Becoming JUDAS: Correlating Users and Devices during a Digital Investigation

Title: Becoming JUDAS: Correlating Users and Devices during a Digital Investigation
Publication Type: Journal Article
Year of Publication: 2020
Authors: A. Nieto
Journal: IEEE Transactions on Information Forensics & Security
Date Published: 17/04/2020
ISSN Number: 1556-6013
Keywords: Alexa, Data Normalisation, Digital Investigation, IoT-Forensics, JSON, OSINT

One of the biggest challenges in IoT-forensics is the analysis and correlation of heterogeneous digital evidence, to enable an effective understanding of complex scenarios. This paper defines a methodology for extracting unique objects (e.g., representing users or devices) from the files of a case, defining the context of the digital investigation and increasing the knowledge progressively, using additional files from the case (e.g. network captures). The solution includes external searches using open source intelligence (OSINT) sources when needed. In order to illustrate this approach, the proposed methodology is implemented in the JSON Users and Devices analysis (JUDAS) tool, which is able to generate the context from JSON files, complete it, and show the whole context using dynamic graphs. The approach is validated using the files in an IoT-Forensic digital investigation where an important set of potential digital evidence extracted from Amazon’s Alexa Cloud is analysed.

Citation Key: JUDAS2020

Supported by CyberSec4Europe