Chapter 34 — Key Takeaways

The big idea

The world is now instrumented with small, continuous witnesses — in the home, on the body, and in the car — and your access to what they recorded is governed less by technique than by authority, because the richest data is almost always third-party cloud data behind a warrant. This is the Internet of Evidence. The skills from the rest of the book still apply — image first, hash, analyze the copy, document everything — but the terrain is a swarm of tiny, proprietary, cloud-tethered devices instead of a single removable drive. The devices are disposable and the catalog turns over yearly; the method is permanent: identify every device in scope, classify its data across three tiers, determine your authority for each, acquire the most perishable data first, normalize every clock to a common reference, and state exactly what each sensor proves and no more.

The three tiers (and who controls them)

Tier Where Holds Access
1 — Device the "thing" firmware, configs, Wi-Fi keys, small ring buffers, account binding physical possession + chip-off/UART/JTAG/SPI; volatile
2 — Companion app phone/PC cached records, tokens, SQLite DBs, thumbnails, last-sync data the phone/PC (Ch. 11, 16, 24)
3 — Vendor cloud provider servers the mother lode: voice history, full video, health & trip history legal process or the owner's consent/credentials

The shift to carry: the data you most want is usually not on the device in your hand. Send the preservation letter and legal process to the provider early — retention timers delete evidence you could have saved.

Five unifying challenges

  • Proprietary, undocumented formats — you will reverse-engineer schemas no one published, and they change between firmware versions.
  • No standard tooling — a few commercial tools cover high-value targets (Berla iVe for vehicles); the long tail needs a logic analyzer, a chip programmer, binwalk, and your own scripts.
  • Volatile, perishable data — RAM, ring buffers, and cloud retention timers; hesitation costs evidence.
  • Cloud dependence / third-party control — SCA, MLAT, the CLOUD Act, and end-to-end encryption can put data beyond even the provider; legal speed matters as much as technical speed.
  • Churn, and you cannot write-block soldered storage — when non-alteration cannot be guaranteed mechanically, your documentation carries the weight the write-blocker normally would.

The four domains at a glance

  • Smart home: voice assistants (Alexa/Echo, Google) store transcriptions + recordings in the cloud, bind to a named account via the app; cameras/doorbells (Ring) hold video in the cloud only with a subscription and only if E2EE is off; smart locks log who entered and when; thermostats record occupancy; Home Assistant's local home-assistant_v2.db is the no-warrant goldmine.
  • Wearables: Fitbit, Apple Watch (iPhone healthdb_secure.sqlite), and Garmin (FIT files) record steps, heart rate, sleep, and GPS — and have broken real alibis by showing when a body was moving and when it stopped.
  • Vehicle — three distinct systems: infotainment/telematics (Berla iVe — tracklogs + paired-phone contacts/call logs), the EDR black box (Bosch CDR, ~5 s of crash dynamics, 49 CFR Part 563), and the connected-car cloud (legal process to the maker).
  • Embedded/firmware: UART (often a root shell), JTAG boundary scan, SPI flash read in-circuit (clip + flashrom), eMMC chip-off; analyze with binwalk, unsquashfs, strings.

Time is a minefield — normalize everything to UTC

Source Epoch / format Convert
Smart locks, Home Assistant, most IoT Unix seconds direct
Alexa, Fitbit cloud Unix milliseconds ÷ 1,000
Apple Health / Watch 2001 (Mac absolute) + 978,307,200
Garmin FIT 1989 + 631,065,600
Windows artifacts FILETIME (1601) ÷ 10 → µs from 1601

Garmin positions are semicircles (° = semi × 180 / 2³¹); raw GPS time runs ~18 leap seconds ahead of UTC. A botched conversion shifts a timeline by 31 years (obvious) or one hour (dangerous).

Say what the device proves

A wearable shows a heart rate, not who wore it; a tracklog shows where the car went, not who drove; a lock log shows a badge, not a person. IoT evidence is powerful because it is granular and continuous — but it is circumstantial, and the leap from "this device recorded this" to "this person did this" must be argued and corroborated, never asserted.

You can now…

  • ☐ Classify any IoT, wearable, or vehicle source across the three tiers and identify the authority each requires.
  • ☐ Locate and interpret smart-home evidence — voice history, camera/doorbell video, lock and thermostat logs, and the local Home Assistant database — under the correct legal posture.
  • ☐ Extract and analyze wearable evidence (Fitbit, Apple Watch Health, Garmin FIT), converting each device's epoch correctly.
  • ☐ Distinguish a vehicle's three data systems and choose the right tool for each — iVe, Bosch CDR, and legal process.
  • ☐ Perform hardware-level extraction (UART, JTAG, SPI, eMMC chip-off) and turn a firmware blob into evidence with binwalk, unsquashfs, and strings.

Looking ahead

Chapter 35 — AI-Assisted Forensics and Deepfake Detection. When machine learning helps you triage the oceans of IoT and disk data faster than any human could — and when the same technology fabricates the photos, voices, and videos you are asked to authenticate — the examiner must prove not just what a file says, but whether it is real at all.

One sentence to carry forward: The devices are disposable and proprietary, but the method is permanent — classify the tiers, secure the authority, normalize the clocks, and testify only to what the sensor actually recorded.