Providing Tamper-Resistant Audit Trails with Distributed Ledger based Solutions for Forensics of IoT Systems using Cloud Resources

A1 Journal article (refereed)

Internal Authors/Editors

Publication Details

List of Authors: Magnus Westerlund, Mats Neovius, Göran Pulkkis
Publisher: IARIA
Publication year: 2018
Journal: International Journal on Advances in Security
Volume number: 11
Issue number: 3&4
Start page: 288
End page: 300


Network and information security are often more challenging for current
IoT systems than for traditional networks. Cloud computing resources used by most
IoT systems are publicly accessible and thereby, through this availability,
increase the risk of intrusion. The increase in the processing of sensitive
data in IoT systems makes security challenges more noteworthy, particularly in
light of legal issues around cross-border transfers and data protection.
Technologies preventing intrusion are effective, yet not perfect. Once a system
is compromised, the intruder may start to delete and to modify audit trails and
system log files for covering-up the intrusion. Complete and untampered audit trails and log files are
essential for the legitimate owner of an IoT system using cloud resources to
estimate the losses, to reconstruct the data, to detect the origin of the
intrusion attack, and eventually in a court of law be able to prosecute the
attacker. Due to this, improved methods for performing forensics in IoT systems
are desperately needed.IoT forensics is mostly cloud forensics, since most IoT data is
currently stored in the cloud. Therefore, cloud
forensics is a key component in IoT forensics. The baseline for any forensic
investigation is assured data availability and integrity. In this paper, we
outline how forensic evidence data can be created for IoT systems using distributed
cloud resources and how the availability and integrity of this forensic data
can be assured by applying distributed ledger based solutions for storing audit
trails and log files securely. Given this approach, an attacker can neither delete,
nor modify past trails or logs but merely stop generating new data into log
files. The approach presented here is novel, yet light enough for practical

Last updated on 2020-05-08 at 06:00