A Study on the Digital Forensic Investigation Method of Clever Malware in IoT Devices

As IoT devices are always connected to mobile devices or other computing devices via the Internet, clever malware targeting IoT devices, or other computing devices connected to them, is emerging. Therefore, effective IoT security research is needed to respond to hacking attacks by this kind of malware. This paper studied the method of identifying and analyzing malware combined with social engineering from the perspective of digital forensics. The paper classified and analyzed the characteristics of intelligent malware and proposed a method of quickly identifying and analyzing malware that has secretly intruded into devices running Android or Linux OS, using digital forensics techniques. Moreover, this paper proved its effectiveness by applying this investigation method to two actual malware cases. The research outcomes will be useful in responding to the increasingly clever malware attacking IoT devices.


I. INTRODUCTION
Many people today use computers and mobile devices such as smartphones, tablet PCs, smartwatches, smart cameras, navigation systems, and IoT devices such as smart TVs, AI speakers, robot vacuum cleaners, and various other home networking devices in their daily lives. Even electric cars like Tesla, which can be considered an IoT device, have recently been connected to the network. The number of IoT devices owned by individuals continues to increase; in fact, 13.6 IoT devices are expected to be owned per US citizen by 2022 [1].
As these various IoT devices are closely used in everyday life, various kinds of information are stored. In general, private information such as call history, messages, photos, and videos is stored in these embedded devices. Moreover, with the recent release of various health services and apps available on wearable devices, vital personal biometric information can also be stored.
In addition to this, the recent increase in telecommuting due to COVID-19 and the trend of Bring Your Own Device (BYOD) have led to a lot of work-related information being stored inside these devices. Therefore, there is a steady increase in malware attacking IoT devices, smartphones, and wearable devices [2], [3]. Since this malware is becoming more intelligent by combining social engineering techniques, research on the prevention of malware and incident response in the IoT environment is needed [4].
The associate editor coordinating the review of this manuscript and approving it for publication was Javier Lopez.
We studied incident response from a digital forensic perspective to effectively detect and analyze malware that uses various social engineering techniques; the target of the attacks was Android OS, which had the highest share of the global mobile operating system market (72.26%) [5] between 2019 and 2020. Intelligent malware that uses social engineering techniques generally has three characteristics that make incident response difficult. First, malware combines various social engineering techniques, such as phishing and smishing, to break into the device through various methods. Even after a successful intrusion, it continues to attack, for example through phishing and vishing, to steal the personal and financial information of the device users. Therefore, it is difficult for investigators to analyze when and by what route this malware broke into the device. Second, malware also disguises itself as benign or downloads and installs additional malware in the process of breaking into the device and attacking it. Moreover, it lures users into deleting the antivirus app, making it difficult for investigators to analyze which of the apps installed on the device are malware and which are benign. Third, malware mainly operates in the background and leaks users' private and financial information to a command and control server (C&C server) created by hackers to gather information from victims. Therefore, it is difficult to trace back the real hacker. Due to the characteristics above, the malware also leaves traces in file systems, system logs, and app logs when it is downloaded, installed, and operated on devices.
Therefore, by considering the characteristics of IoT malware combined with social engineering techniques, rather than relying only on the existing method of investigating app installation files, malware can be detected very effectively from a digital forensic perspective.
VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
To this end, we analyzed actual cases of incidents caused by malware that uses social engineering techniques and leaks various kinds of personal and financial information. As a result, we devised an investigation model for effective incident response from a digital forensic perspective. Our studies and contributions are as follows:
1) We propose the types of artifacts necessary for the investigation, such as file systems, system logs, app logs, etc., where traces of malware inevitably remain, including how to analyze them. In this way, we contribute by suggesting new types of files needed to investigate malware that have not been studied before, enabling efficient investigation.
2) We study how to analyze when and how malware penetrated the device by reversing the characteristics of the social engineering techniques that the malware can use. Because malware uses apps such as SMS, messenger, and web browser apps to penetrate devices, we contribute to finding out much information that is hard to obtain by analyzing the behavior of the malware's installation files alone.
3) We study how to analyze the traces and timing of the installation of malware after it infiltrates the device. Even if the malware was downloaded to the device, it must be installed to perform malicious acts, so it tricks users through phishing into installing it without their knowledge. Through our research, we can find out when and how users were tricked by the malware into allowing it to be installed.
4) We study the factors and analysis methods that must be investigated to analyze the malware's malicious behavior. The malware that first penetrates the device is often installed simply as a dropper and takes further steps to actually perform the malicious behavior. We propose a way to analyze these behaviors effectively.
5) We suggest how to analyze information on the C&C server to which the malware leaks stolen user information, and how to collect the information needed to trace back the hackers or hacker groups that created the malware. The results can contribute to analyzing the actual location of the hackers or hacker groups, when the malware was created, and so on.
The rest of this paper is organized as follows: Chapter 2 introduces the background and related research on IoT malware analysis; Chapter 3 proposes a useful investigation model for malware forensics investigation on IoT devices; Chapter 4 analyzes cases wherein incidents occurred due to malware combined with social engineering techniques from a digital forensic perspective; Chapter 5 is a discussion of our research; finally, Chapter 6 presents the conclusion and future work.

B. STUDIES ON MOBILE MALWARE ANALYSIS AND DETECTION: STATE-OF-THE-ART AND TRENDS
Since most IoT devices can use apps such as web browsers and messengers, the same malware methods used on smartphones can be applied to various IoT devices; hence the need to analyze existing mobile malware. Several studies have been conducted to analyze and classify the various phishing techniques that can occur on mobile devices [7]-[10], including those carried out to analyze and classify attacks using social engineering techniques [11]. Other studies have been conducted to cope with the growing damage caused by the prevalence of smishing malware. Some of them used a Naive Bayesian classifier to detect suspected smishing [12], [13]; another analyzed the characteristics of smishing messages and detected them using rule-based methods [14]. In addition, research was conducted to detect malware by analyzing the network traffic of apps [15] and by combining permission information and API calls [16].
Studies have been conducted to detect malware dynamically by applying taint analysis to Android malware [17]-[19]. Likewise, studies have been conducted to detect malware by analyzing the behavior of the app through data flow analysis [20]-[23]. There was also a study that comparatively analyzed the research results of the existing data flow analysis approaches [24].
In order to analyze malware more effectively, PACE, an integrated solution that provides machine learning-based Android malware detection technology using REST API, web interface, and ADB interface, has been proposed [25]. Moreover, to overcome the shortcomings of malware detection in Android emulators, studies were conducted on dynamic analysis using machine learning for malware detection on real devices [26], [27].
There have been studies that proposed a method of detecting malware by applying data mining techniques to signature-based and behavior-based detection [28]. There was also a malware detection study based on permission usage analysis, mining information on the permissions of Android apps [29]. In that study, Significant Permission Identification (SigPID) was developed. SigPID detects malware by mining permission information; as a result of the experiments, it effectively detects new malware. Moreover, there was a study that developed an engine called DroidDetector to improve malware detection through the effective extraction of malware characteristics, combining the features of static and dynamic analysis of Android apps with deep learning technology [30]. There was also a study proposing a mobile forensic platform that detects and analyzes Android malware, called the ToR-SIM Platform [31].

C. DIGITAL FORENSIC INVESTIGATION FOR INCIDENT RESPONSE
There was a study that classified and analyzed representative cyber-attacks that occurred in industrial control systems and presented an incident response model for this environment [32]. Another study, in order to investigate cyberattacks, proposed a digital forensics framework by applying detailed instructional steps in the data inspection and analysis stages and demonstrated this through a real-world example of D4I [33]. Moreover, studies have been conducted to detect threats automatically and respond effectively to cyber-attacks on cloud storage systems [34]. That study confirmed that its results could be used effectively in Amazon Web Services (AWS) and Google Cloud Platform (GCP). Studies have also suggested methods for detecting ransomware attacks and investigating them from a digital forensics perspective [35].
Research on malware in IoT devices from a digital forensic perspective has not been conducted much, however. As IoT devices are widely used in everyday life, research is needed to effectively investigate the malware that threatens them.

III. PROPOSED METHODOLOGY
In this chapter, we propose an investigation model, as shown in Figure 1, for an effective incident response that can detect, analyze, and track intelligent IoT malware combined with social engineering techniques from the perspective of a digital forensic investigation. Generally, people install and use numerous apps on IoT devices. In particular, on average, people in the United States, South Korea, and Japan install more than 100 apps and use 30 to 40 of them a month [36]. Therefore, it takes too much time to analyze all apps' behavior on IoT devices to detect malware.
For efficient incident response, we first analyze the file system information, system log, and specific app logs in which IoT malware inevitably leaves traces, and investigate whether malware is installed or not. We then analyze how the malware broke into the IoT device as well as its malicious behavior, including information on the malware. The proposed investigation model consists of five phases (PHASE 1, 2, 3-1, 3-2, 4), seven in detail, and the contents of each step are as follows:
1) PHASE 1. Preprocessing: This step involves selecting and extracting the files needed to analyze essential information for the investigation. In detail, these files correspond to Table 1.
• File containing the file system information of all files in the /sdcard area of the IoT device's flash memory: This file contains the file system metadata (filename, size, creation time, modification time, etc.) of all files in the /sdcard area. Malware that penetrates the device with social engineering techniques such as phishing and smishing inevitably has to download its installation files to the /sdcard area. Therefore, this file is required to analyze the presence of app installation files in the /sdcard area. For Android, this is the file corresponding to d1 in Table 1. If this file does not exist, the investigator can analyze the metadata of the file system instead, such as the inode table and directory entries of the EXT file system.
• Installation files of all apps inside the IoT device: These are the files corresponding to d2 in Table 1, among which the investigator selects and analyzes in detail the files suspected to be malicious.
• File containing the metadata of apps installed on the IoT device: This file corresponds to d3 in Table 1; for Android, it contains information such as the app's package name, app name, download time, installation time, last update time, and the account used for download on Google Play.
• File containing the execution history of the components of the apps installed on the IoT device: This file is equivalent to d4 in Table 1, containing information such as the last launch time, end time, background operation time, total launch count, and total usage time.
• Logs of all apps installed on the IoT device that can send and receive messages: These files correspond to d5 in Table 1. They include the users' history in SMS apps, social media apps such as Facebook or Instagram, and messenger apps such as Telegram, Naver Line, or Kakao Talk.
• Metadata area of the file system on the IoT device: This data corresponds to d6 in Table 1, e.g., the inode table and directory entries of the EXT file system.
• Logs of all apps installed on the IoT device for web browsing: These files correspond to d7 in Table 1, storing the history of apps that offer web browsing features such as Chrome, Samsung browser, and Naver browser.
2) PHASE 2. Malware detection: This step involves checking for the presence of malware inside the IoT device. Apps downloaded to IoT devices through smishing and APT attacks, without going through official app stores such as Google Play, leave the installation file of the app in the /sdcard area. Therefore, the investigator can quickly detect malware by checking for the existence of app installation files in the /sdcard area and then analyzing whether they are malicious.
In this process, the following additional files can be analyzed for malware detection. For detailed file system analysis, the metadata (d6: inode, directory entry, etc.) of the EXT4 file system and the Android system log (d1: external.db) can be analyzed. Likewise, for the detailed analysis of apps installed on the IoT device, the file containing installation and update times (d3: localappstate.db) as well as the file where the actions of the apps are stored (d4: dmapmgr.db) can be analyzed. By analyzing these files, investigators can determine when each app was installed and updated, and which Google Play accounts the users used to install each app.
3) PHASE 3-1. Analysis of the intrusion method: This step analyzes how the malware identified in PHASE 2 invaded the smartphone. If a text message containing a URL was received, the URL's web page was then accessed via a web browser or web view, and an app installation file (an apk file) was created in the /sdcard area, this can be analyzed as smishing malware. If the DNS server setting on the wireless router was tampered with and the app installation file was created in the /sdcard area after accessing a specific web page, this is phishing malware. This is discussed in more detail in the practical case in 4.2. As a result of this analysis, the investigator can find out how the malware intruded on the IoT device (e.g., the user clicked a malicious link included in an SMS message, or was automatically directed to a specific web page due to phishing) as well as its download method (e.g., drive-by download).
4) PHASE 3-2. Analysis of malware behavior: This step involves analyzing the behavior of the malware found in PHASE 2. For Android, tools such as JEB are used to analyze the executable files built from the Java language [37], and tools such as IDA Pro are used to analyze library files in the ELF file format [38]. Moreover, the AndroidManifest.xml file can be used effectively to analyze the app's permission and settings information.
5) PHASE 4. Trace C&C server and hacker: This step tracks where information was leaked to by the malware, and the analysis results of PHASE 3-2 can be used for it. This step allows investigators to find the information needed to track the hackers or hacker groups who created and used the malware. The investigator can obtain information about the C&C server by analyzing how the malware sends out information such as users' personal and financial information. In addition, analyzing the signature information of the app and the build information of the executable *.dex makes it possible to find out when the corresponding malware was created. If a large quantity of malware is collected, this information can also be used to group the malware.
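PHASE 2 and PHASE 3-1 are, in practice, a timeline correlation across the Table 1 artifacts: an apk appearing in /sdcard, an installation shortly afterwards that did not come through Google Play, and the browser visit and message that preceded the download. The following is an added example of that correlation, not the paper's code; it assumes d1, d3, d5 and d7 have already been exported from the image into simple records, and all sample records are constructed (the dates, package names and shortened link are placeholders, not the values of the real case).

```python
"""Timeline correlation for PHASE 2 (malware detection) and PHASE 3-1
(intrusion method) of the investigation model.

Added example, not the paper's code. It assumes the Table 1 artifacts have
already been exported from the image into simple records: d1 (/sdcard file
system metadata), d3 (installed-app metadata), d5 (message logs) and d7
(browser history). All records below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


@dataclass
class SdcardFile:      # d1: file system metadata of /sdcard (e.g. external.db)
    path: str
    created: datetime


@dataclass
class InstalledApp:    # d3: app metadata (e.g. localappstate.db)
    package: str
    installed: datetime
    from_play: bool    # True when the installer was Google Play


@dataclass
class Message:         # d5: SMS / messenger log
    received: datetime
    body: str


@dataclass
class Visit:           # d7: web browser history
    visited: datetime
    url: str


URL_RE = re.compile(r"https?://\S+|(?:bit\.ly|goo\.gl)/\S+", re.I)


def _norm(url: str) -> str:
    """Compare links without scheme, case or trailing punctuation."""
    return re.sub(r"^https?://", "", url.strip().rstrip(".,;'\")").lower())


def sideloaded_apks(d1: List[SdcardFile], d3: List[InstalledApp],
                    window: timedelta = timedelta(hours=1)) -> List[Tuple[SdcardFile, InstalledApp]]:
    """PHASE 2: .apk files created in /sdcard that were followed, within
    `window`, by an installation that did not come through Google Play."""
    hits = []
    for f in d1:
        if not f.path.lower().endswith(".apk"):
            continue
        for app in d3:
            if not app.from_play and f.created <= app.installed <= f.created + window:
                hits.append((f, app))
    return hits


def classify_intrusion(apk: SdcardFile, d5: List[Message], d7: List[Visit],
                       lookback: timedelta = timedelta(hours=24)) -> Dict[str, object]:
    """PHASE 3-1: infer how the file reached /sdcard from the logs that
    precede its creation time.
      smishing - the last page visited before the download is a link that
                 arrived in a message beforehand
      phishing - a page was visited just before the download but no message
                 carried the link (e.g. a redirect via a tampered DNS server)
      unknown  - no browser activity inside the lookback window
    """
    visits = [v for v in d7 if apk.created - lookback <= v.visited <= apk.created]
    if not visits:
        return {"method": "unknown", "evidence": None}
    last = max(visits, key=lambda v: v.visited)
    for m in sorted(d5, key=lambda m: m.received):
        if m.received > last.visited:
            break
        for link in URL_RE.findall(m.body):
            if _norm(link) == _norm(last.url):
                return {"method": "smishing",
                        "evidence": {"message": m.received, "link": link, "visit": last.visited}}
    return {"method": "phishing", "evidence": {"visit": last.visited, "url": last.url}}


# --- constructed sample artifacts, modelled on the smishing case (placeholder values) ---
D1 = [SdcardFile("/sdcard/DCIM/IMG_0001.jpg", ts("2020-12-13 18:00:00")),
      SdcardFile("/sdcard/Download/SPAp.apk", ts("2020-12-14 00:13:59"))]
D3 = [InstalledApp("com.example.sbank", ts("2020-12-01 10:00:00"), True),
      InstalledApp("com.example.spap", ts("2020-12-14 00:15:02"), False)]
D5 = [Message(ts("2020-12-13 21:58:19"), "The prosecution: Report of suspects bit.ly/xxxxxxx")]
D7 = [Visit(ts("2020-12-14 00:13:11"), "http://bit.ly/xxxxxxx")]


def run_example() -> List[Tuple[str, str, str]]:
    """Return (apk path, package, intrusion method) for each suspect file."""
    return [(f.path, app.package, classify_intrusion(f, D5, D7)["method"])
            for f, app in sideloaded_apks(D1, D3)]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```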

IV. EXPERIMENTAL RESULTS
In this chapter, we carry out incident response from a digital forensic perspective in two cases wherein an incident occurred due to malware combined with social engineering techniques. These are actual cases in which we were asked to conduct the forensic investigation. The two types of cases are the combination of smishing and vishing, and the combination of phishing and an APT attack. In particular, in the second case the hacker first attacked the wireless router in the victim's home in order to attack the victim's smartphone, and then planted the malware on the smartphone through phishing. In an interview with us, A said that the iPhone 6 purchased on December 15 had been hacked, and that the hacking incident may have occurred through the financial information that leaked from the phone and the personal information leaked through voice phishing.
The evidence and request for analysis submitted by victim A are as follows:
• E1: Apple iPhone 6 (iOS version 8.1.2). Analyze whether there is a function that requires entering the entire number of the security card in the S Bank app, and whether there is malware.

1) FORENSIC INVESTIGATION FOR iPhone 6
Victim A thought that the malware was installed on E1 (iPhone 6), so we first collected data to analyze E1. It does not matter if the integrity of the iPhone 6 is compromised, because the evidence in this case is not submitted to court. Therefore, we used the jailbreaking technique to carry out data acquisition. We jailbroke E1 using Taig, with consent from A, to collect data from E1 [39]. After that, the installation file (ipa) of the S Bank app was decrypted using Clutch [30]. We then extracted the installation file (ipa) of the S-Bank app from E1 using iTools [41] and reverse-engineered the installation file using IDA Pro. As a result of analyzing E1, the S-Bank app on E1 was found to be a normal app with a function that requires the user to enter the full number of the bank security card. Therefore, we decided that E1 contains no malware.

2) FORENSIC INVESTIGATION FOR GALAXY S3
We acquired data to analyze the Android smartphone E2 as the second step. We imaged the flash memory of E2 using Android Extractor, with consent from A, to acquire data from E2. After that, we extracted the data corresponding to Table 1 and analyzed the data in the following five steps.
i) Search for recently installed apps: We analyzed the existence of app installation files recently downloaded to the /sdcard area through d1 and d6 to find traces of the malware installed on E2. Furthermore, we analyzed the types and information of recently installed and executed apps through d3 and d4. As a result of the analysis, the app installation files SPAp.apk (13 December), gms.apk, and V3Plus.apk (14 December) were found to have been downloaded to E2, installed, and executed. Moreover, we found that these apps were downloaded from outside, not from Google Play, and were created and installed in /sdcard. We found these three files on E2 and selected them as potential malware.
ii) Trace how suspicious apps were downloaded and installed: At the time A asked us to investigate this incident, there were many incidents of smishing malware in our country, so we first analyzed d5 to investigate whether there were any text messages containing URLs since December 13. As a result, we found that on December 13 at 21:58:19 the SMS ''The prosecution: Report of suspects bit.ly/13jc0ms'' was received on E2, and we analyzed it because we were suspicious of the shortened URL. We analyzed d2, d3, and d4 to find out which web browser app A was using to access this URL. As a result, we found that Naver's web browser was used as the web browser app. Therefore, we selected the log of this app as d7. Through d7, we found that A accessed ''bit.ly/13jc0ms (original URL: http://ukk.zspoea.com/search.asp?id=98746)'' included in the SMS on December 14 at 00:13:11. As a result, on December 14 at 00:13:59, SPAp.apk, a malware installation file, was downloaded from that web page to the /sdcard area of E2 through the drive-by download method.
iii) Analysis of suspicious apps (1/3): We reverse-engineered the installation files of the suspicious apps using JEB to analyze them in detail. SPAp.apk is malware disguised as an app for searching for incidents at the prosecutor's office, using image files as in Figure 2(a). When the app is launched, a message as shown in Figure 2(b) informs the user that a ''new version of the app has been released'' and that the user ''needs to update the Google Play service for this.'' After that, it shows the user the image in Figure 2(c) and installs gms.apk, another malware installation file, which exists at the ''/res/raw/gms'' path inside the installation file of this app.
iv) Analysis of suspicious apps (2/3): gms.apk is the installation file of an app that impersonates Google Play services; it is installed and executed from SPAp.apk. When this app is executed, it uses image files such as Figure 2(c) and Figure 3(a) to deceive the user. In addition, through the phrases in Figure 3(b), the user is informed that ''the new version of AhnLab V3 Mobile PLUS 2.0 vaccine (see footnote 1) must be updated to use the Google Play service.'' After that, the malware downloads, installs, and runs the V3Plus.apk file from the web server.
v) Analysis of suspicious apps (3/3): V3Plus.apk is the malware installation file that performs the actual malicious actions to steal users' financial information. Since this malware contains image files to disguise itself as various types of financial apps, it checks the types of financial apps installed on the user's smartphone and then disguises itself by displaying the same screen as the financial apps installed on the smartphone. Since the S-Bank app was installed on E2, this malware disguised itself as the S-Bank app. The malware requests the user to input the official certificate login password, account number, account password, security card number, transfer password, etc. through the phrases in Figure 4(b) and Figure 4(c). In addition, the malware compresses the accredited certificate (/sdcard/NPKI/*) existing in the /sdcard area of the smartphone into a file named after the smartphone's device ID. Finally, the malware sends the financial information entered by the user and the compressed accredited certificate file to the C&C server. Below is the information on the C&C server that we analyzed.
Through the analysis results of E1 and E2, we found that A him/herself leaked personal information through voice phishing and that, on E2, the malware was installed through a smishing attack and various kinds of financial information were leaked through it. Table 2 shows the overall attack contents in chronological order.
Footnote 1: AhnLab, a Korean antivirus company, has developed the V3 Mobile PLUS product, which occupies the largest share in Korea [42]. Most of Samsung's Android smartphones released in Korea have AhnLab's V3 Mobile PLUS vaccine installed.

B. MALWARE OF PHISHING & APT-ATTACKS
This is a case wherein hacker H installed malware on victim B's smartphone to steal financial and personal information such as the accredited certificate, resident registration number, etc., and used this information to transact on a game item trading site in B's name. In order to plant the malware on B's smartphone, H first used APT attack techniques, such as tampering with the DNS server setting by taking control of the wireless router installed in B's house. B asked us to analyze whether malware existed on his/her smartphone and, if so, when, where, and how it had invaded the smartphone and what malicious acts it had done. Here is what B explained about the case in an interview with us: B received an SMS related to i-PIN authentication on June 10, 2018, even though he/she had not applied for the issuance of an i-PIN. A few days later, B suspected that his/her personal information might have been stolen and searched for websites that had been signed up for in his/her name. As a result, B discovered a subscription to a game item trading site that he/she had not signed up for and found out that someone had traded an item under his/her name. B said his/her smartphone seemed to have been infected with malicious code before June 10.
We first suspected a smishing incident and asked B whether he/she had ever accessed a URL received via SMS, but B said he/she had not. Therefore, we requested that the wireless router used by B at home be submitted for analysis so that we could accurately analyze the path of infiltration by the malware. The evidence and request for analysis submitted by B are as follows:
We acquired data to analyze the Android smartphone E1. We imaged the flash memory of E1 using Android Extractor, with consent from B, to acquire data from E1. After that, we extracted the data corresponding to Table 1 and analyzed the data in the following three steps.
i) Search for recently installed apps: In order to find traces of malware installed on E1, we analyzed the existence of recently downloaded app installation files in the /sdcard area through d1 and d6. After that, the types and information of recently installed and executed apps were analyzed through d3 and d4. As a result, as shown in Table 3, we found that a total of 31 files suspected of being malware installation files existed in the /sdcard area, and that only f9 of these files was installed on E1. Moreover, these app installation files change their MD5 hash value and package name at regular intervals. We judged that this was intended to evade detection by antivirus engines that detect malware based on blacklists.
ii) Trace how suspicious apps were downloaded and installed: We analyzed the SMS and web browser usage history of E1 to analyze the download source of each file in Table 3 and sorted them by timeline. After that, we analyzed the web pages accessed via SMS, or which B received, before and after the creation time of each file. Nonetheless, we could not find any traces of SMS reception or of suspicious web pages containing shortened URLs, as used in general smishing. We could only find out why the files in Table 3 were downloaded to E1 after analyzing E2. This is explained in detail later.
iii) Analysis of suspicious apps: We performed reverse engineering using JEB to analyze the installation files of the suspicious apps in detail. As a result, it was found that all the apps differ only in signature value and package name, and that their internal functions are the same. We analyzed in detail f9 of Table 3, 28939WFFJ.apk. This is malware disguised as the Google Chrome web browser app, and apkprotect is applied to prevent reverse analysis; it acquires device administrator privileges during installation and hides its icon so that the user cannot recognize it. When this malware is executed, it shows images like Figure 5(a) and Figure 5(b) to the user and tricks the user into believing that V3 Mobile PLUS is working. After that, the malware, disguised as the antivirus app installed on E1, tricks the user by instructing him/her to delete the antivirus app. The list of antivirus apps to be deleted is encoded and stored in the Config.xml file inside the app. Decoding this list shows that it is a list for deleting antivirus apps from various countries, as shown below. The malware disguised as the Chrome app removes the antivirus apps installed on the smartphone; when the user accesses Naver, a fake screen is displayed to induce the user to enter personal information such as name and resident registration number. After that, the malware compresses the public certificate files (/sdcard/NPKI/*) existing in the /sdcard area, as shown in Figure 6, and sends them all to the C&C server (IP address: 126.85.173.157, Location: Japan).
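The 31 files in Table 3 defeat blacklist matching because every re-signed copy has a new whole-file MD5 and package name, while the code inside is unchanged. A digest that skips the signing files under META-INF/ and masks the manifest's package attribute groups such variants into one family, which is the grouping step PHASE 4 describes. The following is an added example, not the paper's code; it builds constructed in-memory APK-shaped zip files and assumes AndroidManifest.xml has already been decoded to plain XML text (e.g. with apktool), since a real APK stores the manifest as binary XML. The file names other than 28939WFFJ.apk and all package names are placeholders.

```python
"""Group re-signed APK variants by a signature-independent content digest.

Added example, not the paper's code. It assumes AndroidManifest.xml has already
been decoded to plain XML text (a real APK stores it as binary XML), so that
the package attribute can be masked with a regular expression.
"""
import hashlib
import io
import re
import zipfile
from typing import Dict, List

PKG_RE = re.compile(rb'package="[^"]*"')


def payload_digest(apk_bytes: bytes) -> str:
    """SHA-256 over every zip entry except the signing files under META-INF/,
    with the manifest's package name masked. Variants that differ only in
    certificate and package name therefore share one digest."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in sorted(z.namelist()):
            if name.startswith("META-INF/"):
                continue  # CERT.RSA / CERT.SF / MANIFEST.MF change on every re-sign
            data = z.read(name)
            if name == "AndroidManifest.xml":
                data = PKG_RE.sub(b'package="*"', data)
            # entry name and length are mixed in so that moving bytes between
            # entries cannot yield the same digest
            h.update(f"{name}\0{len(data)}\0".encode())
            h.update(data)
    return h.hexdigest()


def group_variants(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map payload digest -> sorted list of file names sharing that payload."""
    groups: Dict[str, List[str]] = {}
    for fname, data in samples.items():
        groups.setdefault(payload_digest(data), []).append(fname)
    return {d: sorted(names) for d, names in groups.items()}


def whole_file_md5s(samples: Dict[str, bytes]) -> Dict[str, str]:
    """The blacklist view: MD5 of each complete file, which the attacker
    changes at will by re-signing or renaming the package."""
    return {fname: hashlib.md5(data).hexdigest() for fname, data in samples.items()}


def build_apk(package: str, cert: bytes, dex: bytes) -> bytes:
    """Constructed fixture: a minimal APK-shaped zip, not an installable app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", f'<manifest package="{package}"/>')
        z.writestr("classes.dex", dex)
        z.writestr("res/raw/config.xml", "<config>ENCODED_AV_LIST_PLACEHOLDER</config>")
        z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()


def sample_set() -> Dict[str, bytes]:
    """Constructed samples: three re-signed copies of one payload plus one
    unrelated app with different code."""
    family_dex = b"dex\n035\0" + b"fake-chrome-payload" * 64
    other_dex = b"dex\n035\0" + b"unrelated-app-code" * 64
    return {
        "28939WFFJ.apk": build_apk("com.example.variant1", b"cert-1", family_dex),
        "7A1KQ2MZ.apk": build_apk("com.example.variant2", b"cert-2", family_dex),
        "QQ91LP0C.apk": build_apk("com.example.variant3", b"cert-3", family_dex),
        "notes.apk": build_apk("com.example.notes", b"cert-4", other_dex),
    }


if __name__ == "__main__":
    samples = sample_set()
    for digest, names in group_variants(samples).items():
        print(digest[:16], names)
    for name, md5 in whole_file_md5s(samples).items():
        print(name, md5)
```

Against a real sample set the same digest also works as the grouping key for the C&C and build information collected in PHASE 4, so that one family is investigated once rather than 31 times.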

2) FORENSIC INVESTIGATION FOR EFM IPTIME N6004 (WIRELESS ROUTER)
We analyzed E2, which is a wireless router, to analyze the inflow path of the installation files of the malware that entered E1. We imaged its flash memory through the JTAG interface. Then, using binwalk [43], the kernel and RAM disk areas were separated from the firmware and analyzed. As a result, no malware was found in the kernel and RAM disk areas, but it was found that the login ID was ''admin'', the password was ''admin'', and the system DNS servers had been manually set to the following addresses:
• Main DNS Server: 174.139.145.214 (USA)
• Sub DNS Server: 168.126.63.1
H took advantage of E2's weak authentication security, first seized B's E2, and tampered with the DNS server setting, which forced B to access the fake web page H wanted whenever B used the Internet through the wireless router. Furthermore, the fake web page forced E1 to download the malware installation files. B installed the malware by mistaking the installation file downloaded to E1 for a normal Chrome web browser, and this malware led to the removal of all antivirus apps installed on E1 using device administrator privileges. After that, the malware stole personal information by having B enter his/her name and resident registration number when accessing the Naver portal website, compressing the accredited certificate installed on E1, and leaking it to the C&C server. H registered at the game item trading site using B's personal information and accredited certificate information, etc.; in the process, B received the SMS related to the i-PIN authentication sent by the item trading site. Table 4 shows the overall attack contents in chronological order.

V. DISCUSSION
Most of the existing malware detection and analysis studies only target app installation files. Therefore, it takes too much time to perform a static or dynamic analysis on all files or executable files present on the device. We proposed a model of investigation in digital forensics to detect and analyze IoT malware quickly and effectively. Unlike conventional methods, our model makes it possible to identify suspected malware without analyzing all executable files by analyzing file system metadata, operating system logs, application logs, etc. This will be useful for hacking incidents that require quick incident response and recovery.
It is also essential to determine when and how malware broke into the device in a hacking incident investigation. Considering the characteristics of malware, our model can analyze the timing and method of penetration of skillful malware using social engineering methods by comprehensively analyzing text messages, web browser logs, and the creation time of app installation files from a digital forensic perspective.
Besides, recent malware relies heavily on droppers and uses clever methods to induce users to delete antivirus (vaccine) apps during the hacking process. We presented how to analyze this kind of malware through real-world case analysis.
Finally, hackers typically recycle existing code when developing malware. Therefore, we proposed a method of collecting information, through reverse engineering of executables, to track and group hacker groups by the similarity of their logic, the hash values of essential libraries, executable file information, C&C server information, and similar indicators.
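The grouping step described above, as an added example that is not the paper's method: each sample is turned into a set of indicators recovered by reverse engineering (library hashes, C&C hosts, recognisable function names, signing certificate), pairs are compared with the Jaccard index, and samples above a similarity threshold are merged into one group with union-find. The three samples, their library bytes, C&C hostnames and the 0.4 threshold are constructed for this illustration.

```python
import hashlib


def lib_hash(blob):
    """SHA-256 of a library's bytes; the blobs below are constructed stand-ins."""
    return hashlib.sha256(blob).hexdigest()


# Constructed indicator records for three samples (not real malware data).
SAMPLES = [
    {"name": "sample-A",
     "lib_hashes": {lib_hash(b"libnative-stealer-v1"), lib_hash(b"libcrypt-v3")},
     "c2": {"c2.one.invalid"},
     "functions": {"stealCert", "killAv", "sendSms"},
     "signer_sha1": "SIGNER-1"},
    {"name": "sample-B",
     "lib_hashes": {lib_hash(b"libnative-stealer-v1"), lib_hash(b"libcrypt-v3")},
     "c2": {"c2.two.invalid"},
     "functions": {"stealCert", "killAv", "dumpContacts"},
     "signer_sha1": "SIGNER-1"},
    {"name": "sample-C",
     "lib_hashes": {lib_hash(b"libminer-v9")},
     "c2": {"c2.three.invalid"},
     "functions": {"mineCoins", "killAv"},
     "signer_sha1": "SIGNER-7"},
]


def feature_set(sample):
    """Flatten one sample's indicators into a set of namespaced strings."""
    feats = {"lib:" + h for h in sample["lib_hashes"]}
    feats |= {"c2:" + d for d in sample["c2"]}
    feats |= {"fn:" + f for f in sample["functions"]}
    feats.add("cert:" + sample["signer_sha1"])
    return feats


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def shared_indicators(s1, s2):
    """Indicators two samples have in common, i.e. the tracking evidence."""
    return sorted(feature_set(s1) & feature_set(s2))


def cluster(samples, threshold=0.4):
    """Single-linkage grouping: samples are joined when any pair scores >= threshold."""
    names = [s["name"] for s in samples]
    feats = {s["name"]: feature_set(s) for s in samples}
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(feats[a], feats[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print("group:", group)
    print("A/B share:", shared_indicators(SAMPLES[0], SAMPLES[1]))
```

Samples A and B share both native libraries, two function names and the signing certificate (5 of 9 distinct indicators, Jaccard 0.56) and end up in one group even though their C&C hosts differ; sample C only shares the `killAv` routine and stays separate. Namespacing the indicators keeps a library hash from colliding with a hostname, and the intersection returned by `shared_indicators` is what an investigator would record as the link between the two cases.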
Our findings are expected to contribute to the efficient detection and analysis of malware that applies social engineering techniques, which has become frequent on IoT devices and a major issue today, and to the detailed analysis of its malicious behavior.

VI. CONCLUSION AND FUTURE WORK
Personal information such as call history, message records, web browser usage records, photos, financial information, and business-related information is stored in IoT devices.
Future wearable devices are also expected to store biometric information such as blood pressure, heart rate, and electrocardiogram. As these IoT devices increase, the number of malware stealing various kinds of information inside the devices is also increasing. Thus, there is an increasing need for a study on IoT devices' incident response from a digital forensic perspective.
We analyzed IoT devices running Android, iOS, and Linux OS software that were involved in actual infringement incidents caused by malware combined with social engineering techniques. As a result, we found out when and how this clever malware broke into the devices and what malicious behavior it performed, and we analyzed information that could be used to track down the hackers.
Furthermore, from the analysis results, we created a digital forensics investigation model for effective incident response to infringement incidents caused by malware on IoT devices. The model detects malware quickly by using malware characteristics to screen, from the many files on an IoT device, the artifacts that must be analyzed, and then analyzing those artifacts.
We focused on Android because many IoT devices now adopt the Android OS software. As more diverse IoT devices are expected to be released in the future, research on malware detection will also be needed for IoT devices running other OS software such as Tizen, WebOS, and ROS.

YI PAN (Senior Member, IEEE) received the B.Eng. and M.Eng. degrees in computer engineering from Tsinghua University, China, in 1982 and 1984, respectively, and the Ph.D. degree in computer science from the University of Pittsburgh, Pittsburgh, in 1991. He is the Chair and a Professor with the Department of Computer Science and a Professor with the Department of Computer Information Systems, Georgia State University, Atlanta. His research interests include parallel and distributed computing, networks, and bioinformatics. He has published more than 100 journal articles with 38 articles published in various IEEE journals. In addition, he has published more than 100 papers in refereed conferences. He has also authored/edited 34 books (including proceedings) and contributed many book chapters. He has organized several international conferences and workshops and has also served as a program committee member for several major international conferences, such as BIBE, BIBM, ISBRA, INFOCOM, GLOBECOM, ICC, IPDPS, and ICPP. He has delivered more than ten keynote speeches at many international conferences and is a speaker for several distinguished speaker series. He is listed in Men of Achievement, Who's Who in Midwest, Who's Who in America, Who's Who in American Education, Who's Who in Computational Science and Engineering, and Who's Who of Asian Americans. He has served as the editor-in-chief or an editorial board member of 15 journals, including six IEEE TRANSACTIONS, and a guest editor for ten journals, including the IEEE/ACM TRANSACTIONS ON

He has published about 200 research papers in international journals and conferences.
His research interests include the IoT, human-centric ubiquitous computing, information security, digital forensics, vehicular cloud computing, and multimedia computing. He is a member of the IEEE Computer Society, KIPS, and KMMS. He received the best paper awards from the ISA-08 and ITCS-11 conferences and the outstanding leadership awards from IEEE HPCC-09, ICA3PP-10, IEEE ISPA-11, PDCAT-11, and IEEE AINA-15. He also received the outstanding research award from SeoulTech in 2014. He has been serving as the chair, program committee member, and organizing committee chair for many international conferences and workshops. He is the steering chair of the international conferences MUE, FutureTech, CSA, CUTE, UCAWSN, and World IT Congress-Jeju. He is the Editor-in-Chief of Human-centric Computing and Information Sciences (HCIS) (Springer), The Journal of Information Processing Systems (JIPS) (KIPS), and the Journal of Convergence (JoC) (KIPS CSWRG). He is an associate editor/editor of 14 international journals, including JoS, JNCA, SCN, and CJ. In addition, he has been serving as a guest editor for international journals from several publishers: Springer, Elsevier, Wiley, Oxford University Press, Emerald, Inderscience, and MDPI.