STITCHER: Correlating Digital Forensic Evidence on Internet-of-Things Devices

The increasing adoption of Internet-of-Things (IoT) devices present new challenges to digital forensic investigators and law enforcement agencies when investigation into cybercrime on these new platforms are required. However, there has been no formal study to document actual challenges faced by investigators and whether existing tools help them in their work. Prior issues such as the correlation and consistency problem in digital forensic evidence have also become a pressing concern in light of numerous evidence sources from IoT devices. Motivated by these observations, we conduct a user study with 39 digital forensic investigators from both public and private sectors to document the challenges they faced in traditional and IoT digital forensics. We also created a tool, STITCHER, that addresses the technical challenges faced by investigators when handling IoT digital forensics investigation. We simulated an IoT crime that mimics sophisticated cybercriminals and invited our user study participants to utilize STITCHER to investigate the crime. The efficacy of STITCHER is confirmed by our study results where 96.2% of users indicated that STITCHER assisted them in handling the crime, and 61.5% of users who used STITCHER with its full features solved the crime completely.