| Field | Value |
|---|---|
| Title | Becoming JUDAS: Correlating Users and Devices during a Digital Investigation |
| Publication Type | Journal Article |
| Year of Publication | 2020 |
| Journal | IEEE Transactions on Information Forensics & Security |
| Keywords | Alexa, Data Normalisation, Digital Investigation, IoT-Forensics, JSON, OSINT |

One of the biggest challenges in IoT-forensics is the analysis and correlation of heterogeneous digital evidence, to enable an effective understanding of complex scenarios. This paper defines a methodology for extracting unique objects (e.g., representing users or devices) from the files of a case, defining the context of the digital investigation and increasing the knowledge progressively, using additional files from the case (e.g., network captures). The solution includes external searches using open source intelligence (OSINT) sources when needed. In order to illustrate this approach, the proposed methodology is implemented in the JSON Users and Devices analysis (JUDAS) tool, which is able to generate the context from JSON files, complete it, and show the whole context using dynamic graphs. The approach is validated using the files in an IoT-Forensic digital investigation where an important set of potential digital evidence extracted from Amazon’s Alexa Cloud is analysed.
Supported by CyberSec4Europe