Maximilian Eichhorn (Friedrich-Alexander-Universitat Erlangen-Nurnberg), Andreas Hammer (Friedrich-Alexander-Universitat Erlangen-Nurnberg), Gaston Pugliese (Friedrich-Alexander-Universitat Erlangen-Nurnberg), Felix Freiling (Friedrich-Alexander-Universitat Erlangen-Nurnberg)
Evidence from digital devices in general, and Internet of Things (IoT) and embedded devices in particular, plays an increasing role in modern investigations. Yet their diversity in hardware and software encumbers their analysis and analysis results appear fragmented and hard to assess. Investigators, therefore, face the challenge of finding and interpreting relevant digital evidence stored on these devices. In order to standardize the forensic analysis of digital devices and structure research results, we present the User–Device Interaction Model (UDIM), a device-centric formal model that is based on the types of interaction between a device, users, and other devices across interaction types and locations. By integrating the analysis results of 42 IoT devices from the literature, we show how UDIM supports standardized analysis, and helps law enforcement agencies prioritize resources during seizures. Furthermore, the model can be used to assess the coverage of forensic examinations, to ensure thoroughness and completeness of investigations.