Feature-Sniffer: Enabling IoT Forensics in OpenWrt based Wi-Fi Access Points
Fabio Palmese, Alessandro E. C. Redondi, Matteo Cesana

TL;DR
Feature-Sniffer is a tool integrated into OpenWrt access points that enables real-time extraction of IoT device traffic features, facilitating forensic investigations without storing large data files.
Contribution
The paper introduces Feature-Sniffer, a novel add-on for OpenWrt access points that simplifies IoT traffic analysis for forensic purposes in smart environments.
Findings
Effective device identification from encrypted traffic
Real-time feature extraction without large data storage
Practical application in activity classification
Abstract
The Internet of Things is in constant growth, with millions of devices used every day in our homes and workplaces to ease our lives. Such a strict coexistence between humans and smart devices makes the latter digital witnesses of our everyday lives through their sensor systems. This opens up a new area of digital investigation named IoT Forensics, where digital traces produced by smart devices (network traffic, in primis) are leveraged as evidence for forensic purposes. It is therefore important to create tools able to capture, store and possibly easily analyse such digital traces to ease the job of forensic investigators. This work presents one such tool, named Feature-Sniffer, which is designed explicitly for Wi-Fi enabled smart devices used in Smart Building/Smart Home scenarios. Feature-Sniffer is an add-on for OpenWrt-based access points and allows to easily perform online…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Privacy-Preserving Technologies in Data · Digital and Cyber Forensics
