ON INFORMATICS

The increasing utilization of IoT technology in various fields creates opportunities and risks for investigating all cybercrimes. At the same time, many research studies have concentrated on security and forensic investigations to collect digital evidence on IoT devices. However, until now, the IoT platform has not fully evolved to adjust the tools, methods, and procedures of IoT forensic investigations. The main reasons, for investigators, are the characteristics and infrastructure of IoT devices: for example, variations in the number of devices, heterogeneity, the distribution of protocols used, data duplication, complexity, limited memory, etc. As a result, it is a tough challenge to identify, collect, examine, analyze, and present potential IoT digital evidence for forensic investigative processes effectively and efficiently. Indeed, there is no fully used and adapted international standard for the perfect IoT forensic investigation framework. In the research method, a literature review has been carried out by collecting previous research studies that have contributed to facing these challenges. To maintain the quality of the literature review, research questions (RQ) were posed for all studies related to the IoT forensic investigation framework between 2015-2022. The research results highlight and provide a comprehensive overview of the twenty current IoT forensic investigation frameworks that have been proposed. Then, a summary of contributions is presented, focusing on the latest research, grouping the forensic phases, and evaluating essential frameworks in the IoT forensic investigation process to obtain digital evidence. Finally, open research issues are presented for further research in developing IoT forensic investigative frameworks.


I. INTRODUCTION
The Internet of Things (IoT) is an architecture that connects many smart devices in today's modern global network system [1], [2], [3]. Thousands of devices are connected to the internet daily to exchange information [4]. IoT technology is implemented in various fields and locations, such as smart cities, smart homes, manufacturing, healthcare, education, etc. Basically, IoT is a set of tiny devices with very limited data storage and processing power, including reliability, performance, protection, and privacy [5]. IoT has also become one of the fastest-growing innovations in the world with the introduction of new applications that enable people to exchange and synchronize information across various IoT platforms and devices. The Internet of Things (IoT), with technology that is continuously updated, developing very rapidly, and used extensively in a wide variety of fields, is a daily necessity and cannot be separated from human life today [6].
By 2021, Gartner estimates that around 20.4 billion IoT devices can be integrated. According to estimates by the International Data Corporation (IDC), by 2022 devices will have exceeded $1.2 trillion. Following the massive and growing development of IoT devices, new security challenges must now be faced as cybercrime on these networks continues to increase. IoT has penetrated our daily lives, making us increasingly dependent on various types of intelligent IoT networks and activities to track other IoT devices. The diverse digital footprint archives on IoT devices provide information on a person's daily activities [7], [8].
One of the reasons for the difficulty of defending against a variety of remarkably diverse cyberattacks is the lack of standardization used in the design of IoT devices [4]. This has an impact on the interaction of various protocols in IoT applications, which increases complexity and heterogeneity while storage capacity and processing performance remain very limited [9], [10], [11]. Given these IoT characteristics, investigators must develop forensic investigation frameworks that track, detect, and collect digital evidence on IoT networks effectively and efficiently [12].
Although many forensic investigation frameworks have been developed to address the complex characteristics of the IoT forensic process, many unresolved challenges still exist [13], [14]. For example, major innovations have been made with the IoT forensic investigation framework and the DFIF-IoT framework [15], [16] in finding solutions for collecting digital evidence in IoT forensic investigation, evidence preservation, chain-of-custody, and reporting stages in the process of investigating cybercrime incidents. However, the very limited computational capabilities of IoT devices in data processing and storage present complex and unique challenges in the forensic investigation process [17]. Investigators are therefore required to develop a forensic investigation process specifically for IoT by utilizing and developing the techniques and methods used in obtaining digital evidence from various IoT devices.
On the other hand, some studies with experimentally tested models are specific to certain scenarios, meaning they cannot be used for IoT forensic investigation processes in general [18]. As a comparison, the information shows that the paradigm in IoT forensic investigations is related to implementing digital forensic domains like smart homes, smart health, intelligent vehicles, smart wearables, smart cities, etc. [19], [20]. The three layers of IoT forensic investigations are cloud, network, and device [21]. Forensic investigation techniques for securing digital evidence include Collection, Examination, Analysis, and Reporting. However, the limitations of the IoT forensic investigative research framework include computing resources. In most cases, smart devices and IoT product architectures are cloud-based. Forensic data storage in IoT devices still provides insufficient space and low data processing speed.
In general, the complexity of IoT systems with different standards and the limited computing resources of IoT devices hinder the forensic investigation process, which then requires a lot of time for analysis [22]. This results in a slow and difficult forensic examination process, especially when collecting data from the cloud, which can be stored in scattered locations. In addition, in many cases, smart devices and IoT product architectures are cloud-based, so with the massive emergence of IoT products that use cloud computing platforms [23], [24], it is necessary to find solutions that can help the forensic investigation process proceed quickly.
Based on these issues, this research contributes to describing and identifying gaps in the development of the current IoT forensic investigation framework, which is constantly developing. This research finds and discusses the existing IoT forensic framework, analyzes the core and essential phases of the framework, and evaluates the forensic investigation phases process. Finally, several further open research opportunities were found in developing the IoT forensic investigation framework so that the forensic investigation process in complex and heterogeneous IoT environments can be carried out effectively and efficiently.
There are four sections below, which are arranged as follows. First, the introduction section. Second, the methodology section. Third, the results and findings section, which includes recent studies on forensic investigation frameworks on IoT and the open research problem section. Fourth, the section that discusses the conclusions of the research.

II. MATERIALS AND METHOD
A literature review was carried out in this research and is expected to identify previous research studies whose contributions help to face further challenges in subsequent research [25], [26]. To maintain the quality of the literature review, research questions (RQ) were posed for all studies related to the IoT forensic investigative framework between 2015-2022. Table I below summarizes the research questions and motivations discussed in this literature review.

RQ1
Motivation: To investigate and analyze state-of-the-art contributions from the IoT forensic investigative framework.

RQ2
Research question: What are the critical processes or phases of the IoT framework forensic investigation?
Motivation: To identify critical phases within the IoT forensic investigation framework.

RQ3
Research question: How to evaluate existing processes from the phases of the IoT forensic investigation framework?
Motivation: To identify the process of evaluation phases of an existing IoT forensic investigation framework that can be developed.

RQ4
Research question: What is the open research focus for the IoT forensic investigation framework?
Motivation: To identify open research on the development of the IoT forensic investigation framework.

A list of literature research studies can be found by generating sophisticated search strings and running them against library databases of reputable journals or conference proceedings. Search terms can be combined using the Boolean operators AND and OR. However, the search terms must be defined first before formulating the search string. Based on the research questions, the search terms can be defined as shown in Table II. After the search terms are determined, the search string is formulated as follows:

("internet-of-things" OR "internet of things" OR IoT) AND (forensic OR "forensic investigation" OR "digital evidence") AND (framework OR model OR procedure OR process)

The search string above is applied in each reputable journal literature database and conference proceedings, combined with a publication time limited to 2015-2022. String searches are performed on online journal databases. From these outcomes, the keywords found in the titles are scanned to separate irrelevant articles. Search engines analyzed abstracts and full-text readings using inclusion and exclusion criteria to refine the findings further. The elimination step removes publications that are not peer-reviewed, as well as low-quality papers that appear to lack a scientific foundation. The inclusion criteria are online journal publications between 2015 and 2022 and research in the field of IoT forensic investigation frameworks. A further exception, made to improve the results, was applied to non-English articles. Figure 2 below illustrates a flowchart explaining the applied search process. Table III reports the publication search results obtained from the five journal databases used, according to the exclusion and inclusion criteria accepted in this paper.
Moreover, shows the distribution of research articles over time based on the evaluation process of scientific publishers such as ACM Library, IEEE, Science Direct, Springer Link, and Wiley Library. For database classification, the papers produced use and refer to the online databases according to Table III below.

A. RQ1: Current IoT Forensic Investigation Frameworks
Previous research has created IoT forensic investigation frameworks. Table IV summarizes several previous studies that discuss the IoT forensic investigation framework. There are many challenges to IoT forensic investigations that are ideally suited to complex and heterogeneous IoT environments [27], [28]. On the other hand, there is much digital evidence contained in IoT, but the problems faced are the small device storage memory and data detection in a distributed environment from devices infected by attacks [29]. The current findings of IoT forensic investigations are summarized in this section, and the resulting framework can be used by digital investigators and digital forensic experts in uncovering cybercrime cases in the IoT environment. Several researchers have developed complex IoT forensic investigation frameworks, but these still need development to be effective and ready for collecting digital evidence from IoT devices.
As a case example, Oriwoh et al. [30] and Atlam et al. [31] present IoT-based fraud committed by attackers. First, scenarios classify potential digital evidence through the IoT environment. After that, the researchers created three zones: Zone 1 is defined as the area around the network, Zone 2 covers the network and hardware area, and Zone 3 covers software and hardware outside the corporate network. The researchers divided the attack area into three parts to facilitate and speed up the investigation.
Perumal et al. [32] established a top-down approach to IoT forensic investigations. An IoT forensic investigation starts with planning and authorization by integrating machine-to-machine (M2M) with connectivity and integrated 1-2-3 zones. At the same time, this paper explores a complete model for IoT forensic investigations that depends on identification without interacting with evaluation and other procedures. Furthermore, Kebande and Ray [15] have suggested a framework for investigating cybercrimes against IoT that functions as Digital Forensic Preparedness (DFR) in preparing and planning to deal with cybercrimes against IoT in the future. The authors claim the current incident response scheme complies with ISO/IEC 27043:2015.
Rahman et al. [33] also outline the value of forensic investigation readiness and recommend a forensic process design concept for cyber-physical cloud systems (CPCS) based on ISO/IEC 27043:2015. The standard setting for forensic investigative activities includes six components. First, the principles and practices of risk control. Second, the principles and practices of forensic preparation. Third, the principles and practices of incident handling. Fourth, laws and rules. Fifth, CPCS hardware and software specifications. Sixth, industry-specific specifications.
Zia et al. [7] introduced an analysis of the IoT forensic investigation framework. The authors conclude that the investigative model that has been proposed will facilitate the compilation, review, interpretation, and reporting of digital information in specific IoT applications. Zulkipli et al. [19] also suggested a real-time investigation paradigm to complete IoT forensic investigations. The authors' method is used to protect the facts under examination and discusses the importance of IoT at the pre-investigation stage. Likewise, Meffert et al. [9] and Atlam et al. [31] describe a framework for investigating evidence in acquisition with the FSAIoT concept. Communication with the FSA takes place via OpenHAB and custom scripts. The authors demonstrate the ability to efficiently collect IoT data using three different types of connectivity: cloud-based, device-based, and controller-to-controller.
Other researchers have concentrated on creating IoT with a forensic acquisition model. For example, the IoT forensic investigation framework for the IoT domain was proposed by Sathwara and Pricop [34] to track challenges in defining and quantifying the various elements and potential methods needed to gather evidence in the IoT ecosystem. It covers the extraction of distinct digital footprints of various IoT artifacts and smart home wearables, which can be collected and analyzed. Likewise, Harbawi and Varol [18] presented an IoT forensic investigation benchmark for collecting digital evidence. The authors suggest a theoretical method for implementing an IoT investigative forensic concept that solves the collection problem addressed previously. A machine-to-machine (M2M) framework was also proposed for an automated forensic analysis and investigation mechanism to detect attacks made against IoT devices.
In addition, Shin et al. [48] discuss the latest IoT data collection approaches for home routers, Z-wave, and Amazon Echo. The collection illustrates the different types of information obtained and the different acquisition strategies used to extract the data. Finally, the authors propose a research opportunity to develop Google Nested and Amazon Echo digital forensic research. In IoT forensic investigations, certain analysts have expressed concern about the privacy implications of the Internet of Things [49]. For example, for the IoT-based forensic investigation phase, research [50] proposed the PROFIT method (Privacy-Aware IoT-Forensic Model) to use the privacy features of ISO/IEC 29100:2011. Their method was tested against a case scenario of IoT-enabled malware deployment in a cafe shop.
In comparison, Zawoad and Hasan [35] divided the Forensic-Aware IoT (FAIoT) framework into three levels: device, network, and cloud. Its architecture involves two key elements: secure origin and proper preservation of evidence. Safe custody ensures and maintains evidence's integrity and is key to preserving and confirming evidence. For example, the notion of automated forensics proposed by Oriwoh and Sant [51] presents three essential parts in a Forensic Edge Management System (FEMS): perception, network, and application. Sensor data is collected at the perceptual stage. At the device level, the network user interface is displayed. Data transfer is done through the network level between the application and perception levels. The main objective of the proposed FEMS is to collect and store evidence during the investigative process for a specified period.
Based on the ISO/IEC 27043 standard, a holistic forensic model for the IoT environment was proposed by Sadineni et al. [40]. This model consists of three main phases: forensic readiness (proactive), initialization (incident), and forensic investigation (reactive). The model proposed by the researchers can be adapted to interact with various IoT applications. Islam et al. [41] proposed improving the IoT forensic investigation process system so that forensic practitioners and experts can easily understand it. Additionally, investigations are currently underway to remove reliance on cloud service providers (CSPs). In addition, the use of the Data Provider Zone (DPZ) in the DFIM model [42] is proposed to group data collected from sensor nodes into one group.
Research by Fagbola and Venter [46] developed an IoT forensic investigative readiness model for shadow device networks with the aim of forensic collection and readiness in the event of a security or privacy breach on the IoT network. In addition, the M2M framework [47] and Particle Deep Framework [43] were developed to detect attack types in IoT digital evidence acquisition coupled with ML algorithms.
Table IV describes the current study work in terms of an overview of the IoT forensic investigation framework, the process phases, and a summary of the annual contribution of the IoT forensic investigation framework.

B. RQ2: Core and Essential Phase of IoT Forensics Investigation Framework.
Essential processes are considered important to the acceptability, credibility, and integrity of the data collected during the forensic investigation process. Figure 2 describes the five main and essential processes involved in IoT forensic investigations: preparation, collection, examination, analysis, and reporting. In the IoT forensic preparation process, the preparation phase includes many actions, such as oversight of authorizations and resources for management to obtain authorization to carry out investigations [9], ensuring the capacity of activities and facilities to assist with investigations, determining investigative requirements [15], planning how to collect the necessary information required from within the investigative organization and outside [35], determining existing policies, strategies, and investigations [50], removing all user confidential information, and classifying IoT environments containing data with potential protection [15].
In the context of the collection process, this stage is a process of extracting evidence based on various platforms, sources, and types of data evidence. Many studies reveal that, in the IoT forensic investigation phase, this process involves identifying possible data sources [32], [35], [18], determining the physical location of evidence [52], duplicating digital evidence for validated processes [53], and ensuring the integrity and validity of digital evidence [32], [15], [52], [54].
In the examination process, two main objectives must be achieved during the IoT forensic investigation process: identifying and validating procedures for finding and analyzing sensitive data [53], [7], extraction of hidden data, identification of complex data and pattern matching [9], [52]. However, some of the additional tasks that are specifically performed during the IoT investigation process include determining how data was collected, where and by whom, identifying visible digital evidence, analyzing the ability levels of suspects, and transforming data to a size and type that is more accessible for analysis [9], [52].
The research by Kebande [53] identified several activities carried out in the Analysis Phase of IoT forensic investigations. These activities include making detailed research documents and assessments based on the evidence that has been explored, examining the significant evidence found, and organizing the results of the analysis based on the physical and digital evidence collected [52]. In addition, they include creating a timeline for classifying and finding possible evidence in unexpected areas [9], building theories about what happened and matching them against the extracted data, and using the information contained in the results of forensic investigations to build relationships between sequences of events [52], [53]. Finally, digital evidence is made viewable in agreed file formats and organized for reporting the results of the IoT forensic investigation and all steps taken.
The reporting phase is the final process that is responsible for producing a summary of the results of IoT forensic investigations that are presented to the highest authorities so that they can make decisions on reported cybercrime actions. All these processes are implemented at the respective layers of the IoT: device, network, and cloud. In fact, the Preservation process in IoT forensic investigations is executed in every process to determine the credibility of digital evidence. The large amount of literature that discusses the readiness and collection of digital evidence shows that the process of collection and readiness is the process that is most frequently studied, and this indicates that the two processes are important and crucial elements in the IoT forensic investigation process.

C. RQ3: Evaluation Process Phases of IoT Forensic Investigation Framework.
Based on the characteristics of IoT data generated from various devices [55], which is very large and easily lost [56], the researchers evaluated the stages proposed by previous researchers and found gaps to be developed in reviewing the IoT forensic investigative framework. The IoT forensic investigation process is divided into several phases, each determining the required preparation, analysis, and investigative action processes. These phases are preparation, collection, examination, analysis, and reporting. The authors group the first two phases into the Readiness Phase category, which determines access to incident processing and its activities as forensic preparation. It begins with identifying and detecting potential sources of evidence, then collecting them in a place that allows data preservation and can be monitored. The next three phases fall into the Investigation Phase category, in which the digital evidence data collected in the previous stage is processed for examination. After that, the digital evidence is analyzed to reach conclusions about the cybercrime. Finally, the results of the forensic investigation are compiled and presented in more detail as digital evidence from IoT devices so that they can be used in court as evidence for cybercrimes. The preservation process is carried out in both phases of the IoT forensic investigation. In this research, as a comparison, the 20 IoT forensic investigation frameworks in Table V have been evaluated and grouped into three main phases, namely Readiness, Investigative, and Preservation.
All these frameworks have their advantages. However, until now, no single framework can be used as a single guideline for IoT forensic investigations in all incident cases.
For example, for the IoT forensic investigation stage in the current frameworks, development is still needed to collect and store IoT digital evidence in a digital evidence repository at the forensic readiness stage in a smart, accurate, and efficient manner. In the previous IoT forensic investigation frameworks [32], [57], [46], researchers place the IoT digital evidence storage process at the end of the investigative process. So, investigators repeatedly experience difficulties in preparing digital evidence when carrying out the forensic investigation process. Researcher [15] places storage at the start, but it is not accurate and efficient. The remaining frameworks described in this paper do not include a stage for storing digital evidence from IoT forensic investigations in a repository. In addition, the evaluation that needs to be given for the development of the framework is the integration of IoT digital evidence at the device, network, and cloud levels that has been collected in a digital evidence repository. Then, when there is a criminal attack on IoT, investigators can immediately identify and collect digital evidence and analyze the correlation of IoT digital evidence on the three layers of IoT.

D. RQ4: Open Research on Development IoT Forensic Investigation Framework.
While previous research efforts have been made to solve problems in the context of forensic investigations in the IoT environment, certain challenges remain and must be overcome. To provide recommendations to new researchers in solving these problems and challenges, this section presents some open issues and potential directions as challenges for future research on IoT forensic investigation frameworks.

1) Development IoT Forensic Investigation Framework:
Several characteristics of the IoT platform in the form of heterogeneity, flexibility, different data, and limited storage require IoT forensic investigations to carry out the process accurately and efficiently for collecting and managing digital evidence [58]. Currently, several IoT forensic investigation frameworks have been proposed by many researchers. However, it is still necessary to develop an in-depth framework for more comprehensive IoT forensic investigations in the readiness and collection of digital evidence in the IoT environment [59]. The development of this framework is very important in the effort to prepare and collect IoT digital evidence as a top priority, given the volatility, complexity, and difficulty of maintaining the authenticity of digital evidence values.

2) IoT Digital Evidence Repository at Readiness Phase:
In many previous IoT forensic investigation frameworks, several researchers focused on the readiness stages of IoT forensic investigations. However, in the existing IoT forensic investigation frameworks, there is no process for collecting and storing IoT digital evidence in a repository at the forensic readiness stage. In the previous IoT forensic investigation frameworks, researchers placed the IoT digital evidence storage process at the end of the process, at the investigative stage. So, investigators experience difficulties in preparing digital evidence when they need to re-examine it. The integration of IoT digital evidence at the device, network, and cloud level has been aggregated and stored in the repository as the resulting set of IoT digital evidence.
Thus, when a criminal attack occurs on the IoT network, investigators can immediately identify and collect digital evidence and analyze possible correlations of IoT digital evidence on the three layers of the IoT.
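
The repository idea above, as an added Python example that is not from the paper or from any surveyed framework: evidence from the device, network, and cloud layers is ingested at the readiness stage into an append-only, hash-chained custody log whose integrity can be re-verified later. The class, field names, and sample records are assumptions constructed for illustration.

```python
import hashlib
import json

LAYERS = ("device", "network", "cloud")   # the three IoT layers named in the text
GENESIS = "0" * 64                        # prev_hash of the first custody record


def entry_digest(record):
    """SHA-256 over the canonical JSON of every field except entry_hash."""
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class EvidenceRepository:
    """Hypothetical readiness-phase store: custody records plus raw payloads."""

    def __init__(self):
        self.entries = []   # custody records, in ingestion order
        self.blobs = {}     # payload_sha256 -> raw bytes exactly as acquired

    def ingest(self, layer, source, collected_at, collector, payload):
        if layer not in LAYERS:
            raise ValueError(f"unknown IoT layer: {layer!r}")
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "layer": layer,
            "source": source,
            "collected_at": collected_at,
            "collector": collector,
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            "prev_hash": prev_hash,          # commits to everything ingested before
        }
        record["entry_hash"] = entry_digest(record)
        self.entries.append(record)
        self.blobs[record["payload_sha256"]] = payload
        return record

    def head(self):
        """Hash of the latest record; record this value outside the repository."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self):
        """Return the seq numbers of records that fail an integrity check."""
        bad = []
        expected_prev = GENESIS
        for record in self.entries:
            blob = self.blobs.get(record["payload_sha256"])
            ok = (
                record["prev_hash"] == expected_prev
                and record["entry_hash"] == entry_digest(record)
                and blob is not None
                and hashlib.sha256(blob).hexdigest() == record["payload_sha256"]
            )
            if not ok:
                bad.append(record["seq"])
            expected_prev = record["entry_hash"]
        return bad

    def missing_layers(self):
        """Layers with no evidence yet, i.e. gaps in readiness coverage."""
        present = {r["layer"] for r in self.entries}
        return [layer for layer in LAYERS if layer not in present]


def build_sample():
    """Constructed sample: one device record and one network record."""
    repo = EvidenceRepository()
    repo.ingest("device", "smart-lock-01", "2022-03-01T10:00:08Z", "examiner-a",
                b'{"event":"unlock","method":"app"}')
    repo.ingest("network", "home-gateway", "2022-03-01T10:00:07Z", "examiner-a",
                b"192.0.2.10 -> 198.51.100.7 tcp/443 len=512")
    return repo


if __name__ == "__main__":
    repo = build_sample()
    print("layers without evidence:", repo.missing_layers())
    print("failed records:", repo.verify(), "head:", repo.head())
```

The chain makes tampering evident only if the head hash is also kept somewhere the repository operator cannot rewrite, such as a signed or externally timestamped case note.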

3) Timeline Integration, Correlation, and Reconstruction during Forensic Investigation:
Integrating and combining information from multiple data sources can help offer a better understanding of data collection. Analyzing several different devices is nothing new in IoT forensic investigative analysis. However, when the boundaries of IoT-based cases are distorted, it becomes more difficult to classify all sources of digital evidence completely. Another difficulty within the IoT forensic investigation framework is establishing digital evidence correlations between increasing volumes of data at considerable time cost [60]. The time parameter is also very important for the correlation of facts from multiple sources and allows a sequence of related events to be established. However, many IoT devices do not keep consistent time because they are in different periods, causing difficulties in reconstructing the timeline of forensic investigations [61].
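
The clock problem described above, as an added Python example (not from the paper): events from the three layers are corrected with a per-source clock offset measured at acquisition, merged into one timeline, and pairs whose order cannot be proven within the stated uncertainty are reported. Source names, offsets, and events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import combinations


@dataclass(frozen=True)
class ClockProfile:
    offset: timedelta        # source clock minus reference clock, measured at acquisition
    uncertainty: timedelta   # bound on the error that remains after correction


@dataclass(frozen=True)
class Event:
    layer: str               # "device", "network" or "cloud"
    source: str
    local_time: datetime     # timestamp exactly as the source recorded it
    description: str


@dataclass(frozen=True)
class Placed:
    time: datetime           # local_time corrected to the reference clock
    uncertainty: timedelta
    event: Event


def build_timeline(events, clocks):
    """Correct each event to reference time; keep events without a clock profile apart."""
    placed, unplaced = [], []
    for ev in events:
        profile = clocks.get(ev.source)
        if profile is None:
            unplaced.append(ev)      # no measured offset: cannot be ordered safely
            continue
        placed.append(Placed(ev.local_time - profile.offset, profile.uncertainty, ev))
    placed.sort(key=lambda p: p.time)
    return placed, unplaced


def ambiguous_pairs(timeline):
    """Pairs whose error intervals overlap, so their relative order is not proven."""
    pairs = []
    for a, b in combinations(timeline, 2):   # timeline is sorted, so b.time >= a.time
        if b.time - a.time <= a.uncertainty + b.uncertainty:
            pairs.append((a.event.description, b.event.description))
    return pairs


def utc(hour, minute, second):
    return datetime(2022, 3, 1, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample: the lock's clock runs 90 s fast; the camera has reset to the epoch
# and no offset was measured for it.
SAMPLE_CLOCKS = {
    "cloud-api": ClockProfile(timedelta(0), timedelta(milliseconds=500)),
    "home-gateway": ClockProfile(timedelta(0), timedelta(seconds=1)),
    "smart-lock-01": ClockProfile(timedelta(seconds=90), timedelta(seconds=2)),
}
SAMPLE_EVENTS = [
    Event("network", "home-gateway", utc(10, 0, 40), "lock state change sent to cloud"),
    Event("device", "smart-lock-01", utc(10, 1, 38), "lock actuated"),
    Event("cloud", "cloud-api", utc(10, 0, 5), "unlock command accepted"),
    Event("network", "home-gateway", utc(10, 0, 7), "unlock command forwarded to lock"),
    Event("device", "camera-02", datetime(1970, 1, 1, 0, 3, 12, tzinfo=timezone.utc),
          "motion detected"),
]

if __name__ == "__main__":
    timeline, unplaced = build_timeline(SAMPLE_EVENTS, SAMPLE_CLOCKS)
    for p in timeline:
        print(p.time.isoformat(), "+/-", p.uncertainty, p.event.layer, p.event.description)
    print("order not proven:", ambiguous_pairs(timeline))
    print("no clock profile:", [e.source for e in unplaced])
```

Sorting the raw timestamps would place the lock actuation after the gateway's state-change report; the corrected timeline restores the causal order and still flags the one pair that the measured uncertainty cannot separate.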

4) Utilization of artificial intelligence in the automation of IoT forensic investigations:
Many attempts have been made in recent years to apply artificial intelligence (including machine learning and deep learning) to security activities and digital forensic investigations. Intelligence approaches are used to identify anomalies [62], forensic investigative analysis on videos [63], regulatory extracts [64], and intrusion classification [65]. For example, Buczak and Guven [66] published a literature survey based on data mining methods to detect intrusions and address implementation areas using various intelligent methods.

5) Automation of Big Data analysis on IoT systems for forensic investigation:
The analysis process in Big Data IoT refers to large amounts of data using conventional data analysis methods, both organized and unstructured. Large amounts of data generated from various IoT devices make IoT systems one of the main sources of Big Data. Despite the large storage capacity in cloud infrastructure, data collection and processing remain a major concern [6], [67]. Big data collected from IoT devices creates challenges for IoT forensic investigations. Researchers analyze and review certain volumes of data with the aim of seeing what data is available to support decision-making. The scalability of computational algorithms is another challenge in forensic investigations, making it difficult to facilitate timely investigations. To produce good and timely reports, researchers focus on providing new solutions for analyzing data generated from IoT devices.

6) Smart data anomaly detection IoT forensics investigation:
The size of the network, with billions of devices based on the IoT platform, produces very large amounts of data that cannot be accessed using conventional methods [68], [69]. In this case, processing digital evidence automatically can be one of the new challenges that can be used to deal with the problem of IoT forensic investigations. The automated processing of digital evidence allows the collected digital evidence to be compared with a variety of digital evidence sources. IoT forensic investigators must be competent in managing the multiple complexities, distribution, and heterogeneity-dependent aspects of IoT systems with a view to the development of forensically acceptable and legally justifiable digital evidence. Automation at the acquisition stage can be applied to digital evidence collection. For example, IoT sensors can be used for pattern recognition on power profiles to detect suspicious circumstances based on node power traces [70].

7) Investigation of Interconnectivity Sources:
This is the process of investigating the source of digital evidence from multiple layers across devices, networks, and the cloud. The next framework development that can be done is to narrow the search area and explore the interconnectivity of generated and hidden data, and then create a new scenario for in-depth investigation of interconnectivity. The stages of the process in developing this framework would then be able to reduce the sources of digital evidence that might be lost compared to the previous ones.

IV. CONCLUSION
The Internet of Things has been exploited and used in human life today, including smart homes, manufacturing, health monitoring, education systems, transportation, and others. In addition to the many benefits that IoT has, many challenges must be faced, one of which is security and privacy. The large number of different devices and huge volumes of data are a concern and a prime target for many attackers. Under these conditions, the IoT security system is very important and has the potential to protect many people from malicious attacks. Accurate and fast IoT forensic investigative analysis is needed in the IoT environment to monitor and secure digital data against exploitation by hacker attacks. This research presents an overview of the IoT forensic investigation framework. In addition, it provides an overview of cutting-edge and up-to-date IoT forensic investigation framework studies and sets the stage for a discussion of potential research and development directions for IoT forensic investigation frameworks. The IoT forensic investigation framework still has open issues that require further research. The various issues raised in this paper help researchers understand the problem and find relevant solutions. Based on this research, an IoT forensic investigation framework needs to be developed that executes efficiently given the very large volume of IoT device data, its volatility, and limited data storage. In addition, the readiness of IoT forensic investigations is the main focus in developing a framework focused on the readiness to collect and correlate digital evidence sources on IoT devices.