IoT (Internet of Things): Checklist for First Responders and Investigators
1. Initial safety and legal checks
- Confirm scene safety (weapons, hazards, live electricity, gas, fire, chemical risks). interpol
- Verify legal authority: warrant, consent, exigent circumstances; note any device that may be altering or deleting data in real time (e.g., cameras, cloud‑connected devices). ojp
- Limit unnecessary handling of electronic/IoT devices until guidance from a digital evidence specialist is obtained. nij.ojp
2. Global scan for IoT indicators
- Look for network infrastructure: wireless routers, mesh nodes, range extenders, cellular hotspots, powerline network adapters. swgde
- Identify hubs and bridges: smart home hubs (e.g., branded home automation boxes), Zigbee/Z‑Wave hubs, security system control panels, smart TV boxes, game consoles. ojp
- Note voice assistants and smart speakers: cylindrical or puck‑shaped devices with microphones and LEDs, often near kitchens, living rooms, bedrooms, or offices. nij.ojp
3. Exterior and perimeter (near the scene)
- Survey exterior for cameras: doorbell cameras, floodlight cameras, bullet/dome cameras under eaves, in trees, or on fences; check neighboring properties with line‑of‑sight. swgde
- Look for vehicle‑related IoT: connected vehicles, aftermarket GPS trackers under bumpers/dash, OBD‑II plug‑in devices, dashcams, telematics boxes in fleet or rental vehicles. interpol
- Note infrastructure and environmental sensors: smart meters, irrigation controllers, connected thermostats on exterior walls, access control panels, smart locks and gates. ojp
4. Interior premises – obvious IoT
- Smart TVs and streaming boxes: TVs with network ports or Wi‑Fi, streaming sticks/boxes near HDMI ports or power outlets. nij.ojp
- Security and automation: alarm keypads, wireless motion sensors, door/window sensors, glass‑break sensors, smart locks, garage door openers, smart light switches and bulbs. swgde
- Voice/video devices: smart displays, nanny cams, baby monitors, intercoms, talking toys, pet cams or feeders that connect via Wi‑Fi. nij.ojp
5. Interior premises – less obvious IoT
- Household appliances: smart refrigerators, ovens, microwaves, washing machines, dryers, robotic vacuums, smart air purifiers, connected HVAC thermostats and vents. swgde
- Health and fitness IoT: smart scales, connected blood pressure cuffs, glucometers, pulse oximeters, pill dispensers, CPAP/BiPAP machines with Wi‑Fi/cellular modules. interpol
- Other embedded devices: smart plugs, power strips, light strips, smart picture frames, connected coffee makers, smart blinds/curtain controllers. nij.ojp
6. On the victim and suspect – body‑worn IoT
- Wearables: smartwatches, fitness bands, smart rings, body‑worn GPS trackers, health monitoring patches or pendants. interpol
- Medical devices (if present and safe to handle): insulin pumps, neurostimulators, cardiac devices with companion hubs, fall‑detection pendants; coordinate with medical personnel before seizure. interpol
- Clothing and accessories: Bluetooth‑enabled headphones, smart glasses, smart helmets, connected work gear, key fobs for vehicles with telematics apps. swgde
7. Personal devices that control IoT
- Smartphones and tablets: these often serve as the main controller for home or vehicle IoT; identify all phones and tablets in the environment. ojp
- Laptops and computers: desktops, laptops, mini‑PCs, and NAS devices that may run automation software or store logs/video from IoT devices. nij.ojp
- Remote controls and dedicated controllers: proprietary handheld controllers for drones, alarm systems, garage doors, home automation, and industrial equipment. interpol
8. Network and connectivity information to document
- Network identifiers: SSID names seen on labels of routers, mesh nodes, or written on notes; any visible default passwords or QR codes for Wi‑Fi setup. swgde
- Hardware identifiers: photograph and record make, model, serial number, and MAC address for routers, hubs, cameras, and other IoT devices. ojp
- Connectivity types: note whether devices use Wi‑Fi, Ethernet, cellular, Bluetooth, Zigbee, Z‑Wave, LoRa, or proprietary RF; photograph any external antennas or gateway boxes. interpol
9. Quick documentation at the scene
- Overall scene: wide photographs and video showing locations of IoT devices relative to key areas (entry points, victim, suspect, evidence). nij.ojp
- Device close‑ups: power state, status lights, display screens, connected cables, network labels, ports, and any visible notifications or alerts. ojp
- Configuration clues: screenshots or photos of posted passwords, QR codes, written router settings, printed user manuals, or quick‑start guides left near devices. swgde
10. Handling and seizure considerations (high‑level)
- Do not power off or disconnect IoT devices until consulting with a digital forensics point of contact, unless necessary for safety (fire, shock, life‑threatening risk). crime-scene-investigator
- Preserve volatile data when authorized and trained personnel are available: consider photographing live screens and indicators before any power change. interpol
- Package IoT devices carefully: label power supplies, cables, and associated controllers; avoid stacking items that may damage small sensors or alter switches. crime-scene-investigator
11. Questions first responders should answer for investigators
- What IoT‑capable devices are present, where are they located, and who appears to control or own them (victim, suspect, third party, business)? nij.ojp
- What networks are visible (names, apparent ISP, presence of guest networks, visible extenders or hotspots)? ojp
- Are there neighboring or third‑party devices (next‑door cameras, commercial systems, vehicle telematics, employer‑owned devices) that might capture relevant data or logs? swgde
12. Information to capture for follow‑up subpoenas/warrants
- Account‑level info: usernames, email addresses, phone numbers, and service provider names visible in device interfaces or paperwork. interpol
- Service providers: identify cloud platforms (e.g., camera, home automation, health, or vehicle OEM services) linked to devices and note any visible subscription info. nij.ojp
- Time references: capture any device timestamps, time‑zone settings, or indications of last sync/last activity visible on screens at the scene. ojp
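An added example, not part of the original checklist or of any cited agency's tooling: one way to turn the hardware identifiers from section 8 and the time references from section 12 into consistent inventory records. The field names, the sample entries and the reference-clock input (a UTC time noted by the responder when the screen was photographed) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Six hex pairs, optional ':', '-' or '.' separators, not part of a longer hex run.
_MAC = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:.\-]?){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")
_FMT = "%Y-%m-%d %H:%M:%S"

def normalize_mac(label_text):
    """Pull a 48-bit MAC out of transcribed label text -> 'aa:bb:cc:dd:ee:ff' or None."""
    m = _MAC.search(label_text)
    if not m:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", m.group(0)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_flags(mac):
    """Flag addresses that will not match a printed hardware label."""
    first = int(mac[:2], 16)
    # 0x02: locally administered (often a randomized privacy address);
    # 0x01: group/multicast bit, never one device's address, so recheck the photo.
    return [name for bit, name in ((0x02, "locally-administered"), (0x01, "multicast")) if first & bit]

def clock_skew_seconds(device_local, utc_offset_minutes, reference_utc):
    """Seconds the device clock runs ahead (+) or behind (-) of the reference UTC time."""
    tz = timezone(timedelta(minutes=utc_offset_minutes))
    shown = datetime.strptime(device_local, _FMT).replace(tzinfo=tz)
    ref = datetime.strptime(reference_utc, _FMT).replace(tzinfo=timezone.utc)
    return int((shown - ref).total_seconds())

def build_record(item, make, model, serial, mac_label, links, clock=None):
    mac = normalize_mac(mac_label)
    return {
        "item": item, "make": make, "model": model, "serial": serial,
        "mac_as_written": mac_label,  # verbatim transcription stays in the record
        "mac": mac,
        "mac_flags": mac_flags(mac) if mac else ["unreadable: re-photograph label"],
        "connectivity": sorted(links),
        "clock_skew_s": clock_skew_seconds(*clock) if clock else None,
    }

SCENE = [  # constructed sample entries: vendor names, serials and addresses are made up
    ("001", "ExampleVendor", "RX-100", "SN-0001", "MAC 0000.5E00.5301", {"wifi", "ethernet"}, None),
    ("002", "ExampleVendor", "Tab-7", "SN-0002", "Wi-Fi DA-00-5E-00-53-02", {"wifi", "bluetooth"},
     ("2024-03-10 14:05:30", -300, "2024-03-10 19:03:10")),
    ("003", "ExampleVendor", "Hub-Z", "SN-0003", "MAC 00:00:5E:00:53", {"zigbee", "ethernet"}, None),
]

def inventory():
    return [build_record(*row) for row in SCENE]
```

A locally administered address read from a phone or tablet settings screen is often randomized per network, which is why the record keeps the verbatim transcription next to the normalized value.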