E-IoT Device Digital Forensics in Smart Cities

Introduction

The Saudi Arabian government formally revealed the concept of "The Line" smart city project as part of the Neom project in July 2022. The goal of Neom City is to use artificial intelligence (AI) technology to provide an optimal environment and to replace fossil energy with green energy. Beyond planned settlements, the transition to green energy is already under way. The global growth in electric vehicle usage, the expansion of the renewable energy market, and the demise of the coal sector are all part of attempts to achieve city decarbonization. Around the world, national energy regulations and government backing are being tightened. The shift from fossil to renewable energy has resulted in higher demand for electricity.

As a result, the transmission and distribution infrastructure for power has changed. The development of 5G communication technology and the growth of infrastructure have resulted in the application of modern information and communications technology (ICT) in power systems. Traditional power systems are centralized and consist of one-way sequential processes from power generation and transmission through conversion and consumption. The smart grid with ICT, on the other hand, consists of a ring structure with an energy management system, an energy storage system (ESS), and advanced metering infrastructure (AMI). It is more efficient than traditional energy management systems because it can adjust the functionality of each stage based on the information and services exchanged.

Energy data is gathered and analyzed using IoT devices in smart grids by placing sensors and communication modules at power transmission and distribution stations. In contrast to traditional power systems, where energy measurements are saved in the device's internal storage, energy measurements in smart grids are stored on servers. Power providers evaluate the acquired data and utilize it for prediction and monitoring to keep the system stable; for example, power demand forecasting, energy efficiency improvement, and failure avoidance. In addition to IoT devices administered by power companies, their application for energy management in houses has recently expanded.

E-IoT systems offer the benefit of being able to manage data efficiently. However, because all of the devices are networked for energy management in households and businesses, they pose several security risks [4,5]. If one of the system's E-IoT devices is infected with malware or hacked, the entire system might become paralyzed. Attacks on E-IoT devices can disrupt the functioning of smart cities and smart households, as well as the city's entire manufacturing operations. Furthermore, attacks can take the form of influencing energy use or obtaining personal information, which can then be utilized for secondary attacks such as identity theft.

Furthermore, if an attacker analyzes energy use data to predict the activity time of power managers and users, cyber-attacks can escalate to physical attacks. As a result, in this work, we apply digital forensics to E-IoT to anticipate vulnerabilities and respond rapidly to security incidents.
We investigate the likelihood of vulnerability and personal information leakage by applying digital forensics to E-IoT devices. An E-IoT test bed is developed utilizing AMI devices, home energy IoT, and home appliances to apply digital forensics to E-IoT devices. To provide digital forensic methods that may be best applied to E-IoT settings, we build a test bed analogous to genuine E-IoT environments. We employ genuine E-IoT devices in the execution of this technique. The following are the study's contributions:
  • A test bed for implementing E-IoT digital forensics was constructed, and E-IoT-specific methodology was developed. DCUs and smart meters, which are AMI devices used in Korean electricity systems, were employed in a real-world scenario.
  • To create the test bed, an E-IoT system environment was set up. E-IoT devices were grouped into three categories to examine the E-IoT system environment: (1) AMI device, (2) home-energy IoT, and (3) home appliance, and equipped with an H-IoT system environment.
  • Data capture and analysis methodologies for E-IoT digital forensics were presented. The approach comprised (1) network packet data analysis, (2) hardware interface analysis, and (3) analysis of a mobile device coupled with E-IoT devices.
  • The methodology was applied to DCUs and smart meters, which are AMI devices, smart plugs and smart heating controllers, which are part of the home energy IoT, and smart microwaves and smart monitoring systems, which are home appliances, for the experiments on actual E-IoT devices. The device vulnerabilities and potential for personal information exposure were identified.

Smart Homes and Cities with Electric Power and Energy-Related IoT

E-IoT devices, like AMI devices, have been created in response to the rise of smart cities in order to efficiently manage energy and analyze energy data. E-IoT devices use wired and wireless connectivity to communicate and manage data to servers. Smart plugs and energy control technologies are examples of home-energy IoT devices that have been created for energy management and reduction. Real-time energy management is possible with home IoT. Energy management services for several smart home gadgets are available to track their energy use. The home energy IoT system, AMI devices, and smart home appliances were all included in the E-IoT system that was taken into consideration. The H-IoT system's environment was also examined.

E-IoT and H-IoT

Figure 1 depicts the composition of E-IoT and H-IoT. H-IoT and E-IoT devices are classified as smart home appliances, home-energy IoT, and AMI devices. Smart home appliances use IoT to provide user services at home; examples include smart TVs, smart home cameras, smart microwaves, and smart humidifiers. Recently, smart-home IoT manufacturers have added energy management services and functionalities to H-IoT and made them available to consumers via the manufacturer's platform. Figure 2 depicts the SmartThings platform of Samsung, which manufactures smart home equipment.

The energy consumption of a smart home appliance may be monitored using the mobile device platform that is linked to it. Some IoT devices can both regulate and monitor energy use. In this study, these H-IoT devices are classified as home-energy IoT. Home-energy IoT is used to regulate or monitor energy in order to save energy and manage it effectively. It consists of smart plugs, smart switches, and so on. Furthermore, home-energy IoT may be utilized to operate IoT devices and monitor energy use via associated smartphones. AMI devices are used to remotely assess energy use at home using an energy management server. DCUs and smart meters are examples of AMI devices. Smart meters collect data on household energy consumption and transmit it to DCUs. The data acquired in the DCU is transmitted to the server, where it is maintained.


Figure 1: Configuration of E-IoT and H-IoT devices as AMI devices, home-energy IoT devices, and smart home appliances.

Figure 2: Samsung's SmartThings Energy included service [14].

H-IoT and E-IoT share smart home appliances and home-energy IoT because they give services to consumers and may be used to assess energy use. AMI devices are classified as E-IoT devices. The environment of the E-IoT and H-IoT systems is examined based on this setup.

3.2. E-IoT System Environment Analysis

Table 1 provides a comparison of the environments of E-IoT and H-IoT systems. The environment was divided into communication, protocol, operating system (OS), hardware, and data priority groups for the analysis.

3.2.1. Communication

When interacting with a smartphone or a cloud server, the H-IoT exchanges user and system data. Because the user data shared between the H-IoT and the server contains personal information, it is sent over a secure transport layer security (TLS) connection. To offer consumers a high-quality service, the response time while interacting with the server must be reliable, and high-performance communication is necessary due to the vast volume of the picture or speech data delivered.
Because it exchanges data of a smaller size than user data, which consists of video and speech data, the E-IoT sends data using recommended standard (RS) serial communication, which has a basic structure.

Because minimal amounts of data are transferred, the response time is low. Real-time responsiveness is vital in E-IoT devices since it is necessary to retain and capture data over time. In other words, real-time performance and data response are critical, and communication latency is undesirable.

3.2.2. Protocol

While most of the time the H-IoT links with smartphones, it can occasionally connect directly to cloud servers without the need for them. In order to connect with smartphones, the H-IoT employs IEEE 802.11 (Wi-Fi) or IEEE 802.15 (Bluetooth) protocols; some smaller H-IoT devices also use low-power protocols like Zigbee. H-IoT devices can be connected to a PC or other devices by wire or wirelessly, through USB or Wi-Fi. When an IoT device and a PC are linked via USB, data may be retrieved from the device to the PC and sent from the PC to the device.

Certain E-IoT devices can connect with other nearby IoT devices through the Zigbee protocol, sending and receiving data using the same protocol as H-IoT devices in houses. One of the most important distinctions between H-IoT and E-IoT is the requirement that data be carried over a large range in order to reach the server. Therefore, the long-range wide area (LoRa) protocol is used by E-IoT devices that transmit and receive data over a wide area. Due to its low power and cheap cost, the LoRa protocol is utilized for sending and receiving IoT sensor data. Furthermore, because E-IoT devices employ specific protocols like IEEE 1815.1, they are hard for non-administrators to reach and detect.

3.2.3. Hardware

Most IoT devices are small. Their CPUs, sensors, and memory are constrained because of the small printed circuit board (PCB) of the downsized device. Because it uses less hardware, the H-IoT has a short replacement cycle of three to five years. Some H-IoT devices have a hardware interface such as a joint test action group (JTAG) or universal asynchronous receiver-transmitter (UART) port. During manufacture, the JTAG/UART interface is utilized to check normal booting or for debugging. Nevertheless, a large number of H-IoT devices lack JTAG/UART interfaces due to their shrinking sizes.

E-IoT devices may accommodate a variety of sensors and processors since they are larger than H-IoT devices. In the E-IoT, precise sensors are employed to improve data accuracy. Because only specific elements can be changed in the event of a device failure and because replacement requires significant effort and money, E-IoT devices have a lengthy replacement cycle of 15 to 20 years. Hardware interfaces on E-IoT devices are JTAG/UART ports, much like on H-IoT devices. The E-IoT also features a serial connection for RS connectivity.

3.2.4. Operating System

Because they are made by different manufacturers and have varied functionalities in each device, H-IoT devices have diverse operating systems. The most common operating systems are Linux and Android. However, because system requirements change according to the device's purpose, manufacturers occasionally create custom operating systems for every IoT device.
E-IoT devices primarily consist of data transmission and energy measuring functions, as opposed to H-IoT devices, which need a variety of functionalities in order to offer services to customers. As a result of their low capability needs, they usually do not require various operating systems customized for different manufacturers. Because E-IoT is utilized by administrators, an embedded Linux-based operating system is generally used.

3.2.5. Priority of Data

H-IoT's primary goal is to fulfill user requests for services. When transferring service data, H-IoT devices employ secure connection to safeguard the information. To maintain data confidentiality, user data is safeguarded. Since user data makes up a larger portion of H-IoT data than system data, data confidentiality is more important to preserve than data availability or integrity.
E-IoT is designed to gather and process energy consumption data from residences and businesses. In other words, the primary data is energy utilization, which is made up of system data. In this instance, confidentiality is less of a priority because there is less personal information in the system data. On the other hand, data availability and integrity are crucial.

4. E-IoT Data Acquisition

A methodology for data collection and analysis is presented for the digital forensics of E-IoT devices. The methodology comprises three data collection techniques. The programs utilized in these techniques are listed in Table 2. The first technique is network packet data analysis, which uses a network packet capture tool to obtain packets that are transmitted between servers and E-IoT devices. Depending on whether encryption is present or not, network protocol analysis tools and web proxy tools are used to get packet data from E-IoT devices.

Table 2: Programs utilized in the E-IoT data acquisition process.


The second technique involved examining hardware interfaces such as data storage chips and serial ports on E-IoT devices to collect data. It entailed locating, among the physical hardware interfaces, a port that could be linked to a PC or a memory chip for chip-off. Since most E-IoT devices receive data via serial connection, PuTTY is used to dump internal data images if serial ports are discovered in the hardware interface.
Because home-energy IoT and smart home appliances (excluding AMI devices) may be paired with mobile devices, the third technique was to evaluate the data saved in the paired mobile devices and gather app data relevant to E-IoT devices. The FTK Imager tool is used to evaluate the data structure of mobile devices. Because most mobile devices hold internal data in the form of databases, DB Browser for SQLite is used to evaluate the data.

4.1. Analyzing Network Packet Data

To safeguard data, E-IoT devices connect with servers through TLS. Because device data, system data, and user-sensitive information are sent, the collection of packet data between the E-IoT and servers is critical. We obtained and analyzed unencrypted and encrypted packets in our work utilizing network protocol analysis tools and web proxy technologies.
Wireshark, a network protocol analysis tool, was utilized in this study to collect packet data from E-IoT devices. Wireshark is available for a variety of operating systems, including Windows, Linux, and macOS, and it can inspect network protocols such as hypertext transfer protocol (HTTP) and user datagram protocol. It can also capture traffic on links such as Ethernet and Bluetooth.

Wi-Fi created by a PC was connected to E-IoT devices in the study to capture packets in the immediate vicinity. Although network protocol analysis tools such as Wireshark may obtain encrypted packets, the contents of the encrypted packets cannot be studied.
Encrypted packets from E-IoT devices that could not be analyzed in this way were studied using web proxy software. A web proxy tool uses the man-in-the-middle approach to intercept and analyze encrypted TLS traffic via proxy settings. In other words, the web proxy tool works as a proxy between the user's computer and the server to debug HTTP traffic. Fiddler, Charles Proxy, and Burp Suite are examples of common web proxy tools.

In this paper, we use Burp Suite, which supports TLS 1.3, to obtain encrypted packets from E-IoT devices. Burp Suite can analyze HTTP communication in all browsers as well as HTTP secure (HTTPS) communication by installing the certificate authority on the device. Burp Suite provides a selection of TLS versions and encryption configurations, allowing it to capture just the necessary packets.
To analyze encrypted packets from E-IoT devices, the web proxy must be trusted by installing a web proxy tool certificate on the E-IoT devices. However, putting certificates directly on E-IoT devices has restrictions due to issues such as rework and memory capacity. Instead, a certificate was loaded on a smartphone connected to E-IoT in order to obtain and analyze packets from E-IoT devices.

4.2. Hardware Interface Analysis

Many E-IoT devices, unlike smartphones and other devices, do not have PC connectivity. However, interfaces such as serial ports, UART, and JTAG on a PCB obtained by dismantling an E-IoT device can be used to connect to a PC. UART/JTAG interfaces are utilized during manufacture to check normal booting or to debug E-IoT devices. However, for security reasons, most manufacturers conceal the implemented debugging port or delete the indicated port. E-IoT devices were dismantled in this investigation to evaluate whether the port existed and, if so, in what manner it was deployed. If no such port could be identified, the option of chip-off was explored.

When getting internal data at the software or hardware level is challenging, chip-off is employed. Chip-off is the physical removal of NAND flash memory chips from a PCB followed by the acquisition of their data. This strategy requires a thorough grasp of several pieces of technology and equipment. The data on the NAND flash memory chip acquired during chip-off can be saved in the form of a raw image. However, because many E-IoT devices store data on cloud servers, this solution proved difficult to implement because the NAND flash memory chip was not available in such circumstances.

4.3. Mobile Devices Paired with E-IoT Devices

Mobile devices may be associated with E-IoT devices throughout the use process to remotely operate E-IoT equipment. The data of E-IoT devices may be obtained by examining the internal data of mobile devices coupled with E-IoT devices. To collect data from mobile devices connected to E-IoT devices, the operating system and file system of the mobile devices must be examined. E-IoT devices were linked with Samsung smartphones in this investigation. Samsung cellphones run the Android operating system, and the vast majority of them use the extended file system 4 (Ext4).

To obtain E-IoT data from mobile device data, user data partitions, which hold user-installed programs and user data, must be dumped. To access the user data partition on the mobile device, administrator privileges must be gained. In this investigation, the mobile device's user data partition was dumped; however, the image was encrypted, so the dump image was decrypted using Kim's findings.

Kim presented a method for decrypting the full disk encryption used in Android 10 as well as analyzing the ext4 file system. Figure 3 depicts the 'fstab' file that was evaluated in Kim's work to decrypt Android 10; decryption was achieved by altering 'forceencrypt=f', one of the entries in the file. The FTK Imager tool was used to examine the user data partition's file storage structure and extract E-IoT device app data, and the data of the E-IoT device app was studied using DB Browser for SQLite.

Figure 3: 'fstab' files studied in Kim's work to decrypt Android 10.

5. E-IoT Digital Forensics

Table 3 outlines the equipment utilized in E-IoT digital forensics. There were two types of AMI devices, two types of home-energy IoT devices, and two types of home appliances. In addition, Samsung smartphones and an LG PC were used in the experiments with the E-IoT devices. Preliminary analysis of the E-IoT devices showed that devices other than AMI devices were paired with mobile devices and used (low-power) Wi-Fi. Each E-IoT device's PCB was examined to explore its hardware interface. The DCU featured a serial communication port and a 256-MB K9F2G08UOC NAND flash memory chip, whereas the other E-IoT devices had neither a NAND flash chip nor a communication port.

Figure 4 depicts a test bed built with six E-IoT devices. Each gadget was linked to a PC-generated Wi-Fi network. Wi-Fi was used to wirelessly couple home-energy IoT and home appliance devices with mobile devices and a PC, and AMI devices were tethered to the PC through local area network (LAN) cables. Each E-IoT device was subjected to network packet data analysis and hardware interface inspection. E-IoT linked with a mobile device was used to evaluate E-IoT data saved in a mobile device's internal data. This section highlights the key artifacts discovered during data collecting and processing for E-IoT devices.

Figure 4: Test bed setup with E-IoT devices.

Table 3: Device specifications coupled with E-IoT devices utilized in the experiment.


5.1. Analysis of Network Packet Data

5.1.1. DCU and Smart Meter

The PC must be connected to the DCU before collecting network packet data. Based on the testbed arrangement shown in Figure 4, Figure 5 depicts a DCU and smart meter linked to a PC. An RS-232 cable was used to link the DCU and smart meter, and a LAN cable with an access point was used to connect the DCU and PC. The smart meter's data was condensed in the DCU and saved on the server. Wireshark, a network protocol analysis tool, was utilized at the DCU to capture and analyze network packet data.

Figure 5: DCU and smart meter linked to PC through test bed configuration.


Figure 6 shows some of the DCU packets, and Figure 7 shows a representation of the communication between the DCU and server based on Figure 6. The DCU uses the multicast domain name system (MDNS) to send query messages to the devices around it. MDNS is a protocol that is used in small networks to replace DNS servers. The MDNS protocol revealed the names of the devices that share the router with the DCU: TestICS, DESKTOP-PNFGI6H, and NPI01852B. To control communication, the DCU employed a network management system (NMS). TestICS and DESKTOP-PNFGI6H were the names of PCs that shared the DCU's router. The NPI01852B device was unverified.

From the NPI01852B name, NPI was deduced to be an acronym for NMS protocol identification, and the name was assumed to represent the identifier of a DCU-managed smart meter. As a result, the names of the devices that shared the router with the DCU were obtained. The network protocol analyzer validated the DCU's communication topology, in which the DCU searches for smart meters using the MDNS protocol and administers smart meters with NPI via NMS.

Figure 6: MDNS protocol query messages issued from DCU to PCs.

Figure 7: Diagram of AMI devices connecting with the server.
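
The name disclosure described above can be checked on any capture by decoding the question section of each MDNS message. The following Python is an added example, not the tooling used in the study; it assumes the UDP port 5353 payloads have already been exported from the capture, and the sample message bytes are constructed for illustration.

```python
import struct

MAX_POINTER_JUMPS = 16  # guard against compression-pointer loops in hostile input


def read_name(msg, off):
    """Decode the DNS name at `off`; return (name, offset just past the name)."""
    labels, jumps, resume = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if resume is None:
                resume = off + 2                   # caller continues after first pointer
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:                            # root label terminates the name
            break
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (off if resume is None else resume)


def questions(msg):
    """Return [(name, qtype, unicast_requested)] for one DNS/MDNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, out = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out.append((name, qtype, bool(qclass & 0x8000)))  # top bit: unicast reply wanted
    return out


def disclosed_local_names(payloads):
    """Collect the distinct .local names queried across payloads; skip malformed ones."""
    names = set()
    for payload in payloads:
        try:
            for name, _qtype, _qu in questions(payload):
                if name.lower().endswith(".local"):
                    names.add(name[:-len(".local")])
        except ValueError:
            continue
    return sorted(names)


# Constructed sample: one query message with two questions; the second name
# reuses "local" through a compression pointer to offset 20.
SAMPLE_QUERY = (
    b"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00"
    b"\x07TestICS\x05local\x00\x00\x01\x00\x01"
    b"\x09NPI01852B\xc0\x14\x00\x01\x80\x01"
)
# Constructed malformed message whose name is a pointer to itself.
LOOPED_QUERY = b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\xc0\x0c\x00\x01\x00\x01"

if __name__ == "__main__":
    print(disclosed_local_names([SAMPLE_QUERY, LOOPED_QUERY]))
```

Running the same function over the payloads of a segment shows which host and device names that segment exposes to any listener on it.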


To examine encrypted traffic in the DCU, we attempted to install a certificate of Burp Suite, a web proxy application. However, because administrator credentials were necessary to access the DCU directory, the certificate could not be installed on the DCU. The DCU's communication structure was identified using network packet data analysis; however, the encrypted packets could not be studied since the certificate could not be installed on the DCU. More research is required on the procedures for gaining administrator access and installing certificates.

5.1.2. Smart Microwave

The smart microwave was linked to a mobile device so that it could be controlled and recorded remotely. As a result of analyzing the packets obtained from the smart microwave, the bulk of the packets could only offer basic information such as the date, TLS version, and Session ID, as shown in Figure 8. As a result, the encrypted communication of the smart microwave was examined using the web proxy application.


Figure 8: Acquired time and session ID from network packets created when the smart microwave talks with the server.

A Burp Suite certificate was installed on the paired smartphone so that the proxy could be used with the smart microwave. Following that, the encrypted communication of the smart microwave was examined. Access tokens, cookies, and data inferred to be based on power consumption could all be acquired. Figure 9 depicts the cookies produced by the smart microwave. Figure 10 depicts some of the information retrieved from the encrypted packet; the data [1656642651819000, 0, 0] was derived from the power measured in the smart microwave.

The Unix timestamp value "1656642651819000" translates to 2:30:51 GMT on July 1, 2022. Figure 11 shows how we used the mobile platform application to verify the quantity of electricity: the date was July 1st, and the amount of power was 0 Wh. This was the only packet among those collected that had both an application access time and a 0 value. It was therefore inferred to represent the quantity of power (0 Wh) measured at that moment. Simple communication information and power consumption were acquired by applying network packet data analysis to the smart microwave.

Figure 9: Cookies obtained from network packets sent by the smart microwave when it communicated with the server.


Figure 10: Power use data extrapolated from network packets created while the smart microwave communicated with the server.


Figure 11: Mobile screen during packet capture from smart microwave.

5.1.3. Smart Monitoring System

When network packet data from the smart monitoring system was acquired and analyzed using the network protocol analysis tool, it was discovered that the majority of the acquired packets were encrypted, and thus only basic information such as the TLS 1.3 version and session ID could be obtained, as with the smart microwave. As a result, we used web proxy tools to examine the network interactions of the smart monitoring system. In this way, paired mobile device data, cookies, time logs, and user account emails were collected. Figure 12 depicts the cookies and user information acquired from the monitoring system's packets. The user-specified name and account email address were obtained. Furthermore, the URL was used to retrieve the user's profile image as well as their account email ID. Communication and user information were acquired by applying network packet data analysis to the smart monitoring system.

Figure 12: Time and user account obtained from network packets sent by the monitoring system when it communicates with the server.

Patches are necessary to protect the account email IDs and profile images, as an attacker may exploit these to perpetrate additional crimes such as theft or deepfakes.

5.1.4. Network Packet Data Analysis Attack Scenario

Through denial of service (DoS) attacks, an attacker can block valid E-IoT packets and inject malicious information. A DoS attack on an E-IoT system may disrupt electricity services. Because electricity services are linked by huge systems and networks, an attack on one system may have an impact on other systems. When an attacker steals packets, it is quite likely that the attacker will discover the user's personal information and life habits. Furthermore, if an attacker manipulates a packet's power use and transmits it to a server, consumers may be wrongly charged a greater amount. Alternatively, based on the life patterns inferred, physical attacks, such as device damage, may occur while the user is not there.

5.2. Hardware Interface Evaluation

5.2.1. DCU and Smart Meter

The DCU and smart meter PCBs were examined to see whether there was a memory chip or a connector that could be linked to a PC. Figure 13 depicts the DCU's PCB. A NAND flash memory chip and a port supporting several communication protocols were discovered. The DCU employed a 256 MB "K9F2G08UOC" NAND flash memory chip, and the PCB had RS-232 connectors. The DCU was connected to the PC through a serial port discovered during the DCU hardware interface investigation. Figure 14 depicts the smart meter's PCB.
Other than the processor, no serial port or flash memory chip was detected on the smart meter's PCB. Because the smart meter has low performance and provides its data to the DCU, there appeared to be no separate storage.

Figure 13: DCU PCB (NAND flash memory chip and RS-232 serial connection port are indicated by yellow and red squares, respectively).

Figure 14: Smart meter PCB.

PuTTY, a terminal application, was used for serial communication. Data were output normally throughout the connection; however, access to the shell required an administrator account. A login attempt was made using a common ID/password (ID/PW) combination for the administrator account, i.e., root/admin. After gaining access to the shell, the DCU internal storage directory was searched. Figure 15 depicts a search of the DCU's internal directory, which revealed that the DCU runs Linux 2.6.39 with the file systems JFFS2 and UBIFS.
Data were extracted using PuTTY's log storage capability and the hex dump command. As illustrated in Figure 16, the DCU's internal storage held a log file, which recorded the dates and times at which the DCU was accessed.

Figure 15: DCU's file system and operating system.

Figure 16: DCU use log files retrieved by DCU hardware interface examination.

When the DCU was subjected to hardware interface examination, a serial port was discovered on the PCB and the internal storage data could be extracted. Although no administrator account information was retrieved, the administrator account could be accessed using a commonly used combination. It is critical to change the default login combination: if the default ID/PW is not changed, an attacker can take over the device's privileges. This administrator account may be valuable for installing certificates on DCUs in future network packet data analysis research.

5.2.2. Hardware Interface Analysis Attack Scenario

Physically acquiring E-IoT devices is more challenging for an attacker than acquiring network packets. However, if an attacker physically obtained an E-IoT device, he or she may be able to access more exact log data than through network packet analysis. An attacker might replace a piece of hardware or modify its access rights, rendering it unavailable to an administrator. Physical attacks can potentially have an impact on higher communication tiers.

5.3. Mobile Devices with E-IoT Devices

5.3.1. Smart Plug

Power is controlled via smart plugs through buttons or associated mobile devices. Data were collected when cellphones were linked to smart plugs. The app data of the smart plug was confirmed to be saved in the directory "/data/data/com.dawon.aipm/." as a result of examining the data of the mobile device. Figure 17 shows the login, Wi-Fi information, email ID, and password from the "heritPreference.xml" file found after analyzing the directory. The PW and email ID, which are user-sensitive data, are saved in plaintext.

Figure 17: The user email ID and password were collected from the "heritPreference.xml" file.

The app package data of the smart plug could be acquired by examining the mobile device paired with the E-IoT device. Analyzing the smart plug's app package yielded an email ID and password. Because the login email and password are maintained in plaintext, sensitive personal information can be accessed by attackers, resulting in major privacy risks. PWs should thus be encrypted so that attackers cannot get them.
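
The plaintext-storage finding above can be checked systematically across an extracted app directory by auditing each Android shared-preferences XML file. The following Python is an added example, not part of the study; the key names and values in the sample are constructed (the page does not list the keys inside "heritPreference.xml"), and the "looks protected" test is a heuristic assumption.

```python
import re
import xml.etree.ElementTree as ET

# Key-name patterns per category (assumed naming conventions; tune per app).
KEY_KINDS = [
    ("password", re.compile(r"pass|pwd|(?:^|_)pw(?:$|_)", re.I)),
    ("account", re.compile(r"e-?mail|user_?id|login", re.I)),
    ("network", re.compile(r"ssid|psk|wifi", re.I)),
]
# Heuristic: long hex or base64-looking strings are treated as hashed/encrypted.
# A long alphanumeric plaintext password would be misread as protected.
OPAQUE = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{24,}={0,2})$")


def classify(key):
    """Return the sensitivity category suggested by a preference key, or None."""
    for kind, pattern in KEY_KINDS:
        if pattern.search(key):
            return kind
    return None


def audit_prefs(xml_bytes, source="<memory>"):
    """List sensitive <string> entries in one shared_prefs file.

    Values are never copied into the findings, only their length, so the
    report itself does not become a second copy of the credentials.
    """
    root = ET.fromstring(xml_bytes)
    findings = []
    for element in root.iter("string"):
        key = element.get("name", "")
        value = element.text or ""
        kind = classify(key)
        if kind is None or not value:
            continue
        findings.append({
            "source": source,
            "key": key,
            "kind": kind,
            "plaintext": OPAQUE.match(value) is None,
            "length": len(value),
        })
    return findings


def plaintext_credentials(findings):
    """Keys that hold a password-like value stored without protection."""
    return [f["key"] for f in findings
            if f["kind"] == "password" and f["plaintext"]]


# Constructed sample in the shared_prefs layout; keys and values are invented.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">user@example.com</string>
    <string name="user_pw">Winter2022!</string>
    <string name="wifi_ssid">HomeAP-2G</string>
    <string name="device_pw_sha256">9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</string>
    <boolean name="auto_login" value="true" />
    <int name="launch_count" value="12" />
</map>
"""

if __name__ == "__main__":
    for finding in audit_prefs(SAMPLE_PREFS, "heritPreference.xml"):
        print(finding)
```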

5.3.2. Smart Heat Controller

A smart heat controller is an IoT control system that regulates room temperature. A linked mobile device can be used to regulate the temperature remotely. The Garam heat controller app data was confirmed to be saved in the "/data/data/kr.co.karam.bos" directory after examining the data of the associated mobile device. Figure 18 depicts the user and energy statistics collected by examining the "database.db" file. User email IDs, registration timings, room temperature, and humidity were all collected. Although there were no sensors on the smart heat controller to monitor temperature and humidity, the temperature and humidity information acquired by the thermometer coupled with the heat controller were retrieved.

Figure 18: User data (left) and room temperature/humidity data (right) acquired from the "database.db" file.

5.3.3. Smart Microwave 

The smart microwave may be controlled and recorded remotely via a linked mobile device. The app data of the smart microwave was discovered to be saved in the "/data/data/com.samsung.android.oneconnect" directory after examining the data of the associated mobile device. Analyzing the directory yielded user and energy data. The "com.samsung.android.pluginplatform.pluginbase.sdk.PluginDataStorageImpl.d94e8ce8-bf6e-4c62-b58e-3b3542ebde07.xml" file obtained from the "shared_prefs" directory is shown in Figure 19. The name of the device for which the energy was measured (Microwave) and the quantity of power utilized (0) were recorded.

The quantity of power used was recorded up to the device's total use (thisMonthTotalUsage). Furthermore, the saved energy and percentage were recorded, allowing the past power consumption to be deduced. The "PUBLIC_DR_4c803bc6-22cb-48f5-9b53-5cb5f885bbf1.txt" file obtained from the "cache" directory is shown in Figure 20. This file enabled the identification of energy usage (this month) and costs (0) based on use.

Figure 19: Energy measuring devices and use information obtained from the "shared_prefs" directory.

Figure 20: Cost calculated based on energy use obtained from the "cache" directory.

The app data of the smart microwave was retrieved via the linked mobile device after applying the technique of the mobile device coupled with the E-IoT device to the smart microwave. The app data was analyzed to obtain the energy use data. This took time since the majority of the data gathered from the smart microwave and smart heat controller used in the experiment was saved as database files. As a result, future work will require the development of a program that can readily extract E-IoT-related information from database files.
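
One possible shape for such a program is shown below as an added example; it is not the authors' tool. It walks an extracted app directory, identifies SQLite files by their header rather than by extension, opens each one read-only so the evidence copy is not altered, and flags columns whose names suggest account or energy data. The table and column names in the sample database are constructed, and the keyword list is an assumption.

```python
import hashlib
import os
import re
import sqlite3
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"
# Column-name hints for account and energy data (assumed keywords).
INTEREST = re.compile(
    r"mail|user|temp|humid|usage|power|energy|cost|time|date", re.I)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_sqlite(path):
    with open(path, "rb") as handle:
        return handle.read(16) == SQLITE_MAGIC


def quote_ident(name):
    # Table names come from the evidence file, so quote them defensively.
    return '"' + name.replace('"', '""') + '"'


def triage_db(path):
    """Summarize one database without modifying it; hash before and after."""
    before = sha256_file(path)
    # immutable=1 stops SQLite from creating journal/WAL side files; it also
    # means un-checkpointed WAL content is not visible, so work on a copy.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = {}
        names = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        for table in names:
            ident = quote_ident(table)
            columns = [row[1] for row in con.execute(f"PRAGMA table_info({ident})")]
            rows = con.execute(f"SELECT COUNT(*) FROM {ident}").fetchone()[0]
            tables[table] = {
                "rows": rows,
                "columns": columns,
                "flagged": [c for c in columns if INTEREST.search(c)],
            }
    finally:
        con.close()
    return {"sha256": before,
            "unchanged": sha256_file(path) == before,
            "tables": tables}


def triage_tree(root):
    """Triage every SQLite file found under an extracted app directory."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in sorted(files):
            full = os.path.join(dirpath, filename)
            if os.path.isfile(full) and is_sqlite(full):
                report[os.path.relpath(full, root)] = triage_db(full)
    return report


def build_sample(root):
    """Create a constructed app-data layout; schema and rows are invented."""
    os.makedirs(os.path.join(root, "databases"))
    con = sqlite3.connect(os.path.join(root, "databases", "database.db"))
    con.executescript("""
        CREATE TABLE users (email TEXT, reg_time TEXT);
        CREATE TABLE room_state (ts INTEGER, temperature REAL, humidity REAL);
        CREATE TABLE ui_cache (k TEXT, v BLOB);
        INSERT INTO users VALUES ('user@example.com', '2022-07-01 02:30:51');
        INSERT INTO room_state VALUES (1656642651, 24.5, 41.0),
                                      (1656646251, 24.0, 43.5);
    """)
    con.commit()
    con.close()
    with open(os.path.join(root, "notes.txt"), "w") as handle:
        handle.write("not a database\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as workdir:
        build_sample(workdir)
        for relpath, summary in triage_tree(workdir).items():
            print(relpath, summary)
```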

5.3.4. Mobile Device Attack Scenario with E-IoT Devices

If an attacker obtains the user's email address and password via a mobile device connected to E-IoT devices, the attacker will have access to the user's sensitive information. Additional personal information leaks may occur if the user uses the same or similar password in another account. Furthermore, because it has recently become usual to save card information in an online account, card information leakage and financial loss may occur.
