Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real- Time Incident Response

preprint OA: closed
Full text JSON View at publisher

Abstract

Abstract The lightning-fast spread of the Internet of Things (IoT) devices in the environment of the most vital infrastructure and systems (healthcare, smart cities, and industrial systems) has led to an increase in the volume of the attack surface of cyber threats to a critical mass. Conventional digital forensic methods are fundamentally reactive, distributed, and cannot cater to the real-time, distributed, and privacy-conscious events in IoT ecosystems. This study introduces a new federated online reinforcement learning system, FOR-IoTNet, which enables proactive forensic readiness within IoT-ramped organisations. FOR-IoTNet utilises Federated Edge Anomaly Learners (FEAL) for local anomaly detection, leveraging deep autoencoders or LSTM networks. This approach enables operation without data sharing, ensuring privacy preservation. Anomalies occur and prompt interventions through a centralised Online Reinforcement Forensics Agent (ORFA), which is optimised using the Proximal Policy Optimisation (PPO) algorithm. ORFA actively selects the best forensically initiated actions, such as isolating a compromised device, invoking secure log capture, or escalating an alert, and dynamically routes them according to context parameters and historical results stored in a Forensic Policy Knowledge Base (FPKB). The framework has been applied and experimented with in simulated IoT, including various attack scenarios such as DoS attacks, firmware hacks, and lateral mobility. The framework has been deployed and evaluated in synthetic IoT scenarios under various attack conditions, including DoS, firmware tampering, and lateral movement, among others. By comparing it to traditional centralised forensics and a rule-based non-learning system, it is evident that FOR-IoTNet offers several advantages, including a lower average detection time of 2.37 seconds, 98.8% accuracy, and enhanced evidence completeness. It reduces the false positive rate to 3.47 and also reduces resource consumption by 28.4% in CPU, 450 MB in memory, and 31.9 MB/min in bandwidth compared to using baseline methods. The outcomes of the RL training show an even more improved policy, where, at episode 500, the percentage of correct decisions reaches 98.4% with an average reward of 0.81. The outcomes indicate that FOR-IoTNet represents a significant improvement in terms of forensic preparedness, response time, and protection of privacy laws through the non-centralisation of raw data. The research has developed a forensic model that can scale in next-generation IoT environments, enabling the integration of intelligent, autonomous, legally compliant, and explainable forensic systems into cyber-physical infrastructures.
Full text 131,938 characters · extracted from preprint-html · click to expand
Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real- Time Incident Response | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real- Time Incident Response Oyeyemi Kuku, Alexandros Chrysikos, Shahram Salekzamankhani This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7959169/v1 This work is licensed under a CC BY 4.0 License Status: Under Review Version 1 posted 6 You are reading this latest preprint version Abstract The lightning-fast spread of the Internet of Things (IoT) devices in the environment of the most vital infrastructure and systems (healthcare, smart cities, and industrial systems) has led to an increase in the volume of the attack surface of cyber threats to a critical mass. Conventional digital forensic methods are fundamentally reactive, distributed, and cannot cater to the real-time, distributed, and privacy-conscious events in IoT ecosystems. This study introduces a new federated online reinforcement learning system, FOR-IoTNet, which enables proactive forensic readiness within IoT-ramped organisations. FOR-IoTNet utilises Federated Edge Anomaly Learners (FEAL) for local anomaly detection, leveraging deep autoencoders or LSTM networks. This approach enables operation without data sharing, ensuring privacy preservation. Anomalies occur and prompt interventions through a centralised Online Reinforcement Forensics Agent (ORFA), which is optimised using the Proximal Policy Optimisation (PPO) algorithm. ORFA actively selects the best forensically initiated actions, such as isolating a compromised device, invoking secure log capture, or escalating an alert, and dynamically routes them according to context parameters and historical results stored in a Forensic Policy Knowledge Base (FPKB). The framework has been applied and experimented with in simulated IoT, including various attack scenarios such as DoS attacks, firmware hacks, and lateral mobility. The framework has been deployed and evaluated in synthetic IoT scenarios under various attack conditions, including DoS, firmware tampering, and lateral movement, among others. By comparing it to traditional centralised forensics and a rule-based non-learning system, it is evident that FOR-IoTNet offers several advantages, including a lower average detection time of 2.37 seconds, 98.8% accuracy, and enhanced evidence completeness. It reduces the false positive rate to 3.47 and also reduces resource consumption by 28.4% in CPU, 450 MB in memory, and 31.9 MB/min in bandwidth compared to using baseline methods. The outcomes of the RL training show an even more improved policy, where, at episode 500, the percentage of correct decisions reaches 98.4% with an average reward of 0.81. The outcomes indicate that FOR-IoTNet represents a significant improvement in terms of forensic preparedness, response time, and protection of privacy laws through the non-centralisation of raw data. The research has developed a forensic model that can scale in next-generation IoT environments, enabling the integration of intelligent, autonomous, legally compliant, and explainable forensic systems into cyber-physical infrastructures. Digital Forensics IoT Security Federated Learning Reinforcement Learning Anomaly Detection Proactive Incident Response Privacy Preservation Smart Environments Cyber Resilience Forensic Readiness Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 1. Introduction The Internet of Things (IoT) has become one of the most transformative developments in recent technological history over the last decade, connecting hundreds of billions of devices across various fields, including smart cities, healthcare, industrial automation, and critical infrastructure. In the case of smart cities, sensor networks enable real-time traffic management, environmental monitoring, and enhanced public safety. In healthcare, wearable medical sensors and remote monitoring systems facilitate round-the-clock patient support[ 1 ]. Predictive maintenance, automation of processes, and supply chain management, among other things, have transformed the manufacturing sector with the help of industrial IoT (IIoT), and now many critical infrastructure sectors, such as energy grids and water treatment plants, rely on their IoT-enabled systems for operational reliability and efficiency[ 2 ]. Though such advancements have resulted in more benefits than ever before, the cyber-attack surface has increased tremendously, introducing new vulnerabilities and adding a layer of sophistication to the threat[ 3 ]. Due to the presence of a broad range of IoT devices and their resultant variety in communication protocols, combined with the limited computing resources available on hardware, security and forensic preparedness pose unique problems [ 4 ]. Attackers are exploiting these vulnerabilities to execute ransomware on industrial controllers, conduct wide-scale Distributed Denial of Service (DDoS) attacks using botnets, and tamper with data integrity in sensors through man-in-the-middle intrusions[ 5 ]. Digital forensics, which involves methodically gathering, storing, analysing, and presenting electronic evidence, proves to be crucial in examining these events. Nonetheless, with legacy IT setups, forensic activities will be largely centralised and reactive, getting into action only once a breach has been realised[ 6 ],[ 7 ]. Such an approach is not appropriate in the IoT, where the scale of deployment is larger, data is volatile, and devices are heterogeneous and distributed, which necessitates a more dynamic methodology[ 8 ]. Volatile memory states, fleeting log entries and transitory network flows are just a few examples of the forensic evidence that is lost on IoT networks within seconds unless action is taken. Moreover, a large number of IoT devices have low processing capability, storage, and even energy supplies, rendering them unrealistic to run conventional forensics tools that essentially interfere with their intended main tasks[ 9 ]. Evidence handling is further complicated by legal and regulatory complexities, as well as cross-boundary deployments of IoT that may introduce jurisdiction-specific needs for data integrity and chain-of-custody verification. As a result, there is a high possibility that the traditional forensic models will fail to capture critical transient evidence in real time, it remains impossible to adapt to changing trends of attacks, and it is likely to increase the time spent on detecting and responding to Incidents, worsening operational and legal risks[ 10 ]. With these drawbacks, a proactive, distributed, and intelligence-driven forensic preparedness model is needed that can work synchronously and transfer efforts in a resource-scarce, diverse, and legally restrictive IoT setting. This paradigm needs to facilitate the ongoing collection of evidence, instantaneous detection of anomalies, and decision-making with guarantees of privacy and compliance with legal regulations, while causing minimal interference with the regular operations of services. The study presents a joint hybrid framework, FOR-IoTNet, which combines federated and reinforcement learning to provide a more robust digital forensic preparedness in settings that incorporate IoT. The framework supports the privacy regulations of the distributed evidence collection, where no raw logs are transferred, thus maintaining the data locality of the evidence collection. Its decision-making using adaptive RL complements this by fueling incident response faster, and with better quality and applicable evidence gathered. Moreover, FOR-IoTNet is designed to form a legally admissible chain of custody in decentralised networks, and leaves digital evidence intact as credible evidence that can be used by law enforcement and regulatory operations. This study aims to: Develop a federated learning-based framework for decentralised anomaly detection in IoT environments. Integrate an online reinforcement learning (RL) agent that autonomously selects optimal forensic response actions based on threat context. Ensure the framework supports real-time, privacy-preserving, and legally compliant forensic readiness across diverse IoT ecosystems. The remaining sections of this paper are as follows: Section 2 reviews the related works and research gaps, while Section 3 presents the proposed framework and methodology of FOR-IoTNet. Section 4 presents the experimental setup, datasets, and results, and compares them. Section 5 provides the conclusion and outlines future directions to follow. 2. Literature Review A conceptual model for carrying out digital forensics (DF) in the context of IoT infrastructures has also been introduced in research [ 11 ]. This design was known as the Forensics-aware IoT (FAIoT) framework, which was developed to ensure that successful forensic examinations can take place in IoT settings. It is divided into three main modules: secure evidence preservation, secure provenance and API-based evidence access. The secure evidence preservation module will continuously monitor IoT devices and securely log forensic information. Data privacy and preservation of the chain of custody are achieved through the secure provenance module. The API module enables safe, but read-only access to the authorised law enforcement agencies and/or in the course of investigation [ 12 ]. Although the model has proven to be a breakthrough in digital forensics of IoT, it has not involved the organisational perspective of digital forensic readiness (DFR) in the use of IoT. Similarly, [ 13 ] developed a paradigm tailored to smart homes. This model, comprising five layers, was compared to the ISO/IEC 27043 standard, utilising a collection of observed rules of abnormal behaviour to detect potential threats in a regular home-user environment. Simulation results have shown that such regulations have the potential to expose security issues in smart homes. Furthermore, the implementation of DFR processes into such environments is capable of revealing indicators of compromise (IoCs), which can be included in the triggers of security alerts. In a similar research study by [ 14 ], the researchers developed a smart device, the Forensic Edge Management System (FEMS), which offers both security and forensic functionalities in an IoT-based smart home. Although FEMS is a method for addressing home IoT app security issues and aiding investigations, it is place-focused rather than organisation-oriented. This means it does not meet the broader needs of an organisation in terms of fulfilling legal requirements, regulatory body demands, or formal forensic policies. Additionally, there is no international standard to which it is aligned. Also, [ 15 ] introduced the Digital Forensic Investigation Framework of IoT (DFIF-IoT), which was implemented according to the ISO/IEC 27043 standard. This framework consists of three modules: the proactive processes, IoT-specific forensic processes and reactive processes. Although DFIF-IoT aligns closely with the proactive-based IoT-Forensic Readiness (IoT-FR) approach outlined in the paper, it fails to capture organisation-wide processes that constitute a significant element of comprehensive digital forensic readiness. In a different direction, [ 16 ] proposed a wireless DFR model that implements and emphasises the monitoring, logging and retention of the network traffic. Its principle of wireless network monitoring is applicable in an IoT-enabled deployment, even though it was not explicitly aimed at IoT. Nonetheless, it lacks an organisational or security management process. Lastly, [ 17 ] suggested a combined lightweight blockchain solution for the forensic usage of connected vehicles equipped with IoT sensors. This architecture utilises a blockchain ledger maintained by permissioned members to facilitate secure end-to-end communication and data transfer. An additional aspect of the framework involves a lightweight and secure ledger, utilised in sensitive matters, such as forensic investigations, to ensure participants have access to only relevant information. Although this strategy targets organisational preparedness and incorporates security mechanisms, it does not conform to any international guide or accepted forensic models. 2.1 Research Gap Although both federated learning and reinforcement learning have significant promises in cybersecurity and IoT solutions, there is still no cohesive framework which could tie these advantages together to allow proactive digital forensic preparedness[ 18 ]. The current methods tend to either concentrate on distributive learning to detect anomalies or on adaptive policy optimisation without considering the necessity to have a decentralised, forensic evidence gathering and analysis in real time without centralisation[ 19 ]. In addition, existing solutions typically lack legality, chain-of-custody and forensic soundness in large-scale IoT scenarios where jurisdiction and privacy requirements are of great importance[ 20 ]. Also significant is the fact that solutions to the trade-off between forensic performance and systematic costs (such as bandwidth and CPU utilisation, and energy costs), without compromising privacy assurances of sensitive IoT data, have not been thoroughly investigated. This disconnection highlights the need to develop a forensic framework based on federated reinforcement learning, which can be utilised to securely address truly multi-tenant, resource-constrained, and legally regulated IoT ecosystems. 3. Research Methodology In this research, the Design Science Research (DSR) methodology is employed, where the primary limitations of existing forensic approaches applicable in the IoT domain are identified, including, but not limited to, a slow evidence-gathering process, excessive data transfer overhead, and limited adaptivity. The FOR-IoTNet framework was developed to fill these gaps and contains three building blocks: (i) Federated Edge Anomaly Learners (FEAL), which uses lightweight Autoencoders models or LSTM models on edge devices themselves (i.e., simply a program running on the device) and learns the behavioral patterns of the device; (ii) the Online Reinforcement Forensic Agent (ORFA), which uses the Proximal Policy Optimization (PPO) algorithm to select optimal forensic actions, such as evidence logging or device isolation in real time; and (iii) The platform runs tests on simulated systems, such as smart home content environments, or industrial factories or the IoT environment in a hospital, fabricated on NS3 or IoT-LAB. Several attack vectors are introduced into this environment, such as Denial of Service (DoS), firmware tampering, and unauthorised access/data exfiltration. Logging and data communication are facilitated through MQTT and Zeek, while TensorFlow Federated provides the framework for the federated learning pipeline. The PPO agent is implemented using Stable Baselines 3. The behavior of the framework is benchmarked on a set of metrics: Detection Latency (ms) the timeline between anomaly-detection and forensic response; Evidence Quality Score deriving the degree of completeness and chain-of-custody compliance of evidence collected; Policy Decision accuracy determining correctness of actions by RL-selected actions; Communication Overhead (KB/device) a comparison of the new-size of FL updates to raw-log fragment transfers; System Performance overhead (%) the calculated overhead on edge devices in terms of CPU workload and RAM usage. 3.1 Dataset Description The data used in the work was obtained from a live enterprise network continuously over 10 days (May 14, 2024, to May 23, 2024). It experiences both normal and malicious traffic, and there have been reported attacks, including Distributed Denial of Service (DDoS), Denial of Service (DoS), brute force, and SQL injection. The monitoring of network activity was complete, based on WAZUH server-client settings, logs of IoT devices available in the cited 192.168.0.x subnet, firewall logs, and Cloudflare logs, thus providing multi-source visibility to potential security occurrences. Such sources harvested necessary metadata, which included IP addresses, port numbers, flow durations, packet sizes, and the inter-arrivals of packets. A total of 79 different features were extracted, including flow-level statistics, packet-level characteristics, and counts of TCP flags. The raw traffic data, with more than 18,000 labelled samples, was preprocessed through a rigorous phase of noise removal, normalisation, and rearranged in a different format. The cleaned data were saved in the form of CSV files, which were easy to read and could be used to train the machine learning model or for later evaluation. 3.2 FOR-IoTNet Framework Design The proposed FOR-IoTNet framework employs a layered architecture that facilitates proactive and adaptive digital forensic preparedness in IoT-enabled organisations. IoT nodes at the edge layer, such as smart sensors, cameras, and controllers, apply lightweight anomaly learners, e.g., Autoencoders or LSTM models, trained based on locally captured network traffic. It contains both benign and malicious traffic, including DDoS attacks, DoS attacks, brute force, and SQL injection, during the study period of the dataset collection (May 14–23, 2024). Features such as IP addresses, port numbers, flow duration, packet sizes, counts of TCP flag information, and packet inter-arrival times are all processed on each node, allowing for specific modelling of device behaviour. The Online Reinforcement Forensic Agent (ORFA), implemented with the PPO algorithm, receives anomaly alerts and calculates optimal forensic measures, which may include logging evidence, isolating devices, or escalating operands to administrators. This forms a feedback loop in which the so-called results of these actions are returned to the RL model to update its policy in near real-time. Federated learning aggregation is a periodically repeated event where the model weights trained on multiple edge nodes are collected and used to enhance the global detection accuracy at the cost of transmitting raw, sensitive logs, thereby maintaining privacy. This architecture guarantees that decision-making is not only data-driven, but also context-aware, and communication flows, local learning, policy decision loops, and federated aggregation become an integrated on-demand (real-time) forensics pipeline. 3.2.1 Federated Anomaly Detection at Edge The Federated Anomaly Detection layer of FOR-IoTNet conducts on-device behavioural modelling, local forensic triggering and keeps raw data traffic to a minimum. It is organized around three closely integrated tasks: (A) preprocessing and feature engineering the study dataset (79 features; flow/packet statistics, TCP flags, IP/port, inter-arrival, times) on-device, (B) the creation of lightweight sequencing-based anomaly modelling (LSTM auto-encoder) that can be trained and updated even on constrained hardware, and (C) two-way confidential federated training and secure exchanges of updates with the controller. A combination of these activities permits device-specific detection with low latency, capturing evidence without centralising network logs, and doing so quickly. A. On-device preprocessing and feature engineering On-device preprocessing and feature engineering are performed as the proposed framework is optimised to minimise latency and resource load on IoT edge nodes, which ultimately must remain forensic-ready. A sliding window technique is used by each edge device to create small temporal collucts of flow and packet properties, generally of 1–10 seconds or a known number of recent flows. These time series are fed as input to the lightweight LSTM autoencoder, which is deployed and constructed at the extraction of 79 dataset features, including the duration of the flow, the number of bytes generated, the number of packets, the average packet size, inter-arrival statistics, TCP flags, and protocol identifiers. Continuous characteristics are normalised on the device using running mean-standard deviation statistics or min-max scaling developed during an initial calibration period, to provide comparable results regardless of the traffic pattern carried by the device. Categorical features, such as protocol types and port ranges, are effectively represented as short one-hot vectors or learned embeddings to maintain low-dimensional input features. Additional computational overhead in terms of runtime can be reduced by selecting essential features locally at each node, rather than transferring the entire feature set as is usually done. At each node, lightweight feature selection is performed on the local features, where only the most informative features (e.g., the top 20) detected during the offline training phase, using methods such as Recursive Feature Elimination (RFE) or mutual information ranking, are transferred to the next node. These ranked lists of features are served alongside the global federated model; each node can avoid recomputing duplicates during inference. Additionally, the circular forensic buffer stores new raw packets or parsed flow summaries in a configurable time window, enabling the immediate recovery of any valuable PCAP or flow evidence in the event of an anomaly. This layout allows for quick preprocessing, both in terms of memory and in line with real-time detection requirements, as well as forensic capture requirements. B. On-device anomaly model (Lightweight LSTM Autoencoder) The on-device anomaly detection model trains a lightweight LSTM autoencoder, where the sequence is compressed by a 12-layer LSTM encoder (with 32–128 units) into a bottleneck vector and subsequently recovered by a corresponding LSTM decoder. The mean squared error (MSE) is used as the loss function. This small model design strikes a balance between detection performance and computational cost, allowing us to utilise alternative design choices, such as shallow dense autoencoders, temporal convolutional networks (TCNs), or tiny RNNs on ultra-low-power/space devices. Common hyperparameters include a sequence length of 10–50 timesteps, a batch size of 8–64, 1–5 local epochs per federated round, and a learning rate of 1e-3 to 5e-4, with models quantised to 8-bit and deployed through TensorFlow Lite/TinyML for efficient inference. Anomalies are detected when the value of reconstruction error exceeds a dynamically adjusted threshold, which is optimised using ROC-based validation. This threshold is subsequently tuned on-device to account for changes due to diurnal and concept drift, such as through the EWMA technique or sliding percentiles. Such lightweight incremental learning naturally enables fine-tuning with new normal data periodically, making it adaptable while avoiding massive catastrophic forgetting, with the hope that federated updates will be available shortly. C. Federated training & secure parameter exchange Within any encrypted FL cycle, the server (ORFA/cloud) organises the rounds, choosing some clients, broadcasting the current global model, requesting selected devices to train on stored benign and near-real-time data on the device for E epochs, and uploading model additions. To boost communication efficiency, updates are delta-encoded, sparsified (top-k), and quantised, while gateways merge sensor updates before the uplink. The frequency of aggregation can also be controlled (e.g., 5, 10, 20 minutes) depending on the network conditions and threat level. Privacy & security protections Secure aggregation (cryptographic) is used so the server cannot see individual updates. Differential privacy: clients optionally clip gradients and add calibrated Gaussian noise to updates before transmission to provide formal privacy guarantees (with tunable ε). Transport security: MQTT/TLS or mTLS for channel encryption and client authentication. Remote attestation/device identity: evidence and updates are signed using device keys (TPM or secure element) to prevent spoofing. The aggregation strategy used by FOR-IoTNet is flexible, initially assembling FedAvg, but allowing other notable alternatives, such as trimmed mean, median, Krum, and reputation-based aggregation, to be used, thereby alleviating the effects of poisoned updates or Byzantine updates. The controller can block suspicious participants by detecting changes to their clients, based on high statistics that are not in the vicinity of the median. The framework enables asynchronous participation, allowing devices to wait to update in cases of poor connectivity. Hierarchical FL utilises edge gateways to combine data generated by numerous low-power sensors locally before sending it to the central controller, thereby reducing traffic overhead and achieving faster convergence on estimates. The local forensic trigger is activated when the anomaly score within the regional system exceeds its pre-set threshold, triggering an immediate alert to the ORFA and storing key metadata, while retaining the current buffer of packets/flows. In under a second, the device preserves encrypted evidence, destroys all physical access, calculates a SHA-256 hash, signs it with the device key, and captures the system context (firmware, logs, and process list). Subsequent optional containment measures (such as traffic rate-limiting, IP blocking) can be implemented. Raw logs are not uploaded; only signed metadata and raw flow summaries (containing minimal information) are uploaded to the Forensic Policy Knowledge Base (FPKB). Full artefacts are sent on request only. Any activity is documented and maintained in a chain of custody, which can be achieved by cryptographically attaching it to a tamper-evident ledger. The model poisoning identification includes effective thresholds that are adaptive with checks on an ensemble to manage false positives, and drift detection to seal the model change adequately. Optimisation of resources is achieved through compression, knowledge distillation, and gateway offloading of constrained nodes. An assessment of the May 14–23, 2024 dataset evaluates local detection accuracy, FL convergence, anomaly-to-evidence latency, and communication cost, with ablations of the effects of privacy, aggregation, and participation rate. 3.3 Central Reinforcement Forensic Controller The decision-making core of FOR-IoTNet is the Online Reinforcement Forensic Agent (ORFA). ORFA is placed at the controller/cloud layer, where it takes in compact, signed metadata and anomaly notifications generated by Federated Edge Anomaly Learners (FEAL) and arbitrarily decides in real-time which evidence-based actions to take that optimise forensic utility versus operational expense and privacy disclosure. ORFA is a policy/value agent trained using Proximal Policy Optimisation (PPO) and targeting partially observable, safety-critical applications. Role and high-level behaviour The goals of ORFA are three times: (1) determine whether and how much forensic evidence to save or collect; (2) choose containment or mitigation measures that preserve the integrity of the evidence (e.g., isolate instead of rate-limit); and (3) adjustments to policy as needs evolve through memory stored in the Forensic Policy Knowledge Base (FPKB). A trade-off between five competing goals, evidence completeness, legal admissibility, device availability, privacy, and bandwidth, is necessary in the decision-making process; therefore, the trade-off is explicitly coded directly into the objective reward ORFA provides. State representation (input) ORFA operates on a compact, time-indexed state vector formed from: Anomaly metadata: anomaly_score, model_id, local confidence, suspected attack class (if available). Device/context: device_type, device_reputation (historical FP/FN rates), firmware_version, location/VLAN. Recent telemetry summary: aggregated flow statistics (last T seconds), packet counts, peak throughput. Network context: upstream load, gateway availability, reachable storage endpoints. Forensic context from FPKB: past action outcomes for similar incidents, policy constraints (legal/organisational). Temporal/contextual info: time of day, current FL round, and last action taken. Because edge messages are succinct, ORFA often faces partial observability; therefore, the policy may incorporate memory (an LSTM embedding) to infer the latent state. Action space ORFA’s action space is hybrid (discrete + parameterised continuous): Discrete actions: NO_OP — monitor only. LOG_METADATA — store/anchor metadata in FPKB. CAPTURE_SNIPPET — request edge node to preserve local buffer (short PCAP/flows). REQUEST_RAW_UPLOAD — request complete artefact upload (subject to privacy policy). ISOLATE_DEVICE — place device in quarantine VLAN. RATE_LIMIT — throttle device outbound traffic. ESCALATE — notify human operator. Parameterised actions: SET_CAPTURE_DURATION(t) — how many seconds of buffer to persist. SET_UPLOAD_PRIORITY(p) — bandwidth priority for artefact upload. Actions are masked by policy constraints (e.g., legal/policy rules may forbid REQUEST_RAW_UPLOAD for some device types). Reward design (shaping the objective) The reward function must quantify the forensic utility in relation to the cost. A typical composite reward at time \(\:t\) : $$\:{R}_{t}=\alpha\:\bullet\:{Q}_{evidence}\left(t\right)-\beta\:\bullet\:{C}_{overhead}\left(t\right)-\gamma\:\bullet\:{C}_{availability}\left(t\right)-\delta\:\bullet\:{1}_{illegeal}\left(t\right)-\eta\:\bullet\:F{P}_{penalty}$$ 1 Where: \(\:{Q}_{evidence}\) = estimated evidence quality/completeness (improved when capture yields high-information artefacts, validated later by FPKB). \(\:{C}_{overhead}\) = bandwidth + storage cost. CavailabilityC_{availability}Cavailability​ = operational impact (penalty if isolation causes service disruption). \(\:{1}_{illegeal}\) ​ = indicator if action violates policy/regulation (hard constraint — heavy penalty). \(\:F{P}_{penalty}\) = penalty for false positive-induced disruptive actions. Coefficients \(\:\alpha\:,\beta\:,\gamma\:,\delta\:,\eta\:\) are tuned via simulation to reflect organisational priorities (privacy first vs. evidence-first). The Online Reinforcement Forensic Agent (ORFA) uses an actor-critic PPO implementation with a lightweight memory-augmented encoder, which is safe and adaptively makes decisions based on FEAL metadata and legal, privacy, and safety constraints of FPKB are integrated. Using offline pretraining, sim-to-real curricula, and conservative online fine-tuning, ORFA is trained to be safe and compliant with laws by employing entropy regularisation to constrain action selection and action masking, and incorporating human-in-the-loop oversight to filter out unsafe and illegal actions. The immutable traces of decisions can guarantee auditability, resiliency, and adaptability, as well as adversarial robustness levels and the detection of drifts. The long-term effectiveness of forensic response can be enhanced through continuous learning from feedback from FPKB. 3.4 Forensic Policy Knowledge Base (FPKB) The Forensic Policy Knowledge Base (FPKB) is the heart of the intelligence-making systems that comprise the forensic readiness suite, maintaining a detailed historical record of all forensic actions occurring at all IoT elements of the edge, along with their contextual metadata, results, and any applicable legal or policy restrictions. Each entry then records not just the action itself (e.g. device isolation, evidence logging, raw data retrieval) but also the characteristics of the anomaly that triggered the action, the operating environment, the confidence score (when the decision was made) and the final usefulness rating (determined by human analysts or automated triage systems as time permitted). In addition to serving as a passive archive, the FPKB enables the reinforcement learning of the agent over time by feeding this experience back into its reinforcement learning pipeline, allowing the agent to improve its estimation of reward and action-selection policy with time. It encodes the effectiveness metrics used in policy, assisting the system in balancing the trade-offs in speed, accuracy, privacy and cost. Moreover, FPKB utilises legal principles, compliance, and privacy regulations as structured constraints, ensuring that all operations suggested by ORFA comply with jurisdictional regulations and organisational guidelines. The FPKB stores immutable, cryptographically signed decision logs to ensure audibility and can be optionally anchored to a tamper-evident ledger. This qualifies it as both a resource of knowledge and a credible forensic record, capable of standing in legal courts. Additionally, FPKB will enable semantic querying and policy simulation, allowing security teams to analyse historical trends, run a forensic-like equivalent of the what-if scenario, and proactively revise strategies before new threats are identified. 4. Implementation & Evaluation In this section, the research presents the experimental results of the proposed FOR-IoTNet framework in comparison to two other approaches: a classical centralised forensics approach and a rule-based non-learning system, under various IoT attack conditions in smart home, industrial, and healthcare environments. The output is evaluated based on the accuracy of the detection, evidence coverage, resource utilisation, and flexibility. Quantification is done based on statistics such as the time taken to detect, accuracy, false positives and the number of resources utilised, which are then followed by the reinforcement learning performance curve to annotate the learning curve of the system. It is better to compare such characteristics with visual plots and scales on a table, so that we can conclude that FOR-IoTNet is faster in real-life responsiveness as well as in its forensic readiness, with low overhead resource costs. Table 1 — Detection & Evidence Gathering Performance Scenario (Attack) Framework Avg. Detection Time (s) Detection Accuracy (%) Evidence Completeness (%) False Positive Rate (%) Smart Home – Tampered Thermostat Centralized Forensics 5.8 91.2 68.5 6.4 Rule-based 4.9 88.0 72.3 9.8 FOR-IoTNet 2.1 96.4 92.7 3.2 Factory – Unauthorised Sensor Control Centralized Forensics 6.5 89.5 65.2 7.0 Rule-based 5.2 86.1 70.8 8.9 FOR-IoTNet 2.4 95.2 90.3 3.7 Hospital – Access Control Manipulation Centralized Forensics 7.1 88.8 66.9 6.8 Rule-based 5.8 85.4 71.5 9.4 FOR-IoTNet 2.6 98.8 97.1 3.5 Figure 4 and Table 1 illustrate that, compared to centralised forensics and the rule-based non-learning system, FOR-IoTNet consistently recorded uniformly high results in preventing all attacks. The smart home example sets the detection time to 2.1 seconds in FOR-IoTNet, which is less than half the time required in the centralised approach, and the detection rate increases to 96.4 per cent with an evidence completeness of 92.7 per cent. Parallel patterns can be observed in the industrial and hospital cases, where detection times are less than 2.6 seconds and accuracy is higher than 95%, resulting in a significant increase in the completeness of forensic evidence. Additionally, the false positive rate of FOR-IoTNet is the lowest (3–4), in contrast to centralised and rule-based systems. These findings indicate the capacity of this framework to provide quicker, more accurate, and inclusive forensic preparedness with a reduced risk of misclassification. Figure 5 illustrates the resource efficacy of the proposed FOR-IoTNet framework in comparison to more traditional forms of centralised forensics and the rule-based method. The least amount of CPU usage is observed in FOR-IoTNet (28.4%), which is significantly lower than in centralised forensics (42.5%) and comparable to the rule-based system (39.7%). The memory requirement pattern is also similar, and FOR-IoTNet has a much smaller memory usage need (450 MB) than the other two frameworks. It also reduces consumption of its network bandwidth, where 31.9 MB/min in FOR-IoTNet is contrasted with more than 45 MB/min in alternatives, which proves its efficient communication design. Most importantly, energy use is minimised to 210 J, resulting in a significant reduction in energy consumption, which is crucial in IoT settings where devices are limited by their power requirements. These results suggest that the proposed solution, FOR-IoTNet, not only expands forensic capabilities but also operates at a reduced resource cost that is more than suitable for large, heterogeneous IoT installations. The performance of the proposed FOR-IoTNet framework on the reinforcement learning (RL) training task, consisting of 500 training episodes, is shown in Fig. 6 . The outcomes indicate an apparent cumulative increase in both the average reward and the accuracy of policy choices as training progresses. At the early stage (episodes 0 to 100), the system receives an average reward of 0.25 and a decision accuracy of 72.3%, indicating an initial learning process where the policy is not yet optimised. The values of reward increase and reach 0.51 in episodes 101–200, and the accuracy rates also increase, reaching 83.4%, which demonstrates the RL agent's capability to employ effective forensic actions. Halfway through training (201–300 episodes), performance increases even further, to 0.68 reward and 90.1% accuracy, and more stable policy behaviours tend to emerge. At near convergence (301–400 episodes), the system achieves 92.6% accuracy, an average reward of 0.74, and the steps to converge to optimal decisions are approximately 380. During the last stage (401–500 episodes), the agent achieves its best performance level, with an average reward of 0.81 and 95.4% accuracy. This suggests that further refinement of the policy will lead to highly responsible and successful forensic decisions in the IoT environment. Figure 7 summarises the three assessed forensic frameworks comparatively and shows the high running scores of the proposed FOR-IoTNet in all fields considered in this paper. Regarding the rate of detection, FOR-IoTNet has an average detection speed of 2.37 seconds, which is significantly faster than that of centralised forensics (6.47 seconds) and the rule-based method (5.3 seconds). The framework is also proven to have the maximum average detection accuracy (98.8%), whereas in centralised forensics and the rule-based system, it was found to be 89.8% and 86.5%, respectively. The complement of the evidence (another key aspect) is also high, reaching 91.37 per cent, which is considerably higher than that of the centralised systems (centralised systems deal with 66.87 per cent of the evidence, and rule-based ones with 71.53 per cent). Moreover, the false positive rate of the proposed system is the lowest (3.47%), equaling almost half of the centralised forensics (6.73%) and significantly lower than the rule-based approach (9.37%). From a resource efficiency point of view, FOR-IoTNet consumes the least CPU (28.4 per cent) compared to centralised forensics (42.5 per cent) and rule-based systems (39.7 per cent), due to the optimised use and distributed nature of its processing capability. The overall effect of these findings is to show that FOR-IoTNet can not only increase the accuracy of detection and solve the forensic completeness problem, but also achieve a quicker response and minimal resource consumption, thus indicating its perfect suitability as an IoT-enabled organisation. 5. Conclusion and Future Work The paper introduced FOR-IoTNet as a Federated Online Reinforcement Learning (Federated-RL) framework, serving to facilitate Proactive Digital Forensic Readiness within IoT-enabled environments. The proposed system addresses the key issues of evidence gathering, privacy, and adaptive decision-making in real-time settings with heterogeneous IoT infrastructures. The framework eliminates the need to centralise raw data through federated learning, making it more privacy-friendly and less communication-overhead-intensive. Additionally, reinforcement learning enables the continuous optimisation of forensic response policies to adapt to changing threat landscapes. The results of experimental assessments in various IoT settings, namely smart homes, industrial environments, and healthcare environments, proved that FOR-IoTNet systematically outperformed centralised and rule-based forensic implementations. It had an average detection accuracy of 98.8%, evidence completeness (91.37%), and the least false positive rate (3.47% percent) with a significantly decreased average detection time of only 2.37 seconds. The efficiency of resources could also be seen, as CPU utilisation was 28.4 per cent, and 31.9 MB/min bandwidth was consumed, with a lower energy overhead than the current methods. These findings confirm that FOR-IoTNet has the potential to deliver efficient forensic preparedness as quickly and precisely, as resource-effective, in the real-world development of IoT. System architecture proves to be suitable for the implementation of smart cities, hospitals, and industrial Internet of Things applications, where captured incidents and evidence have been essential in ensuring operational flow and mitigating legal repercussions. It is designed, which means that locally sensitive information is not exposed; nevertheless, local data contributes to a globally trained model of forensic intelligence. In the future, it is possible to conduct research on the integration of Explainable AI (XAI) to make results of RL used in forensic decisions more understandable, the implementation of mechanisms of federated learning based on differential privacy or blockchain to protect model updates, and the development of regulatory procedures of cross-jurisdictional data sharing of forensic data to provide cooperation between investigators across jurisdictions. Such a path will allow the proposed system to be robust, transparent, and capable of operating in a dynamic threat environment. Declarations Financial interests The authors declare they have no financial interests. Author Contribution O.K., A.C. and S.S. wrote the main manuscript text.All authors prepared all the figures and reviewed the manuscript. References Nguyen, H., Nawara, D., Kashef, R.: Connecting the indispensable roles of IoT and artificial intelligence in smart cities: A survey. J. Inform. Intell. 2 (3), 261–285 (May 2024). 10.1016/j.jiixd.2024.01.003 Afrin, S., et al.: Industrial Internet of Things: Implementations, challenges, and potential solutions across various industries. Comput. Ind. 170 , 104317 (Sep. 2025). 10.1016/j.compind.2025.104317 Farooq, O., Martin, I.: Cybersecurity challenges in the era of digital transformation. J. Emerg. Technol. Digit. Transformation. 2 (2), 102–113 (2023) Kornaros, G.: Hardware-Assisted Machine Learning in Resource-Constrained IoT Environments for Security: Review and Future Prospective. IEEE Access. 10 , 58603–58622 (2022). 10.1109/ACCESS.2022.3179047 Tsiknas, K., Taketzis, D., Demertzis, K., Skianis, C.: Cyber Threats to Industrial IoT: A Survey on Attacks and Countermeasures, IoT , vol. 2, no. 1, pp. 163–186, Mar. (2021). 10.3390/iot2010009 Hagan, D.K.: Digital Forensics -The Processes and Some Forensic Tools Digital Forensics, Unpublished . (2021). 10.13140/RG.2.2.23879.10402 Jones, R., Davies, H.: High-Performance Digital Forensic Framework for Anomalous Ransomware Detection in File System Log Data, Accessed: Aug. 10, 2025. [Online]. (2024). Available: https://www.authorea.com/doi/full/10.36227/techrxiv.172599923.38750111?commit=46ef88c480fb0e445ada932577d99bd0e355fe38 Bakhsh, S.A., Khan, M.A., Ahmed, F., Alshehri, M.S., Ali, H., Ahmad, J.: Enhancing IoT network security through deep learning-powered Intrusion Detection System. Internet Things. 24 , 100936 (Dec. 2023). 10.1016/j.iot.2023.100936 Ahmed, A.A., Farhan, K., Jabbar, W.A., Al-Othmani, A., Abdulrahman, A.G.: IoT Forensics: Current Perspectives and Future Directions. Sensors. 24 (16), 5210 (Jan. 2024). 10.3390/s24165210 Ndibe, O.S.: AI-Driven Forensic Systems for Real-Time Anomaly Detection and Threat Mitigation in Cybersecurity Infrastructures. Int. J. Res. Publ Rev. 6 (5), 389–411 (May 2025). 10.55248/gengpi.6.0525.1991 Itodo, C., Varlioglu, S., Elsayed, N., Digital Forensics and Incident Response (DFIR) Challenges in IoT Platforms, in: 4th International Conference on Information and Computer Technologies (ICICT) , Mar. 2021, pp. 199–203. (2021). 10.1109/ICICT52872.2021.00040 AlShaer, M., AlShehhi, K., Abdulla, S.: The Internet of Things (IoT) Forensic Investigation Process: A State-of-the-Art Review, Challenges and Future Directions, Accessed: Aug. 10, 2025. [Online]. (2023). Available: https://repository.nauss.edu.sa/handle/123456789/67321 Philomin, S., Singh, A., Ikuesan, A., Venter, H.: Digital forensic readiness framework for smart homes, in International Conference on Cyber Warfare and Security , Academic Conferences International Limited, p. 627–XVIII. (2020) Kaushik, K., Bhardwaj, A., Dahiya, S.: Smart Home IoT Forensics: Current Status, Challenges, and Future Directions, in International Conference on Advancement in Computation & Computer Technologies (InCACCT) , May 2023, pp. 716–721. (2023). 10.1109/InCACCT57535.2023.10141730 Jacob, R., Nisbet, A.: A forensic investigation framework for Internet of Things monitoring. Forensic Sci. International: Digit. Invest. 42–43 (Oct. 2022). 10.1016/j.fsidi.2022.301482 Mpungu, C., George, C., Mapp, G.: Developing a Novel Digital Forensics Readiness Framework for Wireless Medical Networks Using Specialised Logging. In: Jahankhani, H. (ed.) in Cybersecurity in the Age of Smart Societies, pp. 203–226. Springer International Publishing, Cham (2023). 10.1007/978-3-031-20160-8_12 Conti, M., Kumar, G., Lal, C., Saha, R.: Blockchain-Based Distributed and Secure Digital Forensic Investigation Systems. In: Ruj, S., Kanhere, S.S., Conti, M. (eds.) Blockchains: A Handbook on Fundamentals, Platforms and Applications, pp. 337–362. Springer International Publishing, Cham (2024). 10.1007/978-3-031-32146-7_11 Papadopoulos, C., Kollias, K.-F., Fragulis, G.F.: Recent Advancements in Federated Learning: State of the Art, Fundamentals, Principles, IoT Applications and Future Trends. Future Internet. 16 (11), 415 (Nov. 2024). 10.3390/fi16110415 Moriano, P., Hespeler, S.C., Li, M., Mahbub, M.: Adaptive anomaly detection for identifying attacks in cyber-physical systems: A systematic literature review. Artif. Intell. Rev. 58 (9), 283 (Jun. 2025). 10.1007/s10462-025-11292-w Igonor, O.S., Amin, M.B., Garg, S.: The Application of Blockchain Technology in the Field of Digital Forensics: A Literature Review, Blockchains , vol. 3, no. 1, p. 5, Mar. (2025). 10.3390/blockchains3010005 Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Review Version 1 posted Reviews received at journal 04 May, 2026 Reviewers agreed at journal 23 Apr, 2026 Reviewers invited by journal 18 Apr, 2026 Editor assigned by journal 30 Oct, 2025 Submission checks completed at journal 30 Oct, 2025 First submitted to journal 27 Oct, 2025 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7959169","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":549367043,"identity":"a47401ed-51ad-427d-9e8e-559470b4c10d","order_by":0,"name":"Oyeyemi Kuku","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABEklEQVRIie3RMUvDQBTA8RcCcYmmkzQI8Su8I1CRSj/LhcDdUtEP4HBTJnFO8TMITsXxwkG7RFwLWc7F+bI4STWKxVCS6uhw/+lx4ce9IwA227/MA0nxLGomRwK4rS9+L3G0uWTx57ghjviFuCQ3KhF/JsGQsSMfXX6XU5D1wzg6OVRLDVcTwFJ2kjBni4Z45/MVhWJW8vj0ljVXLlLAR9FJcMWzhvhfRO1nKrmvpkSAJwGfuhf7JkM++iEXtYD1LsIUyRFpi0wd4WSyd7Hw+iXRBimZl8+imGU8xoqRPLlJ/bDn+cEeQ0nf3o9Hy7TQdTaOsEq1Ma+T6KCk3ZsNNueDpLUH3fEjIZDbg81ms9m2+gBWL2oLL3lVlgAAAABJRU5ErkJggg==","orcid":"","institution":"London Metropolitan University","correspondingAuthor":true,"prefix":"","firstName":"Oyeyemi","middleName":"","lastName":"Kuku","suffix":""},{"id":549367045,"identity":"798fd889-60c9-4dca-9beb-2e0432d5acdf","order_by":1,"name":"Alexandros Chrysikos","email":"","orcid":"","institution":"London Metropolitan University","correspondingAuthor":false,"prefix":"","firstName":"Alexandros","middleName":"","lastName":"Chrysikos","suffix":""},{"id":549367046,"identity":"4a84e8df-1c53-4bd1-be0a-6c6d5b959c5f","order_by":2,"name":"Shahram Salekzamankhani","email":"","orcid":"","institution":"London Metropolitan University","correspondingAuthor":false,"prefix":"","firstName":"Shahram","middleName":"","lastName":"Salekzamankhani","suffix":""}],"badges":[],"createdAt":"2025-10-27 12:43:50","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7959169/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7959169/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":100497808,"identity":"52bb497d-2675-4ab8-83c1-43c2856e3535","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"docx","order_by":0,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":4294399,"visible":true,"origin":"","legend":"","description":"","filename":"JournalProactiveForensicsFR.docx","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/442b2f4487318c79cbae41ca.docx"},{"id":100547943,"identity":"1cbcf5b5-36c7-4f32-9658-d5c380e75431","added_by":"auto","created_at":"2026-01-19 08:17:03","extension":"json","order_by":1,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":6226,"visible":true,"origin":"","legend":"","description":"","filename":"75385eefb785467b8b604fc411d9e978.json","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/136e9f6a3db79068ac44f58b.json"},{"id":100497802,"identity":"91c754ef-5dd6-498f-9c3c-190a1afc52f7","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"xml","order_by":2,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":90042,"visible":true,"origin":"","legend":"","description":"","filename":"75385eefb785467b8b604fc411d9e9781enriched.xml","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/a42c2e5defb3af1ffe706168.xml"},{"id":100547754,"identity":"9a96790a-66f3-4269-8d16-aa60c6b0b349","added_by":"auto","created_at":"2026-01-19 08:16:32","extension":"png","order_by":10,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":50324,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/9a4805dc7bf1df77c24b8e7b.png"},{"id":100548185,"identity":"ff14ceb4-3424-4542-8159-9891ad62413d","added_by":"auto","created_at":"2026-01-19 08:17:46","extension":"png","order_by":11,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":62064,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage2.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/88583c4dbc95461be59de44d.png"},{"id":100548316,"identity":"d5d3fe15-902f-4416-a2c7-62d0bdd47ba2","added_by":"auto","created_at":"2026-01-19 08:18:13","extension":"png","order_by":12,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":114558,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage3.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/032359b4f107ce122ea3012f.png"},{"id":100548336,"identity":"e0cf4506-6b1e-4efc-87d2-dff736ce17fc","added_by":"auto","created_at":"2026-01-19 08:18:16","extension":"png","order_by":13,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":26301,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage4.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/8f6174ffd59b2156eb65c975.png"},{"id":100497812,"identity":"4f235f7a-248a-44b6-b9eb-cfbb78384bf0","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"png","order_by":14,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":12462,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage5.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/5facb110290b71d34778006c.png"},{"id":100497809,"identity":"1a62f986-96a5-450c-a77c-9eff52e79c03","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"png","order_by":15,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":10782,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage6.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/5c6b6c0c494629730ed1c202.png"},{"id":100497815,"identity":"148a4db5-4a79-43bc-9454-40ca904870ba","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"png","order_by":16,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":30557,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage7.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/d9c73d0e0e90b9f7098f2578.png"},{"id":100497814,"identity":"f7b0c991-5498-4a45-b4f0-6d8e1885387c","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"xml","order_by":17,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":88588,"visible":true,"origin":"","legend":"","description":"","filename":"75385eefb785467b8b604fc411d9e9781structuring.xml","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/8009065026dc2590dc3d0dec.xml"},{"id":100497816,"identity":"dcfc04b6-0497-4873-be9e-78cd28937c48","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"html","order_by":18,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":99209,"visible":true,"origin":"","legend":"","description":"","filename":"earlyproof.html","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/810f974b44e9896336d2eb00.html"},{"id":100548255,"identity":"b21dae81-0b2a-479d-b8c8-303f6528ddc8","added_by":"auto","created_at":"2026-01-19 08:17:57","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":1076865,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eProposed Framework\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/924a386da7904ba178886401.png"},{"id":100549015,"identity":"1bdbadea-1d3f-48ea-bfb3-be1391deaa49","added_by":"auto","created_at":"2026-01-19 08:22:03","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":1381465,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eWorking Process of Reinforcement Forensic Controller\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage2.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/1bf5248998a01308e15021e2.png"},{"id":100497806,"identity":"e59d7116-d943-4274-b56b-96c5aac61940","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":1489753,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eProposed FOR-IoTNet Architecture\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage3.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/8df84c7e17d2c4a1cb009c88.png"},{"id":100497798,"identity":"bcf553a6-b04a-4854-9f94-d55ff16bada1","added_by":"auto","created_at":"2026-01-18 04:29:37","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":74477,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eDetection \u0026amp; Evidence analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage4.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/7d7387a8670b4a35cdad1a5b.png"},{"id":100548240,"identity":"b1b56dab-d52b-4ea1-8fdf-48af9ea51d7d","added_by":"auto","created_at":"2026-01-19 08:17:55","extension":"png","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":35190,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eResource Consumption analysis\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage5.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/e1a04c432122d422a4948454.png"},{"id":100548096,"identity":"17df7503-b82c-430a-9c3c-5446147bb4ae","added_by":"auto","created_at":"2026-01-19 08:17:30","extension":"png","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":36393,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eRL Training Performance\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage6.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/5f4291e8a250e5e662a7a354.png"},{"id":100548216,"identity":"b200a11e-3a33-4f5e-979c-d4f62c0f206f","added_by":"auto","created_at":"2026-01-19 08:17:52","extension":"png","order_by":7,"title":"Figure 7","display":"","copyAsset":false,"role":"figure","size":134463,"visible":true,"origin":"","legend":"\u003cp\u003e\u003cem\u003e\u003cstrong\u003eComparative Analysis of the Suggested Framework\u003c/strong\u003e\u003c/em\u003e\u003c/p\u003e","description":"","filename":"floatimage7.png","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/6642b7948c50370e5b604e49.png"},{"id":100857683,"identity":"98b5b000-0189-4cbb-a8f1-89d1d0a986e7","added_by":"auto","created_at":"2026-01-22 07:19:53","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":4642539,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7959169/v1/4bfe0256-8dd8-41c2-9875-a743c03081a3.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real- Time Incident Response","fulltext":[{"header":"1. Introduction","content":"\u003cp\u003eThe Internet of Things (IoT) has become one of the most transformative developments in recent technological history over the last decade, connecting hundreds of billions of devices across various fields, including smart cities, healthcare, industrial automation, and critical infrastructure. In the case of smart cities, sensor networks enable real-time traffic management, environmental monitoring, and enhanced public safety. In healthcare, wearable medical sensors and remote monitoring systems facilitate round-the-clock patient support[\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e]. Predictive maintenance, automation of processes, and supply chain management, among other things, have transformed the manufacturing sector with the help of industrial IoT (IIoT), and now many critical infrastructure sectors, such as energy grids and water treatment plants, rely on their IoT-enabled systems for operational reliability and efficiency[\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e]. Though such advancements have resulted in more benefits than ever before, the cyber-attack surface has increased tremendously, introducing new vulnerabilities and adding a layer of sophistication to the threat[\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. Due to the presence of a broad range of IoT devices and their resultant variety in communication protocols, combined with the limited computing resources available on hardware, security and forensic preparedness pose unique problems [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e]. Attackers are exploiting these vulnerabilities to execute ransomware on industrial controllers, conduct wide-scale Distributed Denial of Service (DDoS) attacks using botnets, and tamper with data integrity in sensors through man-in-the-middle intrusions[\u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e5\u003c/span\u003e].\u003c/p\u003e \u003cp\u003eDigital forensics, which involves methodically gathering, storing, analysing, and presenting electronic evidence, proves to be crucial in examining these events. Nonetheless, with legacy IT setups, forensic activities will be largely centralised and reactive, getting into action only once a breach has been realised[\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e],[\u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e]. Such an approach is not appropriate in the IoT, where the scale of deployment is larger, data is volatile, and devices are heterogeneous and distributed, which necessitates a more dynamic methodology[\u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e8\u003c/span\u003e]. Volatile memory states, fleeting log entries and transitory network flows are just a few examples of the forensic evidence that is lost on IoT networks within seconds unless action is taken. Moreover, a large number of IoT devices have low processing capability, storage, and even energy supplies, rendering them unrealistic to run conventional forensics tools that essentially interfere with their intended main tasks[\u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e9\u003c/span\u003e]. Evidence handling is further complicated by legal and regulatory complexities, as well as cross-boundary deployments of IoT that may introduce jurisdiction-specific needs for data integrity and chain-of-custody verification. As a result, there is a high possibility that the traditional forensic models will fail to capture critical transient evidence in real time, it remains impossible to adapt to changing trends of attacks, and it is likely to increase the time spent on detecting and responding to Incidents, worsening operational and legal risks[\u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e]. With these drawbacks, a proactive, distributed, and intelligence-driven forensic preparedness model is needed that can work synchronously and transfer efforts in a resource-scarce, diverse, and legally restrictive IoT setting. This paradigm needs to facilitate the ongoing collection of evidence, instantaneous detection of anomalies, and decision-making with guarantees of privacy and compliance with legal regulations, while causing minimal interference with the regular operations of services. The study presents a joint hybrid framework, FOR-IoTNet, which combines federated and reinforcement learning to provide a more robust digital forensic preparedness in settings that incorporate IoT. The framework supports the privacy regulations of the distributed evidence collection, where no raw logs are transferred, thus maintaining the data locality of the evidence collection. Its decision-making using adaptive RL complements this by fueling incident response faster, and with better quality and applicable evidence gathered. Moreover, FOR-IoTNet is designed to form a legally admissible chain of custody in decentralised networks, and leaves digital evidence intact as credible evidence that can be used by law enforcement and regulatory operations. This study aims to:\u003c/p\u003e \u003cp\u003e \u003col\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eDevelop a federated learning-based framework for decentralised anomaly detection in IoT environments.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eIntegrate an online reinforcement learning (RL) agent that autonomously selects optimal forensic response actions based on threat context.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003cspan\u003e \u003cli\u003e \u003cp\u003eEnsure the framework supports real-time, privacy-preserving, and legally compliant forensic readiness across diverse IoT ecosystems.\u003c/p\u003e \u003c/li\u003e \u003c/span\u003e \u003c/ol\u003e \u003c/p\u003e \u003cp\u003eThe remaining sections of this paper are as follows: Section \u003cspan refid=\"Sec2\" class=\"InternalRef\"\u003e2\u003c/span\u003e reviews the related works and research gaps, while Section \u003cspan refid=\"Sec4\" class=\"InternalRef\"\u003e3\u003c/span\u003e presents the proposed framework and methodology of FOR-IoTNet. Section \u003cspan refid=\"Sec10\" class=\"InternalRef\"\u003e4\u003c/span\u003e presents the experimental setup, datasets, and results, and compares them. Section \u003cspan refid=\"Sec11\" class=\"InternalRef\"\u003e5\u003c/span\u003e provides the conclusion and outlines future directions to follow.\u003c/p\u003e"},{"header":"2. Literature Review","content":"\u003cp\u003eA conceptual model for carrying out digital forensics (DF) in the context of IoT infrastructures has also been introduced in research [\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e]. This design was known as the Forensics-aware IoT (FAIoT) framework, which was developed to ensure that successful forensic examinations can take place in IoT settings. It is divided into three main modules: secure evidence preservation, secure provenance and API-based evidence access. The secure evidence preservation module will continuously monitor IoT devices and securely log forensic information. Data privacy and preservation of the chain of custody are achieved through the secure provenance module. The API module enables safe, but read-only access to the authorised law enforcement agencies and/or in the course of investigation [\u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e12\u003c/span\u003e]. Although the model has proven to be a breakthrough in digital forensics of IoT, it has not involved the organisational perspective of digital forensic readiness (DFR) in the use of IoT. Similarly, [\u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e13\u003c/span\u003e] developed a paradigm tailored to smart homes. This model, comprising five layers, was compared to the ISO/IEC 27043 standard, utilising a collection of observed rules of abnormal behaviour to detect potential threats in a regular home-user environment. Simulation results have shown that such regulations have the potential to expose security issues in smart homes. Furthermore, the implementation of DFR processes into such environments is capable of revealing indicators of compromise (IoCs), which can be included in the triggers of security alerts. In a similar research study by [\u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e14\u003c/span\u003e], the researchers developed a smart device, the Forensic Edge Management System (FEMS), which offers both security and forensic functionalities in an IoT-based smart home. Although FEMS is a method for addressing home IoT app security issues and aiding investigations, it is place-focused rather than organisation-oriented. This means it does not meet the broader needs of an organisation in terms of fulfilling legal requirements, regulatory body demands, or formal forensic policies. Additionally, there is no international standard to which it is aligned.\u003c/p\u003e \u003cp\u003eAlso, [\u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e15\u003c/span\u003e] introduced the Digital Forensic Investigation Framework of IoT (DFIF-IoT), which was implemented according to the ISO/IEC 27043 standard. This framework consists of three modules: the proactive processes, IoT-specific forensic processes and reactive processes. Although DFIF-IoT aligns closely with the proactive-based IoT-Forensic Readiness (IoT-FR) approach outlined in the paper, it fails to capture organisation-wide processes that constitute a significant element of comprehensive digital forensic readiness. In a different direction, [\u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e16\u003c/span\u003e] proposed a wireless DFR model that implements and emphasises the monitoring, logging and retention of the network traffic. Its principle of wireless network monitoring is applicable in an IoT-enabled deployment, even though it was not explicitly aimed at IoT. Nonetheless, it lacks an organisational or security management process. Lastly, [\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e17\u003c/span\u003e] suggested a combined lightweight blockchain solution for the forensic usage of connected vehicles equipped with IoT sensors. This architecture utilises a blockchain ledger maintained by permissioned members to facilitate secure end-to-end communication and data transfer. An additional aspect of the framework involves a lightweight and secure ledger, utilised in sensitive matters, such as forensic investigations, to ensure participants have access to only relevant information. Although this strategy targets organisational preparedness and incorporates security mechanisms, it does not conform to any international guide or accepted forensic models.\u003c/p\u003e \u003cdiv id=\"Sec3\" class=\"Section2\"\u003e \u003ch2\u003e2.1 Research Gap\u003c/h2\u003e \u003cp\u003eAlthough both federated learning and reinforcement learning have significant promises in cybersecurity and IoT solutions, there is still no cohesive framework which could tie these advantages together to allow proactive digital forensic preparedness[\u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e18\u003c/span\u003e]. The current methods tend to either concentrate on distributive learning to detect anomalies or on adaptive policy optimisation without considering the necessity to have a decentralised, forensic evidence gathering and analysis in real time without centralisation[\u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e19\u003c/span\u003e]. In addition, existing solutions typically lack legality, chain-of-custody and forensic soundness in large-scale IoT scenarios where jurisdiction and privacy requirements are of great importance[\u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e20\u003c/span\u003e]. Also significant is the fact that solutions to the trade-off between forensic performance and systematic costs (such as bandwidth and CPU utilisation, and energy costs), without compromising privacy assurances of sensitive IoT data, have not been thoroughly investigated. This disconnection highlights the need to develop a forensic framework based on federated reinforcement learning, which can be utilised to securely address truly multi-tenant, resource-constrained, and legally regulated IoT ecosystems.\u003c/p\u003e \u003c/div\u003e"},{"header":"3. Research Methodology","content":"\u003cp\u003eIn this research, the Design Science Research (DSR) methodology is employed, where the primary limitations of existing forensic approaches applicable in the IoT domain are identified, including, but not limited to, a slow evidence-gathering process, excessive data transfer overhead, and limited adaptivity. The FOR-IoTNet framework was developed to fill these gaps and contains three building blocks: (i) Federated Edge Anomaly Learners (FEAL), which uses lightweight Autoencoders models or LSTM models on edge devices themselves (i.e., simply a program running on the device) and learns the behavioral patterns of the device; (ii) the Online Reinforcement Forensic Agent (ORFA), which uses the Proximal Policy Optimization (PPO) algorithm to select optimal forensic actions, such as evidence logging or device isolation in real time; and (iii) The platform runs tests on simulated systems, such as smart home content environments, or industrial factories or the IoT environment in a hospital, fabricated on NS3 or IoT-LAB. Several attack vectors are introduced into this environment, such as Denial of Service (DoS), firmware tampering, and unauthorised access/data exfiltration. Logging and data communication are facilitated through MQTT and Zeek, while TensorFlow Federated provides the framework for the federated learning pipeline. The PPO agent is implemented using Stable Baselines 3. The behavior of the framework is benchmarked on a set of metrics: Detection Latency (ms) the timeline between anomaly-detection and forensic response; Evidence Quality Score deriving the degree of completeness and chain-of-custody compliance of evidence collected; Policy Decision accuracy determining correctness of actions by RL-selected actions; Communication Overhead (KB/device) a comparison of the new-size of FL updates to raw-log fragment transfers; System Performance overhead (%) the calculated overhead on edge devices in terms of CPU workload and RAM usage.\u003c/p\u003e \u003cdiv id=\"Sec5\" class=\"Section2\"\u003e \u003ch2\u003e3.1 Dataset Description\u003c/h2\u003e \u003cp\u003eThe data used in the work was obtained from a live enterprise network continuously over 10 days (May 14, 2024, to May 23, 2024). It experiences both normal and malicious traffic, and there have been reported attacks, including Distributed Denial of Service (DDoS), Denial of Service (DoS), brute force, and SQL injection. The monitoring of network activity was complete, based on WAZUH server-client settings, logs of IoT devices available in the cited 192.168.0.x subnet, firewall logs, and Cloudflare logs, thus providing multi-source visibility to potential security occurrences. Such sources harvested necessary metadata, which included IP addresses, port numbers, flow durations, packet sizes, and the inter-arrivals of packets. A total of 79 different features were extracted, including flow-level statistics, packet-level characteristics, and counts of TCP flags. The raw traffic data, with more than 18,000 labelled samples, was preprocessed through a rigorous phase of noise removal, normalisation, and rearranged in a different format. The cleaned data were saved in the form of CSV files, which were easy to read and could be used to train the machine learning model or for later evaluation.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec6\" class=\"Section2\"\u003e \u003ch2\u003e3.2 FOR-IoTNet Framework Design\u003c/h2\u003e \u003cp\u003eThe proposed FOR-IoTNet framework employs a layered architecture that facilitates proactive and adaptive digital forensic preparedness in IoT-enabled organisations. IoT nodes at the edge layer, such as smart sensors, cameras, and controllers, apply lightweight anomaly learners, e.g., Autoencoders or LSTM models, trained based on locally captured network traffic. It contains both benign and malicious traffic, including DDoS attacks, DoS attacks, brute force, and SQL injection, during the study period of the dataset collection (May 14\u0026ndash;23, 2024). Features such as IP addresses, port numbers, flow duration, packet sizes, counts of TCP flag information, and packet inter-arrival times are all processed on each node, allowing for specific modelling of device behaviour. The Online Reinforcement Forensic Agent (ORFA), implemented with the PPO algorithm, receives anomaly alerts and calculates optimal forensic measures, which may include logging evidence, isolating devices, or escalating operands to administrators. This forms a feedback loop in which the so-called results of these actions are returned to the RL model to update its policy in near real-time. Federated learning aggregation is a periodically repeated event where the model weights trained on multiple edge nodes are collected and used to enhance the global detection accuracy at the cost of transmitting raw, sensitive logs, thereby maintaining privacy. This architecture guarantees that decision-making is not only data-driven, but also context-aware, and communication flows, local learning, policy decision loops, and federated aggregation become an integrated on-demand (real-time) forensics pipeline.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cdiv id=\"Sec7\" class=\"Section3\"\u003e \u003ch2\u003e3.2.1 Federated Anomaly Detection at Edge\u003c/h2\u003e \u003cp\u003eThe Federated Anomaly Detection layer of FOR-IoTNet conducts on-device behavioural modelling, local forensic triggering and keeps raw data traffic to a minimum. It is organized around three closely integrated tasks: (A) preprocessing and feature engineering the study dataset (79 features; flow/packet statistics, TCP flags, IP/port, inter-arrival, times) on-device, (B) the creation of lightweight sequencing-based anomaly modelling (LSTM auto-encoder) that can be trained and updated even on constrained hardware, and (C) two-way confidential federated training and secure exchanges of updates with the controller. A combination of these activities permits device-specific detection with low latency, capturing evidence without centralising network logs, and doing so quickly.\u003c/p\u003e \u003cp\u003e \u003cb\u003eA. On-device preprocessing and feature engineering\u003c/b\u003e \u003c/p\u003e \u003cp\u003eOn-device preprocessing and feature engineering are performed as the proposed framework is optimised to minimise latency and resource load on IoT edge nodes, which ultimately must remain forensic-ready. A sliding window technique is used by each edge device to create small temporal collucts of flow and packet properties, generally of 1\u0026ndash;10 seconds or a known number of recent flows. These time series are fed as input to the lightweight LSTM autoencoder, which is deployed and constructed at the extraction of 79 dataset features, including the duration of the flow, the number of bytes generated, the number of packets, the average packet size, inter-arrival statistics, TCP flags, and protocol identifiers. Continuous characteristics are normalised on the device using running mean-standard deviation statistics or min-max scaling developed during an initial calibration period, to provide comparable results regardless of the traffic pattern carried by the device. Categorical features, such as protocol types and port ranges, are effectively represented as short one-hot vectors or learned embeddings to maintain low-dimensional input features. Additional computational overhead in terms of runtime can be reduced by selecting essential features locally at each node, rather than transferring the entire feature set as is usually done. At each node, lightweight feature selection is performed on the local features, where only the most informative features (e.g., the top 20) detected during the offline training phase, using methods such as Recursive Feature Elimination (RFE) or mutual information ranking, are transferred to the next node. These ranked lists of features are served alongside the global federated model; each node can avoid recomputing duplicates during inference. Additionally, the circular forensic buffer stores new raw packets or parsed flow summaries in a configurable time window, enabling the immediate recovery of any valuable PCAP or flow evidence in the event of an anomaly. This layout allows for quick preprocessing, both in terms of memory and in line with real-time detection requirements, as well as forensic capture requirements.\u003c/p\u003e \u003cp\u003e \u003cb\u003eB. On-device anomaly model (Lightweight LSTM Autoencoder)\u003c/b\u003e \u003c/p\u003e \u003cp\u003eThe on-device anomaly detection model trains a lightweight LSTM autoencoder, where the sequence is compressed by a 12-layer LSTM encoder (with 32\u0026ndash;128 units) into a bottleneck vector and subsequently recovered by a corresponding LSTM decoder. The mean squared error (MSE) is used as the loss function. This small model design strikes a balance between detection performance and computational cost, allowing us to utilise alternative design choices, such as shallow dense autoencoders, temporal convolutional networks (TCNs), or tiny RNNs on ultra-low-power/space devices. Common hyperparameters include a sequence length of 10\u0026ndash;50 timesteps, a batch size of 8\u0026ndash;64, 1\u0026ndash;5 local epochs per federated round, and a learning rate of 1e-3 to 5e-4, with models quantised to 8-bit and deployed through TensorFlow Lite/TinyML for efficient inference. Anomalies are detected when the value of reconstruction error exceeds a dynamically adjusted threshold, which is optimised using ROC-based validation. This threshold is subsequently tuned on-device to account for changes due to diurnal and concept drift, such as through the EWMA technique or sliding percentiles. Such lightweight incremental learning naturally enables fine-tuning with new normal data periodically, making it adaptable while avoiding massive catastrophic forgetting, with the hope that federated updates will be available shortly.\u003c/p\u003e \u003cp\u003e \u003cb\u003eC. Federated training \u0026amp; secure parameter exchange\u003c/b\u003e \u003c/p\u003e \u003cp\u003eWithin any encrypted FL cycle, the server (ORFA/cloud) organises the rounds, choosing some clients, broadcasting the current global model, requesting selected devices to train on stored benign and near-real-time data on the device for E epochs, and uploading model additions. To boost communication efficiency, updates are delta-encoded, sparsified (top-k), and quantised, while gateways merge sensor updates before the uplink. The frequency of aggregation can also be controlled (e.g., 5, 10, 20 minutes) depending on the network conditions and threat level.\u003c/p\u003e \u003cp\u003e \u003cb\u003ePrivacy \u0026amp; security protections\u003c/b\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eSecure aggregation (cryptographic) is used so the server cannot see individual updates.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eDifferential privacy: clients optionally clip gradients and add calibrated Gaussian noise to updates before transmission to provide formal privacy guarantees (with tunable ε).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eTransport security: MQTT/TLS or mTLS for channel encryption and client authentication.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eRemote attestation/device identity: evidence and updates are signed using device keys (TPM or secure element) to prevent spoofing.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eThe aggregation strategy used by FOR-IoTNet is flexible, initially assembling FedAvg, but allowing other notable alternatives, such as trimmed mean, median, Krum, and reputation-based aggregation, to be used, thereby alleviating the effects of poisoned updates or Byzantine updates. The controller can block suspicious participants by detecting changes to their clients, based on high statistics that are not in the vicinity of the median. The framework enables asynchronous participation, allowing devices to wait to update in cases of poor connectivity. Hierarchical FL utilises edge gateways to combine data generated by numerous low-power sensors locally before sending it to the central controller, thereby reducing traffic overhead and achieving faster convergence on estimates.\u003c/p\u003e \u003cp\u003eThe local forensic trigger is activated when the anomaly score within the regional system exceeds its pre-set threshold, triggering an immediate alert to the ORFA and storing key metadata, while retaining the current buffer of packets/flows. In under a second, the device preserves encrypted evidence, destroys all physical access, calculates a SHA-256 hash, signs it with the device key, and captures the system context (firmware, logs, and process list). Subsequent optional containment measures (such as traffic rate-limiting, IP blocking) can be implemented. Raw logs are not uploaded; only signed metadata and raw flow summaries (containing minimal information) are uploaded to the Forensic Policy Knowledge Base (FPKB). Full artefacts are sent on request only. Any activity is documented and maintained in a chain of custody, which can be achieved by cryptographically attaching it to a tamper-evident ledger. The model poisoning identification includes effective thresholds that are adaptive with checks on an ensemble to manage false positives, and drift detection to seal the model change adequately. Optimisation of resources is achieved through compression, knowledge distillation, and gateway offloading of constrained nodes. An assessment of the May 14\u0026ndash;23, 2024 dataset evaluates local detection accuracy, FL convergence, anomaly-to-evidence latency, and communication cost, with ablations of the effects of privacy, aggregation, and participation rate.\u003c/p\u003e \u003c/div\u003e \u003c/div\u003e \u003cdiv id=\"Sec8\" class=\"Section2\"\u003e \u003ch2\u003e3.3 Central Reinforcement Forensic Controller\u003c/h2\u003e \u003cp\u003eThe decision-making core of FOR-IoTNet is the Online Reinforcement Forensic Agent (ORFA). ORFA is placed at the controller/cloud layer, where it takes in compact, signed metadata and anomaly notifications generated by Federated Edge Anomaly Learners (FEAL) and arbitrarily decides in real-time which evidence-based actions to take that optimise forensic utility versus operational expense and privacy disclosure. ORFA is a policy/value agent trained using Proximal Policy Optimisation (PPO) and targeting partially observable, safety-critical applications.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003e \u003cb\u003eRole and high-level behaviour\u003c/b\u003e \u003c/p\u003e \u003cp\u003eThe goals of ORFA are three times: (1) determine whether and how much forensic evidence to save or collect; (2) choose containment or mitigation measures that preserve the integrity of the evidence (e.g., isolate instead of rate-limit); and (3) adjustments to policy as needs evolve through memory stored in the Forensic Policy Knowledge Base (FPKB). A trade-off between five competing goals, evidence completeness, legal admissibility, device availability, privacy, and bandwidth, is necessary in the decision-making process; therefore, the trade-off is explicitly coded directly into the objective reward ORFA provides.\u003c/p\u003e \u003cp\u003e \u003cb\u003eState representation (input)\u003c/b\u003e \u003c/p\u003e \u003cp\u003eORFA operates on a compact, time-indexed state vector formed from:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eAnomaly metadata: anomaly_score, model_id, local confidence, suspected attack class (if available).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eDevice/context: device_type, device_reputation (historical FP/FN rates), firmware_version, location/VLAN.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eRecent telemetry summary: aggregated flow statistics (last T seconds), packet counts, peak throughput.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eNetwork context: upstream load, gateway availability, reachable storage endpoints.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eForensic context from FPKB: past action outcomes for similar incidents, policy constraints (legal/organisational).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eTemporal/contextual info: time of day, current FL round, and last action taken.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eBecause edge messages are succinct, ORFA often faces partial observability; therefore, the policy may incorporate memory (an LSTM embedding) to infer the latent state.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003e \u003cb\u003eAction space\u003c/b\u003e \u003c/p\u003e \u003cp\u003eORFA\u0026rsquo;s action space is hybrid (discrete\u0026thinsp;+\u0026thinsp;parameterised continuous):\u003c/p\u003e \u003cp\u003eDiscrete actions:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eNO_OP \u0026mdash; monitor only.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eLOG_METADATA \u0026mdash; store/anchor metadata in FPKB.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eCAPTURE_SNIPPET \u0026mdash; request edge node to preserve local buffer (short PCAP/flows).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eREQUEST_RAW_UPLOAD \u0026mdash; request complete artefact upload (subject to privacy policy).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eISOLATE_DEVICE \u0026mdash; place device in quarantine VLAN.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eRATE_LIMIT \u0026mdash; throttle device outbound traffic.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eESCALATE \u0026mdash; notify human operator.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eParameterised actions:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eSET_CAPTURE_DURATION(t) \u0026mdash; how many seconds of buffer to persist.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eSET_UPLOAD_PRIORITY(p) \u0026mdash; bandwidth priority for artefact upload.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eActions are masked by policy constraints (e.g., legal/policy rules may forbid REQUEST_RAW_UPLOAD for some device types).\u003c/p\u003e \u003cp\u003e \u003cb\u003eReward design (shaping the objective)\u003c/b\u003e \u003c/p\u003e \u003cp\u003eThe reward function must quantify the forensic utility in relation to the cost. A typical composite reward at time \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:t\\)\u003c/span\u003e\u003c/span\u003e:\u003cdiv id=\"Equ1\" class=\"Equation\"\u003e\u003cdiv format=\"TEX\" class=\"mathdisplay\" id=\"FileID_Equ1\" name=\"EquationSource\"\u003e\n$$\\:{R}_{t}=\\alpha\\:\\bullet\\:{Q}_{evidence}\\left(t\\right)-\\beta\\:\\bullet\\:{C}_{overhead}\\left(t\\right)-\\gamma\\:\\bullet\\:{C}_{availability}\\left(t\\right)-\\delta\\:\\bullet\\:{1}_{illegeal}\\left(t\\right)-\\eta\\:\\bullet\\:F{P}_{penalty}$$\u003c/div\u003e\u003cdiv class=\"EquationNumber\"\u003e1\u003c/div\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003eWhere:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cspan class=\"InlineEquation\"\u003e \u003cspan class=\"mathinline\"\u003e\\(\\:{Q}_{evidence}\\)\u003c/span\u003e \u003c/span\u003e = estimated evidence quality/completeness (improved when capture yields high-information artefacts, validated later by FPKB).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cspan class=\"InlineEquation\"\u003e \u003cspan class=\"mathinline\"\u003e\\(\\:{C}_{overhead}\\)\u003c/span\u003e \u003c/span\u003e = bandwidth + storage cost.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eCavailabilityC_{availability}Cavailability​ = operational impact (penalty if isolation causes service disruption).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cspan class=\"InlineEquation\"\u003e \u003cspan class=\"mathinline\"\u003e\\(\\:{1}_{illegeal}\\)\u003c/span\u003e \u003c/span\u003e​ = indicator if action violates policy/regulation (hard constraint \u0026mdash; heavy penalty).\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cspan class=\"InlineEquation\"\u003e \u003cspan class=\"mathinline\"\u003e\\(\\:F{P}_{penalty}\\)\u003c/span\u003e \u003c/span\u003e = penalty for false positive-induced disruptive actions.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eCoefficients \u003cspan class=\"InlineEquation\"\u003e\u003cspan class=\"mathinline\"\u003e\\(\\:\\alpha\\:,\\beta\\:,\\gamma\\:,\\delta\\:,\\eta\\:\\)\u003c/span\u003e\u003c/span\u003e are tuned via simulation to reflect organisational priorities (privacy first vs. evidence-first).\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003cp\u003eThe Online Reinforcement Forensic Agent (ORFA) uses an actor-critic PPO implementation with a lightweight memory-augmented encoder, which is safe and adaptively makes decisions based on FEAL metadata and legal, privacy, and safety constraints of FPKB are integrated. Using offline pretraining, sim-to-real curricula, and conservative online fine-tuning, ORFA is trained to be safe and compliant with laws by employing entropy regularisation to constrain action selection and action masking, and incorporating human-in-the-loop oversight to filter out unsafe and illegal actions. The immutable traces of decisions can guarantee auditability, resiliency, and adaptability, as well as adversarial robustness levels and the detection of drifts. The long-term effectiveness of forensic response can be enhanced through continuous learning from feedback from FPKB.\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec9\" class=\"Section2\"\u003e \u003ch2\u003e3.4 Forensic Policy Knowledge Base (FPKB)\u003c/h2\u003e \u003cp\u003eThe Forensic Policy Knowledge Base (FPKB) is the heart of the intelligence-making systems that comprise the forensic readiness suite, maintaining a detailed historical record of all forensic actions occurring at all IoT elements of the edge, along with their contextual metadata, results, and any applicable legal or policy restrictions. Each entry then records not just the action itself (e.g. device isolation, evidence logging, raw data retrieval) but also the characteristics of the anomaly that triggered the action, the operating environment, the confidence score (when the decision was made) and the final usefulness rating (determined by human analysts or automated triage systems as time permitted). In addition to serving as a passive archive, the FPKB enables the reinforcement learning of the agent over time by feeding this experience back into its reinforcement learning pipeline, allowing the agent to improve its estimation of reward and action-selection policy with time. It encodes the effectiveness metrics used in policy, assisting the system in balancing the trade-offs in speed, accuracy, privacy and cost. Moreover, FPKB utilises legal principles, compliance, and privacy regulations as structured constraints, ensuring that all operations suggested by ORFA comply with jurisdictional regulations and organisational guidelines. The FPKB stores immutable, cryptographically signed decision logs to ensure audibility and can be optionally anchored to a tamper-evident ledger. This qualifies it as both a resource of knowledge and a credible forensic record, capable of standing in legal courts. Additionally, FPKB will enable semantic querying and policy simulation, allowing security teams to analyse historical trends, run a forensic-like equivalent of the what-if scenario, and proactively revise strategies before new threats are identified.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003c/div\u003e"},{"header":"4. Implementation \u0026 Evaluation","content":"\u003cp\u003eIn this section, the research presents the experimental results of the proposed FOR-IoTNet framework in comparison to two other approaches: a classical centralised forensics approach and a rule-based non-learning system, under various IoT attack conditions in smart home, industrial, and healthcare environments. The output is evaluated based on the accuracy of the detection, evidence coverage, resource utilisation, and flexibility. Quantification is done based on statistics such as the time taken to detect, accuracy, false positives and the number of resources utilised, which are then followed by the reinforcement learning performance curve to annotate the learning curve of the system. It is better to compare such characteristics with visual plots and scales on a table, so that we can conclude that FOR-IoTNet is faster in real-life responsiveness as well as in its forensic readiness, with low overhead resource costs.\u003c/p\u003e \u003cp\u003e \u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e \u003ccaption language=\"En\"\u003e \u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e \u003cdiv class=\"CaptionContent\"\u003e \u003cp\u003e\u0026mdash; Detection \u0026amp; Evidence Gathering Performance\u003c/p\u003e \u003c/div\u003e \u003c/caption\u003e \u003ccolgroup cols=\"6\"\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e \u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e \u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c6\" colnum=\"6\"\u003e\u003c/div\u003e \u003cthead\u003e \u003ctr\u003e \u003cth align=\"left\" colname=\"c1\"\u003e \u003cp\u003eScenario (Attack)\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c2\"\u003e \u003cp\u003eFramework\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c3\"\u003e \u003cp\u003eAvg. Detection Time (s)\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c4\"\u003e \u003cp\u003eDetection Accuracy (%)\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c5\"\u003e \u003cp\u003eEvidence Completeness (%)\u003c/p\u003e \u003c/th\u003e \u003cth align=\"left\" colname=\"c6\"\u003e \u003cp\u003eFalse Positive Rate (%)\u003c/p\u003e \u003c/th\u003e \u003c/tr\u003e \u003c/thead\u003e \u003ctbody\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eSmart Home \u0026ndash; Tampered Thermostat\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eCentralized Forensics\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5.8\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e91.2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e68.5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e6.4\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eRule-based\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e4.9\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e88.0\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e72.3\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e9.8\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e\u003cb\u003eFOR-IoTNet\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e\u003cb\u003e2.1\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e\u003cb\u003e96.4\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e\u003cb\u003e92.7\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e\u003cb\u003e3.2\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eFactory \u0026ndash; Unauthorised Sensor Control\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eCentralized Forensics\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e6.5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e89.5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e65.2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e7.0\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eRule-based\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5.2\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e86.1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e70.8\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e8.9\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e\u003cb\u003eFOR-IoTNet\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e\u003cb\u003e2.4\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e\u003cb\u003e95.2\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e\u003cb\u003e90.3\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e\u003cb\u003e3.7\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e \u003cp\u003eHospital \u0026ndash; Access Control Manipulation\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eCentralized Forensics\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e7.1\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e88.8\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e66.9\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e6.8\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003eRule-based\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e5.8\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e85.4\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e71.5\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e9.4\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003ctr\u003e \u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e \u003ctd align=\"left\" colname=\"c2\"\u003e \u003cp\u003e\u003cb\u003eFOR-IoTNet\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e \u003cp\u003e\u003cb\u003e2.6\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e \u003cp\u003e\u003cb\u003e98.8\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c5\"\u003e \u003cp\u003e\u003cb\u003e97.1\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003ctd align=\"char\" char=\".\" colname=\"c6\"\u003e \u003cp\u003e\u003cb\u003e3.5\u003c/b\u003e\u003c/p\u003e \u003c/td\u003e \u003c/tr\u003e \u003c/tbody\u003e \u003c/colgroup\u003e \u003c/table\u003e\u003c/div\u003e \u003c/p\u003e \u003cp\u003eFigure \u003cspan refid=\"Fig4\" class=\"InternalRef\"\u003e4\u003c/span\u003e and Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e illustrate that, compared to centralised forensics and the rule-based non-learning system, FOR-IoTNet consistently recorded uniformly high results in preventing all attacks. The smart home example sets the detection time to 2.1 seconds in FOR-IoTNet, which is less than half the time required in the centralised approach, and the detection rate increases to 96.4 per cent with an evidence completeness of 92.7 per cent. Parallel patterns can be observed in the industrial and hospital cases, where detection times are less than 2.6 seconds and accuracy is higher than 95%, resulting in a significant increase in the completeness of forensic evidence. Additionally, the false positive rate of FOR-IoTNet is the lowest (3\u0026ndash;4), in contrast to centralised and rule-based systems. These findings indicate the capacity of this framework to provide quicker, more accurate, and inclusive forensic preparedness with a reduced risk of misclassification.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eFigure \u003cspan refid=\"Fig5\" class=\"InternalRef\"\u003e5\u003c/span\u003e illustrates the resource efficacy of the proposed FOR-IoTNet framework in comparison to more traditional forms of centralised forensics and the rule-based method. The least amount of CPU usage is observed in FOR-IoTNet (28.4%), which is significantly lower than in centralised forensics (42.5%) and comparable to the rule-based system (39.7%). The memory requirement pattern is also similar, and FOR-IoTNet has a much smaller memory usage need (450 MB) than the other two frameworks. It also reduces consumption of its network bandwidth, where 31.9 MB/min in FOR-IoTNet is contrasted with more than 45 MB/min in alternatives, which proves its efficient communication design. Most importantly, energy use is minimised to 210 J, resulting in a significant reduction in energy consumption, which is crucial in IoT settings where devices are limited by their power requirements. These results suggest that the proposed solution, FOR-IoTNet, not only expands forensic capabilities but also operates at a reduced resource cost that is more than suitable for large, heterogeneous IoT installations.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eThe performance of the proposed FOR-IoTNet framework on the reinforcement learning (RL) training task, consisting of 500 training episodes, is shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig6\" class=\"InternalRef\"\u003e6\u003c/span\u003e. The outcomes indicate an apparent cumulative increase in both the average reward and the accuracy of policy choices as training progresses. At the early stage (episodes 0 to 100), the system receives an average reward of 0.25 and a decision accuracy of 72.3%, indicating an initial learning process where the policy is not yet optimised. The values of reward increase and reach 0.51 in episodes 101\u0026ndash;200, and the accuracy rates also increase, reaching 83.4%, which demonstrates the RL agent's capability to employ effective forensic actions. Halfway through training (201\u0026ndash;300 episodes), performance increases even further, to 0.68 reward and 90.1% accuracy, and more stable policy behaviours tend to emerge. At near convergence (301\u0026ndash;400 episodes), the system achieves 92.6% accuracy, an average reward of 0.74, and the steps to converge to optimal decisions are approximately 380. During the last stage (401\u0026ndash;500 episodes), the agent achieves its best performance level, with an average reward of 0.81 and 95.4% accuracy. This suggests that further refinement of the policy will lead to highly responsible and successful forensic decisions in the IoT environment.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eFigure \u003cspan refid=\"Fig7\" class=\"InternalRef\"\u003e7\u003c/span\u003e summarises the three assessed forensic frameworks comparatively and shows the high running scores of the proposed FOR-IoTNet in all fields considered in this paper. Regarding the rate of detection, FOR-IoTNet has an average detection speed of 2.37 seconds, which is significantly faster than that of centralised forensics (6.47 seconds) and the rule-based method (5.3 seconds). The framework is also proven to have the maximum average detection accuracy (98.8%), whereas in centralised forensics and the rule-based system, it was found to be 89.8% and 86.5%, respectively. The complement of the evidence (another key aspect) is also high, reaching 91.37 per cent, which is considerably higher than that of the centralised systems (centralised systems deal with 66.87 per cent of the evidence, and rule-based ones with 71.53 per cent). Moreover, the false positive rate of the proposed system is the lowest (3.47%), equaling almost half of the centralised forensics (6.73%) and significantly lower than the rule-based approach (9.37%). From a resource efficiency point of view, FOR-IoTNet consumes the least CPU (28.4 per cent) compared to centralised forensics (42.5 per cent) and rule-based systems (39.7 per cent), due to the optimised use and distributed nature of its processing capability. The overall effect of these findings is to show that FOR-IoTNet can not only increase the accuracy of detection and solve the forensic completeness problem, but also achieve a quicker response and minimal resource consumption, thus indicating its perfect suitability as an IoT-enabled organisation.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e"},{"header":"5. Conclusion and Future Work","content":"\u003cp\u003eThe paper introduced FOR-IoTNet as a Federated Online Reinforcement Learning (Federated-RL) framework, serving to facilitate Proactive Digital Forensic Readiness within IoT-enabled environments. The proposed system addresses the key issues of evidence gathering, privacy, and adaptive decision-making in real-time settings with heterogeneous IoT infrastructures. The framework eliminates the need to centralise raw data through federated learning, making it more privacy-friendly and less communication-overhead-intensive. Additionally, reinforcement learning enables the continuous optimisation of forensic response policies to adapt to changing threat landscapes. The results of experimental assessments in various IoT settings, namely smart homes, industrial environments, and healthcare environments, proved that FOR-IoTNet systematically outperformed centralised and rule-based forensic implementations. It had an average detection accuracy of 98.8%, evidence completeness (91.37%), and the least false positive rate (3.47% percent) with a significantly decreased average detection time of only 2.37 seconds. The efficiency of resources could also be seen, as CPU utilisation was 28.4 per cent, and 31.9 MB/min bandwidth was consumed, with a lower energy overhead than the current methods. These findings confirm that FOR-IoTNet has the potential to deliver efficient forensic preparedness as quickly and precisely, as resource-effective, in the real-world development of IoT. System architecture proves to be suitable for the implementation of smart cities, hospitals, and industrial Internet of Things applications, where captured incidents and evidence have been essential in ensuring operational flow and mitigating legal repercussions. It is designed, which means that locally sensitive information is not exposed; nevertheless, local data contributes to a globally trained model of forensic intelligence. In the future, it is possible to conduct research on the integration of Explainable AI (XAI) to make results of RL used in forensic decisions more understandable, the implementation of mechanisms of federated learning based on differential privacy or blockchain to protect model updates, and the development of regulatory procedures of cross-jurisdictional data sharing of forensic data to provide cooperation between investigators across jurisdictions. Such a path will allow the proposed system to be robust, transparent, and capable of operating in a dynamic threat environment.\u003c/p\u003e"},{"header":"Declarations","content":"\u003cp\u003e \u003ch2\u003eFinancial interests\u003c/h2\u003e \u003cp\u003eThe authors declare they have no financial interests.\u003c/p\u003e \u003c/p\u003e\u003ch2\u003eAuthor Contribution\u003c/h2\u003e\u003cp\u003eO.K., A.C. and S.S. wrote the main manuscript text.All authors prepared all the figures and reviewed the manuscript.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eNguyen, H., Nawara, D., Kashef, R.: Connecting the indispensable roles of IoT and artificial intelligence in smart cities: A survey. J. Inform. Intell. \u003cb\u003e2\u003c/b\u003e(3), 261\u0026ndash;285 (May 2024). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.jiixd.2024.01.003\u003c/span\u003e\u003cspan address=\"10.1016/j.jiixd.2024.01.003\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAfrin, S., et al.: Industrial Internet of Things: Implementations, challenges, and potential solutions across various industries. Comput. Ind. \u003cb\u003e170\u003c/b\u003e, 104317 (Sep. 2025). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.compind.2025.104317\u003c/span\u003e\u003cspan address=\"10.1016/j.compind.2025.104317\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eFarooq, O., Martin, I.: Cybersecurity challenges in the era of digital transformation. J. Emerg. Technol. Digit. Transformation. \u003cb\u003e2\u003c/b\u003e(2), 102\u0026ndash;113 (2023)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKornaros, G.: Hardware-Assisted Machine Learning in Resource-Constrained IoT Environments for Security: Review and Future Prospective. IEEE Access. \u003cb\u003e10\u003c/b\u003e, 58603\u0026ndash;58622 (2022). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/ACCESS.2022.3179047\u003c/span\u003e\u003cspan address=\"10.1109/ACCESS.2022.3179047\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eTsiknas, K., Taketzis, D., Demertzis, K., Skianis, C.: Cyber Threats to Industrial IoT: A Survey on Attacks and Countermeasures, \u003cem\u003eIoT\u003c/em\u003e, vol. 2, no. 1, pp. 163\u0026ndash;186, Mar. (2021). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.3390/iot2010009\u003c/span\u003e\u003cspan address=\"10.3390/iot2010009\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eHagan, D.K.: Digital Forensics -The Processes and Some Forensic Tools Digital Forensics, \u003cem\u003eUnpublished\u003c/em\u003e. (2021). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.13140/RG.2.2.23879.10402\u003c/span\u003e\u003cspan address=\"10.13140/RG.2.2.23879.10402\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eJones, R., Davies, H.: High-Performance Digital Forensic Framework for Anomalous Ransomware Detection in File System Log Data, Accessed: Aug. 10, 2025. [Online]. (2024). Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://www.authorea.com/doi/full/10.36227/techrxiv.172599923.38750111?commit=46ef88c480fb0e445ada932577d99bd0e355fe38\u003c/span\u003e\u003cspan address=\"https://www.authorea.com/doi/full/10.36227/techrxiv.172599923.38750111?commit=46ef88c480fb0e445ada932577d99bd0e355fe38\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eBakhsh, S.A., Khan, M.A., Ahmed, F., Alshehri, M.S., Ali, H., Ahmad, J.: Enhancing IoT network security through deep learning-powered Intrusion Detection System. Internet Things. \u003cb\u003e24\u003c/b\u003e, 100936 (Dec. 2023). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.iot.2023.100936\u003c/span\u003e\u003cspan address=\"10.1016/j.iot.2023.100936\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAhmed, A.A., Farhan, K., Jabbar, W.A., Al-Othmani, A., Abdulrahman, A.G.: IoT Forensics: Current Perspectives and Future Directions. Sensors. \u003cb\u003e24\u003c/b\u003e(16), 5210 (Jan. 2024). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.3390/s24165210\u003c/span\u003e\u003cspan address=\"10.3390/s24165210\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eNdibe, O.S.: AI-Driven Forensic Systems for Real-Time Anomaly Detection and Threat Mitigation in Cybersecurity Infrastructures. Int. J. Res. Publ Rev. \u003cb\u003e6\u003c/b\u003e(5), 389\u0026ndash;411 (May 2025). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.55248/gengpi.6.0525.1991\u003c/span\u003e\u003cspan address=\"10.55248/gengpi.6.0525.1991\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eItodo, C., Varlioglu, S., Elsayed, N., Digital Forensics and Incident Response (DFIR) Challenges in IoT Platforms, in: \u003cem\u003e4th International Conference on Information and Computer\u003c/em\u003e Technologies \u003cem\u003e(ICICT)\u003c/em\u003e, Mar. 2021, pp. 199\u0026ndash;203. (2021). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/ICICT52872.2021.00040\u003c/span\u003e\u003cspan address=\"10.1109/ICICT52872.2021.00040\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAlShaer, M., AlShehhi, K., Abdulla, S.: The Internet of Things (IoT) Forensic Investigation Process: A State-of-the-Art Review, Challenges and Future Directions, Accessed: Aug. 10, 2025. [Online]. (2023). Available: \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003ehttps://repository.nauss.edu.sa/handle/123456789/67321\u003c/span\u003e\u003cspan address=\"https://repository.nauss.edu.sa/handle/123456789/67321\" targettype=\"URL\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePhilomin, S., Singh, A., Ikuesan, A., Venter, H.: Digital forensic readiness framework for smart homes, in \u003cem\u003eInternational Conference on Cyber Warfare and Security\u003c/em\u003e, Academic Conferences International Limited, p. 627\u0026ndash;XVIII. (2020)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eKaushik, K., Bhardwaj, A., Dahiya, S.: Smart Home IoT Forensics: Current Status, Challenges, and Future Directions, in \u003cem\u003eInternational Conference on Advancement in Computation \u0026amp; Computer Technologies (InCACCT)\u003c/em\u003e, May 2023, pp. 716\u0026ndash;721. (2023). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1109/InCACCT57535.2023.10141730\u003c/span\u003e\u003cspan address=\"10.1109/InCACCT57535.2023.10141730\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eJacob, R., Nisbet, A.: A forensic investigation framework for Internet of Things monitoring. Forensic Sci. International: Digit. Invest. 42\u0026ndash;43 (Oct. 2022). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1016/j.fsidi.2022.301482\u003c/span\u003e\u003cspan address=\"10.1016/j.fsidi.2022.301482\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMpungu, C., George, C., Mapp, G.: Developing a Novel Digital Forensics Readiness Framework for Wireless Medical Networks Using Specialised Logging. In: Jahankhani, H. (ed.) in Cybersecurity in the Age of Smart Societies, pp. 203\u0026ndash;226. Springer International Publishing, Cham (2023). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1007/978-3-031-20160-8_12\u003c/span\u003e\u003cspan address=\"10.1007/978-3-031-20160-8_12\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eConti, M., Kumar, G., Lal, C., Saha, R.: Blockchain-Based Distributed and Secure Digital Forensic Investigation Systems. In: Ruj, S., Kanhere, S.S., Conti, M. (eds.) Blockchains: A Handbook on Fundamentals, Platforms and Applications, pp. 337\u0026ndash;362. Springer International Publishing, Cham (2024). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1007/978-3-031-32146-7_11\u003c/span\u003e\u003cspan address=\"10.1007/978-3-031-32146-7_11\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003ePapadopoulos, C., Kollias, K.-F., Fragulis, G.F.: Recent Advancements in Federated Learning: State of the Art, Fundamentals, Principles, IoT Applications and Future Trends. Future Internet. \u003cb\u003e16\u003c/b\u003e(11), 415 (Nov. 2024). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.3390/fi16110415\u003c/span\u003e\u003cspan address=\"10.3390/fi16110415\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eMoriano, P., Hespeler, S.C., Li, M., Mahbub, M.: Adaptive anomaly detection for identifying attacks in cyber-physical systems: A systematic literature review. Artif. Intell. Rev. \u003cb\u003e58\u003c/b\u003e(9), 283 (Jun. 2025). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.1007/s10462-025-11292-w\u003c/span\u003e\u003cspan address=\"10.1007/s10462-025-11292-w\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eIgonor, O.S., Amin, M.B., Garg, S.: The Application of Blockchain Technology in the Field of Digital Forensics: A Literature Review, \u003cem\u003eBlockchains\u003c/em\u003e, vol. 3, no. 1, p. 5, Mar. (2025). \u003cspan class=\"ExternalRef\"\u003e\u003cspan class=\"RefSource\"\u003e10.3390/blockchains3010005\u003c/span\u003e\u003cspan address=\"10.3390/blockchains3010005\" targettype=\"DOI\" class=\"RefTarget\"\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/li\u003e\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":true,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"international-journal-of-information-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"ijis","sideBox":"Learn more about [International Journal of Information Security](http://link.springer.com/journal/10207)","snPcode":"10207","submissionUrl":"https://submission.nature.com/new-submission/10207/3","title":"International Journal of Information Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Digital Forensics, IoT Security, Federated Learning, Reinforcement Learning, Anomaly Detection, Proactive Incident Response, Privacy Preservation, Smart Environments, Cyber Resilience, Forensic Readiness","lastPublishedDoi":"10.21203/rs.3.rs-7959169/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7959169/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eThe lightning-fast spread of the Internet of Things (IoT) devices in the environment of the most vital infrastructure and systems (healthcare, smart cities, and industrial systems) has led to an increase in the volume of the attack surface of cyber threats to a critical mass. Conventional digital forensic methods are fundamentally reactive, distributed, and cannot cater to the real-time, distributed, and privacy-conscious events in IoT ecosystems. This study introduces a new federated online reinforcement learning system, FOR-IoTNet, which enables proactive forensic readiness within IoT-ramped organisations. FOR-IoTNet utilises Federated Edge Anomaly Learners (FEAL) for local anomaly detection, leveraging deep autoencoders or LSTM networks. This approach enables operation without data sharing, ensuring privacy preservation. Anomalies occur and prompt interventions through a centralised Online Reinforcement Forensics Agent (ORFA), which is optimised using the Proximal Policy Optimisation (PPO) algorithm. ORFA actively selects the best forensically initiated actions, such as isolating a compromised device, invoking secure log capture, or escalating an alert, and dynamically routes them according to context parameters and historical results stored in a Forensic Policy Knowledge Base (FPKB). The framework has been applied and experimented with in simulated IoT, including various attack scenarios such as DoS attacks, firmware hacks, and lateral mobility. The framework has been deployed and evaluated in synthetic IoT scenarios under various attack conditions, including DoS, firmware tampering, and lateral movement, among others. By comparing it to traditional centralised forensics and a rule-based non-learning system, it is evident that FOR-IoTNet offers several advantages, including a lower average detection time of 2.37 seconds, 98.8% accuracy, and enhanced evidence completeness. It reduces the false positive rate to 3.47 and also reduces resource consumption by 28.4% in CPU, 450 MB in memory, and 31.9 MB/min in bandwidth compared to using baseline methods. The outcomes of the RL training show an even more improved policy, where, at episode 500, the percentage of correct decisions reaches 98.4% with an average reward of 0.81. The outcomes indicate that FOR-IoTNet represents a significant improvement in terms of forensic preparedness, response time, and protection of privacy laws through the non-centralisation of raw data. The research has developed a forensic model that can scale in next-generation IoT environments, enabling the integration of intelligent, autonomous, legally compliant, and explainable forensic systems into cyber-physical infrastructures.\u003c/p\u003e","manuscriptTitle":"Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real- Time Incident Response","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2026-01-18 04:29:32","doi":"10.21203/rs.3.rs-7959169/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"editorInvitedReview","content":"","date":"2026-05-04T13:44:40+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"97960166751492463668919096530724063658","date":"2026-04-23T12:08:39+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2026-04-18T08:19:27+00:00","index":"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-10-30T04:57:26+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-10-30T04:57:21+00:00","index":"","fulltext":""},{"type":"submitted","content":"International Journal of Information Security","date":"2025-10-27T08:48:00+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"international-journal-of-information-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"ijis","sideBox":"Learn more about [International Journal of Information Security](http://link.springer.com/journal/10207)","snPcode":"10207","submissionUrl":"https://submission.nature.com/new-submission/10207/3","title":"International Journal of Information Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false}}],"origin":"","ownerIdentity":"ca9b85ef-44b4-4c5b-8715-66be7e46a6a3","owner":[],"postedDate":"January 18th, 2026","published":true,"recentEditorialEvents":[{"type":"editorInvitedReview","content":"","date":"2026-05-04T13:44:40+00:00","index":19,"fulltext":""}],"rejectedJournal":[],"revision":"","amendment":"","status":"under-review","subjectAreas":[],"tags":[],"updatedAt":"2026-04-18T08:23:19+00:00","versionOfRecord":[],"versionCreatedAt":"2026-01-18 04:29:32","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7959169","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7959169","identity":"rs-7959169","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2026) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00