PhD Thesis
Electromagnetic Side-Channel Analysis Methods for Digital Forensics on Internet of Things
Contribution Summary
This thesis addresses the challenge of IoT forensics by exploring the potential of leveraging Electromagnetic Side-Channel Analysis (EM-SCA) as a forensic evidence acquisition method for Internet of Things (IoT) devices. A model for IoT forensics using EM-SCA methods is formulated, enabling investigators to perform complex forensic insight-gathering procedures without expertise in EM-SCA. A proof-of-concept, EMvidence, is implemented as an open-source software framework, utilizing a modular architecture to extract specific forensic insights from IoT devices. The thesis presents methods for acquiring forensic insights, including detecting cryptography-related events, firmware version, and malicious modifications to the firmware. Machine Learning algorithms are used to automatically identify known patterns of EM radiation with over 90% accuracy. The thesis also explores two approaches to reduce the computational overheads associated with processing EM data: reducing the sample rate and selecting useful channels. The findings of this thesis pave the way for non-invasive forensic insight acquisition from IoT devices, with the potential to become the lifeline of future digital forensic investigations.
Keywords: Electromagnetic Side-Channel Analysis; Internet of Things; Digital Forensics; Machine Learning; IoT Forensics; EM-SCA; Forensic Evidence Acquisition; Non-invasive Forensic Insight Acquisition
Abstract
Modern legal and corporate investigations heavily rely on the field of digital forensics to uncover vital evidence. The dawn of IoT devices has expanded this horizon by providing new kinds of evidence sources that were not available in traditional digital forensics. However, unlike desktop and laptop computers, the bespoke hardware and software employed on most IoT devices obstruct the use of classical digital forensic evidence acquisition methods. This situation demands alternative approaches to forensically inspect IoT devices. Electromagnetic Side-Channel Analysis (EM-SCA) is a branch of information security that exploits the EM radiation of computers to eavesdrop and exfiltrate sensitive information. A multitude of EM-SCA methods have been demonstrated to be effective in attacking computing systems under various circumstances. The objective of this thesis is to explore the potential of leveraging EM-SCA as a forensic evidence acquisition method for IoT devices. Towards this objective, this thesis formulates a model for IoT forensics that uses EM-SCA methods. The design of the proposed model enables investigators to perform complex forensic insight-gathering procedures without having expertise in the field of EM-SCA. In order to demonstrate the function of the proposed model, a proof-of-concept was implemented as an open-source software framework called EMvidence. This framework utilises a modular architecture following the Unix philosophy, where each module is kept minimalist and focused on extracting a specific forensic insight from a specific IoT device. By doing so, the burden of dealing with the diversity of the IoT ecosystem is distributed from a central point into individual modules. Under the proposed model, this thesis presents the design, the implementation, and the evaluation of a collection of methods that can be used to acquire forensic insights from IoT devices using their EM radiation patterns.
These forensic insights include detecting cryptography-related events, firmware version, malicious modifications to the firmware, and the internal forensic state of the IoT devices. The designed methods utilise supervised ML algorithms at their core to automatically identify known patterns of EM radiation with over 90% accuracy. In practice, the forensic inspection of IoT devices using EM-SCA methods may often be conducted during the triage examination phase using moderately-resourced computers, such as laptops carried by the investigators. However, the scale of EM data generation with fast sample rates and the dimensionality of EM data due to large bandwidths necessitate rich computational resources to process EM datasets. This thesis explores two approaches to reduce such overheads. Firstly, a careful reduction of the sample rate is found to reduce the generated EM data by up to 80%. Secondly, an intelligent channel selection method is presented that drastically reduces the dimensionality of EM data by selecting 500 dimensions out of 20,000. The findings of this thesis pave the way to non-invasive forensic insight acquisition from IoT devices. With IoT systems increasingly blending into day-to-day life, the proposed methodology has the potential to become the lifeline of future digital forensic investigations. A multitude of research directions are outlined, which can strengthen this novel approach in the future.
BibTeX
@phdthesis{sayakkara2020PhDEMSideChannelIoT,
title="{Electromagnetic Side-Channel Analysis Methods for Digital Forensics on Internet of Things}",
author={Sayakkara, Asanka},
school={School of Computer Science, University College Dublin},
month=09,
year=2020,
address={Dublin, Ireland},
abstract={Modern legal and corporate investigations heavily rely on the field of digital forensics to uncover vital evidence. The dawn of IoT devices has expanded this horizon by providing new kinds of evidence sources that were not available in traditional digital forensics. However, unlike desktop and laptop computers, the bespoke hardware and software employed on most IoT devices obstruct the use of classical digital forensic evidence acquisition methods. This situation demands alternative approaches to forensically inspect IoT devices. Electromagnetic Side-Channel Analysis (EM-SCA) is a branch of information security that exploits the EM radiation of computers to eavesdrop and exfiltrate sensitive information. A multitude of EM-SCA methods have been demonstrated to be effective in attacking computing systems under various circumstances. The objective of this thesis is to explore the potential of leveraging EM-SCA as a forensic evidence acquisition method for IoT devices. Towards this objective, this thesis formulates a model for IoT forensics that uses EM-SCA methods. The design of the proposed model enables investigators to perform complex forensic insight-gathering procedures without having expertise in the field of EM-SCA. In order to demonstrate the function of the proposed model, a proof-of-concept was implemented as an open-source software framework called EMvidence. This framework utilises a modular architecture following the Unix philosophy, where each module is kept minimalist and focused on extracting a specific forensic insight from a specific IoT device. By doing so, the burden of dealing with the diversity of the IoT ecosystem is distributed from a central point into individual modules. Under the proposed model, this thesis presents the design, the implementation, and the evaluation of a collection of methods that can be used to acquire forensic insights from IoT devices using their EM radiation patterns.
These forensic insights include detecting cryptography-related events, firmware version, malicious modifications to the firmware, and the internal forensic state of the IoT devices. The designed methods utilise supervised ML algorithms at their core to automatically identify known patterns of EM radiation with over 90% accuracy. In practice, the forensic inspection of IoT devices using EM-SCA methods may often be conducted during the triage examination phase using moderately-resourced computers, such as laptops carried by the investigators. However, the scale of EM data generation with fast sample rates and the dimensionality of EM data due to large bandwidths necessitate rich computational resources to process EM datasets. This thesis explores two approaches to reduce such overheads. Firstly, a careful reduction of the sample rate is found to reduce the generated EM data by up to 80%. Secondly, an intelligent channel selection method is presented that drastically reduces the dimensionality of EM data by selecting 500 dimensions out of 20,000. The findings of this thesis pave the way to non-invasive forensic insight acquisition from IoT devices. With IoT systems increasingly blending into day-to-day life, the proposed methodology has the potential to become the lifeline of future digital forensic investigations. A multitude of research directions are outlined, which can strengthen this novel approach in the future.}
}