Researchers at Linköping University are collaborating with the Swedish National Forensic Centre (NFC) to investigate how sensor data can be used in future digital crime investigations, referred to as digital forensics.
Most people probably think of mobile phones and computers when they hear the term digital forensics. In reality, however, today’s connected systems, often called the Internet of Things (IoT), make it possible to retrieve data from all sorts of objects, from smart lighting and thermostats to various types of motion sensors.
As a result, digital traces are playing an increasingly important role in criminal investigations. At the same time, they differ from traditional forensic evidence. Physical traces can be difficult to manipulate without leaving new traces, whereas digital information can, in some cases, be altered or erased.
“When it comes to digital traces, it’s a completely different matter. There, you can either falsify or erase evidence in ways that, in a worst-case scenario, are difficult to detect. However, it requires a considerable level of understanding to bypass a system and make yourself invisible. Most often, those who are unaware of how systems function will leave some form of digital trace that can be investigated,” says forensic specialist and industry-based doctoral student Johnny Bengtsson.
Connected buildings as a source of data
Through experiments, researchers have examined how sensor data can be used in forensic analysis – but also how such systems can be circumvented. For example, many sensors record data at intervals of several minutes, creating gaps in time.
“In this building, data is recorded once every ten minutes, I think. That may seem very slow, but it’s fast enough to manage a building. If you record at the level of seconds, you immediately see the effect, for example if carbon dioxide levels increase in a room.”
For example, if someone unauthorised is there?
“Yes, exactly, some kind of anomaly. But increasing the rate to one recording per second creates problems – it’s a huge amount of data to handle! And it’s not practically feasible in such systems.
At the same time, sensors can reveal a great deal. Temperature and carbon dioxide meters, for instance, can show how a fire has spread within a building and thus help reconstruct the sequence of events.
Collaboration and legal challenges
Simon Höckerbo
The research is conducted in collaboration between several partners. In addition to Linköping University and the Swedish National Forensic Centre, the project involves industry partners such as Sweco, Schneider Electric, Akademiska Hus and Sankt Kors.
These collaborations make it possible to test ideas in real-world environments and combine academic research with practical experience from criminal investigations and building systems.
“There are enormous amounts of data held by government agencies, property owners and telecom operators. But there is often no overall perspective on how the information could be used together in an investigation.”
At the same time, there are challenges. Legal issues relating to privacy and data sharing make it difficult to use information from different systems.
AI will play a greater role
In the future, artificial intelligence could play an important role in analysing sensor data. By training models on how people normally move within a building, systems can identify unusual behaviour.
For example, sensors and logs can show when people usually arrive at work, go for lunch or when premises are usually empty. If a system detects movement at unusual times, it may indicate that something is not as it should be.
“The technology already exists today. The challenge is rather to collect the right data and organise collaboration between all the actors who hold that information.”
Growing research area
Linköping University offers education in this field, including digital forensics as part of the Master’s Programme in Cybersecurity.
“The combination of practical cases and academic research is very valuable. Many research questions arise directly from real investigations, and the collaboration between the university and NFC allows us to examine them more systematically.”
