Legal and ethical issues of pre-incident forensic analysis.




Forensic practitioners, legal issues, vulnerability research


Investigators searching for digital evidence may encounter a variety of different IoT (Internet of Things) devices. Data in such devices and their environments can be both valuable and highly volatile. To meet best practices and to process these devices in an expeditious and forensically-sound manner, an investigator should have a predefined plan. Developing such plans requires prior knowledge developed through the exploration and experimentation of the “target” devices. The expanding variety, number, and pervasiveness of IoT devices means there is an increasing need for pre-incident analysis to ensure forensic tools and techniques acquire, preserve and document evidence appropriately. Many of these IoT devices have proprietary file- and operating-systems and may employ mechanisms to protect intellectual property by limiting or preventing access by researchers. Disassembly of the device and circumventing these mechanisms may be restricted by contract, end-user licence agreement (EULA) or legislation regarding intellectual-property rights. Legislative exclusions exist for security research, in some jurisdictions, permitting legitimate analyses. The pre-incident analyses of hardware to establish a forensic process bear some similarity to vulnerability and security research; however, there are distinct differences in their end goals. This paper discusses the legal and ethical issues that may be encountered when conducting pre-incident forensics analyses focussing on IoT hardware. It highlights areas of particular concern, identifies best practice and subjects requiring future work as presented in the literature before providing a series of recommendations for forensics investigators processing these types of devices.

Author Biographies

Dr Iain Sutherland, Noroff University College

Dr Iain Sutherland is Professor of Digital Forensics and Head of Research at Noroff University College in Kristiansand, Norway, a university he helped to establish in 2012. A recognised expert in computer forensics, he has supervised several PhD students and provided evidence as an expert witness. He has authored articles ranging from forensics practice and procedure to network security.

Dr Matthew Bovee, Norwich University

Dr Matthew Bovee is former Director of the Senator Patrick Leahy School of Cybersecurity and Advanced Computing, Norwich University, Vermont, USA. Awarded many competitive grants, he also led recent School recertification as an NSA Center of Academic Excellence, managed the School’s one-of-a-kind high-profile “Super Bowl 50” live-fire cybersecurity project, mentors student cybersecurity research, and teaches digital forensics and computer science.

Dr Konstantinos Xynos, Mycenx Consultancy Services

Dr. Konstantinos Xynos has a strong interest in embedded devices, IoT and games consoles. Not only does he observe a device’s security aspects but also its potential value in the realm of digital forensics. When not working as a cyber security consultant, he continues to pursue an active research role investigating hardware and software challenges that encompass these devices and their technological advances.

Dr Huw O. L. Read, Norwich University

Dr. Huw O.L. Read is Charles A. Dana Professor of Digital Forensics and the Director of the Centre of Cybersecurity and Forensics Education and Research (CyFER) at Norwich University, Vermont, USA. For over 15 years, he has taught in several countries, authored over 20 peer-reviewed publications in the field and has been awarded numerous competitive grants.