Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave transceiver

Bibliographic Details
Published in: Digital investigation 2016-06, Vol.17, p.14-27
Main Authors: Badenhop, Christopher W.; Ramsey, Benjamin W.; Mullins, Barry E.; Mailloux, Logan O.
Format: Article
Language: English
Description
Summary: Z-Wave is an implementation of home automation, under the broad category of Internet of Things (IoT). To date, the ability to perform forensic investigations on Z-Wave devices has largely been ignored; however, the placement of these devices in homes and industrial facilities makes them valuable assets for the investigation of criminal and adversarial actors. Z-Wave devices consist of sensors and actuators, which can be connected to the Internet via a gateway. Therefore, their memory contents may contain sensor reports of criminal activity or, more indirectly, provide evidence that the devices have been manipulated to achieve physical or cyber access. This paper provides details on extracting and programming the Flash and EEPROM memory of the ZW0301, which is a common Z-Wave transceiver module found on many Z-Wave devices. Specifically, the memory usage is characterized and several artifacts are identified. The feasibility of conducting a firmware modification attack on the ZW0301 is also explored. The results of this work identify several data structures including the node protocol information table and node adjacency table. The compiler and coding language used for the firmware image are also fingerprinted.
ISSN: 1742-2876, 1873-202X
DOI: 10.1016/j.diin.2016.02.002