Authors: Jens-Petter Sandvik (National Criminal Investigation Service (Kripos) and NTNU), Katrin Franke (Norwegian University of Science and Technology and NTNU), Habtamu Abie (Norwegian Computing Centre), and Andre Årnes (NTNU and Telenor Group)



The ability to examine evidence and reconstruct files from novel IoT operating systems, such as Contiki with its Coffee File System, is becoming vital in digital forensic investigations. Two main challenges for an investigator facing such devices are that (i) the forensic artifacts of the file system are not well documented, and (ii) there is a lack of available forensic tools. To meet these challenges, we use code review and an emulator to gain insight into the Coffee file system, including its functionality, and implement reconstruction of deleted and modified data from extracted flash memory in software. We have integrated this into a forensic tool, COFFOR, and analyzed the Coffee File System to reconstruct deleted and modified files. This paper presents an overview of the artifacts in the file system and implements methods for the chronological ordering of the deleted file versions, and discusses these methods’ limitations. Our results demonstrate that forensic acquisition and analysis of devices running the Contiki operating system can reveal live and deleted files, as well as file version history. In some cases, a complete, chronological ordering of the version history can be reconstructed.