A Forensic Analysis of Home Automation Devices (FAHAD) Model: Kasa Smart Light Bulb and Eufy Floodlight Camera as Case Studies

The adoption of Internet of Things (IoT) devices is increasing rapidly with advances in network technology, and these devices carry sensitive data that requires adherence to minimum security practices. The migration of homeowners from traditional homes to smart homes through smart devices has been noticeable. These smart devices also hold value for, and are of potential interest to, digital forensic investigators. Therefore, in this paper we conduct a comprehensive security and forensic analysis that contributes to both fields, targeting a security enhancement of the selected IoT devices and assisting current IoT forensics approaches. Our work applies several techniques, including forensic analysis of identifiable information such as connected devices and sensor data. Furthermore, we perform a security assessment exploring insecure communication protocols, plaintext credentials, and sensitive information; this includes reverse engineering some binary files and manual analysis techniques. The analysis covers a data set of home automation devices provided by VTO Labs: (1) the eufy Floodlight Camera, and (2) the Kasa smart light bulb. The main goal of the technical experiment in this research is to support the proposed model.


Introduction
The Internet of Things (IoT) powers many fields today, boosting the economy by adding convenience to the customer experience (Mattern & Floerkemeier, 2010; Satoh, 2012; Evans, 2011). By 2020, there will be about twenty billion IoT-connected devices in the world (Hung, 2017). From automobiles to smart homes, the modern home will deploy IoT devices to automate home-based tasks, using devices such as light bulbs, security cameras, and coffee machines. Today, many IoT devices carry large volumes of data, which poses challenges to traditional digital forensic processes and creates additional attack vectors for adversaries to exploit. In this paper, we address security and forensics challenges related to smart devices. The contributions of this paper are:
• A technical analysis of two smart devices.
• A proposal of an investigative model for forensic analysis of home automation devices that follows a non-traditional digital forensics approach.
This paper is structured as follows: In Section 2, we discuss previous studies regarding IoT security and forensics. Section 3 explores the methodology used in this paper, and Section 4 presents the technical experiment as a proof of concept (POC) that supports the proposed model. Lastly, we conclude with directions for future research in Section 5.

Literature Review
Applying digital forensics tools and techniques to IoT devices might not always work (Watson & Dehghantanha, 2016). These smart devices share a large volume of data and follow cheap designs and technologies, both of which increase complexity. Also, the growing number of available IoT devices and the migration from a normal home to a smart home require investigators to have up-to-date knowledge of these technologies.
Recently, these devices have been a target for bad actors, who have been performing denial-of-service (DoS) attacks, installing ransomware, and spying on the privacy of others (Yaqoob et al., 2017; Azmoodeh, Dehghantanha, Conti, & Choo, 2018; S. R. Zahra & Chishti, 2019; A. Zahra & Shah, 2017). Several components must be secured, such as the communication protocols used, services, controllers, and endpoints (Alrawi, Lever, Antonakakis, & Monrose, 2019). Most IoT devices rely on cloud-based connectivity and are controlled either via a mobile device or a smart hub. These components are targeted by malicious actors for several reasons: one is to initiate reconnaissance for information gathering, and another is to target user privacy for financial gain. A further reason, however, might be tampering with digital evidence.
Researchers in the paper by (Mundt, Dähn, & Glock, 2014) conducted an experiment to interfere with IoT devices targeting the behavior of people, while (Awasthi, Read, Xynos, & Sutherland, 2018) presented forensic data acquisition of a smart home hub environment. A conceptual model was developed by (Plachkinova, Vo, & Alluhaidan, 2016) demonstrating security and privacy issues related to smart home devices; the authors included device risks, infrastructure vulnerabilities, privacy violations, and remote breaches in their model. Moreover, research questions regarding the type of data that can be recovered from smart home devices, and best practices for collecting and analyzing these devices, were raised by (Hutchinson, Yoon, Shantaram, & Karabiyik, n.d.). That work mainly focuses on a standard approach that can be adopted by cyber forensic investigators. An interesting piece of work by (Servida & Casey, 2019) extended the current extraction and analysis approaches; however, we argue that the understanding of each process in terms of traditional digital forensics has to be enhanced to minimize the current challenges of IoT forensics. Therefore, we work on enhancing all processes together, considering that IoT devices carry numerous metadata, which require some reconstruction techniques.
Alternatively, a comprehensive analysis of IoT devices (e.g., Google Nest Hub, Google Duo, TP-Link, and Samsung SmartThings) has been performed, identifying relevant forensic evidence by employing the association between several factors (Kim, Park, Lee, & Kim, 2020). In addition, the researchers proposed a workflow pertaining to smart home forensic investigation, which includes multiple stages (i.e., experiment, acquisition, analysis, and application). Each stage holds a specific function related to the functions of smart home devices. A generic IoT forensic model was proposed by (Li, Choo, Sun, Buchanan, & Cao, 2019) as a result of analyzing Amazon Echo under multiple crime scenarios. The presented model categorized IoT crime scenarios into three classes (IoT as tool, IoT as target, and IoT as witness), emphasizing several elements within the traditional digital forensics process. In the identification phase, the researchers suggested a comprehensive list of items related to the identification of IoT devices at a crime scene, for instance identifying all connected networks and internal/external access points. On the other side, research by (Karabiyik & Akkaya, 2019) discussed challenges and potential evidence sources in IoT. The expected sources of evidence in IoT were categorized into several kinds of logs (i.e., network, web, cloud, and sensor), which mostly require some reconstruction of the recovered metadata.

Methodology
The selected methodology of this research is based on several techniques, such as reverse analysis, forensic examination, and manual carving analysis. These analyses are performed using the firmware extraction tool Binwalk, created in 2010 by ReFirm Lab (refirm, n.d.), the digital forensics platform Autopsy, led by Brian Carrier, and the strings command. The theoretical philosophy in this work discusses the differences between traditional and non-traditional digital forensics. Figures 6 and 7 illustrate the digital evidence process. In the traditional technique, no reconstruction should be required to transform metadata into data and then into information that can be logged and reported as a piece of digital evidence. This is because most emerging technology devices share a large volume of data and rely on different communication protocols; also, some of these devices have different hardware, software, and sensors. An investigator needs to be knowledgeable enough to respond to such an incident and perform the reconstruction safely without compromising the integrity of the data. The acquisition of the selected IoT devices was based on the device architecture and data storage. In the Forensic Analysis of Home Automation Devices Model (Section 4.4), we go through the traditional digital forensics procedures (i.e., identification, preservation, analysis, presentation, and documentation); however, the design and architecture of IoT devices pose some limitations on the analysis phase, where not all digital evidence is accessible with certain tools. Therefore, we perform the analysis with two different software tools to report any limitations.

Findings
The analysis follows two approaches here. Firstly, we perform a forensic analysis of each smart device acquired by the VTO lab, and secondly, we conduct a security assessment to report any issues.

Forensic Analysis of Eufy Floodlight Camera (EFC)
The forensic image of the eufy Floodlight Camera (EFC) device was acquired from the embedded Multi-Media Controller (eMMC) used for data storage. Loading the forensic image into Autopsy 4.16.0 reconstructed 585 files with data reassembled from the unallocated space of the memory. Breaking this down, we explored and investigated the 585 files by file format and found 11 images, 14 audio files, 6 archives, 0 databases, 110 text files, 69 Executable and Linkable Format (ELF) executables, and 256 octet-streams. The eMMC has a built-in controller that retains chunks of data after they are deleted. The analysis led us to the discovery of artifacts stored in text files named in the format fxxxxxxx, where the 'x's represent a randomly generated number:
• Logs pertaining to internal and external WiFi connections, and the WiFi Received Signal Strength Indicator (RSSI).
• Timestamps of all connections, including setup.
• Information related to system size (free and used).
• A peer-to-peer (P2P) network connection reporting each detection with the value 10142.
• Light and motion sensor status with timestamps, with an event ID = 355.
• The camera type, which is Hisi. The parameter hisi_camera_wifi_data_Assignment with IDs of 788 and 794 identifies the WiFi name and BSSID, respectively. For instance, in our analysis we discovered that the WiFi name is NETGEAR05 and the BSSID is 10:da:43:6f:67:28.
• The serial number of the connected mobile device.
• File paths of stored video streams and pictures.
Importantly, the smart cam stores all videos and pictures on the mobile app in the following format: \mnt\data\camera00\year month day\220731.dat. The file extension indicates that these videos were stored in an encrypted format. Also, the log files include the P2P connection activity, showing the remote address and the local area network (LAN) and wireless local area network (WLAN) IP addresses. These metadata aid an investigator when linking supportive information with data acquired from the mobile device. Conducting a forensic analysis of the mobile app is out of the scope of this research, as our concern here is to walk through the digital investigation process of smart devices, not mobile apps. The process of mobile app forensics should not be challenging and might not be of interest to investigators. The analyzed logs provide extensive information related to the integrity and validity of media files recorded by the smart cam. It is very important to ensure that these data have not been tampered with and are accurate should they be presented in court. When a snapshot is taken by the smart cam, the logs show the full path of the image, including the device serial number, as follows: /mnt/data/video/T8420H01194807F2_20200403230525.jpeg. When motion is detected, the assigned ID number is 131076. This connectivity is based on cloud storage and the network; therefore, the logs might include IP addresses relevant to the cloud storage device.
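The following is an added example, not code from the paper or from VTO Labs, showing how an examiner can turn the media paths and motion events described above into a timeline and check that every motion detection (event ID 131076) is followed by a recording. The snapshot path format and the HHMMSS.dat video name are taken from the text; the assumption that the video date directory is written as YYYYMMDD, the log line shape "<timestamp> id=<event id> ...", and the sample paths and log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional


class MediaEvent(NamedTuple):
    kind: str              # "snapshot" or "video"
    serial: Optional[str]  # device serial; only the snapshot name carries it
    when: datetime
    path: str


# Snapshot path format reported in the text: /mnt/data/video/<serial>_<YYYYMMDDHHMMSS>.jpeg
SNAPSHOT_RE = re.compile(r"[\\/]mnt[\\/]data[\\/]video[\\/]([A-Za-z0-9]+)_(\d{14})\.jpeg$")
# Video path format reported in the text: \mnt\data\camera00\<year month day>\<HHMMSS>.dat
# Assumption (not stated in the paper): the date directory is written as YYYYMMDD.
VIDEO_RE = re.compile(r"[\\/]mnt[\\/]data[\\/]camera\d+[\\/](\d{8})[\\/](\d{6})\.dat$")

# Event ID the paper reports for a motion detection.
MOTION_EVENT_ID = 131076
# Constructed log line shape (the paper does not reproduce raw log lines):
# "<YYYY-MM-DD HH:MM:SS> id=<event id> <free text>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) id=(\d+)\b")


def parse_media_path(path: str) -> Optional[MediaEvent]:
    """Turn one recovered media path into a MediaEvent, or None if it is not media."""
    m = SNAPSHOT_RE.search(path)
    if m:
        return MediaEvent("snapshot", m.group(1),
                          datetime.strptime(m.group(2), "%Y%m%d%H%M%S"), path)
    m = VIDEO_RE.search(path)
    if m:
        return MediaEvent("video", None,
                          datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S"), path)
    return None


def build_timeline(paths: List[str]) -> List[MediaEvent]:
    """All media events, oldest first, so they can be laid next to the sensor logs."""
    events = [e for e in map(parse_media_path, paths) if e is not None]
    return sorted(events, key=lambda e: e.when)


def motion_events(log_lines: List[str]) -> List[datetime]:
    """Timestamps of motion-detection entries (event ID 131076) in the log."""
    found = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and int(m.group(2)) == MOTION_EVENT_ID:
            found.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return found


def motion_without_media(log_lines: List[str], paths: List[str],
                         window_s: int = 60) -> List[datetime]:
    """Motion detections with no snapshot or video within window_s seconds afterwards.
    Each gap is something the examiner must explain (storage full, deleted file,
    tampering) before relying on the recordings as evidence."""
    timeline = build_timeline(paths)
    window = timedelta(seconds=window_s)
    return [t for t in motion_events(log_lines)
            if not any(t <= e.when <= t + window for e in timeline)]


# Constructed sample input. The two media paths reuse the formats quoted in the text.
SAMPLE_PATHS = [
    r"\mnt\data\camera00\20200403\220731.dat",
    "/mnt/data/video/T8420H01194807F2_20200403230525.jpeg",
    "/etc/wpa_supplicant/wpa_supplicant.conf",   # not media: ignored
]
SAMPLE_LOG = [
    "2020-04-03 22:07:10 id=131076 motion detected",   # video follows 21 s later
    "2020-04-03 22:07:12 id=355 light on",             # sensor status, not motion
    "2020-04-03 23:05:00 id=131076 motion detected",   # snapshot follows 25 s later
    "2020-04-03 23:40:00 id=131076 motion detected",   # nothing follows: a gap
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_PATHS):
        print(e.when.isoformat(), e.kind, e.serial or "-", e.path)
    for gap in motion_without_media(SAMPLE_LOG, SAMPLE_PATHS):
        print("motion with no media within 60 s:", gap.isoformat())
```

Run stand-alone, the block prints the two media events in order and reports the 23:40:00 motion detection as unexplained. The window of 60 seconds is a tunable starting point, not a property of the device; an examiner would set it from the camera's observed recording delay.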

Security and Reverse Engineering Analysis
Using Binwalk, we extracted the binary file stored in the unallocated space, revealing data such as security certificates and system configuration.
We were able to recover the password in plaintext from several paths. One of them was the wpa_supplicant configuration file recovered from the unallocated space: the password was 12345678 under the etc/wpa_supplicant folder.
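As an added example (not code from the paper), the check below scans an extracted firmware tree for wpa_supplicant configuration files and reports whether each network block stores its key as a quoted plaintext passphrase (psk="...") or as the 64-hex-digit PBKDF2-derived key that wpa_passphrase emits, which is the form a hardened image should hold. The config syntax and the derivation (PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes) are the standard wpa_supplicant ones; the sample configuration reuses the SSID and password the paper recovered and is otherwise constructed, and the scan_tree/demo helper names are this example's own.

```python
import hashlib
import os
import re
import tempfile
from typing import List, NamedTuple


class PskFinding(NamedTuple):
    file: str
    ssid: str
    plaintext: bool   # True: psk="passphrase" in the clear; False: 64-hex derived PSK


# wpa_supplicant.conf syntax: one or more network={ ... } blocks with ssid= and psk= lines.
NETWORK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
SSID_RE = re.compile(r'^\s*ssid\s*=\s*"([^"]*)"', re.M)
PSK_RE = re.compile(r"^\s*psk\s*=\s*(.+?)\s*$", re.M)


def psk_is_plaintext(raw: str) -> bool:
    """wpa_supplicant accepts psk="passphrase" (stored in the clear) or
    psk=<64 hex digits> (the derived key). Only the quoted form leaks the passphrase."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return True
    if re.fullmatch(r"[0-9a-fA-F]{64}", raw):
        return False
    raise ValueError(f"unrecognised psk value: {raw!r}")


def scan_config_text(text: str, file: str) -> List[PskFinding]:
    """Classify every network block in one configuration file's contents."""
    findings = []
    for block in NETWORK_RE.finditer(text):
        body = block.group(1)
        ssid, psk = SSID_RE.search(body), PSK_RE.search(body)
        if ssid and psk:
            findings.append(PskFinding(file, ssid.group(1), psk_is_plaintext(psk.group(1))))
    return findings


def scan_tree(root: str) -> List[PskFinding]:
    """Walk an extracted firmware/filesystem tree and scan every wpa_supplicant*.conf."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("wpa_supplicant") and name.endswith(".conf"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_config_text(fh.read(), path))
    return findings


def derived_psk(ssid: str, passphrase: str) -> str:
    """WPA2-PSK derivation: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes.
    This is what `wpa_passphrase` writes, so the device need not store the passphrase."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


# Constructed sample configuration. The first block reuses the SSID and password the
# paper recovered; the second shows the derived-key form a hardened image would hold.
SAMPLE_CONF = f"""ctrl_interface=/var/run/wpa_supplicant
network={{
    ssid="NETGEAR05"
    psk="12345678"
    key_mgmt=WPA-PSK
}}
network={{
    ssid="LabNet"
    psk={derived_psk('LabNet', 'correct horse battery staple')}
    key_mgmt=WPA-PSK
}}
"""


def demo() -> List[PskFinding]:
    """Write the sample config into a throwaway etc/wpa_supplicant/ tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "etc", "wpa_supplicant")
        os.makedirs(conf_dir)
        with open(os.path.join(conf_dir, "wpa_supplicant.conf"), "w") as fh:
            fh.write(SAMPLE_CONF)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        state = "PLAINTEXT passphrase" if f.plaintext else "derived PSK"
        print(f"{f.file}: ssid={f.ssid!r} {state}")
```

Storing the derived key rather than the passphrase does not protect the network from anyone who already holds the dump (the PSK itself is what authenticates), but it stops the dump from disclosing a passphrase the owner may reuse elsewhere, which is the exposure the plaintext finding above illustrates.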

Forensic Analysis of the Kasa Smart Light Bulb
The chip-off data recovery did not hold any valuable data that could benefit the investigation. The mobile app analysis led us to the discovery of a database file called iot.db that has five tables: accounts, devices, locations, scenes, and device groups. The following list describes the data that this database carries:
• Accounts: device ID, creation time, updated time, email, password, token, refresh token, first and last names
• Devices: device ID, creation time, updated time, IP address, software and hardware versions, cloud status, and RSSI
• Locations: device ID, account ID, creation time, updated time, timezone, latitude, longitude, and home settings
• Scenes: device ID, account ID, image URL, and usage count
• Device groups: device ID, account ID, creation time, updated time, and type
Due to the limited data population, the analysis revealed that only the locations table holds data. For instance, the latitude and longitude of the IoT device are stored in base64 format, e.g., XVZJ9gJ60LooZlDzd/o1eA==; decoding this base64 value, we obtained 39.7392 (see Figure 5).
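The following is an added example, not code from the paper or from the Kasa app, of the triage step that produces the "only the locations table holds data" finding mechanically: build a database with the five table names described above, count rows per table from sqlite_master, and list the columns whose names mark them as credentials or tokens so they can be handled under the investigation's evidence-handling rules. The column names, the sample row, and the longitude placeholder are assumed; only the table names and the latitude value come from the text.

```python
import sqlite3
from typing import Dict, List

# Assumed schema: the five table names are from the paper, the column names are
# this example's guesses at the fields the text lists for each table.
SCHEMA = """
CREATE TABLE accounts (device_id TEXT, created INTEGER, updated INTEGER, email TEXT,
    password TEXT, token TEXT, refresh_token TEXT, first_name TEXT, last_name TEXT);
CREATE TABLE devices (device_id TEXT, created INTEGER, updated INTEGER, ip TEXT,
    sw_version TEXT, hw_version TEXT, cloud_status TEXT, rssi INTEGER);
CREATE TABLE locations (device_id TEXT, account_id TEXT, created INTEGER, updated INTEGER,
    timezone TEXT, latitude TEXT, longitude TEXT, home_settings TEXT);
CREATE TABLE scenes (device_id TEXT, account_id TEXT, image_url TEXT, usage_count INTEGER);
CREATE TABLE device_groups (device_id TEXT, account_id TEXT, created INTEGER,
    updated INTEGER, type TEXT);
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for iot.db with one constructed row in locations only,
    mirroring the data population the paper reports."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO locations VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        ("dev-0001", "acct-0001", 1585952400, 1585952400, "America/Denver",
         "XVZJ9gJ60LooZlDzd/o1eA==",        # latitude value quoted in the text
         "<longitude placeholder>",         # constructed; the paper does not print it
         "{}"),
    )
    conn.commit()
    return conn


def table_row_counts(conn: sqlite3.Connection) -> Dict[str, int]:
    """Row count for every user table, read from sqlite_master so nothing is assumed."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    return {n: conn.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}


def populated_tables(conn: sqlite3.Connection) -> List[str]:
    """Tables worth examining first: those that actually carry rows."""
    return [n for n, c in table_row_counts(conn).items() if c > 0]


def sensitive_columns(conn: sqlite3.Connection) -> List[str]:
    """Columns named like credentials (password, token), whatever their row count,
    so the examiner knows where secrets would sit and what to redact in a report."""
    hits = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for _cid, col, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in col.lower() for k in ("password", "token")):
                hits.append(f"{table}.{col}")
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    for table, count in table_row_counts(db).items():
        print(f"{table:14s} {count} row(s)")
    print("populated:", populated_tables(db))
    print("credential columns:", sensitive_columns(db))
```

The same three functions run unchanged against a real iot.db opened with sqlite3.connect on a working copy of the file; the point of reading table names from sqlite_master is that a newer app version adding or renaming tables does not silently escape the triage.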

Forensic Analysis of Home Automation Devices (FAHAD) Model
The proposed model follows a multi-faceted approach, targeting both responding to an incident and clarifying investigative techniques in the absence of some connected devices, such as smartphones. Sometimes an investigator investigates an incident that has many missing elements; therefore, this model concentrates on these types of incidents to update current IoT forensic procedures. To this end, we emphasize the importance of setting strong credentials when creating usernames and passwords for these devices, as bad actors might be able to sniff a network capture and brute-force the login to the device to gain access to the system. Such behavior might also lead to tampering with evidence data, leaving false or no traces of the attempts. Moreover, the integrity of recorded videos should match the logs we illustrated in this research; an investigator should verify the logs of all streamed data. When it comes to devices such as the smart light bulb, a good amount of information can be retrieved from these devices to clarify many clues related to a crime, for instance the connected device ID, timestamps, and account ID. These might lead to a better understanding of who is controlling these devices at home and provide a meaningful trace of their activities. At the same time, the security of these devices is very important, and it seems to be neglected by individuals and manufacturers. The eufy Floodlight Camera has its password and other credentials in plaintext, as well as an accessible file system that contains sensitive data. Factors of IoT devices influencing traditional digital forensics have been discussed by Yaqoob et al. (Yaqoob, Hashem, Ahmed, Kazmi, & Hong, 2019). In our study, we encountered some of these factors (i.e., limited visibility, short survival period, and lack of logs). A framework was proposed by Kim et al. (Kim et al., 2020) that demonstrates the phases of smart home forensic investigation.
In this work, we propose a non-traditional model (Figure 8) that demystifies important processes during the identification, examination, and presentation of a smart home forensic investigation. The Kasa cam app contains thumbnails that can be preserved from the following path: /cache/image manager disk cache/32bytes hex value.0 (Kim et al., 2020). Also, those authors claimed that the Android app stores an XML file containing information such as device ID, device model, locations, accounts, and hardware and software versions. In our work, we conduct our analysis on the iOS app, which contains similar artifacts such as the iot.db database file, but stores information in a group.tplink.Kasa.plist file. A discussion of IoT features and architecture pertaining to security, cybercrime, and digital forensics enhances the overall application of smart things (Atlam, Alenezi, Alassafi, Alshdadi, & Wills, 2020). The proposed model in Figure 8 emphasizes the importance of a non-traditional approach in responding to cybercrimes related to home automation devices. Basically, the model begins with a process that distinguishes traditional from non-traditional methods. For instance, if an investigator determines that timeline-related and user-identifiable evidence is important, and the remote control device (e.g., smartphone or smart hub) is absent, a non-traditional digital forensic technique should be adopted, along with validating the outcome of the examination. Moreover, the examination process sometimes encounters an encrypted piece of data, which requires an investigator to seek available decoding techniques. Therefore, each process of the non-traditional approach is slightly different from the known processes of digital forensics. For instance, the identification and acquisition processes might pose a challenge to an investigator, leading to failure in acquiring the data.
It is crucial to identify all possible connected devices, chips, and electronic sensors, and to select the correct acquisition methodology. The analysis process is completely different from what is currently known. We insist on the need for an incident response mindset when investigating smart devices. As mentioned earlier, these devices share a large volume of data, and a traditional investigation will not reach a good conclusion. Today, these devices might be hacked and tampered with; therefore, accurate digital evidence should answer all six key questions (who, when, why, where, what, and how). Answering these questions is not similar to a computer forensics examination; thus, one needs to be able to manually carve data and analyze the available logs so they can be correlated with other events (i.e., sensor and system logs). Finally, the validation process ensures that the investigation followed accurate procedures and met digital forensics and data integrity standards.

Conclusion
This research analyzed two smart devices, targeting a generalized model that can be applied to other IoT devices. The model concentrates on non-traditional techniques, and all phases of the model were supported by the conducted technical experiment. This model does not cover the security aspect of IoT devices; therefore, for future work we plan to include incident response and various attack vectors in the model.

Declaration of Conflicting Interest
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) declared no financial support for the research, authorship, and/or publication of this article.