Authors: Vijay Kumar, George Oikonomou, Theo Tryfonas, Dan Page, Iain Phillips
DFRWS USA 2014
Developments in the field of Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) mean that sensor devices can now be uniquely identified using an IPv6 address and, if suitably connected, can be directly reached from the Internet. This has a series of advantages but also introduces new security vulnerabilities and exposes sensor deployments to attack. A compromised Internet host can send malicious information to the system and trigger incorrect actions. Should an attack take place, post-incident analysis can reveal information about the state of the network at the time of the attack and ultimately provide clues about the tools used to implement it, or about the attacker’s identity. In this paper, we critically assess and analyze information retrieved from a device used for IoT networking, in order to identify the factors which may have contributed to a security breach. To achieve this, we present an approach for the extraction of RAM and flash contents from a sensor node. Subsequently, we analyze extracted network connectivity information and we investigate the possibility of correlating information gathered from multiple devices in order to reconstruct the network topology. Further, we discuss experiments and analyze how much information can be retrieved in different scenarios. Our major contribution is a mechanism for the extraction, analysis, and correlation of forensic data for IPv6-based WSN deployments, accompanied by a tool which can analyze RAM dumps from devices running the Contiki Operating System (OS) and powered by 8051-based, 8-bit micro-controllers.