Feature-Sniffer: Enabling IoT Forensics in OpenWrt based Wi-Fi Access Points

Abstract

The Internet of Things is in constant growth, with millions of devices used every day in our homes and workplaces to ease our lives. Such a strict coexistence between humans and smart devices makes the latter digital witnesses of our everyday lives through their sensor systems. This opens up to a new area of digital investigation named IoT Forensics, where digital traces produced by smart devices (network traffic, in primis) are leveraged as evidences for forensic purposes. It is therefore important to create tools able to capture, store and possibly analyse easily such digital traces to ease the job of forensic investigators. This work presents one of such tools, named Feature-Sniffer, which is thought explicitly for Wi-Fi enabled smart devices used in Smart Building/Smart Home scenarios. Feature-Sniffer is an add-on for OpenWrt-based access points and allows to easily perform online traffic feature extraction, avoiding to store large PCAP files. We present Feature-Sniffer with an accurate description of the implementation details, and we show its possible uses with practical examples for device identification and activity classification from encrypted traffic produced by IoT cameras. We release Feature-Sniffer publicly for reproducible research.