Introduction
This practical lab provides hands-on experience with IoT forensic techniques. You will learn to extract data from IoT devices, analyze network traffic using Wireshark, investigate smart device artifacts, and prepare forensic documentation.
By completing this lab, you will gain practical skills in IoT data extraction, network traffic capture and analysis, smart device artifact investigation, and forensic report preparation for IoT investigations.
Required Tools
Wireshark
Network protocol analyzer for capturing and analyzing IoT traffic. Free and open-source.
Mobile Forensic Tool
Autopsy, Cellebrite, or similar for extracting IoT app data from smartphones.
SQLite Browser
DB Browser for SQLite to examine IoT application databases.
JSON/XML Viewers
Tools to parse and analyze IoT configuration and log files.
Lab 1: IoT Network Traffic Capture
- Set up network capture for IoT devices
- Identify IoT protocols in captured traffic
- Extract device communications and commands
Configure your forensic workstation to capture IoT traffic. You can either:
- Set up a wireless access point and connect IoT devices to it
- Use ARP spoofing (in a controlled lab environment only)
- Configure router port mirroring to capture all traffic
- Use a network tap device for passive capture
Launch Wireshark and begin capturing on the appropriate interface.
```
# Capture only traffic from specific IoT device
host 192.168.1.100
# Capture MQTT traffic (default port)
port 1883 or port 8883
# Capture HTTP/HTTPS from IoT devices
host 192.168.1.100 and (port 80 or port 443)
# Capture CoAP traffic
port 5683
```
Interact with IoT devices to generate traffic for capture:
- Turn smart lights on/off via app
- Issue voice commands to smart speakers
- Trigger motion sensors or cameras
- Adjust thermostat settings
Use Wireshark display filters to analyze specific protocols:
```
# Filter MQTT messages
mqtt
# Filter MQTT publish messages only
mqtt.msgtype == 3
# Filter DNS queries (shows cloud services contacted)
dns
# Filter HTTP requests
http.request
# Filter TLS Client Hello (shows server names)
tls.handshake.type == 1
# Search for specific strings in packets
frame contains "temperature"
```
Most modern IoT devices use TLS encryption. While you cannot decrypt the content without keys, you can still analyze: DNS queries (what servers are contacted), TLS SNI fields (server names), connection timing, data volumes, and IP addresses. Some older or cheap devices may still use unencrypted communications.
Lab 2: Smart Device App Analysis
- Extract data from IoT companion apps
- Analyze SQLite databases for device information
- Recover activity logs and user data
Using your mobile forensic tool, extract the application data for the target IoT app. For Android devices with ADB access:
```bash
# List installed IoT apps
adb shell pm list packages | grep -i "smart\|home\|nest\|ring"
# Create backup of specific app (only works if the app allows backups)
adb backup -f smart_app.ab com.example.smarthome
# Pull app data directory (requires root)
adb pull /data/data/com.example.smarthome/ ./extracted_data/
```
Open extracted .db files in DB Browser for SQLite:
```sql
-- List all tables in database
SELECT name FROM sqlite_master WHERE type='table';
-- View device information
SELECT * FROM devices;
-- Extract activity/event logs
SELECT * FROM activity_log ORDER BY timestamp DESC;
-- Find user account information
SELECT * FROM users;
-- Search for timestamps and convert from Unix epoch
-- (13-digit values are milliseconds: divide by 1000 before passing to datetime())
SELECT datetime(timestamp, 'unixepoch', 'localtime'), * FROM events;
```
Look for shared preferences (Android) or plists (iOS) containing device settings:
- shared_prefs/*.xml - App settings, tokens, device IDs
- cache/ - Temporary data, API responses
- files/ - Downloaded content, logs
Common IoT App Artifacts
| Artifact Type | Location | Information |
|---|---|---|
| Device List | databases/devices.db | Paired devices, MAC addresses, names, types |
| Activity History | databases/activity.db | Commands, events, timestamps |
| Auth Tokens | shared_prefs/auth.xml | OAuth tokens, session data, account info |
| Cached Data | cache/http/ | API responses, images, device states |
| Automation Rules | databases/routines.db | Schedules, triggers, actions |
Lab 3: Drone Flight Log Analysis
- Extract flight logs from DJI drone app
- Parse and analyze flight data
- Reconstruct flight paths on maps
DJI flight logs are stored in the mobile app data:
```
# Android - DJI Go 4
/data/data/dji.go.v4/files/FlightRecord/
  DJIFlightRecord_[timestamp]_[details].txt
# Android - DJI Fly
/data/data/dji.go.v5/files/FlightRecord/
# Drone SD Card (if accessible)
/MISC/FLY[XXX].DAT
```
Use tools to parse the encrypted flight logs:
- DatCon: Free tool for parsing DJI .DAT files
- Airdata UAV: Online service for flight analysis
- CsvView: Open-source DJI log parser
Extracted data includes GPS coordinates, altitude, speed, battery levels, and timestamps for the entire flight.
Export parsed data to KML format for viewing in Google Earth or convert to CSV for mapping:
```
timestamp,latitude,longitude,altitude,speed,heading
2025-01-15 10:30:00,28.6139,77.2090,50.0,5.2,180
2025-01-15 10:30:01,28.6138,77.2090,52.5,6.1,182
2025-01-15 10:30:02,28.6137,77.2089,55.0,7.0,185
...
```
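As an added example (not from the lab or from any DJI tool), this Python converts rows in the CSV layout above into a KML LineString for Google Earth and sums the ground track with the haversine formula as a plausibility check against the logged speeds; the embedded CSV is the constructed sample from above.

```python
import csv
import io
import math
from xml.sax.saxutils import escape

# Constructed sample in the CSV layout shown above (not real flight data)
SAMPLE_CSV = """timestamp,latitude,longitude,altitude,speed,heading
2025-01-15 10:30:00,28.6139,77.2090,50.0,5.2,180
2025-01-15 10:30:01,28.6138,77.2090,52.5,6.1,182
2025-01-15 10:30:02,28.6137,77.2089,55.0,7.0,185
"""

def load_track(csv_text: str) -> list:
    """Parse the CSV into dicts with numeric lat/lon/alt; timestamps stay as text."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        for key in ("latitude", "longitude", "altitude", "speed", "heading"):
            row[key] = float(row[key])
    return rows

def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def track_length_m(track) -> float:
    """Sum of segment distances; compare against logged speed times elapsed time."""
    return sum(haversine_m(a["latitude"], a["longitude"], b["latitude"], b["longitude"])
               for a, b in zip(track, track[1:]))

def to_kml(track, name="Flight path") -> str:
    """Build a KML LineString. KML orders coordinates lon,lat,alt. DJI altitude is
    usually relative to take-off, so relativeToGround is the safer altitudeMode."""
    coords = " ".join(f'{p["longitude"]},{p["latitude"]},{p["altitude"]}' for p in track)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document><Placemark>'
            f'<name>{escape(name)}</name><LineString><tessellate>1</tessellate>'
            '<altitudeMode>relativeToGround</altitudeMode>'
            f'<coordinates>{coords}</coordinates></LineString></Placemark>'
            '</Document></kml>')

if __name__ == "__main__":
    track = load_track(SAMPLE_CSV)
    print(f"{len(track)} fixes, ground track {track_length_m(track):.1f} m")
    print(to_kml(track))
```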
Lab 4: MQTT Traffic Analysis
- Identify MQTT traffic in network captures
- Extract topics and message payloads
- Reconstruct device communications
```
# All MQTT traffic
mqtt
# MQTT CONNECT messages (client connections)
mqtt.msgtype == 1
# MQTT PUBLISH messages (data transmission)
mqtt.msgtype == 3
# MQTT SUBSCRIBE messages
mqtt.msgtype == 8
# Filter by specific topic
mqtt.topic contains "temperature"
```
For each MQTT PUBLISH message, examine:
- Topic: The message destination (e.g., home/livingroom/light)
- Payload: The actual data (often JSON formatted)
- QoS: Quality of Service level
- Retain Flag: Whether message is retained by broker
Use Wireshark's "Follow TCP Stream" feature to see complete conversations.
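The fields listed above can be pulled straight out of the bytes that Follow TCP Stream shows. The following Python, added here as an example and not part of the lab materials, decodes the MQTT 3.1.1 fixed header, splits a reassembled stream into control packets and extracts topic, QoS, retain flag, packet identifier and payload from each PUBLISH; the sample stream is constructed.

```python
import json
import struct

PUBLISH = 3  # control packet type carried in the high nibble of the fixed header

def decode_remaining_length(data: bytes, offset: int) -> tuple:
    """Decode MQTT's variable-length 'remaining length'; return (length, next offset)."""
    value, multiplier = 0, 1
    while True:
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
        if multiplier > 128 ** 3:      # the spec allows at most four bytes
            raise ValueError("malformed remaining length")

def split_stream(stream: bytes):
    """Yield individual control packets from a reassembled TCP stream."""
    offset = 0
    while offset < len(stream):
        length, body = decode_remaining_length(stream, offset + 1)
        end = body + length
        if end > len(stream):
            raise ValueError("truncated MQTT packet")
        yield stream[offset:end]
        offset = end

def parse_publish(packet: bytes) -> dict:
    """Extract topic, QoS, retain/dup flags, packet id and payload from a PUBLISH."""
    flags = packet[0]
    if flags >> 4 != PUBLISH:
        raise ValueError("not a PUBLISH packet")
    qos, retain, dup = (flags >> 1) & 0x03, bool(flags & 0x01), bool(flags & 0x08)
    _, pos = decode_remaining_length(packet, 1)
    topic_len = struct.unpack_from("!H", packet, pos)[0]
    topic = packet[pos + 2:pos + 2 + topic_len].decode("utf-8")
    pos += 2 + topic_len
    packet_id = None
    if qos > 0:                        # packet identifier is only present for QoS 1 and 2
        packet_id = struct.unpack_from("!H", packet, pos)[0]
        pos += 2
    try:
        payload = json.loads(packet[pos:])   # payloads are often JSON; fall back to hex
    except ValueError:
        payload = packet[pos:].hex()
    return {"topic": topic, "qos": qos, "retain": retain, "dup": dup,
            "packet_id": packet_id, "payload": payload}

def parse_stream(stream: bytes) -> list:
    """All PUBLISH messages in a stream, in order; other packet types are skipped."""
    return [parse_publish(p) for p in split_stream(stream) if p[0] >> 4 == PUBLISH]

# Constructed sample: two PUBLISH packets back to back, as seen in one TCP stream
SAMPLE_STREAM = (
    b"\x33\x27\x00\x15home/livingroom/light\x00\x0a" + b'{"state":"ON"}'   # QoS 1, retain, id 10
    + b"\x30\x25\x00\x16home/livingroom/sensor" + b'{"temp":21.5}'          # QoS 0
)
```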
Export MQTT messages to CSV for timeline analysis:
- File > Export Packet Dissections > As CSV
- Include frame.time, mqtt.topic, mqtt.payload columns
- Import into spreadsheet for timeline visualization
Case Study: Smart Home Investigation
A burglary occurred at a residence equipped with smart home devices. The homeowner claims they were away on vacation when the incident happened. Investigators have access to: Amazon Echo (Alexa), Ring doorbell, smart lock (August), and the homeowner's smartphone. Your task is to develop an investigation plan and identify potential evidence.
Investigation Steps
- Document the Scene: Photograph all smart devices, note model numbers and serial numbers, document network equipment
- Preserve Evidence: Do not interact with devices, isolate from network if possible, seize associated smartphone
- Identify Data Sources:
- Ring doorbell - video recordings of entry points
- August smart lock - access logs with timestamps and method
- Amazon Echo - voice commands, routine triggers
- Smartphone apps - cached data, activity history
- Cloud accounts - comprehensive historical data
- Acquire Data:
- Request cloud data preservation from Amazon, Ring, August
- Extract mobile app data from smartphone
- Capture network traffic if devices still active
- Analyze Evidence:
- Review Ring footage for suspect identification
- Correlate smart lock access with doorbell footage
- Check Alexa for unusual commands or triggers
- Verify homeowner's alibi against device activity
- Document Findings: Prepare forensic report with timeline, Section 63 BSA certificates for each data source
Expected Evidence Timeline
| Time | Source | Event |
|---|---|---|
| 14:23:15 | Ring Doorbell | Motion detected at front door |
| 14:23:47 | Ring Doorbell | Person visible, no doorbell press |
| 14:25:02 | August Lock | Manual unlock from inside (lock bumped) |
| 14:25:10 | Alexa | Motion sensor triggered (living room) |
| 14:45:33 | August Lock | Door opened from inside |
| 14:45:45 | Ring Doorbell | Person leaving with bag |
Forensic Report Template
```
IoT/Robot Forensic Examination Report
=====================================
1. EXECUTIVE SUMMARY
   - Brief overview of investigation
   - Key findings summary
2. CASE INFORMATION
   - Case number, examiner details
   - Date/time of examination
   - Legal authorization reference
3. EVIDENCE DESCRIPTION
   - Device inventory (make, model, serial)
   - Associated accounts
   - Cloud services involved
   - Chain of custody documentation
4. ACQUISITION METHODOLOGY
   - Tools used (versions)
   - Acquisition methods for each source
   - Hash values (MD5/SHA-256)
   - Screenshots of acquisition process
5. EXAMINATION FINDINGS
   - Device configuration analysis
   - Activity timeline reconstruction
   - User interaction history
   - Network traffic analysis
   - Cloud data analysis
6. TIMELINE OF EVENTS
   - Chronological event sequence
   - Correlated across multiple sources
7. CONCLUSIONS
   - Summary of relevant findings
   - Answers to investigative questions
8. APPENDICES
   - Section 63 BSA Certificate(s)
   - Hash verification logs
   - Tool output reports
   - Supporting screenshots
```
- Wireshark is essential for capturing and analyzing IoT network traffic using protocol-specific filters
- IoT companion apps store valuable data in SQLite databases and configuration files
- Drone flight logs can be extracted and parsed to reconstruct complete flight paths with GPS data
- MQTT protocol analysis reveals device communications, topics, and message payloads
- Smart home investigations require correlating data from multiple device types
- Comprehensive documentation and Section 63 BSA certificates are essential for court admissibility
- Timeline reconstruction across multiple IoT sources provides powerful investigative insights