Chapter 34 — Key Takeaways
The big idea
The world is now instrumented with small, continuous witnesses — in the home, on the body, and in the car — and your access to what they recorded is governed less by technique than by authority, because the richest data is almost always third-party cloud data behind a warrant. This is the Internet of Evidence. The skills from the rest of the book still apply — image first, hash, analyze the copy, document everything — but the terrain is a swarm of tiny, proprietary, cloud-tethered devices instead of a single removable drive. The devices are disposable and the catalog turns over yearly; the method is permanent: identify every device in scope, classify its data across three tiers, determine your authority for each, acquire the most perishable data first, normalize every clock to a common reference, and state exactly what each sensor proves and no more.
The three tiers (and who controls them)
| Tier | Where | Holds | Access |
|---|---|---|---|
| 1 — Device | the "thing" | firmware, configs, Wi-Fi keys, small ring buffers, account binding | physical possession + chip-off/UART/JTAG/SPI; volatile |
| 2 — Companion app | phone/PC | cached records, tokens, SQLite DBs, thumbnails, last-sync data | the phone/PC (Ch. 11, 16, 24) |
| 3 — Vendor cloud | provider servers | the mother lode: voice history, full video, health & trip history | legal process or the owner's consent/credentials |
The shift to carry: the data you most want is usually not on the device in your hand. Send the preservation letter and legal process to the provider early — retention timers delete evidence you could have saved.
Five unifying challenges
- Proprietary, undocumented formats — you will reverse-engineer schemas no one published, and they change between firmware versions.
- No standard tooling — a few commercial tools cover high-value targets (Berla iVe for vehicles); the long tail needs a logic analyzer, a chip programmer,
binwalk, and your own scripts. - Volatile, perishable data — RAM, ring buffers, and cloud retention timers; hesitation costs evidence.
- Cloud dependence / third-party control — SCA, MLAT, the CLOUD Act, and end-to-end encryption can put data beyond even the provider; legal speed matters as much as technical speed.
- Churn, and you cannot write-block soldered storage — when non-alteration cannot be guaranteed mechanically, your documentation carries the weight the write-blocker normally would.
The four domains at a glance
- Smart home: voice assistants (Alexa/Echo, Google) store transcriptions + recordings in the cloud, bind to a named account via the app; cameras/doorbells (Ring) hold video in the cloud only with a subscription and only if E2EE is off; smart locks log who entered and when; thermostats record occupancy; Home Assistant's local
home-assistant_v2.dbis the no-warrant goldmine. - Wearables: Fitbit, Apple Watch (iPhone
healthdb_secure.sqlite), and Garmin (FIT files) record steps, heart rate, sleep, and GPS — and have broken real alibis by showing when a body was moving and when it stopped. - Vehicle — three distinct systems: infotainment/telematics (Berla iVe — tracklogs + paired-phone contacts/call logs), the EDR black box (Bosch CDR, ~5 s of crash dynamics, 49 CFR Part 563), and the connected-car cloud (legal process to the maker).
- Embedded/firmware: UART (often a root shell), JTAG boundary scan, SPI flash read in-circuit (clip +
flashrom), eMMC chip-off; analyze withbinwalk,unsquashfs,strings.
Time is a minefield — normalize everything to UTC
| Source | Epoch / format | Convert |
|---|---|---|
| Smart locks, Home Assistant, most IoT | Unix seconds | direct |
| Alexa, Fitbit cloud | Unix milliseconds | ÷ 1,000 |
| Apple Health / Watch | 2001 (Mac absolute) | + 978,307,200 |
| Garmin FIT | 1989 | + 631,065,600 |
| Windows artifacts | FILETIME (1601) | ÷ 10 → µs from 1601 |
Garmin positions are semicircles (° = semi × 180 / 2³¹); raw GPS time runs ~18 leap seconds ahead of UTC. A botched conversion shifts a timeline by 31 years (obvious) or one hour (dangerous).
Say what the device proves
A wearable shows a heart rate, not who wore it; a tracklog shows where the car went, not who drove; a lock log shows a badge, not a person. IoT evidence is powerful because it is granular and continuous — but it is circumstantial, and the leap from "this device recorded this" to "this person did this" must be argued and corroborated, never asserted.
You can now…
- ☐ Classify any IoT, wearable, or vehicle source across the three tiers and identify the authority each requires.
- ☐ Locate and interpret smart-home evidence — voice history, camera/doorbell video, lock and thermostat logs, and the local Home Assistant database — under the correct legal posture.
- ☐ Extract and analyze wearable evidence (Fitbit, Apple Watch Health, Garmin FIT), converting each device's epoch correctly.
- ☐ Distinguish a vehicle's three data systems and choose the right tool for each — iVe, Bosch CDR, and legal process.
- ☐ Perform hardware-level extraction (UART, JTAG, SPI, eMMC chip-off) and turn a firmware blob into evidence with
binwalk,unsquashfs, andstrings.
Looking ahead
Chapter 35 — AI-Assisted Forensics and Deepfake Detection. When machine learning helps you triage the oceans of IoT and disk data faster than any human could — and when the same technology fabricates the photos, voices, and videos you are asked to authenticate — the examiner must prove not just what a file says, but whether it is real at all.
One sentence to carry forward: The devices are disposable and proprietary, but the method is permanent — classify the tiers, secure the authority, normalize the clocks, and testify only to what the sensor actually recorded.