SESSION ID: LAW-W02 IoT Evidence Analysis and Preservation in Investigations and Litigation Erik Laykin Managing Director Duff & Phelps, LLC 310 245 2902 Erik.laykin@duffandphelps.com
An Example of IoT Evidence Determining the Outcome of an Investigation
Insurance Fraud and Insurance Fact
- A diamond ring is insured for $50,000.
- The owner suffers a break-in at her home, and the ring is stolen.
- She uses devices in her home as evidence and to file a claim:
  - A video doorbell shows masked men entering
  - Smart lightbulbs were turned on, showing activity in the home
  - Cameras show her at her office during the break-in
Insurance Fraud and Insurance Fact
Analysis by investigators showed:
- The smart door lock was unlocked with her phone.
- An hour before the break-in, her phone disconnected from her insulin pump.
- The WiFi alarm system was disarmed with her code, and was not jammed.
- The Nest Thermostat in the upper area of the house, where the ring was kept, did not detect motion.
Epilogue
- The woman was stuck in a difficult divorce and needed to cover attorney's fees.
- She had her cousins fake a break-in to claim the insurance money.
- The insurance company denied the claim and brought charges for fraud.
- IoT Data provides historic and contemporary insights into each of our lives.
- Privacy is dead
A Day in your Life with IoT
Activity Monitoring
- Fitness Tracker (Fitbit)
  - Motion
  - Heart rate
  - Location
  - Activity
- Where is the subject?
- Is the subject awake?
- Is the subject moving?
Activity Monitoring - Evidence
IP Cameras
- Facial Recognition
- Object Recognition (backpacks, bicycles, etc.)
- License Plate Recognition
- Activity Recognition (walking from A to B, carrying a particular product)
- Profiling on Age/Gender/Ethnicity/Dress/Weight/time etc.
IP Cameras - Evidence
Automotive
- Passengers
- Location
- Speed / Direction
- Journey Start/End
- Full Telemetry
- Conversations
Automotive Evidence Tesla refutes a NYT reviewer who claimed that a Model S died, showing telemetry of the car being driven in circles in a parking lot.
Automotive Evidence
Home Automation
- Are people in the home?
- What appliances are on and off?
- When are appliances used?
- When were doors locked and unlocked? By whom?
- When were alarms armed and disarmed?
Home Automation - Evidence Nest Thermostat detects when you leave the home.
Virtual Assistants
- Voice Recording
- Records of actions taken, searches
- Interface with other IoT devices
- Where is the data?
- Who owns the data?
Virtual Assistants - Evidence
Medical Devices
- Intrinsically linked to custodian
- Vital medical data
- High risk if compromised
- Wirelessly controlled
Implantable Medical Devices
Data Ownership
Data in the Cloud
Data flows from IoT devices... to data centers all over the world... to user devices... and to unknown places beyond.
Global Geography Amazon operates more than 42 data centers around the world
Data Ownership
- Data generated by IoT devices is typically stored in the cloud
  - Can be in many geographic locations
  - Can be very difficult to identify where data is or who controls it
  - May be stored indefinitely
- May be local
- May be forwarded to a phone etc.
Data Uses
- Marketing: build demographic profiles
- Artificial Intelligence: research used to train next-generation AI.
  - Every ten hours Tesla records one million miles of driving data
- Predictions: Google can detect flu season before the CDC can
- Targeted advertising: Political campaigns are tailoring messages to individuals based on data about them
Shodan
Thingful
Preserving, Collecting, and Analyzing Data
EDRM
Preservation
- Clients may be unaware that their IoT wearable and home devices may provide information that is relevant to an existing or anticipated lawsuit.
- Clients may expect that e.g. health information is protected, when it in fact may not be. Courts have not determined if 5th Amendment protections apply to such data.
- IoT devices are most commonly connected with 3rd-party service providers, and therefore the data they produce, such as activity data from a Fitbit, may reside in the cloud, on a platform operated by the service provider.
- Action by the consumer may be required to prevent destruction of relevant data.
- Upon receipt of a preservation notice, a custodian may overlook such platforms as a source of potentially relevant data.
- As with any cloud-stored evidence, authenticating the data and providing a clear chain of custody may be highly impracticable.
Collection
- Immediately upon receipt of a preservation notice or even upon reasonable anticipation of litigation, counsel should determine the likelihood that digital evidence created by IoT devices may be relevant.
- After determining that IoT-generated data is relevant, counsel should assess the storage location of the data, and determine which third party providers control retrieval and retention and serve a litigation hold notice as soon as practicable.
- Technical expertise is most often required to collect locally stored IoT data in a forensically sound manner.
Collection Sources
- Smartphones and Computers
  - Devices which may have interacted with IoT devices
  - Standard collection methodologies (Cellebrite, EnCase, etc.)
  - May need to perform custom analysis of mobile apps to identify additional data
- Identify relevant IoT devices
  - Custodian Interviews
  - Actual walk-throughs of affected space
  - Remember that some devices, such as cameras, may actually log data onto a recording device elsewhere in the facility.
- Identify which IoT devices may have on-device data
  - Do not power off without technical guidance: data may be lost
- Identify which IoT service providers may have data in the cloud
  - Send preservation notices
  - Follow-up with subpoena
Burden for Collection
- See Zubulake v. UBS Warburg, Judge Shira Scheindlin rulings, the Sedona Conference and new Federal Rules of Civil Procedure related to ediscovery obligations.
- In some cases an IoT device was not designed to provide data directly.
  - May need to jailbreak device and have an expert extract data
  - Very expensive process
  - Whereas the service provider can simply export the relevant data into an Excel file
- Need to determine cost and identify whether plaintiff or defendant is responsible.
- Need to provide an appropriate unique ID for the data being requested.
  - A provider may have multiple accounts under John Smith, and may require a username or device ID to provide relevant data.
Unanswered Questions
- In cases where IoT device data is run through large-scale analytics software, how can the analytics techniques be verified?
- Several cases have attempted to compare an individual's data to an overall average (e.g. to prove diminished physical capacity). Can an average activity level be meaningfully applied?
- Do individuals have a 5th Amendment right against certain types of data being disclosed?
- Do individuals have a 6th Amendment right to confront IoT devices testifying against them?
Limitations
- IoT devices have a very narrow worldview: they can only record what their sensors allow them to perceive.
- Much of the detailed data these devices produce comes from simple sensors. Small sensor errors can compound into massive data errors.
  - Some Apple Watch users have complained that after sitting down and typing for 30 minutes the device lists them as asleep.
- Comparisons using analytics technology will require that the analytics algorithm and the data sources be validated.
- Data can be very ephemeral; some IoT devices were never designed to store data.
Analysis
- Create a timeline showing data from multiple devices
  - Need to account for the native timezone of each data source
- Consolidate data from different formats
  - Cell phone dumps
  - Computer images
  - Data from IoT service providers
  - Data acquired directly from IoT devices
- Perform statistical or other analysis on bulk data
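An added example (not part of the original slides) of the timeline step above: three sources that record time differently are normalized to UTC and merged, keeping each row's source and raw timestamp so it can be traced back to the collected evidence. The records, field layouts and the phone's time zone are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

try:  # an IANA zone handles daylight saving; needs system tz data
    from zoneinfo import ZoneInfo
    PHONE_TZ = ZoneInfo("America/Los_Angeles")
except Exception:  # fallback: fixed winter offset, valid for the sample date
    PHONE_TZ = timezone(timedelta(hours=-8))

# Constructed sample records (not from any real case or product export).
PHONE_DUMP = [("2017-02-14 13:05:10", "smart lock unlocked from phone app")]
PROVIDER_EXPORT = [("2017-02-14T21:07:02Z", "alarm disarmed with owner code")]
DEVICE_LOG = [(1487106600, "doorbell camera motion event")]

def from_phone(raw):
    """Phone extraction: naive local wall-clock time in the phone's zone."""
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=PHONE_TZ)

def from_provider(raw):
    """Provider export: ISO 8601 with a trailing Z, meaning UTC."""
    parsed = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def from_device(raw):
    """On-device log: Unix epoch seconds, which count from a UTC origin."""
    return datetime.fromtimestamp(raw, tz=timezone.utc)

def build_timeline():
    """Merge all sources into rows of (utc_time, source, raw, event),
    sorted by UTC time."""
    rows = []
    for source, parse, records in (
        ("phone dump", from_phone, PHONE_DUMP),
        ("provider export", from_provider, PROVIDER_EXPORT),
        ("device log", from_device, DEVICE_LOG),
    ):
        for raw, event in records:
            utc = parse(raw).astimezone(timezone.utc)
            rows.append((utc, source, str(raw), event))
    return sorted(rows, key=lambda row: row[0])

if __name__ == "__main__":
    for utc, source, raw, event in build_timeline():
        print(utc.isoformat(), source, raw, event, sep=" | ")
```

Read as local time, the phone's 13:05 entry would sort eight hours before the other two events; after normalization it falls two minutes before the alarm disarm.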
Analysis Graphs, charts, and timelines can shed light on data A timeline of activity tracker data over a 30 day period.
Analysis
Common Tools:
- EnCase - Computer forensics
- Blackbag - Mac/iPhone forensics
- Relativity - ediscovery
- Cellebrite - Phone forensics
Recent Developments:
- Berla iVe - Vehicle forensics
- Berla Blackthorn - Forensics of GPS/navigation devices
Going Forward
- Take a minute to walk through your homes and offices and note where IoT devices are being used.
- Have an informal conversation with people to determine who sold/services the device and what information it collects.
- Ask yourself: "Where could I use that evidence?"
Look around you