Designing a Forensic-ready Wi-Fi Access Point for the Internet of Things

Bibliographic details
Published in: IEEE internet of things journal 2023-12, Vol.10 (23), p.1-1
Main authors: Palmese, Fabio; Redondi, Alessandro E. C.; Cesana, Matteo
Format: Article
Language: eng
Description
Summary: Recent advances in the Internet of Things are leading to a proliferation of smart devices in our daily life. Having so many connected devices around us potentially introduces new witnesses that can be a reference for forensic investigations. For these reasons, IoT Forensics has become a popular research area with the goal of extracting information from IoT devices to be used as potential evidence. This work presents Feature-Sniffer, a framework to be installed in Wi-Fi Access Points with the aim of facilitating the extraction of network traffic information from IoT devices, to be later used for forensic purposes. The tool allows the on-the-fly computation of traffic features from connected IoT devices by using a simple user interface for its configuration. After presenting the tool logic and its implementation details, we present an accurate analysis of the tool computational impact on two different consumer Wi-Fi access points. Finally, we present four different IoT forensics use cases, in which network traffic features extracted with the proposed tool from consumer IoT devices are analyzed with Machine Learning techniques with the goal of (i) identifying the device producing the traffic, (ii) recognizing the activity performed by the user, (iii) detecting the user's passage through a room door, and (iv) detecting and classifying user interactions with a smart speaker. We conclude the work by presenting an analysis of possible storage optimization for evidence preservation with the use of lossy compression techniques.
ISSN: 2327-4662
DOI: 10.1109/JIOT.2023.3304423