Internet of Too Many Things: creating a database of common IoT files

Primary Author

Timothy Lesgaux

Faculty Mentor

Oren Upton

Abstract

Internet of Things devices are an emerging space in digital forensics. IoT systems potentially contain a wealth of information that could be useful to investigators. However, IoT systems present a challenge primarily because the operating systems on IoT devices are often highly customized. While IoT devices usually run some type of Linux-based operating system, the specifics of how the filesystems are arranged and what the files contain are non-standard. This makes determining which files are ‘interesting’ a challenge, because every IoT system is relatively unique, and it also complicates establishing a framework for digital forensics investigations of such devices. Our efforts have focused on creating a database in which we store files extracted from factory-default firmware images from multiple IoT devices, to catalogue ‘known’ files. Using a script, we ingest unique files from a variety of factory-default firmware images into an Elasticsearch database. Investigators would then be able to compare files found during an investigation against this database to determine which are normal system files and which may have been introduced to the system at some later time. At present the script requires some manual interaction, which we would like to minimize. Additionally, we would like to extract other information useful in a forensics context, such as personal information, credentials, credit card numbers or geolocation data, as well as file metadata such as modification time and filetype, and present it in a format useful to an investigator. We are hopeful that this database will prove useful to law enforcement personnel in digital forensics investigations involving IoT devices.
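The workflow the abstract describes (catalogue the files of factory-default firmware images, then compare a seized device's filesystem against that catalogue) can be shown end to end in a few dozen lines. The block below is an added illustration, not the authors' ingestion script: Elasticsearch is stood in for by an in-memory dict keyed by SHA-256, the magic-byte table for file typing is a deliberately small assumption, and the three firmware trees it walks are constructed sample data rather than real device images. It records, for each unknown file, the metadata the abstract mentions (size, modification time, filetype) and distinguishes a file whose path exists in a known image but whose content differs ("modified") from one never seen at all ("unknown").

```python
"""Added example: catalogue 'known' files from factory-default firmware trees
and triage a suspect filesystem against the catalogue.  Assumptions: the
catalogue is an in-memory dict standing in for Elasticsearch, the magic-byte
table is minimal, and all firmware trees below are constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: a handful of signatures is enough to type files for this example.
MAGIC = [(b"\x7fELF", "elf"), (b"#!", "script"), (b"\x1f\x8b", "gzip")]


def classify(data: bytes) -> str:
    """Crude filetype from leading bytes; printable-only content counts as text."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    printable = all(b in b"\t\n\r" or 32 <= b < 127 for b in data)
    return "text" if data and printable else "binary"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root: Path):
    """Yield (relative POSIX path, absolute path) for regular files; symlinks skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            yield p.relative_to(root).as_posix(), p


def ingest_firmware(index: dict, root: Path, image_id: str) -> int:
    """Add every regular file under root to the catalogue, keyed by SHA-256.
    Returns how many hashes were new to the catalogue (the 'unique files')."""
    new = 0
    for rel, p in walk_files(root):
        doc = index.setdefault(sha256_file(p), {"paths": set(), "images": set(), "type": None})
        if not doc["images"]:
            new += 1
        doc["paths"].add(rel)
        doc["images"].add(image_id)
        if doc["type"] is None:
            with p.open("rb") as f:
                doc["type"] = classify(f.read(512))
    return new


def triage(index: dict, suspect_root: Path) -> list:
    """Report files under suspect_root whose hash matches no catalogued file,
    tagging them 'modified' (known path, new content) or 'unknown' (new path)."""
    known_paths = set().union(*(doc["paths"] for doc in index.values())) if index else set()
    findings = []
    for rel, p in walk_files(suspect_root):
        digest = sha256_file(p)
        if digest in index:
            continue  # byte-identical to a factory-default file: not interesting
        st = p.stat()
        with p.open("rb") as f:
            ftype = classify(f.read(512))
        findings.append({"path": rel, "sha256": digest, "type": ftype, "size": st.st_size,
                         "mtime": int(st.st_mtime),
                         "status": "modified" if rel in known_paths else "unknown"})
    return sorted(findings, key=lambda r: r["path"])


def build_demo(base: Path):
    """Construct two factory images and one suspect tree (sample data, not real firmware)."""
    def write(root, rel, data):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    fw1, fw2, suspect = base / "fw_v1", base / "fw_v2", base / "suspect"
    busybox = b"\x7fELF" + b"\x00" * 60
    passwd = b"root:x:0:0:root:/root:/bin/sh\n"
    write(fw1, "bin/busybox", busybox)
    write(fw1, "etc/passwd", passwd)
    write(fw1, "etc/rc.local", b"#!/bin/sh\n/usr/sbin/httpd\n")
    write(fw2, "bin/busybox", busybox)  # unchanged between versions: one catalogue entry
    write(fw2, "etc/passwd", passwd)
    write(fw2, "etc/rc.local", b"#!/bin/sh\n/usr/sbin/httpd\n/usr/sbin/telnetd\n")  # changed
    write(suspect, "bin/busybox", busybox)
    write(suspect, "etc/passwd", passwd + b"svc:x:1000:1000::/tmp:/bin/sh\n")  # account added
    write(suspect, "etc/rc.local", b"#!/bin/sh\n/usr/sbin/httpd\n")  # matches fw_v1
    write(suspect, "tmp/.dropped", b"\x7fELF" + b"\x01" * 60)  # present in no factory image
    index = {}
    counts = (ingest_firmware(index, fw1, "fw_v1"), ingest_firmware(index, fw2, "fw_v2"))
    return index, counts, triage(index, suspect)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return build_demo(Path(d))


if __name__ == "__main__":
    index, counts, findings = run_demo()
    print(f"unique files per image: {counts}; catalogue size: {len(index)}")
    for f in findings:
        print(f"{f['status']:8} {f['type']:6} {f['size']:5d} {f['path']}  {f['sha256'][:16]}")
```

Hashing by content rather than by path is what makes the catalogue useful across device models: a busybox binary shared by several firmware builds is stored once with all the images it appears in, while a file whose path is familiar but whose bytes are not is exactly the kind of change an investigator wants surfaced. In a real deployment each catalogue entry would become an Elasticsearch document with the digest as its id, and the ingest step would run over the output of a firmware-extraction tool rather than a hand-built directory.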
