performance-wise. Hence, it still
remains as a challenge [188]. Therefore, more funding is needed towards researching and developing digital forensics fields
to improve the collaboration among various forensics investigators and colleagues.
• Mindsets: the mindsets of many individuals including numerous universities, organizations and governments still believe that
the digital forensics domain is still not effective. It is clear that there is a huge funding, knowledge, and experience gaps
in this field, with many attacks remaining untraceable and anonymous. Therefore, most military, law enforcement, police
and governments mindsets are now shifting towards enhancing their forensics skills especially in the rise of cyber-terrorism
(i.e web defacement, leaking information, propaganda/fear spread, online recruit, and bitcoin money laundering) [189–192],
cyber-warfare [193,194], cyber-espionage [195] and cyber-politics [196] era.
• Liaison & Communication Support: the lack of support among communities is caused (aside funding) by the lack of proper
discussion, communication and liaison. This results into conflicts caused by a total lack of information or misinformation
being shared. As a result, more collaboration and encouragement between communities (mainly universities and institutions)
is required to share and enhance their forensics data sets for a better investigative outcome.
• Institutions Support: the lack of institutions’ support including universities is primary related to the high cost of available
education, tools, license and lack of skills to use them. Therefore, more fund, focus and education must be invested in
this forensics field which may include national/international competitions, collaborations, opportunities and exchange of
students [188], such as the ‘‘GenCyber’’ program [197].
• Standards Development: the lack of communication and collaboration between different national and international forensics
universities, facilities and organizations led to the creation of various software and hardware forensics tools that perform
the same task of artifacts collection, categorization and analysis. Therefore, proving to be a loss of time and resources alike.
Hence, research communities need to work and agree on a unified set of standards and formats and abstractions [171] to avoid
redundancy and collusion issues, with a focus on the timeliness of these standards, along their accuracy and effectiveness.

5. Anti-forensics sciences

Cyber-criminals are now excessively using new sophisticated methods to perform their attacks. These methods are based on
covering their tracks to avoid detection. This is achieved by using anti-forensics techniques and tools to alter and delete log and
audit files [176] to permanently delete or damage beyond recovery any possible evidence. As a result, Common Vulnerability Scoring
System (CVSS) [198], along with Static Malware Traffic Analysis (SMTA) [199] are not enough to mitigate this issue. Thus, anti-
forensics presents a seriously threatening challenge for the IoT domain that heavily relies on cloud computing services to store
and process big-data. Additionally, their use would drastically hinder the progress of forensics investigators by preventing them
from carrying out their investigations. Hence, it is essential to overcome the existing challenges and limitations that Cyber Threat
Intelligence (CTI) domains suffer from [200]. Anti forensics are also known as counter-forensics [201]. Their task is to disrupt a
given forensics investigation. Hence, different anti-forensics techniques, tools and approaches are being employed to evade detection
and avoid being caught. This section presents and discusses them in details to help identify them and protect digital evidence(s)
through mitigation and implementation of the right security measures.

5.1. Anti-forensics aspects

Anti-forensics are used to remove, alter, disrupt or illegally interfere with the evidences found on digital devices in a
digital/physical crime scene. Different anti-forensics aspects were discussed in [202]. This included the reliance on the Metasploit
anti-forensics project [203], which is an open source project used to provide pen testing, Intrusion Detection Systems (IDS),
information system exploit, and other services. Moreover, the Metasploit Anti-forensics Investigation Arsenal (MAFIA) has been
used to improve the digital forensics processes, while also validating the forensics tools. MAFIA included the following components:

24
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

Fig. 12. Anti-Forensics techniques that can be employed against IoT systems: devices, servers, gateway and users devices.

• Transmogrify: aims to overcome the EnCase’s file signature detection. It is done by masquerading a file into another file type.
• Timestamp: as a program, it is capable of altering New Technology File System (NTFS) timestamp values. This is done through
the MAC file entry modification, and entry update. These tools help confuse forensics investigators and further complicate their
forensics investigation [204].
• Sam Juicer: is a program that compromises the hashes of a given security access manager file. In fact, Sam Juicer runs over a
memory/Image Local Security Authority Subsystem Service (LSASS) channel to store password hashes on a Windows system
without leaving any trace or signature on the disk. Thus, avoiding the risk of being detected.
• Slacker: is a program that allows cyber-criminals to hide their data within a slack space found in the memory. This slack space
is created when the file system (e.g. NTFS) allocates more space for a file, where the unused space is called a slack space.
Therefore, this space forms a perfect place for data hiding [204].

5.2. Anti-forensics techniques

As a result of the constantly increasing use of anti-forensics techniques, different anti-forensics approaches were presented to
show how easy it is to target and tackle down a given investigation. In [205], Peron et al. discussed the attacker’s aim when they
are using anti-forensics techniques and focused on how the attacker is capable of hiding, destroying, manipulating and/or even
preventing the creation of any given evidence. In [202,206], Kessler et al. and Wundram et al. presented four main categories of
anti-forensics approaches to provide artifact wiping, data hiding, trail obfuscation and other attacks against the computer forensics
tools and the forensics investigation process. In [207], Harris et al. presented a new method of data transformation which either
hides, destroys, eliminates or counterfeits the evidence and its source. In [208], Garfinkel combines the attack targets and goals to
present the already existing tools. In [206], Wundram et al. presented the integration and harmonization of existing classification
schemes into a single taxonomy with two dimensions respectively. The first dimension refers to the goal of the attacker who aims
to avoid or delay the investigation. The second dimension refers to the target of the attacker which can be one of the following:
the evidence, the forensics tool, or the investigator. In [209], Stamm et al. presented a temporal forensics approach for a motion
compensated video known as the ‘‘Game Theoretic Framework’’. The purpose was to identify the optimal set of actions for forensics
investigators and forgers alike. Their simulation results revealed that any false-alarm constraint is less or equal to 10%. Moreover,
forensics investigators have a 50% chance of detecting a video forgery, and in case the false alarm constraint was higher than
15%, the detection rate of video forgeries was equal to or higher than 85%. In [210], Baier et al. presented an approach called
Anti-Forensics of storage devices by alternative Use of Communication channels (AFAUC), which relies on reverse engineering of
the firmware commands to access a storage medium through the communication channel. In fact, the approach can be achieved
without expensive toolkits, with a lower risk of detection. In [209], Stamm et al. presented an approach based on the use of a game
theoretic framework to identify the optimal set of actions for both the forensics investigator and the forger model. This helped them

25
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

design an anti-forensics technique with the ability to remove any frame fingerprint by deletion or addition. Moreover, the authors
showed that their presented anti-forensics technique can fool forensics techniques if applied at full strength.
In [211], Shirani et al. aim to hide the intrusion attempt. In [205], Peron et al. aimed to limit the collection, identification,
and validation of electronic data. Garfinkel [208] and Rogers [212] aimed to defeat any forensics analysis by limiting the quantity
and quality of forensics evidence. In [213], Foster and Liu managed to evade and avoid detection by leading anti-forensics attacks.
In [214], Dahbur et al. presented the use of scientific methods to confuse the forensics investigation in all its stages. In [215], Albano
et al. presented different methods to thwart a given digital investigation process. Another taxonomy to thwart forensics investigation
was also presented by Sremack and Antonov in [216]. In [217], Stamm et al. managed to disguise and manipulate, and falsify the
devices specific fingerprints once a digital file is formed.
Anti-Digital Forensics (ADF) consists of identifying any activity aiming to hide an attack’s trace(s) [218]. ADF is used by forensics
investigators, forensics researchers, and first (incident) responders. Their main anti-forensics techniques [202] are summarized in
Fig. 12, and are classified as follows:

• Hiding Data: encryption and steganography [219–221] are mainly used to hide any evidence and cover criminals tracks
to extremely complicate a forensics investigation. This includes encrypting data [222], encrypting disks, hiding data in the
network traffic or even in the memory, etc.
• Encrypting Data: encrypting data is the straightforward way to hide data from being easily disclosed. Encryption also prevents
any unauthorized access to the stored data. Cyber-criminals use the encryption to make it harder to investigate and extract
data. Therefore, leading to a total waste of time and resources to decrypt long keys that encrypt false data.
• Secure-Deletion: consists of removing the targeted data completely and permanently from the source system by overwriting
it with random data. This ensures that the data will not be recoverable anymore. However, most commercial secure-deletion
tools do not ensure a full deletion of data, as some parts of it might still be recovered [223].
• Hashing: is used by criminals to evade detection by preventing the validation of data integrity. In this regard, various
techniques were used including, fuzzy hashing [224], hash collision, MD5 [225] and SHA-1 [226]. The hash’s generated output
is unique and can be used as a biometric print for a given input file. Therefore, in case of a minor change in the original file,
the hash value is completely different. Resulting into the recovery of the original input file to become almost impossible.
• Encrypting Disks: different tools were developed to encrypt the full hard-drive’s volume. Thus, cyber-criminals employ disk
encryption to protect any data that may serve as evidence against them. This can be done by converting it into an unreadable
non-comprehensive form, or unsupported format. Making it difficult for digital forensics investigators to decipher it. Moreover,
disk encryption relies on encrypting software or/and hardware to encrypt every bit of data that exists on the hard disk [227].
• Encrypting Databases: due to the constant increase use of databases [228], database encryption became another popular
form of data hiding. This encryption also targets single users and multi-users’ files/folders. Database encryption [229] is based
on the process of converting data into a meaningless cipher text, including applications, emails, mobile devices, and cloud
services.
• Hardware Memory Encryption: the development towards this type of memory encryption helps criminals avoid access
hierarchies of a traditional memory. This will render any known memory acquisition form as infeasible [146].
• Steganography: cyber-criminals use steganography to hide data into digital multimedia elements. These elements include
image, video, audio, and text files, etc [230,231]. This also includes system files, as presented by Peron et al. in [205].
Steganography can be mitigated by relying on steganalysis methods and attacks [232–234].
• Data Contraception: This method was introduced by Conlan et al. [235], as a new way to hide data. In fact, it is classified
as an anti-forensics activity that leaves either little or no traceable digital evidence(s) to prevent its retrieval. In fact, data
contraception can deliberate file-systems and manipulate ‘‘in-use’’ hard-disks, by hiding any item on a given system or network.
• Zero-Footprinting: or disk cleaner is a new emerging anti-forensics tool [236] which is used to clean disk areas or completely
destroy the disk’s original content(s). Thus, making the attack completely undetectable. Zero-footprinting shows its usefulness
for legitimate or/and illegitimate purposes, due to its ability to un-link files and overwrite them with gibberish data.
• Timestamp Modification: or timestamp extraction is a critical task that requires an establishment of a forensics chain-
of-events investigation. However, hackers and cyber-criminals managed to modify timestamps of files and logs to mislead
investigators. For additional details, different timestamp modification tools are already mentioned in [237].
• File Signature Manipulation: A file signature exists at the beginning of each file to identify a given file type. Hackers usually
use anti-forensics tools to purposely change and manipulate a file signature to mislead forensics investigators [166].
• Hiding Network: networks were also used by the attackers to hide data. The aim of hiding data into networks is to ensure
that no traces are left behind the attackers. Thus, resulting into crippling the forensics investigation, especially due to the use
of VPNs, proxies or TOR.
• Artifact Wiping: Artifact Wiping [238] consists of the destruction of useful data that serves as a possible evidence [207].
Through the analysis of artifact wiping, many software tools exist and can be used to wipe different forms of data and metadata.
This includes files, disks, logs, audits and registers. In fact, various types of tools were built by combining different data wiping
forms.
• Trail obfuscation: is a deliberate activity to purposely disorient and divert a forensics investigation. It is based on the same
principles of steganography, or false data injection [239]. Trail obfuscation employs the Peer-to-Peer (P2P) protocols to perform
cyber-criminal activities. This helps cyber-criminals with mitigating their cyber biometric ‘‘fingerprints’’ to hide the evidences
and cover up their tracks.

26
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

• Virtual System Execution: The execution of a malicious code or script can be either led from external or even remote
disk storage without leaving any trace(s) on the device. Moreover, in [239], Botas et al. presented different virtualization
mechanisms including USB boot devices and network boot devices.
• Content Compression: Saturation or content compression is aimed at infecting systems with unstable contents. This leads to
added latency and delays, which have a high negative impact on the forensics investigation process. Content compression can
be divided into two types: Compression Bombs or zip bombs [239], are designed to largely expand once decompressed, and
Regular Compression used to exploit regular compression implementations [240].
• Data Pooling: By using data pooling, attackers intend to keep their digital media including USB keys, CDs/DVDs, smartphones,
laptops, PCs and hard drives active. By doing so, investigators are lured to search all the collected data. As a result, such a search
can take from months to years, and may violate the suspect’s or victim’s privacy, which would result into legal conflicts [241].
Therefore, leading to a higher investigative cost, and longer investigation time.
• Loop References: are identified as default file paths lengths, which are restricted to 260 characters due to the Windows
Application Programming Interface (API) on New Technology File System (NTFS). However, various ways to initiate longer
paths exist. The most popular way is based on the use of Long Path Tool (LPT) [11]. Other ways also exist, including the use
of loop references where symbolic links can point to a parent folder. Thus, creating a recursive path, where malicious users
can safely store their data in these recursive nested files.
• Dummy Hard Disk: hackers and cyber-criminals use this method by keeping an unusable PC with a hard disk. This allows
the PC to be booted from a USB where the OS is stored, without using the hard disk itself. Therefore, data will be stored on
cloud services. Hackers might also try and simulate random writes on hard disks, to trick investigators into thinking that a
given hard disk has been recently used [16]. Therefore, this would result into a waste of time and resources.
• Anti-Forensics Malware: which were also used to perform an anti-forensics activity by wiping out all relevant data that serve
as a vital evidence to track down its source, structure and characteristics. Among these malware types we name Stuxnet 1–2,
Duqu, Duqu 2.0, Flame, Red October, Shamoon, Gauss, and Mahdi malware types [242–247], used for cyber-warfare [248],
cyber-terrorism [249,250], cyber-politics (hacktivism) [251,252] and cyber-(industrial)-espionage [253] purposes.

These anti-forensics techniques (implemented by tools) can be applied by any attacker who targets the IoT domain. Therefore,
to preserve the evidence and its integrity, IoT systems should mandatory require the use of anti-anti-forensics solutions to counter
the anti-forensics effect and impact, which will be further described in the next Section.

6. Anti-anti-forensics sciences

Categorizing anti-anti-digital forensics includes the classification, identification, characterization, and the differentiation between
digital forensics and anti-forensics techniques and tools [207]. In [205], the effectiveness level of anti-anti-forensics tools against
the use of the old fashion traditional anti-forensics tools was evaluated. As a result, different anti-anti-forensics approaches were
presented.

6.1. Anti-forensics prevention techniques

Anti-forensics prevention techniques were presented to counter the anti-forensics activities whilst also preserving the privacy of
both individuals and evidences. One key challenge in digital forensics is to protect the privacy of the digital evidences [254,255]
during a forensics investigation [256,257]. Thus, several forensics solutions have been developed to preserve the privacy of the
evidences, including digital files, emails or even documents. In [258], Goh et al. presented a secure indexing scheme used to
search for encrypted data and support advanced query searches [259]. This also included the Hash Message Authentication Code
(HMAC) and Advanced Encryption Standard (AES) stream cipher operations to ensure a high level of accuracy and efficiency, while
guaranteeing the admissibility of electronic evidence and the privacy of each individual. In [260], P. Stahlberg et al. investigated the
privacy threats that may possibly surround the database investigation and proposed a system transparency criteria set. This system
set is used to control the results of different queries, except for database searching and retrieval. In [261], S. Bottcher et al. presented
a detective database forensics approach to be capable of detecting any privacy leakage. This was done through the identification of
each party accessing the leaked information. In [262], Reddy et al. presented a theoretical forensics readiness framework, which can
be used exclusively for enterprises and organizations. This framework suggested a specific organizational structure used to minimize
the risk of possibly leaking private information in a given digital investigation case. In [263], Guo et al. defined general policies and
procedures for network forensics investigations. In [264], Pangalos et al. provide a description of the forensics readiness role when
it comes to optimizing the level of security and privacy of each organization. In [265], N.J. Croft et al. presented a sequential private
data release model which is based on the prior knowledge and proof of a given hypothesis used for forensics investigations. This
resulted into placing the less important data in less sensitive layers, allowing sensitive and important data to be made available only
in case of the knowledge of lower-level layers. This process was proven and demonstrated by the forensics investigators. In [257],
Law et al. presented several cryptographic models which can be employed into the already existing digital forensics processes to
ensure a higher level of data protection. In [266], S. Pearson developed a privacy model and language which can be incorporated
within a given company. This helps ensuring auditing and assurance of the employed mechanisms. In [267], Pooe et al. studied
a forensics policy specification to ensure a higher forensics readiness. In [268], S.Hou et al. investigated the legal and practical
privacy issues in a given forensics investigation and successfully presented a practical solution based on using homomorphic and

27
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

communicative encryption techniques to limit the disclosure of data during a given forensics investigation. However, their solution
lacked the ability to identify malicious data from non-malicious data [269]. In [270], Gupta presented a framework called ‘‘Privacy
Preserving Efficient Digital Forensics’’ (PPEDF) to ensure an automated investigation through the reduction of the amount of data
being analyzed. In fact, PPEDF is compatible with the Encase Version 7.0, with a 100% accuracy when extracting evidence files.
In [271], Hou et al. presented another solution based on the use of the (t,n) sharing scheme as a data encryption method, to ensure
the integrity and authenticity through the appliance of homomorphic property of the (t,n) sharing scheme. In [272], Arrnknecht
et al. presented another privacy preserving mechanism for email data. This method is based on the combination of secret sharing and
encryption algorithms. In fact, it is based on two main schemes including protection and extraction. This ensures that the encrypted
data will only be decrypted upon its need. In [273], Afifah et al. revealed and alternative implementation of data protection presented
by Armknecht and Dewald. It was focused on preserving the privacy of disk image instead of email data. In [274], Nieto et al.
presented a solution named ‘‘Digital Witness’’, which is a personal device that identifies, collects, safeguards and communicates
digital evidences [275] as a member of Digital Chains of Custody in Internet of Things (DCoC-IoT) [276]. This was meant to support
eleven privacy principles included in several PRoFIT (Model The Privacy-aware IoT-Forensics) presented in [277]. Thus, ensuring
a better cooperation between citizens and digital forensics investigations.

6.2. Anti-forensics detection techniques

Anti-Anti-Forensics is a newly evolving technology that protects forensics against any anti-forensics attempt(s). Hence, it is
essential to maintain the right anti-forensics countermeasures to ensure a high detection rate of any anti-forensics activity or attack.
The file installation for cryptographic software indicated that the data could be possibly encrypted on a system which could lead
to the occurrence of a possible anti-digital forensics activity. Therefore in [235], Conlan et al. compared a hash data set against
NIST hashes, where unmatched hashes were possibly a sign of the existence of anti-forensics files or/and tools. This indicated the
possibility of the employment of anti-digital forensics tools to erase any evidence beyond recovery to cover all tracks. Disk-avoiding
using anti-forensics tools was addressed by the Garfinkel in [208]. The presented solution is built on existing anti-forensics detection
methods. In [278], Blunden examined the already existing approaches that might be used by a forensics investigator against the
malicious yet persistent use of rootkits, whilst identifying the anti-forensics possibilities that a rootkit might use or even employ.
To mitigate the use of anti-forensics activities, an enhanced protected forensics version is needed. Hence, the shifting is heading
towards an enhanced Anti-Anti-Forensics version [16]. In [235], a theoretical approach was presented by Conlan et al. to detect
the use of anti-digital forensics tools, and reporting them to digital investigators. This enhanced and improved the digital forensics
investigation to overcome an anti-forensics attack [279]. In [280,281], Geiger presented an approach that consists of the analysis
of five anti-forensics tools including: ‘‘Secure-Clean’’, ‘‘Evidence Eliminator’’, ‘‘Window Washer’’, ‘‘Cyber-Scrub Professional’’, and
‘‘Acronis Privacy Expert’’. This was done by using a Forensics Tool Kit (FTK). The approach revealed that an incomplete wiping of
unallocated space allowed the recovery of the right data containing the necessary evidences. In [282], Fairbanks et al. introduced a
forensics tool, that can extract and analyze the forensics data to allow the detection of anti-forensics attempts, whilst also capturing
unavailable forensics information. This facilitated a system’s recovery, and enhanced the digital forensics investigation.
Despite the challenges and limitations that forensics domains suffer from, machine learning came as a new early smart detection
method to sort the limitations of previous forensics and counter anti-forensics methods. As a result, a new machine-learning counter
anti-forensics-based branch was presented in [283–286] to detect any anti-forensics activity. In [176] Conti et al. revealed the
importance of implementing and applying Artificial Intelligence-Machine Learning (AI-ML) techniques in the cyber-security domain.
In [102]. Mukammala et al. presented a study based on the use of artificial intelligent techniques (Artificial Neural Networks
(ANNs) and Support Vector Machines (SVMs)) for offline intrusion analysis to maintain the integrity and confidentiality of the
information infrastructure. Based on their study, SVM outperformed ANN in terms of scalability and prediction accuracy, while
both methods produce largely consistent results. In [287], Yeow et al. designed and developed an Intelligent Forensic Autopsy
(of war victims) Report System (I-AuReSys) based on the Case-Based Reasoning (CBR) method, which is used to analyze forensic
evidence. I-AuReSys is used to extract features by using an information extraction (IE) technique from the already existing autopsy
reports, before analyzing any case similarities by coupling CBR technique with a Naïve Bayes learner for feature-weights learning.
Experimental results class as a practical viable alternative forensics method. The authors contributed to the Elliptic Data Set using
series graph of Bitcoin transactions (nodes), directed payment flows (edges), and node features, including ones based on non-public
data. Results revealed the superiority of Random Forest (RF) algorithm. In [288], Wang et al. presented a novel TKRD method named
Trusted Kernel Rootkit Detection for cyber-security of Virtual Machines (VM). TKRD is based on machine learning and memory
forensic analysis and is used to detect kernel rootkits in VMs from private cloud. Experimental results revealed that the RF classifier
has the best unknown kernel rootkits detection performance. In [289], Axenopoulos et al. presented a new framework which is
implemented in the context of the European Union-funded project LASIE. This framework is applied for large-scale exploitation of
forensic data acquired from different sources and in multiple formats, whilst several video analytics tools that performed automated
object (human, face, vehicle, logo) detection and tracking, video event detection and summarizing. Detection and tracking events are
also robust in low-resolution, low color quality, motion blur, and lighting variations. An evidence search engine was also presented
to offer various ways of retrieving relevant evidence. This framework was tested using real content (CCTV footage) provided by the
London Metropolitan Police (MET), and have shown promising results. In [290], Sun et al. presented a novel Convolutional Neural
Network-based (CNN-based) Contrast Enhancement (CE) forensics method, using the Gray-Level Co-occurrence Matrix (GLCM)
which contains traceable CE forensics features. Experimental results revealed that this method outperforms conventional forensics
methods in terms of forgery-detection accuracy, robustness and performance, especially when dealing with counter-forensic attacks.

28
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

In [291], Yang et al. presented two effectively robust CE forensics algorithms based on deep learning. Their method achieves a
better end-to-end classification based on pixel and histogram domain. Experimental results revealed that this method achieves a
better detection performance than the other state-of-the-art algorithms, as well as it being robust against Pre-JPEG compression
and anti-forensics attacks. In [292], Shan et al. presented a JPEG-robust CE forensic method based on a modified CNN, adding
a GLCM layer and cropping layer ahead of a tailor-made CNN. Extensive experimental results revealed that this method achieves
significant improvements in terms of both global and local CE detection. In [293], Yu et al. presented a multi-purpose CNN-based
method to detect various anti-forensics activities, including the automatic features extraction and identification of the forged types.
This model can effectively detect various image anti-forensics in binary and multi-class decision. Experimental results revealed
that their methods achieves a better performance than other counter-anti-forensics methods in anti-forensics detection. In [294],
Chen et al. presented a new CNN approach for multi-purpose image detection and manipulations under anti-forensics activities, and
using a dense connectivity pattern for a better parameter efficiency. Experimental results revealed a better performance in terms of
accuracy detection of anti-forensics attacks, as well as enhanced robustness against JPEG compression. In [295], Li et al. presented a
3D Convolutional Neural Network architecture tailored for the spatial–temporal input to tackle the face spoofing detection problem.
Experimental results revealed that this method can learn discriminative and generalized information compared to with other deep
learning based biometric spoofing detection methods.
All the possible evidence sources in IoT devices, servers and networks should be safely collected in a periodic manner and
stored securely in well-protected distributed IoT systems. For this reason, a recent solution for IoT systems was presented in [46].
This solution uses a secret sharing variant to ensure evidences availability for IoT devices, and cipher scheme to ensure data
confidentiality, in addition to message authentication algorithm to ensure data integrity and source authentication. The uniqueness
of this approach is its ability to be applied at IoT servers or user devices.
In the next section, the main recommendations will be presented to ensure a much more suitable forensics solution to adhere
and overcome various forensics challenges and issues especially in terms of security and privacy-wise.

7. Suggestions & recommendations for IoT/digital forensics

Due to the increase number of data volume, type, size, structure and velocity, this paper suggests and recommends the following
solutions and measures:

• Smart automated evidences detection tools: further work needs to be done in terms of ensuring a higher accuracy and detec-
tion rates for evidence detection, which can also be based on the use of supervised and semi-supervised machine-learning-based
approaches.
• Counter Anti-Forensics: employing different evidences preserving solutions to prevent any evidence alteration caused by
anti-forensics activities, requires the need to define new lightweight anti-anti forensics solutions especially for limited and
resource-constrained (including battery-constrained) IoT devices. Recently, a cryptographic solution was presented in [46],
using a variety of cryptographic algorithms. Moreover, non-cryptographic solutions are not only recommended, but also re-
quired to disable the wiping option and reinforce the authentication process by using multi-factor biometric and non-biometric
authentication mechanisms.
• Enhancing the investigators skills: investigators must be legally certified by undergoing further ongoing constant training
to specialize in the cyber-security and digital forensics fields. As well as be more familiar with how to use forensics/counter
anti-forensics techniques and tools, to enhance their investigation and investigative skills. This will make it less complex and
less time consuming [296].
• Forensics Training/Testing Ground: is required and more funding is needed especially for the newly emerging forensics tools.
This would help ensure their accuracy, advantages, limitations and issues through forensics testing. Moreover, forensics and
digital forensics examination and educational grounds (low level/high level courses) need to be reconsidered and re-evaluated
to adhere to the modern constant growth in this domain.
• Raising Forensics Awareness: can be enhanced through constant workshops, and forensics-based events, as well as weekly,
monthly or yearly meetings and international conferences.
• Constant Alertness & Awareness: is required in order to monitor and shadow the newly or/and constantly emerging topics,
where forensics can play a key role to locate, identify, retrieve and protect evidences. This can be done by expanding the
range of forensics fields to cover every digital, real-life and IoT aspects.

8. Conclusion

The integration of forensics into the digital field and the IoT world led to its global spread and worldwide use and adoption to sort
IoT-related cyber and physical attacks (i.e crimes, terrorism, extremism, law enforcement, warfare, spying, etc.). However, in recent
years, there was a very remarkable rise in the number of anti-forensics activities to hide evidences and alter/delete them beyond
recovery to cover the attackers’ tracks and hinder the investigation’s ongoing process. For this reason, a new modern IoT forensics
analytical view is presented in this paper. An initial forensics background was also presented to include the forensics investigation
process, chain-of-custody and the structure of cyber crimes, while also classifying digital data and digital investigators types. Then,
digital forensics classes that we considered as sub-domains for IoT forensics (i.e computer, network, cloud and mobile forensics) were
discussed along with their different investigative forensics tools, techniques, and approaches. IoT Cyber-forensics challenges were

29
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

also mentioned, discussed and detailed. Anti-forensics aspects and techniques were also highlighted, whilst counter anti-forensics
detection and prevention techniques were discussed and analyzed using either cryptographic solutions to preserve evidences and
preventing any evidence alteration, deletion or/and modification techniques and tools, or machine learning techniques to enhance
the detection accuracy and rate. On the other hand, this paper helps other fellow colleagues in their quest to further understand
the digital forensics domain especially in terms of IoT.
As part of future work, further research will be conducted and performed on the newly introduced counter anti-forensics or
anti-anti-forensics topic(s) especially in terms of enhancement in both detection, prevention, and preservation of key evidences
aspects in this new Internet of Forensics Things (IoFT) and Internet of Digital Forensics Things (IoDFT) domains.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared
to influence the work reported in this paper.

Acknowledgments

This work has been funded by the EIPHI Graduate School (contract ‘‘ANR-17-EURE-0002’’), France.

References

[1] Emmanuel S. Pilli, Ramesh C. Joshi, Rajdeep Niyogi, Network forensic frameworks: Survey and research challenges, Digit. Investig. 7 (1–2) (2010) 14–27.
[2] Marcus K. Rogers, Kate Seigfried, The future of computer forensics: a needs analysis survey, Comput. Secur. 23 (1) (2004) 12–16.
[3] Shiuh-Jeng Wang, Measures of retaining digital evidence to prosecute computer-based cyber-crimes, Comput. Stand. Interfaces 29 (2) (2007) 216–223.
[4] Yanping Zhang, Yang Xiao, Kaveh Ghaboosi, Jingyuan Zhang, Hongmei Deng, A survey of cyber crimes, Secur. Commun. Netw. 5 (4) (2012) 422–437.
[5] Mohammed Al-Saleh, Ziad Al-Sharif, Ram forensics against cyber crimes involving files, in: The Second International Conference on Cyber Security, Cyber
Peacefare and Digital Forensic (CyberSec2013), 2013, pp. 189–197.
[6] O. Waziri Victor, N.O. Okongwu, Isah Audu, S. Adebayo Olawale, Mohammed Abdulhamid Shafi’í, Cyber crimes analysis based-on open source digital
forensics tools, 2013.
[7] Mohammad Wazid, Avita Katal, R.H. Goudar, Sreenivas Rao, Hacktivism trends, digital forensic tools and challenges: A survey, in: Information &
Communication Technologies (ICT), 2013 IEEE Conference on, IEEE, 2013, pp. 138–144.
[8] Bilal Alhayani, Husam Jasim Mohammed, Ibrahim Zeghaiton Chaloob, Jehan Saleh Ahmed, Effectiveness of artificial intelligence techniques against cyber
security risks apply of IT industry, Mater. Today: Proc. (2021).
[9] Binny Naik, Ashir Mehta, Hiteshri Yagnik, Manan Shah, The impacts of artificial intelligence techniques in augmentation of cybersecurity: a comprehensive
review, Complex Intell. Syst. (2021) 1–18.
[10] Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steve Hanna, David Wagner, A survey of mobile malware in the wild, in: Proceedings of the 1st ACM
Workshop on Security and Privacy in Smartphones and Mobile Devices, ACM, 2011, pp. 3–14.
[11] Murat Gül, Emin Kugu, A survey on anti-forensics techniques, in: Artificial Intelligence and Data Processing Symposium (IDAP), 2017 International, IEEE,
2017, pp. 1–6.
[12] Lei Zhang, Shui Yu, Di Wu, Paul Watters, A survey on latest botnet attack and defense, in: Trust, Security and Privacy in Computing and Communications
(TrustCom), 2011 IEEE 10th International Conference on, IEEE, 2011, pp. 53–60.
[13] Min Chen, Shiwen Mao, Yunhao Liu, Big data: A survey, Mob. Netw. Appl. 19 (2) (2014) 171–209.
[14] Xiaohua Feng, Yuping Zhao, Digital forensics challenges to big data in the cloud, in: 2017 IEEE International Conference on Internet of Things (iThings)
and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData),
IEEE, 2017, pp. 858–862.
[15] Shams Zawoad, Ragib Hasan, Digital forensics in the age of big data: Challenges, approaches, and opportunities, in: 2015 IEEE 17th International
Conference on High Performance Computing and Communications, 2015 IEEE 7th International Symposium on Cyberspace Safety and Security, and 2015
IEEE 12th International Conference on Embedded Software and Systems, IEEE, 2015, pp. 1320–1325.
[16] Michael Perklin, Anti-forensics and anti-anti-forensics, in: Talk at DEF CON, Vol. 20, 2012.
[17] Jean-Paul A. Yaacoub, Mohamad Noura, Hassan N. Noura, Ola Salman, Elias Yaacoub, Raphaël Couturier, Ali Chehab, Securing internet of medical things
systems: limitations, issues and recommendations, Elsevier Future Gener. Comput. Syst. 105 (2020) 581–606.
[18] Jean-Paul Yaacoub, Hassan N. Noura, Ola Salman, Ali Chehab, Security analysis of drones systems: Attacks, limitations, and recommendations, Elsevier
Internet Things 11 (2020) 100218.
[19] Jean-Paul A. Yaacoub, Hassan N. Noura, Ola Salman, Ali Chehab, Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations,
Springer Int. J. Inf. Secur. (2021) 1–44.
[20] Jean-Paul A. Yaacoub, Ola Salman, Hassan N. Noura, Nesrine Kaaniche, Ali Chehab, Mohamad Malli, Cyber-physical systems security: Limitations, issues
and future trends, Elsevier Microprocess. Microsyst. 77 (2020) 103201.
[21] Hassan N. Noura, Tarif Hatoum, Ola Salman, Jean-Paul Yaacoub, Ali Chehab, LoRaWAN security survey: Issues, threats and possible mitigation techniques,
Elsevier Internet Things (2020) 100303.
[22] Jean Paul A. Yaacoub, Javier Hernandez Fernandez, Hassan N. Noura, Ali Chehab, Security of power line communication systems: issues, limitations and
existing solutions, Elsevier Comput. Sci. Rev. 39 (2021) 100331.
[23] Stephen Russell, Tarek Abdelzaher, The internet of battlefield things: the next generation of command, control, communications and intelligence (C3I)
decision-making, in: MILCOM 2018-2018 IEEE Military Communications Conference (MILCOM), IEEE, 2018, pp. 737–742.
[24] Anuj Sehgal, Vladislav Perelman, Siarhei Kuryla, Jurgen Schonwalder, Management of resource constrained devices in the internet of things, IEEE Commun.
Mag. 50 (12) (2012) 144–149.
[25] Vineet Tambe, Gaurav Bansod, Soumya Khurana, Shardul Khandekar, Reliability and availability of IoT devices in resource constrained environments,
Int. J. Qual. Reliab. Manage. (2022).
[26] Donald Harriss, Enhancing IoT situational awareness: Connecting first responders to smart buildings.
[27] Jean-Paul A. Yaacoub, Mohamad Noura, Hassan N. Noura, Ola Salman, Elias Yaacoub, Raphaël Couturier, Ali Chehab, Securing internet of medical things
systems: Limitations, issues and recommendations, Elsevier Future Gener. Comput. Syst. (2019).

30
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[28] Dennis Broeders, Els de Busser, Fabio Cristiano, Tatiana Tropina, Revisiting past cyber operations in light of new cyber norms and interpretations of
international law: inching towards lines in the sand? J. Cyber Policy (2022) 1–39.
[29] Ruilong Deng, Peng Zhuang, Hao Liang, CCPA: Coordinated cyber-physical attacks and countermeasures in smart grid, IEEE Trans. Smart Grid 8 (5)
(2017) 2420–2430.
[30] Gaoqi Liang, Steven R. Weller, Junhua Zhao, Fengji Luo, Zhao Yang Dong, The 2015 ukraine blackout: Implications for false data injection attacks, IEEE
Trans. Power Syst. 32 (4) (2016) 3317–3318.
[31] Shreyas Kulkarni, Qinchen Gu, Eric Myers, Lalith Polepeddi, Szilárd Lipták, Raheem Beyah, Deepak Divan, Enabling a decentralized smart grid using
autonomous edge control devices, IEEE Internet Things J. 6 (5) (2019) 7406–7419.
[32] Fenghua Zhu, Yisheng Lv, Yuanyuan Chen, Xiao Wang, Gang Xiong, Fei-Yue Wang, Parallel transportation systems: Toward IoT-enabled smart urban
traffic control and management, IEEE Trans. Intell. Transp. Syst. 21 (10) (2019) 4063–4071.
[33] Sourav Banerjee, Chinmay Chakraborty, Sumit Chatterjee, A survey on IoT based traffic control and prediction mechanism, in: Internet of Things and
Big Data Analytics for Smart Generation, Springer, 2019, pp. 53–75.
[34] Jörn von Lucke, Borderlines for smart police work, in: EGOV-CeDEM-EPart-*, 2020, pp. 351–352.
[35] Mohd Javed, Hezbollah a state within a state: An overview, J. Homepage (ISSN: 2582-7421) www.ijrpr.com.
[36] Ian Slesinger, The limits of control: Technological agency, urban terrain, strategy and the state in the 2014 Gaza War, Political Geogr. 93 (2022) 102530.
[37] Mari Carmen Domingo, An overview of the internet of underwater things, J. Netw. Comput. Appl. 35 (6) (2012) 1879–1890.
[38] Xiuxia Cai, Haoyu Li, Sandong Guo, Intelligent camouflage pattern generating in internet of things, Internet Technol. Lett. e349.
[39] Rune Langleite, Carsten Griwodz, Frank T. Johnsen, Military applications of internet of things: Operational concerns explored in context of a prototype
wearable, 2021.
[40] Lin Zhu, Suryadipta Majumdar, Chinwe Ekenna, An invisible warfare with the internet of battlefield things: a literature review, Hum. Behav. Emerg.
Technol. 3 (2) (2021) 255–260.
[41] J. Walker, Search and rescue robots–current applications on land, sea, and air, 2019.
[42] Manju Payal, Pooja Dixit, T.V.M. Sairam, Nidhi Goyal, Robotics, AI, and the IoT in defense systems, in: AI and IoT-Based Intelligent Automation in
Robotics, Wiley Online Library, 2021, pp. 109–128.
[43] Melanie Schranz, Martina Umlauft, Micha Sende, Wilfried Elmenreich, Swarm robotic behaviors and current applications, Front. Robot. AI 7 (2020) 36.
[44] Pierre Thalamy, Benoit Piranda, Julien Bourgeois, Engineering efficient and massively parallel 3D self-reconfiguration using sandboxing, scaffolding and
coating, Robot. Auton. Syst. 146 (2021) 103875.
[45] Waleed Halboob, Ramlan Mahmod, Nur Izura Udzir, Mohd Taufik Abdullah, Privacy levels for computer forensics: Toward a more efficient
privacy-preserving investigation, Procedia Comput. Sci. 56 (2015) 370–375.
[46] Hassan N. Noura, Ola Salman, Ali Chehab, Raphaël Couturier, DistLog: A distributed logging scheme for IoT forensics, Ad Hoc Netw. 98 (2020) 102061.
[47] Ashley D. Maxie-Moreman, Brendesha M. Tynes, Exposure to online racial discrimination and traumatic events online in black adolescents and emerging
adults, J. Res. Adolesc. (2022).
[48] Elena Dal Santo, Elena D’Angelo, Relationship of online hate, radicalization, and terrorism, in: Indoctrination to Hate: Recruitment Techniques of Hate
Groups and how to Stop Them, ABC-CLIO, 2022, p. 152.
[49] Richard Donegan, Bullying and cyberbullying: History, statistics, law, prevention and analysis, Elon J. Undergrad. Res. Commun. 3 (1) (2012) 33–42.
[50] David Finkelhor, Richard Ormrod, Child pornography: Patterns from NIBRS, Juv. Justice Bull. (2004).
[51] Lakitta D. Johnson, Alfonso Haralson, Sierra Batts, Ebonie Brown, Cedric Collins, Adrian Van Buren-Travis, Melissa Spencer, Cyberbullying on social
media among college students, Vistas Online (2016) 1–8.
[52] Shaheen Shariff, Cyber-Bullying: Issues and Solutions for the School, the Classroom and the Home, Routledge, 2008.
[53] Peter K. Smith, Jess Mahdavi, Manuel Carvalho, Sonja Fisher, Shanette Russell, Neil Tippett, Cyberbullying: Its nature and impact in secondary school
pupils, J. Child Psychol. Psychiatry 49 (4) (2008) 376–385.
[54] Rosemary Stockdale, Craig Standing, Benefits and barriers of electronic marketplace participation: an SME perspective, J. Enterp. Inf. Manage. 17 (4)
(2004) 301–311.
[55] Katharina Krombholz, Heidelinde Hobel, Markus Huber, Edgar Weippl, Advanced social engineering attacks, J. Inf. Secur. Appl. 22 (2015) 113–122.
[56] JongHyup Lee, Thanassis Avgerinos, David Brumley, TIE: Principled reverse engineering of types in binary programs, in: NDSS, 2011.
[57] Mohamad Badra, Samer El-Sawda, Ibrahim Hajjeh, Phishing attacks and solutions, in: Proceedings of the 3rd International Conference on Mobile
Multimedia Communications, ICST (Institute for Computer Sciences, Social-Informatics and . . . , 2007, p. 42.
[58] Mohd Zaki Mas’ud, Aslinda Hassan, Wahidah Md Shah, Shekh Faisal Abdul-Latip, Rabiah Ahmad, Aswami Ariffin, Zahri Yunos, A review of digital
forensics framework for blockchain in cryptocurrency technology, in: 2021 3rd International Cyber Resilience Conference (CRC), IEEE, 2021, pp. 1–6.
[59] Dinesh P. Srivasthav, Lakshmi Padmaja Maddali, R. Vigneswaran, Study of blockchain forensics and analytics tools, in: 2021 3rd Conference on Blockchain
Research & Applications for Innovative Networks and Services (BRAINS), IEEE, 2021, pp. 39–40.
[60] Sergei Shevchenko, Adrian Nish, Cyber Heist Attribution, BAE Systems Threat Research Blog, 2016.
[61] Ivica Simonovski, Financial sector as an open field for cyber crime and fundraising of terrorist activities, Count. Terror. Act. Cyberspace 139 (2018) 121.
[62] Australia Attorney General, Commonwealth organised crime strategic framework, 2013.
[63] Mike Perry, Erinn Clark, Steven Murdoch, The design and implementation of the Tor Browser, Draft (2013) https://www.torproject.org/projects/
torbrowser/design/. The Tor Project.
[64] Hsinchun Chen, Wingyan Chung, Jialun Qin, Edna Reid, Marc Sageman, Gabriel Weimann, Uncovering the dark Web: A case study of Jihad on the Web,
J. Am. Soc. Inf. Sci. Technol. 59 (8) (2008) 1347–1359.
[65] Andy Greenberg, Hacker lexicon: what is the dark web? Wired 12 (3) (2014) 2016, Accessed on.
[66] Sven Botha, Suzanne E. Graham, (Counter-) terrorism in Africa: Reflections for a new decade, S. Afr. J. Int. Aff. 28 (2) (2021) 127–143.
[67] Maura Conway, Online extremism and terrorism research ethics: researcher safety, informed consent, and the need for tailored guidelines, Terror. Political
Violence 33 (2) (2021) 367–380.
[68] Miriam Fernandez, Harith Alani, Artificial intelligence and online extremism: Challenges and opportunities, 2021.
[69] Gary Stoneburner, Alice Y. Goguen, Alexis Feringa, Sp 800-30. risk management guide for information technology systems, 2002.
[70] Christopher Hargreaves, Jonathan Patterson, An automated timeline reconstruction approach for digital forensic investigations, Digit. Investig. 9 (2012)
S69–S79.
[71] Frank J. Donner, The Age of Surveillance: The Aims and Methods of America’s Political Intelligence System, Vintage, 1980.
[72] Mike Maguire, Policing by risks and targets: Some dimensions and implications of intelligence-led crime control, Polic. Soc.: Int. J. 9 (4) (2000) 315–336.
[73] Jacqueline E. Ross, The place of covert surveillance in democratic societies: a comparative study of the United States and Germany, Am. J. Comp. Law
55 (3) (2007) 493–579.
[74] Carles Fernández, Pau Baiget, F. Xavier Roca, Jordi Gonzàlez, Determining the best suited semantic events for cognitive surveillance, Expert Syst. Appl.
38 (4) (2011) 4068–4079.
[75] Paul Bernal, Data gathering, surveillance and human rights: recasting the debate, J. Cyber Policy 1 (2) (2016) 243–264.
[76] Mathieu Gorge, Lawful interception–key concepts, actors, trends and best practice considerations, Comput. Fraud Secur. 2007 (9) (2007) 10–14.
[77] Gregory Kipper, Wireless Crime and Forensic Investigation, Auerbach Publications, 2007.

31
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[78] Robin Bryant, Policing digital crime: the international and organisational context, in: Policing Digital Crime, Routledge, 2016, pp. 129–140.
[79] Jason M. Daniels, Forensic and anti-forensic techniques for OLE2-formatted documents, 2008.
[80] Jorge Benítez Abad, et al., Computer forensics: automatización con autopsy, 2018.
[81] Marcus K. Rogers, James Goldman, Rick Mislan, Timothy Wedge, Steve Debrota, Computer forensics field triage process model, J. Digit. Forensics Secur.
Law 1 (2) (2006) 2.
[82] Eoghan Casey, Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, Academic Press, 2011.
[83] Yashwanth Reddy Kambalapalli, Different forensic tools on a single SSD and HDD, their differences and drawbacks, 2018.
[84] Andrew Zammit Tabona, Top 20 free digital forensic investigation tools for SysAdmins, in: TeckTalk Powered by GFI Software 2017, 2002.
[85] David Bennett, The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations,
Inf. Secur. J.: Glob. Perspect. 21 (3) (2012) 159–168.
[86] Douglas Schweitzer, Incident Response: Computer Forensics Toolkit, Wiley, New York, 2003.
[87] Alec Yasinsac, Robert F. Erbacher, Donald G. Marks, Mark M. Pollitt, Peter M. Sommer, Computer forensics education, IEEE Secur. Priv. 99 (4) (2003)
15–23.
[88] Noble Kumari, A.K. Mohapatra, An insight into digital forensics branches and tools, in: Computational Techniques in Information and Communication
Technologies (ICCTICT), 2016 International Conference on, IEEE, 2016, pp. 243–250.
[89] Nicole Lang Beebe, Jan Guynes Clark, A hierarchical, objectives-based framework for the digital investigations process, Digit. Investig. 2 (2) (2005)
147–167.
[90] Shadi Al Awawdeh, Ibrahim Baggili, Andrew Marrington, Farkhund Iqbal, CAT record (computer activity timeline record): a unified agent based approach
for real time computer forensic evidence collection, in: Systematic Approaches to Digital Forensic Engineering (SADFE), 2013 Eighth International
Workshop on, IEEE, 2013, pp. 1–8.
[91] Andrew Marrington, Ibrahim Baggili, George Mohay, Andrew Clark, CAT Detect (Computer Activity Timeline Detection): A tool for detecting inconsistency
in computer activity timelines, Digit. Investig. 8 (2011) S52–S61.
[92] Jens Olsson, Martin Boldt, Computer forensic timeline visualization tool, Digit. Investig. 6 (2009) S78–S87.
[93] Josiah Dykstra, Alan T. Sherman, Design and implementation of FROST: Digital forensic tools for the OpenStack cloud computing platform, Digit. Investig.
10 (2013) S87–S95.
[94] Edita Bajramović, et al., Challenges in mobile forensics technology, methodology, training, and expense, Int. J. Econ. Law 4 (12) (2014) 35–39.
[95] Demo Proposal Wei, Network forensics analysis with evidence graphs, 2005.
[96] Mohammed Alzaabi, Kamal Taha, Thomas Anthony Martin, Cisri: a crime investigation system using the relative importance of information spreaders in
networks depicting criminals communications, IEEE Trans. Inf. Forensics Secur. 10 (10) (2015) 2196–2211.
[97] Kemal Hajdarevic, Vahidin Dzaltur, An approach to digital evidence collection for successful forensic application: An investigation of blackmail case,
in: Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2015 38th International Convention on, IEEE, 2015, pp.
1387–1392.
[98] Anchit Bijalwan, Mohammad Wazid, Emmanuel S. Pilli, Ramesh Chandra Joshi, Forensics of random-UDP flooding attacks, J. Netw. 10 (5) (2015) 287.
[99] Nickolaos Koroniotis, Nour Moustafa, Elena Sitnikova, Forensics and deep learning mechanisms for botnets in internet of things: A survey of challenges
and solutions, IEEE Access 7 (2019) 61764–61785.
[100] Ray Hunt, Sherali Zeadally, Network forensics–An analysis of techniques, tools, and trends, Computer (2012) 1.
[101] Sherri Davidoff, Jonathan Ham, Network Forensics: Tracking Hackers Through Cyberspace, Vol. 2014, Prentice hall, Upper Saddle River, 2012.
[102] Srinivas Mukkamala, Andrew H. Sung, Identifying significant features for network forensic analysis using artificial intelligent techniques, Int. J. Digit.
Evid. 1 (4) (2003) 1–17.
[103] William Yurcik, James Barlow, Kiran Lakkaraju, Mike Haberman, Two visual computer network security monitoring tools incorporating operator interface
requirements, in: ACM CHI Workshop on Human-Computer Interaction and Security Systems (HCISEC, Citeseer, 2003.
[104] Simson Garfinkel, Network forensics: Tapping the internet, IEEE Internet Comput. 6 (2002) 60–66.
[105] Simson Garfinkel, Gene Spafford, Web Security, Privacy & Commerce, " O’Reilly Media, Inc.", 2002.
[106] Rayan Mosli, Rui Li, Bo Yuan, Yin Pan, A behavior-based approach for malware detection, in: IFIP International Conference on Digital Forensics, Springer,
2017, pp. 187–201.
[107] Vicka Corey, Charles Peterman, Sybil Shearin, Michael S. Greenberg, James Van Bokkelen, Network forensics analysis, IEEE Internet Comput. 6 (6) (2002)
60–66.
[108] Gulshan Shrivastava, Network forensics: Methodical literature review, in: Computing for Sustainable Global Development (INDIACom), 2016 3rd
International Conference on, IEEE, 2016, pp. 2203–2208.
[109] Xath Cruz, The basics of cloud forensics, Cloud Times (2012).
[110] Keyun Ruan, Joe Carthy, Tahar Kechadi, Mark Crosbie, Cloud forensics, in: IFIP International Conference on Digital Forensics, Springer, 2011, pp. 35–46.
[111] Konstantinos Vlachopoulos, Emmanouil Magkos, Vassileios Chrissikopoulos, A model for hybrid evidence investigation, Int. J. Digit. Crime Forensics
(IJDCF) 4 (4) (2012) 47–62.
[112] Monali P. Mohite, S.B. Ardhapurkar, Design and implementation of a cloud based computer forensic tool, in: Communication Systems and Network
Technologies (CSNT), 2015 Fifth International Conference on, IEEE, 2015, pp. 1005–1009.
[113] Ronald L. Krutz, Russell Dean Vines, Cloud Security: A Comprehensive Guide to Secure Cloud Computing, Wiley Publishing, 2010.
[114] Sameena Naaz, Faizan Ahmad Siddiqui, Comparative study of cloud forensics tools, Commun. Appl. Electron. (CAE) (ISSN: 2394-4714).
[115] Andrew Hoog, Android Forensics: Investigation, Analysis and Mobile Security for Google Android, Elsevier, 2011.
[116] Jeff Lessard, Gary Kessler, Android forensics: Simplifying cell phone examinations, 2010.
[117] Francesco Di Cerbo, Andrea Girardello, Florian Michahelles, Svetlana Voronkova, Detection of malicious applications on android os, in: International
Workshop on Computational Forensics, Springer, 2010, pp. 138–149.
[118] Yajin Zhou, Zhi Wang, Wu Zhou, Xuxian Jiang, Hey, you, get off of my market: detecting malicious apps in official and alternative android markets.,
in: NDSS, Vol. 25, 2012, pp. 50–52.
[119] H.A. Boyes, P. Norris, I. Bryant, T. Watson, Trustworthy Software: lessons fromgoto fail’& Heartbleed bugs, 2014.
[120] Mubarak Al-Hadadi, Ali AlShidhani, Smartphone forensics analysis: A case study, Int. J. Comput. Electr. Eng. 5 (6) (2013) 576.
[121] Juanru Li, Dawu Gu, Yuhao Luo, Android malware forensics: Reconstruction of malicious events, in: Distributed Computing Systems Workshops (ICDCSW),
2012 32nd International Conference on, IEEE, 2012, pp. 552–558.
[122] Aubrey-Derrick Schmidt, Hans-Gunther Schmidt, Jan Clausen, Kamer A. Yuksel, Osman Kiraz, Ahmet Camtepe, Sahin Albayrak, Enhancing security of
linux-based android devices, in: Proceedings of 15th International Linux Kongress. Lehmann, 2008.
[123] Himanshu Khurana, Mark Hadley, Ning Lu, Deborah A. Frincke, Smart-grid security issues, IEEE Secur. Priv. 8 (1) (2010).
[124] Jayant Shukla, Application sandbox to detect, remove, and prevent malware, 2008, US Patent App. 11/769, 297.
[125] Ulrich Bayer, Andreas Moser, Christopher Kruegel, Engin Kirda, Dynamic analysis of malicious code, J. Comput. Virol. 2 (1) (2006) 67–77.
[126] Andrew Nicholson, Tim Watson, Peter Norris, Alistair Duffy, Roy Isbell, A taxonomy of technical attribution techniques for cyber attacks, in: European
Conference on Information Warfare and Security, 2012, p. 188.
[127] Allan Cook, Andrew Nicholson, Helge Janicke, Leandros Maglaras, Richard Smith, Attribution of cyber attacks on industrial control systems, 2016.

32
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[128] Chathuranga Rathnayaka, Aruna Jamdagni, An efficient approach for advanced malware analysis using memory forensic technique, in:
Trustcom/BigDataSE/ICESS, 2017 IEEE, IEEE, 2017, pp. 1145–1150.
[129] Michael I. Cohen, Darren Bilby, Germano Caronni, Distributed forensics and incident response in the enterprise, Digit. Investig. 8 (2011) S101–S110.
[130] Michael Ligh, Steven Adair, Blake Hartstein, Matthew Richard, Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,
Wiley Publishing, 2010.
[131] Vaibhav Rastogi, Yan Chen, Xuxian Jiang, Droidchameleon: evaluating android anti-malware against transformation attacks, in: Proceedings of the 8th
ACM SIGSAC Symposium on Information, Computer and Communications Security, ACM, 2013, pp. 329–334.
[132] Alissa Torres, Building a World-Class Security Operations Center: A Roadmap, SANS Institute, 2015, May.
[133] Hajime Inoue, Frank Adelstein, Robert A. Joyce, Visualization in testing a volatile memory forensic tool, Digit. Investig. 8 (2011) S42–S51.
[134] Stefan Vömel, Felix C. Freiling, A survey of main memory acquisition and analysis techniques for the windows operating system, Digit. Investig. 8 (1)
(2011) 3–22.
[135] Bryan Ford, Godmar Back, Greg Benson, Jay Lepreau, Albert Lin, Olin Shivers, The Flux OSKit: A substrate for kernel and language research, in: ACM
SIGOPS Operating Systems Review, Vol. 31, ACM, 1997, pp. 38–51.
[136] William A. Arbaugh, David J. Farber, Jonathan M. Smith, A secure and reliable bootstrap architecture, in: Security and Privacy, 1997. Proceedings., 1997
IEEE Symposium on, IEEE, 1997, pp. 65–71.
[137] James T. Mihm, William R. Hannon, System and method for automating bios firmware image recovery using a non-host processor and platform policy
to select a donor system, 2010, US Patent 7, 809, 836.
[138] Michael Sikorski, Andrew Honig, Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software, no starch Press, 2012.
[139] Ziad A. Al-Sharif, Mohammad I. Al-Saleh, Luay M. Alawneh, Yaser I. Jararweh, Brij Gupta, Live forensics of software attacks on cyber physical systems,
Future Gener. Comput. Syst. (2018).
[140] Vikram S. Harichandran, Daniel Walnycky, Ibrahim Baggili, Frank Breitinger, CuFA: A more formal definition for digital forensic artifacts, Digit. Investig.
18 (2016) S125–S137.
[141] Ahmed F. Shosha, Lee Tobin, Pavel Gladyshev, Digital forensic reconstruction of a program action, in: 2013 IEEE Security and Privacy Workshops, IEEE,
2013, pp. 119–122.
[142] Ellick Chan, Winston Wan, Amey Chaugule, Roy Campbell, A framework for volatile memory forensics, in: Proceedings of The16th ACM Conference on
Computer and Communications Security, 2009.
[143] Ellick Chan, Shivaram Venkataraman, Francis David, Amey Chaugule, Roy Campbell, Forenscope: A framework for live forensics, in: Proceedings of the
26th Annual Computer Security Applications Conference, ACM, 2010, pp. 307–316.
[144] Johannes Stüttgen, Stefan Vömel, Michael Denzel, Acquisition and analysis of compromised firmware using memory forensics, Digit. Investig. 12 (2015)
S50–S60.
[145] Narasimha Karpoor Shashidhar, Dylan Novak, Digital forensic analysis on prefetch files, Int. J. Inf. Secur. Sci. 4 (2) (2015) 39–49.
[146] Tobias Latzo, Ralph Palutke, Felix Freiling, A universal taxonomy and survey of forensic memory acquisition techniques, Digit. Investig. 28 (2019) 56–69.
[147] Kristine Amari, Techniques and Tools for Recovering and Analyzing Data from Volatile Memory, SANS Institute InfoSec Reading Room, 2009.
[148] Andreas Schuster, PTFinder version 0.3. 05. 2007.
[149] Wayne Jansen, Rick Ayers, An overview and analysis of PDA forensic tools, Digit. Investig. 2 (2) (2005) 120–132.
[150] Iosif I. Androulidakis, Mobile phone forensics, in: Mobile Phone Security and Forensics, Springer, 2012, pp. 75–99.
[151] Eoghan Casey, Michael Bann, John Doyle, Introduction to Windows Mobile Forensics, Elsevier, 2010.
[152] Fabio Marturana, Gianluigi Me, Rosamaria Berte, Simone Tacconi, A quantitative approach to triaging in mobile forensics, in: Trust, Security and Privacy
in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on, IEEE, 2011, pp. 582–588.
[153] Maxim Chernyshev, Sherali Zeadally, Zubair Baig, Andrew Woodward, Mobile forensics: Advances, challenges, and research opportunities, IEEE Secur.
Priv. 15 (6) (2017) 42–51.
[154] Jae-Duk Lee, Sung-Hoi Hur, Jung-Dal Choi, Effects of floating-gate interference on NAND flash memory cell operation, IEEE Electron Device Lett. 23 (5)
(2002) 264–266.
[155] Adam Dunkels, Rime-a lightweight layered communication stack for sensor networks, in: Proceedings of the European Conference on Wireless Sensor
Networks (EWSN), Poster/Demo Session, Delft, the Netherlands, 2007.
[156] Louis Coetzee, Guillaume Olivrin, Inclusion through the Internet of Things, in: Assistive Technologies, InTech, 2012.
[157] John Gantz, David Reinsel, The digital universe in 2020: Big data, bigger digital shadows, and biggest growth in the far east, IDC IView: IDC Anal.
Future 2007 (2012) (2012) 1–16.
[158] Steve Watson, Ali Dehghantanha, Digital forensics: the missing piece of the Internet of Things promise, Elsevier Comput. Fraud Secur. 2016 (6) (2016)
5–8.
[159] Vicki Miller Luoma, Computer forensics and electronic discovery: The new management challenge, Comput. Secur. 25 (2) (2006) 91–96.
[160] Nickson M. Karie, Hein S. Venter, Taxonomy of challenges for digital forensics, J. Forensic Sci. 60 (4) (2015) 885–893.
[161] Khalil Hariss, Hassan N. Noura, Abed Ellatif Samhat, Maroun Chamoun, Design and realization of a fully homomorphic encryption algorithm for cloud
applications, in: International Conference on Risks and Security of Internet and Systems, Springer, 2017, pp. 127–139.
[162] Khalil Hariss, Hassan N. Noura, Towards a fully homomorphic symmetric cipher scheme resistant to plain-text/cipher-text attacks, Multimedia Tools Appl.
81 (10) (2022) 14403–14449.
[163] Khalil Hariss, Hassan N. Noura, Abed Ellatif Samhat, An efficient fully homomorphic symmetric encryption algorithm, Multimedia Tools Appl. 79 (17)
(2020) 12139–12164.
[164] Alvaro A. Cardenas, Pratyusa K. Manadhata, Sreeranga P. Rajan, Big data analytics for security, IEEE Secur. Priv. 11 (6) (2013) 74–76.
[165] Andrii Shalaginov, Jan William Johnsen, Katrin Franke, Cyber crime investigations in the era of big data, in: Big Data (Big Data), 2017 IEEE International
Conference on, IEEE, 2017, pp. 3672–3676.
[166] Kamal Dahbur, Bassil Mohammad, The anti-forensics challenge, in: Proceedings of the 2011 International Conference on Intelligent Semantic Web-Services
and Applications, ACM, 2011, p. 14.
[167] M. Ali Aydın, A. Halim Zaim, K. Gökhan Ceylan, A hybrid intrusion detection system design for computer network security, Comput. Electr. Eng. 35 (3)
(2009) 517–526.
[168] Akash Garg, Prachi Maheshwari, A hybrid intrusion detection system: A review, in: Intelligent Systems and Control (ISCO), 2016 10th International
Conference on, IEEE, 2016, pp. 1–5.
[169] Megha Gupta, Hybrid intrusion detection system: Technology and development, Int. J. Comput. Appl. 115 (9) (2015).
[170] Suleman Khan, Ejaz Ahmad, Muhammad Shiraz, Abdullah Gani, Ainuddin Wahid Abdul Wahab, Mustapha Aminu Bagiwa, Forensic challenges in mobile
cloud computing, in: Computer, Communications, and Control Technology (I4CT), 2014 International Conference on, IEEE, 2014, pp. 343–347.
[171] Luca Caviglione, Steffen Wendzel, Wojciech Mazurczyk, The future of digital forensics: Challenges and the road ahead, IEEE Secur. Priv. 15 (6) (2017)
12–17.
[172] Konstantia Barmpatsalou, Tiago Cruz, Edmundo Monteiro, Paulo Simoes, Current and future trends in mobile device forensics: A survey, ACM Comput.
Surv. 51 (3) (2018) 46.

33
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[173] Mandar Jadhav, K.K. Joshi, Forensic investigation procedure for data acquisition and analysis of Firefox OS based mobile devices, in: Computing, Analytics
and Security Trends (CAST), International Conference on, IEEE, 2016, pp. 456–461.
[174] Dasari Manendra Sai, N.R.G.K. Prasad, Satish Dekka, The forensic process analysis of mobile device, Int. J. Comput. Sci. Inf. Technol. 6 (5) (2015)
4847–4850.
[175] Tor-Morten Gronli, Jarle Hansen, Gheorghita Ghinea, Muhammad Younas, Mobile application platform heterogeneity: Android vs Windows Phone vs iOS
vs Firefox OS, in: Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conference on, IEEE, 2014, pp. 635–641.
[176] Mauro Conti, Tooska Dargahi, Ali Dehghantanha, Cyber threat intelligence: Challenges and opportunities, Cyber Threat Intell. (2018) 1–6.
[177] Michele Elingiusti, Leonardo Aniello, Leonardo Querzoni, Roberto Baldoni, Malware detection: A survey and taxonomy of current techniques, Cyber
Threat Intell. (2018) 169–191.
[178] Adam Young, Moti Yung, Backdoor attacks on black-box ciphers exploiting low-entropy plaintexts, in: Australasian Conference on Information Security
and Privacy, Springer, 2003, pp. 297–311.
[179] Justin Grover, Android forensics: Automated data collection and reporting from a mobile device, Digit. Investig. 10 (2013) S12–S20.
[180] Nguyen Phong Hoang, Davar Pishva, Anonymous communication and its importance in social networking, in: Advanced Communication Technology
(ICACT), 2014 16th International Conference on, IEEE, 2014, pp. 34–39.
[181] E. Ramadhani, Anonymity communication VPN and tor: a comparative study, in: Journal of Physics: Conference Series, Vol. 983, IOP Publishing, 2018,
012060.
[182] Ting-Fang Yen, Yinglian Xie, Fang Yu, Roger Peng Yu, Martin Abadi, Host fingerprinting and tracking on the web: Privacy and security implications, in:
NDSS, Vol. 62, Citeseer, 2012, p. 66.
[183] Wo L. Chang, NIST Big Data Interoperability Framework: Volume 1, Definitions, Technical report, 2015.
[184] Sam Madden, From databases to big data, IEEE Internet Comput. (3) (2012) 4–6.
[185] Oluwasola Mary Adedayo, Big data and digital forensics, in: Cybercrime and Computer Forensic (ICCCF), IEEE International Conference on, IEEE, 2016,
pp. 1–7.
[186] Root Me : plateforme d’apprentissage dédiée au Hacking et à la Sécurité de l’Information, 2019, https://www.root-me.org/.
[187] ENISA-The European Networks and Information Security Agency. https://www.enisa.europa.eu/.
[188] Ge Jin, Manghui Tu, Tae-Hoon Kim, Justin Heffron, Jonathan White, Game based cybersecurity training for high school students, in: Proceedings of the
49th ACM Technical Symposium on Computer Science Education, ACM, 2018, pp. 68–73.
[189] Nur Aziemah Azman, Underlying the islamic state (Is) propaganda, Count. Terror. Trends Anal. 14 (1) (2022) 113–120.
[190] Amie L. Haun, Madison Gaither, Joanie Sompayrac, The role of forensic accounting in US counterterrorism efforts, Coast. Bus. J. 16 (1) (2022) 3.
[191] Miron Lakomy, Let’s play a video game: Jihadi propaganda in the world of electronic entertainment, Stud. Confl. Terror. 42 (4) (2019) 383–406.
[192] Stuart S. Yeh, APUNCAC: An international convention to fight corruption, money laundering, and terrorist financing, Law Dev. Rev. 14 (2) (2021)
633–664.
[193] Daniel Hughes, Andrew Colarik, The hierarchy of cyber war definitions, in: Pacific-Asia Workshop on Intelligence and Security Informatics, Springer,
2017, pp. 15–33.
[194] Alexander Kosenkov, Cyber conflicts as a new global threat, Future Internet 8 (3) (2016) 45.
[195] Ralph Langner, Stuxnet: Dissecting a cyberwarfare weapon, IEEE Secur. Priv. 9 (3) (2011) 49–51.
[196] Manuel R. Torres Soriano, Internet as a driver of political change: cyber-pessimists and cyber-optimists, J. Span. Inst. Strateg. Stud. 1 (1) (2013) 332–352.
[197] Laoise Luciano, Ibrahim Baggili, Mateusz Topor, Peter Casey, Frank Breitinger, Digital forensics in the next five years, in: Proceedings of the 13th
International Conference on Availability, Reliability and Security, ACM, 2018, p. 46.
[198] Milda Petraityte, Ali Dehghantanha, Gregory Epiphaniou, A model for android and iOS applications risk calculation: CVSS analysis and enhancement
using case-control studies, Cyber Threat Intell. (2018) 219–237.
[199] Andrii Shalaginov, Sergii Banin, Ali Dehghantanha, Katrin Franke, Machine learning aided static malware analysis: A survey and tutorial, Cyber Threat
Intell. (2018) 7–45.
[200] Mudit Kalpesh Pandya, Sajad Homayoun, Ali Dehghantanha, Forensics investigation of OpenFlow-based SDN platforms, Cyber Threat Intell. (2018)
281–296.
[201] Kresimir Hausknecht, S. Gruičić, Anti-computer forensics, in: 2017 40th International Convention on Information and Communication Technology,
Electronics and Microelectronics (MIPRO), IEEE, 2017, pp. 1233–1240.
[202] Gary C. Kessler, Anti-forensics and the digital investigator, in: Australian Digital Forensics Conference, 2007, p. 1.
[203] LLC Metasploit, The metasploit framework, 2007.
[204] Sarah Hilley, Anti-forensics with a small army of exploits, Digit. Investig. 4 (1) (2007) 13–15.
[205] Christian S.J. Peron, Michael Legary, Digital anti-forensics: emerging trends in data transformation techniques, in: Proceedings of, 2005.
[206] Martin Wundram, Felix C. Freiling, Christian Moch, Anti-forensics: the next step in digital forensics tool testing, in: IT Security Incident Management
and IT Forensics (IMF), 2013 Seventh International Conference on, IEEE, 2013, pp. 83–97.
[207] Ryan Harris, Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem, Digit. Investig. 3 (2006) 44–49.
[208] Simson Garfinkel, Anti-forensics: Techniques, detection and countermeasures, in: 2nd International Conference on i-Warfare and Security, Vol. 20087,
2007, pp. 77–84.
[209] Matthew C. Stamm, W. Sabrina Lin, K.J. Ray Liu, Temporal forensics and anti-forensics for motion compensated video, IEEE Trans. Inf. Forensics Secur.
7 (4) (2012) 1315–1329.
[210] Harald Baier, Julian Knauer, AFAUC–anti-forensics of storage devices by alternative use of communication channels, in: IT Security Incident Management
& IT Forensics (IMF), 2014 Eighth International Conference on, IEEE, 2014, pp. 14–26.
[211] B. Shirani, Anti-Forensics, High Technology Crime Investigation Association, 2002, http://www.aversion.net/presentations/HTCIA-02/anti-forensics.ppt.
[212] Marcus K. Rogers, Anti-forensics: the coming wave in digital forensics, 2006, Retrieved September 7: 2008.
[213] Marcus K. Rogers, Anti-Forensics, Lockheed Martin, San Diego, California, 2005.
[214] Kamal Dahbur, Bassil Mohammad, Toward understanding the challenges and countermeasures in computer anti-forensics, in: Cloud Computing
Advancements in Design, Implementation, and Technologies, IGI Global, 2013, pp. 176–189.
[215] Pietro Albano, Aniello Castiglione, Giuseppe Cattaneo, Alfredo De Santis, A novel anti-forensics technique for the android OS, in: Broadband and Wireless
Computing, Communication and Applications (Bwcca), 2011 International Conference on, IEEE, 2011, pp. 380–385.
[216] Joseph C. Sremack, Alexandre V. Antonov, Taxonomy of anti-computer forensics threats, IMF 103 (2007) e12.
[217] Matthew C. Stamm, W. Sabrina Lin, K.J. Ray Liu, Forensics vs. anti-forensics: A decision and game theoretic framework, in: Acoustics, Speech and Signal
Processing (ICASSP), 2012 IEEE International Conference on, IEEE, 2012, pp. 1749–1752.
[218] Anthony Dekker, A taxonomy of network centric warfare architectures, Technical report, DEFENCE SCIENCE AND TECHNOLOGY ORGANISATION
CANBERRA (AUSTRALIA), 2008.
[219] Arvind Kumar, Km Pooja, Steganography-A data hiding technique, Int. J. Comput. Appl. 9 (7) (2010) 19–23.
[220] Mohamad Ahtisham Wani, Ali AlZahrani, Wasim Ahmad Bhat, File system anti-forensics–types, techniques and tools, Comput. Fraud Secur. 2020 (3)
(2020) 14–19.

34
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[221] Mukesh Dalal, Mamta Juneja, Steganography and steganalysis (in digital forensics): a cybersecurity guide, Multimedia Tools Appl. 80 (4) (2021)
5723–5771.
[222] Hassan N. Noura, Ali Chehab, Raphael Couturier, Efficient & secure cipher scheme with dynamic key-dependent mode of operation, Signal Process.,
Image Commun. 78 (2019) 448–464.
[223] S. Srinivasan, Security and privacy vs. computer forensics capabilities, Inf. Syst. Control J. 4 (2007) 1–3.
[224] Frank Breitinger, Harald Baier, A fuzzy hashing approach based on random sequences and hamming distance, 2012.
[225] Ronald Rivest, The MD5 Message-Digest Algorithm, Technical report, 1992.
[226] D. Eastlake 3rd, Paul Jones, US Secure Hash Algorithm 1 (SHA1), Technical report, 2001.
[227] Anthony J. Wasilewski, Retrieval and transfer of encrypted hard drive content from DVR set-top boxes, 2009, US Patent 7, 630, 499.
[228] George I. Davida, David L. Wells, John B. Kam, A database encryption system with subkeys, ACM Trans. Database Syst. 6 (2) (1981) 312–328.
[229] Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu, Order preserving encryption for numeric data, in: Proceedings of the 2004 ACM
SIGMOD International Conference on Management of Data, ACM, 2004, pp. 563–574.
[230] Richard Bergmair, Natural language steganography and an ‘‘AI-complete’’ security primitive, in: 21st Chaos Communication Congress, Berlin (December
2004), 2004.
[231] Józef Lubacz, Wojciech Mazurczyk, Krzysztof Szczypiorski, Vice over IP, IEEE Spectr. 47 (2) (2010).
[232] Huayong Ge, Mingsheng Huang, Qian Wang, Steganography and steganalysis based on digital image, in: 2011 4th International Congress on Image and
Signal Processing, Vol. 1, IEEE, 2011, pp. 252–255.
[233] Manveer Kaur, Gagandeep Kaur, Review of various steganalysis techniques, Int. J. Comput. Sci. Inf. Technol. 5 (2) (2014) 1744–1747.
[234] Natarajan Meghanathan, Lopamudra Nayak, Steganalysis algorithms for detecting the hidden information in image, audio and video cover media, Int. J.
Netw. Secur. Appl. (IJNSA) 2 (1) (2010) 43–55.
[235] Kevin Conlan, Ibrahim Baggili, Frank Breitinger, Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy, Digit.
Investig. 18 (2016) S66–S75.
[236] Bryan Sartin, ANTI-forensics–distorting the evidence, Comput. Fraud Secur. 2006 (5) (2006) 4–6.
[237] Xiaoyun Wang, Hongbo Yu, How to break MD5 and other hash functions, in: Annual International Conference on the Theory and Applications of
Cryptographic Techniques, Springer, 2005, pp. 19–35.
[238] Anu Jain, Gurpal Singh Chhabra, Anti-forensics techniques: An analytical review, in: Contemporary Computing (IC3), 2014 Seventh International
Conference on, IEEE, 2014, pp. 412–418.
[239] Alvaro Botas, Ricardo J. Rodríguez, Teemu Väisänen, Patrycjusz Zdzichowski, Counterfeiting and defending the digital forensic process, in: Computer
and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and
Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on, IEEE, 2015, pp. 1966–1971.
[240] Ang Chen, Akshay Sriraman, Tavish Vaidya, Yuankai Zhang, Andreas Haeberlen, Boon Thau Loo, Linh Thi Xuan Phan, Micah Sherr, Clay Shields, Wenchao
Zhou, Dispersing asymmetric DDoS attacks with SplitStack, in: Proceedings of the 15th ACM Workshop on Hot Topics in Networks, ACM, 2016, pp.
197–203.
[241] Ahmed Alenezi, Hany F. Atlam, Reem Alsagri, Madini O. Alassafi, Gary B. Wills, IoT forensics: A state-of-the-art review, challenges and future directions.
[242] Boldizsar Bencsath, Duqu, flame, gauss: Followers of stuxnet, in: RSA Conference Europe 2012, 2012.
[243] Sean Collins, Stephen McCombie, Stuxnet: the emergence of a new cyber weapon and its implications, J. Polic. Intell. Count. Terror. 7 (1) (2012) 80–91.
[244] Zakariya Dehlawi, Norah Abokhodair, Saudi Arabia’s response to cyber conflict: A case study of the Shamoon malware incident, in: 2013 IEEE International
Conference on Intelligence and Security Informatics, IEEE, 2013, pp. 73–75.
[245] Nart Villeneuve, Ned Moran, Thoufique Haq, Mike Scott, Operation saffron rose, in: FireEye Special Report, 2013.
[246] K.L. Zao, Red october diplomatic cyber attacks investigation. Retrieved from.
[247] Sami Zhioua, The middle east under malware attack dissecting cyber weapons, in: 2013 IEEE 33rd International Conference on Distributed Computing
Systems Workshops, IEEE, 2013, pp. 11–16.
[248] Sarah P. White, Understanding Cyberwarfare: Lessons from the Russia-Georgia War, Modern War Institute at West Point, 2018.
[249] Mitko Bogdanoski, Drage Petreski, Cyber terrorism–global security threat, Contemp. Maced. Def.-Int. Sci. Def. Secur. Peace J. 13 (24) (2013) 59–73.
[250] James Andrew Lewis, Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats, Center for Strategic & International Studies, Washington,
DC, 2002.
[251] Scott D. Applegate, Cybermilitias and political hackers: Use of irregular forces in cyberwarfare, IEEE Secur. Priv. (5) (2011) 16–22.
[252] Tim Jordan, Paul Taylor, Hacktivism and Cyberwars: Rebels with a Cause?, Routledge, 2004.
[253] Mark Button, Industrial espionage and information security.
[254] C. Benjamin, M. Fung, K. Wang, R. Chen, S. Philip, Yu Privacy-preserving data publishing: A survey of recent developments, ACM Comput. Surv. (2010)
1–53.
[255] Ali Dehghantanha, Katrin Franke, Privacy-respecting digital investigation, in: Privacy, Security and Trust (PST), 2014 Twelfth Annual International
Conference on, IEEE, 2014, pp. 129–138.
[256] Thomas Andl, Kyung Ahn, Alladin Kairo, Emily Y. Chu, Lara Wine-Lee, Seshamma T. Reddy, Nirvana J. Croft, Judith A. Cebra-Thomas, Daniel Metzger,
Pierre Chambon, et al., Epithelial Bmpr1a regulates differentiation and proliferation in postnatal hair follicles and is essential for tooth development,
Development 131 (10) (2004) 2257–2268.
[257] Frank Y.W. Law, Patrick P.F. Chan, Siu-Ming Yiu, Kam-Pui Chow, Michael Y.K. Kwan, K.S. Hayson, Pierre K.Y. Lai, Protecting digital data privacy in
computer forensic examination, in: Systematic Approaches to Digital Forensic Engineering (SADFE), 2011 IEEE Sixth International Workshop on, IEEE,
2011, pp. 1–6.
[258] Eu-Jin Goh, et al., Secure indexes, IACR Cryptol. ePrint Arch. 2003 (2003) 216.
[259] Dawn Xiaoding Song, David Wagner, Adrian Perrig, Practical techniques for searches on encrypted data, in: Security and Privacy, 2000. S&P 2000.
Proceedings. 2000 IEEE Symposium on, IEEE, 2000, pp. 44–55.
[260] Patrick Stahlberg, Gerome Miklau, Brian Neil Levine, Threats to privacy in the forensic analysis of database systems, in: Proceedings of the 2007 ACM
SIGMOD International Conference on Management of Data, ACM, 2007, pp. 91–102.
[261] Stefan Böttcher, Rita Hartel, Matthias Kirschner, Detecting suspicious relational database queries, in: Availability, Reliability and Security, 2008. ARES
08. Third International Conference on, IEEE, 2008, pp. 771–778.
[262] Kamil Reddy, Hein Venter, A forensic framework for handling information privacy incidents, in: IFIP International Conference on Digital Forensics,
Springer, 2009, pp. 143–155.
[263] Hong Guo, Bo Jin, Daoli Huang, Research and review on computer forensics, in: International Conference on Forensics in Telecommunications, Information,
and Multimedia, Springer, 2010, pp. 224–233.
[264] George Pangalos, Christos Ilioudis, Ioannis Pagkalos, The importance of corporate forensic readiness in the information security framework, in: Enabling
Technologies: Infrastructures for Collaborative Enterprises (WETICE), 2010 19th IEEE International Workshop on, IEEE, 2010, pp. 12–16.
[265] Neil J. Croft, Martin S. Olivier, Sequenced release of privacy-accurate information in a forensic investigation, Digit. Investig. 7 (1–2) (2010) 95–101.
[266] Siani Pearson, Privacy models and languages: assurance checking policies, in: Digital Privacy, Springer, 2011, pp. 363–375.

35
J.-P.A. Yaacoub et al. Internet of Things 19 (2022) 100544

[267] Antonio Pooe, Les Labuschagne, A conceptual model for digital forensic readiness, in: Information Security for South Africa (ISSA), 2012, IEEE, 2012,
pp. 1–8.
[268] Shuhui Hou, Tetsutaro Uehara, S.M. Yiu, Lucas C.K. Hui, K.P. Chow, Privacy preserving multiple keyword search for confidential investigation of remote
forensics, in: Multimedia Information Networking and Security (MINES), 2011 Third International Conference on, IEEE, 2011, pp. 595–599.
[269] Xiaodong Lin, Rongxing Lu, Kevin Foxton, Xuemin Sherman Shen, An efficient searchable encryption scheme and its application in network forensics,
in: International Conference on Forensics in Telecommunications, Information, and Multimedia, Springer, 2010, pp. 66–78.
[270] Anuradha Gupta, Privacy preserving efficient digital forensic investigation framework, in: Contemporary Computing (IC3), 2013 Sixth International
Conference on, IEEE, 2013, pp. 387–392.
[271] Shuhui Hou, Siu-Ming Yiuy, Tetsutaro Ueharaz, Ryoichi Sasakix, A privacy-preserving approach for collecting evidence in forensic investigation, Int. J.
Cyber-Secur. Digit. Forensics (IJCSDF) 2 (1) (2013) 70–78.
[272] Frederik Armknecht, Andreas Dewald, Privacy-preserving email forensics, Digit. Investig. 14 (2015) S127–S136.
[273] Khoirunnisa Afifah, Riza Satria Perdana, Development of search on encrypted data tools for privacy preserving in digital forensic, in: Data and Software
Engineering (ICoDSE), 2016 International Conference on, IEEE, 2016, pp. 1–6.
[274] Ana Nieto, Ruben Rios, Javier Lopez, IoT-forensics meets privacy: towards cooperative digital investigations, Sensors 18 (2) (2018) 492.
[275] Ana Nieto, Rodrigo Roman, Javier Lopez, Digital witness: Safeguarding digital evidence by using secure architectures in personal devices, IEEE Netw. 30
(6) (2016) 34–41.
[276] Yudi Prayudi, Azhari Sn, Digital chain of custody: State of the art, Int. J. Comput. Appl. 114 (5) (2015).
[277] Ana Nieto, Ruben Rios, Javier Lopez, A methodology for privacy-aware IoT-forensics, in: Proceedings of the 2017 IEEE Conference on
Trustcom/BigDataSE/ICESS, Sydney, NSW, Australia, 2017, pp. 1–4.
[278] Bill Blunden, Anti-forensics: the rootkit connection, in: Black Hat USA 2009 Conference Proceedings, 2009, p. 10.
[279] Slim Rekhis, Noureddine Boudriga, A system for formal digital forensic investigation aware of anti-forensic attacks, IEEE Trans. Inf. Forensics Secur. 7
(2) (2012) 635–650.
[280] Matthew Geiger, Evaluating commercial counter-forensic tools, in: DFRWS, 2005.
[281] Matthew Geiger, Lorrie Faith Cranor, et al., Counter-forensic privacy tools, Priv. Electron. Soc. (2005).
[282] Kevin D. Fairbanks, Christopher P. Lee, Ying H. Xia, Henry L. Owen, Timekeeper: a metadata archiving method for honeypot forensics, in: Information
Assurance and Security Workshop, 2007. IAW’07. IEEE SMC, IEEE, 2007, pp. 114–118.
[283] Greg Allen, Taniel Chan, Artificial Intelligence and National Security, Belfer Center for Science and International Affairs, Cambridge, MA, 2017.
[284] Bruno W.P. Hoelz, Célia Ghedini Ralha, Rajiv Geeverghese, Artificial intelligence applied to computer forensics, in: Proceedings of the 2009 ACM
Symposium on Applied Computing, ACM, 2009, pp. 883–888.
[285] Faye Mitchell, The use of artificial intelligence in digital forensics: An introduction, Digit. Evid. Elec. Signat. L. Rev. 7 (2010) 35.
[286] Parag H. Rughani, Prerak Bhatt, Machine learning forensics: a new branch of digital forensics, Int. J. Adv. Res. Comput. Sci. 8 (8) (2017).
[287] Wei Liang Yeow, Rohana Mahmud, Ram Gopal Raj, An application of case-based reasoning with machine learning for forensic autopsy, Expert Syst. Appl.
41 (7) (2014) 3497–3505.
[288] Xiao Wang, Jianbiao Zhang, Ai Zhang, Jinchang Ren, TKRD: Trusted kernel rootkit detection for cybersecurity of VMs based on machine learning and
memory forensic analysis, Math. Biosci. Eng. 16 (4) (2019) 2650–2667.
[289] Apostolos Axenopoulos, Volker Eiselein, Antonio Penta, Eugenia Koblents, Ernesto La Mattina, Petros Daras, A framework for large-scale analysis of video
in the wild to assist digital forensic examination, IEEE Secur. Priv. 17 (1) (2019) 23–33.
[290] Jee-Young Sun, Seung-Wook Kim, Sang-Won Lee, Sung-Jea Ko, A novel contrast enhancement forensics based on convolutional neural networks, Signal
Process., Image Commun. 63 (2018) 149–160.
[291] Gang Cao, Haorui Wu, Wei Zhao, Robust contrast enhancement forensics using convolutional neural networks, 2018.
[292] Wuyang Shan, Yaohua Yi, Ronggang Huang, Yong Xie, Robust contrast enhancement forensics based on convolutional neural networks, Signal Process.,
Image Commun. 71 (2019) 138–146.
[293] Jingjing Yu, Yifeng Zhan, Jianhua Yang, Xiangui Kang, A multi-purpose image counter-anti-forensic method using convolutional neural networks, in:
International Workshop on Digital Watermarking, Springer, 2016, pp. 3–15.
[294] Yifang Chen, Xiangui Kang, Z. Jane Wang, Qiong Zhan, Densely connected convolutional neural network for multi-purpose image forensics under
anti-forensic attacks, in: Proceedings of the 6th ACM Workshop on Information Hiding and Multimedia Security, ACM, 2018, pp. 91–96.
[295] Haoliang Li, Peisong He, Shiqi Wang, Anderson Rocha, Xinghao Jiang, Alex C. Kot, Learning generalized deep feature representation for face anti-spoofing,
IEEE Trans. Inf. Forensics Secur. 13 (10) (2018) 2639–2652.
[296] Erik Laykin, Investigative Computer Forensics: The Practical Guide for Lawyers, Accountants, Investigators, and Business Executives, John Wiley & Sons,
2013.

36