Incident Response & DFIR, May 22, 2025

Digital forensics and incident response management model for IoT based agriculture - Nature





Abstract

The Internet of Things (IoT) has been revolutionizing the agricultural industry by providing farmers with unprecedented opportunities to monitor and control their crops, livestock, and farm equipment in real time, which is named IoT based Agriculture (Ag-IoT). Ag-IoT relies on communication technology, the internet, and other wireless technologies, which makes it prone to various cyber attacks and cyber crimes. To address the growing security and forensic challenges in Ag-IoT, we propose a Digital Forensics and Incident Response Management Model (DFIRMM). The proposed model focuses on the identification, analysis, and mitigation of security incidents, along with support for digital forensic investigation tailored to the unique requirements of Ag-IoT. The proposed model is validated through a case study on an MQTT enabled smart agriculture network with machine learning based analysis. We believe this proposed model will redefine how security incidents are handled in smart agriculture industries and impact their growth.

Introduction

The Internet of Things (IoT) contributes to the development of a more resilient and sustainable agricultural sector [1,2]. The use of digital technology in agriculture, involving IoT, artificial intelligence, robotics, and unmanned aerial vehicles [3], is known as IoT based agriculture (Ag-IoT).
Ag-IoT uses IoT to collect data from sensors installed in agricultural fields about soil conditions, weather patterns, crop health, and livestock behavior. It processes the data and makes smart decisions on irrigation, fertilization, pest control, and other agricultural practices [4]. It offers real-time monitoring and control, enabling efficient resource management, improved livestock management, and data-driven decision-making. The benefits of Ag-IoT include increased productivity, resource efficiency, sustainability, and an improved food supply chain [5]. Though Ag-IoT offers various benefits, it poses different cyber attack and cybercrime (CACC) challenges [6]. Physical security risk in Ag-IoT is a significant challenge, as IoT devices deployed in remote areas or exposed environments are susceptible to theft, tampering, or physical damage. Due to its open access, Ag-IoT is vulnerable to emerging attacks that misuse the UART port [7]. Attacks such as DDoS can disrupt Ag-IoT, affecting productivity and functionality. Limited computing resources, outdated software, and hardware or software vulnerabilities can lead to unauthorized access, data manipulation, and disruption of Ag-IoT systems [8]. The lack of standardized security practices introduces challenges for stakeholders, as different security implementations across devices, platforms, and vendors can lead to inconsistencies and hinder interoperability. Insider threats and social engineering attacks also cause human-centric security risks, the consequences of which can be CACC on Ag-IoT [9].

In the past years, the food supply chain has faced several cyber attacks and agribusiness has been affected in different ways. The world's largest meat processing company, JBS Foods [10], was hit by REvil ransomware in a supply chain attack in May 2021, causing business losses of millions of dollars [11].
An Iowa agricultural cooperative was hit by ransomware that disrupted the networks responsible for the feeding schedules of chickens, hogs, and cattle, which caused problems in the food supply chain [12]. An Australian and New Zealand wool sales company had to shut down its facility due to a malware attack [13].

The digital agriculture market is growing rapidly. In 2025, Ag-IoT has the potential to create an annual economic impact ranging from 50 to 200 billion dollars [14]. The global market value of smart agriculture is projected to increase from approximately 15 billion US dollars in 2022 to 33 billion US dollars in 2027 [15]. This can be a lure for attackers, and the consequences of those attacks can be disruption of agribusiness, economic loss, and impact on the food supply chain. Jonathan Braley, a security expert and the director of threat intelligence at IT-ISAC, says that the food and agriculture industry is hypothetically at risk due to increasing cyberattacks on IoT, OT and IIoT [16].

It is an urgent requirement to design and employ a DFIRMM to make the agricultural industry more secure and sustainable. It helps maintain business continuity by addressing incidents, restoring normal operations, and minimizing downtime. Building stakeholder trust is crucial to the success of agricultural businesses. Developing a DFIRMM can improve security controls, update policies, and share best practices within the agricultural community, contributing to continuous improvement and collective knowledge.

The primary objectives of this research are as follows:

1. To present a comprehensive review of existing DFIR models and investigate the potential sources of digital evidence in an Ag-IoT environment.
2. To propose a digital forensics and incident response management model tailored to Ag-IoT.
3. To present a case study on real-world scenarios to demonstrate the effectiveness and applicability of the proposed model in Ag-IoT.

This article is organized as follows.
Section "Literature review" presents relevant studies on existing digital forensic techniques and incident response management models. Section "DFIRMM for Ag-IoT" describes the proposed DFIRMM for Ag-IoT. Section "Experimental evaluation and results" presents an experimental evaluation of the proposed model through a case study on an MQTT enabled smart agriculture network. Section "Conclusion" concludes the article.

Literature review

The use of Ag-IoT has increased recently in the agricultural industry; consequently, the rate of cyber attacks and cyber crime has increased, which demands a specific DFIRMM for Ag-IoT. Very few articles have been based on a specific DFIRMM for Ag-IoT, which makes the proposal of a specific DFIRMM paramount. According to an IBM web article from 2022, organizations that have an incident response model can reduce the cost of data breaches by $2.66 million compared to organizations without a DFIRMM [17]. The 2014 Federal Information Security Modernization Act (FISMA) [18] characterizes an incident as an event that puts the confidentiality, integrity, or availability of information at risk without proper authorization, or that breaches laws, security protocols, or acceptable usage policies.

There are different incident response models available; few of them are combined with digital forensics. The National Institute of Standards and Technology (NIST 2012) [19] published a guide for handling computer security incidents. This model provides a structured approach to incident response in four abstract stages covering preparation, detection and analysis, containment, eradication, and recovery. It also provides limited legal and regulatory advice and requires a lot of resources to implement. The IR management handbook [20] is designed to provide IT professionals and managers with the knowledge necessary to establish incident response policies, standards, and teams in their organizations. It contains six steps and gives an overview of all the stages.
It contains a checklist for incident handlers to ensure the correct execution of incident response procedures. ISO/IEC 27035:2023 [21] provides additional advice on the management of incidents in response to the specific risks that an organization is experiencing. It provides guidance to IT organizations on strategizing and preparing for the management of information security incidents. This includes developing policies, organizing teams, creating plans, receiving technical assistance, and providing awareness and skills training. It involves continuously monitoring and improving on system vulnerabilities, responding promptly to information security incidents, and taking actions to prevent, eradicate, and recover from any impact on the system. In addition, it emphasizes the importance of learning from each incident.

ENISA [22], the European Union agency for cyber security, designed a CERT (Computer Emergency Response Team) guide to handle incidents related to computer network and information security. It elaborates on the different phases of incident management. This guide contains the details that define constituency and roles, incident handling, policies, different organizations in the world working in IRM, outsourcing, presentation, and management. ENISA also [23] developed the Security Incident Maturity Model (SIM3), suggesting regular checks and updates of the incident response handling model.

Few incident management frameworks include forensic investigation. A DFIR management model should be very specific and dedicated to each industry because of that industry's specific properties, such as the hardware and software involved, and because the priority criteria for deciding on an incident can differ. NIST [24] proposed a specific DFIR framework for Operational Technology (OT).
This framework improves the conventional technical procedures of IR in IT organizations by introducing incident response strategies focused on event escalation, and offers strategies for digital forensics in OT. The DFIRM models mentioned above are discussed in Table 1.

The urgency of recovering IoT networks after attacks necessitates the development of suitable DFIR models tailored to constrained environments. This reduces the potential loss and risk in sensitive applications such as smart agriculture. The scarce literature and resources on Ag-IoT forensics and incident response demand the attention of researchers to propose new methodologies tailored to smart agriculture technology. Ag-IoT encompasses a wide spectrum of applications, including precision agriculture, livestock monitoring, supply chain management, and environmental sensing, all of which are based on interconnected sensors, actuators, and control systems. Attacking the agriculture sector is cheap, but protecting it is very expensive, according to the Internet Security Alliance (ISA) [25]. Many industries have their own specific DFIRMM due to their distinct system implementations and the wide variety of equipment used. An operational technology system follows a specific DFIRMM [24,26]. A specialized DFIRMM is therefore crucial for Ag-IoT. Ag-IoT integrates IoT technology into agriculture, using devices such as sensors, drones, and automated machinery to improve agriculture. Ag-IoT includes numerous devices, such as soil sensors, climate monitors, and drones, each with its own data formats and protocols. Ag-IoT functions in real time, demanding rapid incident handling. Ag-IoT collects critical data on crop health and soil conditions; the model addresses data breaches and unauthorized access to it. Ag-IoT ranges from small farms to extensive operations, so the DFIRMM should be adjustable to different scales. Incident handling in Ag-IoT requires knowledge of both agriculture and IoT.
The model involves experts equipped with the necessary expertise. As Ag-IoT evolves, so do threats. The DFIR model is updated to address new challenges, maintaining effective response practices. A comparison between the existing models and the proposed model is given in Table 2.

DFIRMM for Ag-IoT

We propose a DFIRMM for Ag-IoT as an extended version of our previous study [27], and its architecture is represented in Fig. 1. This model guides incident response and forensic investigation teams in making decisions to identify evidence, eradicate, recover, and investigate incidents encountered in smart agriculture. DFIRMM merges conventional incident response tasks, such as planning and practice, documenting IT setups, and creating action plans, with specialized digital forensic methods. The proposed DFIRMM consists of four main phases. The first phase is pre-incident, which defines the preparation before any incident occurs; the second phase is incident, where a cyber security incident takes place; the third phase is post-incident, in which the incident response is performed. The fourth and last phase is investigation, in which the examination and analysis of preserved evidence is performed.

Fig. 1 Digital forensics and incident response management model for Ag-IoT.

Table 1 Literature review on DFIR management model.

Table 2 Summary of DFIR models comparison.

The methodology of the proposed DFIRMM is described in Algorithm 1.

Algorithm 1 Digital Forensics and Incident Response Management Model for Ag-IoT Systems.

Pre-incident

The pre-incident phase defines the proactive preparedness for any security incident in Ag-IoT. It includes designing policies in both the technical and the management context, and developing a comprehensive and proactive strategy to reduce the likelihood of security breaches. The pre-incident phase is classified into two parts, technical and management, as presented below.
Technical

The technical part contains all technical details about the Ag-IoT system and its functionality, a list of probable incidents, the data sources or assets at risk, and the security policy framework. The list of possible incidents, data sources, and security policies will help the DFIR team design cost-effective and time-effective strategies for containment, eradication, or investigation.

Incidents list: The list of incidents covers incidents that could occur due to cyberattacks and anomalies that can potentially affect the security goals of smart agricultural data and activities. These incidents can range from external adversity by malicious individuals to internal problems such as human error, system malfunction, sabotage, or other related adverse effects. The various attacks are discussed in [6] and [30]. The most relevant incidents pertaining to the different layers of the Ag-IoT application stack are listed in Table 4.

Data sources: The data sources in Ag-IoT can be in memory, storage media, flash memory, and computing sources. These sources are prone to threats and can become target points for attackers, while being very significant for investigation purposes. Data sources at risk should be identified first, so that they can be protected from corruption and data loss. The list of these sources may also be useful for identification and preservation in an incident. The different data sources in Ag-IoT [31,32,33] are categorized in Table 5.

Security policies: Security policies establish a systematic approach to safeguarding confidential information, ensuring reliability, identifying and mitigating possible weaknesses, and efficiently reacting to security breaches in Ag-IoT. They include policies on access control, data protection and privacy, network security, physical security, device security, third-party security, backup and recovery, software and application security, compliance and legal matters, and others.
The security policies with their aims and methods are discussed in Table 3.

Table 3 Security policies.

Table 4 List of security incidents in Ag-IoT [6].

Table 5 Ag-IoT assets and data sources.

Management

In the management part, it is necessary to define the procedures and policies within the Ag-IoT environment, the incident response strategy, communication channels, IR team specification, jump bag specification, training of the IR team, and awareness for the stakeholders [34].

Procedure: Procedures should incorporate clearly outlined communication and notification protocols, as well as documentation and reporting requirements. These elements are essential to ensure the smooth flow of information during an incident, ensure that stakeholders receive proper updates, and maintain a record of all activities for legal, regulatory, and improvement objectives. Different factors should be followed as part of preparedness, as shown in Fig. 2.

Fig. 2 Procedure during preparation phase in DFIR.

The response strategy should define the priority of incidents based on their impact on the Ag-IoT environment, depending on the frequency of containment, the impact ratio, and the area of disruption of agricultural operations. Predetermined communication channels that are reliable and secure should be established. It is important to clearly identify both internal and external stakeholders who need to be informed in case of an incident. Notification templates should be created for communicating with the different parties, to speed up information exchange and convey the required information effectively. An Incident Command System (ICS) must be deployed to consolidate communication and decision-making processes and to define roles and duties, guaranteeing that all communication is well-coordinated and uniform. A structured document must be defined to maintain all information about incidents.
It may include the time, date, current status of the machine, the last operation instructed to the system, the number of people present during the incident, who observed the incident, and changes in the operation of the Ag-IoT functionality.

Roles and responsibilities: It is vital to ensure that all individuals understand their responsibilities in maintaining the efficiency and security of these systems. In the field of Ag-IoT, the DFIRMM requires a multidisciplinary approach due to the complex nature of Ag-IoT systems. Ag-IoT combines cyber and physical components in different agricultural environments, and each member of the team contributes different skills and points of view that are crucial to the effective handling and reduction of incidents. The different roles and responsibilities are categorized in Table 6.

Table 6 Roles and responsibility.

Incident

An incident is an event that has been intentionally initiated in the digital world to cause harmful outcomes for a specific entity [35,36]. In the context of Ag-IoT, an interruption in the usual functioning of Ag-IoT operations, or their malfunction, caused by a cyberattack on its devices, data, memory, or any computing resource constitutes an incident. The incident phase contains two steps: detection and notification of the stakeholders.

Detection: The farm's security team notices abnormal network activity and dubious behavior within the IoT device management system. The IDS, IPS, and antivirus help prevent attacks from affecting the functioning of the system. However, the Ag-IoT system may still fail due to the high impact of security attacks. The IR team should determine the actual cause behind the non-functioning of the Ag-IoT system, as it may fail for reasons other than cyber attacks, such as failure of the power supply, disconnection of machines, or a climate disaster. The Ag-IoT administrator must detect the incident and confirm it.
The transition from normal operation to an incident state involves a few critical steps: verifying that the observed indicators constitute a security or operational incident that requires a response; assessing the scope, impact, and severity of the incident; and mobilizing the incident response team (IRT) and activating incident response plans customized to the nature of the incident.

Notify stakeholders: Once the incident is detected, the stakeholders should be notified. The stakeholders can be farmers, agribusiness companies, Ag-IoT device manufacturers, or software and platform providers.

Post-incident

The post-incident phase is where the incident response team is activated to settle the incident. This phase consists of two parts: Digital Forensics Phase I (DF-I) and Incident Response. The proposed DFIRMM performs digital forensics in parallel with the incident response. For this reason, DF-I plays a crucial role in evidence collection and preservation during incident response. DF-I is very significant, as the effectiveness of subsequent forensic investigations will be directly affected if any data is overlooked. DF-I comprises two stages: collection and preservation.

Collection

At first, the process involves recognizing possible sources of digital evidence that can help in the investigation. The identification process must be performed meticulously by a technical expert specializing in IoT devices, microcontrollers, networks, cloud computing, programming, or computers. Failure to uncover crucial evidence during the identification phase can make it challenging to trace the perpetrator and discern their intentions. For Ag-IoT, this might include information from sensors, gadgets, networking tools, and even cloud platforms that retain or handle agricultural data. Possible data sources in Ag-IoT that could be used to identify evidence are discussed in Table 5.
The collection phase ensures that digital evidence is clearly identified and collected accurately and thoroughly, in a way that maintains its integrity, allowing efficient analysis at a later stage of the incident response procedure. The collection process includes recognizing, tagging, documenting, and obtaining data from the various possible sources of pertinent information. This encompasses digital gadgets, storage devices, and network data, while adhering to protocols for collecting data from both volatile and non-volatile sources. The Request for Comments (RFC) 3227 [37] document presents a sample order of volatility for standard systems. Collection in Ag-IoT includes the following mandatory tasks.

Volatility order: There are specific protocols for the collection of volatile evidence, with an emphasis on following the order-of-volatility principle, where the most volatile evidence is prioritized for collection before less volatile evidence. The volatility of digital evidence in Ag-IoT is discussed in Table 6. Evidence that is higher in volatility must be identified, collected, and preserved first.

Actions to refrain from: A few actions are prohibited during the collection phase because they can alter the evidence or compromise its integrity: powering off the system before finishing the collection of evidence, relying on the software installed on the system, and executing programs that alter the access time of files within the system.

Collection procedure: The collection procedure must be comprehensive and thorough. Some significant questions must be considered during the collection procedure.
These questions are: which systems were involved in the event, and from which sources will evidence be collected? What is likely to be pertinent and acceptable? For each system, what is the appropriate level of volatility, so that evidence can be collected in that order? What other types of evidence could be identified as the collection procedure progresses? Remember also to consider the individuals involved in the incident.

Chain of custody: Documentation for evidence handling should include details on the location, date, and individual responsible for the discovery and collection of evidence. It should also specify the place, date, and person involved in handling or examining the evidence. Furthermore, it should describe the custodian of the evidence, the duration of custody, and the storage method used. Additionally, it should describe the process and date of any transfer of custody, including relevant information such as shipping numbers.

The archive: During the collection process, a large amount of external storage should be kept available. The storage medium may be required to store images of the collected evidence.

Required tools: The tools used for collection should be authentic and reliable. The tools are listed in Table 7.

Data acquisition: After collecting potential evidence devices, the next stage involves obtaining data from these sources. This process can involve physically accessing devices to retrieve data, collecting data remotely from network devices, or requesting data logs from cloud service providers.

Table 7 List of evidence sources in Ag-IoT for forensic investigation.

The data source defines data in three forms in the Ag-IoT system: data at rest (ROM), data in use (sensor, flash memory, microcontroller, cloud, router), and data in transit (network, cloud). These categories of data in Ag-IoT are classified in Table 8.
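The following Python sketch is an added example, not code from the paper: it puts the collection tasks above into practice by ordering requested Ag-IoT evidence sources most-volatile-first, hashing each acquired image at collection time, and keeping a chain-of-custody log against which a working copy is later verified (the hash-based preservation described next). The volatility ranking, the source names, the people and the sample image bytes are this example's assumptions.

```python
"""Collection-phase helpers for Ag-IoT evidence (added example, not the paper's code).

Covers three of the collection tasks: order of volatility, chain of custody,
and hash-based integrity preservation of acquired images.
"""
import hashlib
from dataclasses import dataclass, field

# Assumed volatility ranking for Ag-IoT evidence sources (lower rank = more
# volatile = collect first). It applies the RFC 3227 principle the text cites;
# the rows themselves are this example's assumption, not the paper's table.
VOLATILITY = {
    "gateway_ram": 1,        # registers, cache and RAM of the gateway / microcontroller
    "network_state": 2,      # ARP cache, routing table, live MQTT sessions
    "running_processes": 3,  # process list on the gateway or edge node
    "device_flash": 4,       # sensor node flash memory and firmware
    "gateway_disk_logs": 5,  # broker logs and other local storage
    "cloud_logs": 6,         # logs requested from the cloud provider
    "backup_media": 7,       # archival / backup media
}


def collection_plan(requested):
    """Return the requested sources most-volatile-first. Unknown sources are
    rejected rather than silently appended, so a typo cannot drop a source."""
    unknown = sorted(s for s in requested if s not in VOLATILITY)
    if unknown:
        raise ValueError(f"no volatility rank for: {unknown}")
    return sorted(requested, key=lambda s: VOLATILITY[s])


@dataclass
class CustodyEntry:
    when: str        # ISO 8601 UTC timestamp, e.g. "2024-05-22T07:00:00Z"
    who: str         # person taking custody
    action: str      # "collected" | "transferred" | "examined"
    location: str
    note: str = ""   # e.g. shipping number for a physical transfer


@dataclass
class EvidenceRecord:
    evidence_id: str
    source: str      # key of VOLATILITY
    sha256: str      # hash taken at acquisition time
    size: int
    custody: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id, source, image, collector, location, when):
    """Register an acquired image: hash it immediately and open its chain of custody."""
    if source not in VOLATILITY:
        raise ValueError(f"unknown source {source!r}")
    rec = EvidenceRecord(evidence_id, source, sha256_hex(image), len(image))
    rec.custody.append(CustodyEntry(when, collector, "collected", location))
    return rec


def current_custodian(rec):
    return rec.custody[-1].who


def transfer_custody(rec, from_person, to_person, location, when, note=""):
    """Append a custody transfer; only the current custodian can hand evidence over."""
    if current_custodian(rec) != from_person:
        raise ValueError(f"{from_person} is not the current custodian of {rec.evidence_id}")
    rec.custody.append(CustodyEntry(when, to_person, "transferred", location, note))
    return rec


def verify_integrity(rec, image):
    """Re-hash a working copy and compare it with the hash recorded at acquisition."""
    return len(image) == rec.size and sha256_hex(image) == rec.sha256


if __name__ == "__main__":
    # Constructed sample: a tiny byte string standing in for a gateway RAM image.
    image = b"constructed gateway RAM dump: broker session table ..."
    plan = collection_plan(["cloud_logs", "gateway_ram", "device_flash", "network_state"])
    print("collection order:", plan)
    rec = acquire("EV-001", plan[0], image, "A. Responder",
                  "field gateway cabinet", "2024-05-22T07:00:00Z")
    transfer_custody(rec, "A. Responder", "B. Examiner", "forensic lab",
                     "2024-05-22T09:00:00Z", note="sealed bag #12")
    print("intact copy verifies:", verify_integrity(rec, image))
    print("altered copy verifies:", verify_integrity(rec, image + b"\x00"))
```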
Table 8 Data at rest/use/transit: sources, types, and extracted data.

Imaging: Once acquisition is done, a bit-by-bit copy of the data, called an image, must be created so that the original data remains untouched and all further operations are performed on the image.

Preservation

It is essential not to manipulate the original data in order to preserve the evidence. Once digital evidence has been identified, collected, and imaged, the integrity of the data should be maintained using different methods. This preservation process requires the use of encrypted storage and the enforcement of stringent access controls that restrict access to authorized forensic examiners only. Furthermore, the secure storage facility must protect the evidence from environmental risks such as extreme temperatures, moisture, and electromagnetic interference, which have the potential to compromise digital evidence [38]. Hashing or blockchain based digital evidence preservation tools can be utilized during this phase [39,40].

The main and most significant part of the post-incident phase is the incident response, which consists of the following phases.

Incident response

This critical phase aims to limit the spread of an incident, remove the threat, and restore normal operations. It includes implementing containment strategies to isolate affected systems, identifying the source of the attack, and taking actions to eradicate the threat and recover affected systems.

Containment

The fundamental aim of containment in the Ag-IoT incident response process is to minimise the impact and prevent additional damage from spreading across smart systems. This critical phase consists of several key steps, each indispensable for effectively mitigating the incident, preventing further damage, and protecting evidence for potential legal proceedings or analysis during the review phase [41]. Containment can be done in two forms based on duration.
Short-term containment focuses on rapidly curtailing the extent of damage within the Ag-IoT infrastructure. Actions can range from isolating affected network segments or compromised IoT devices to shutting down breached servers and redirecting data flow to secure backup systems. This step is designed as a provisional measure to control the situation and prevent it from escalating. The long-term containment strategy involves ensuring that compromised systems are temporarily secured. The main objectives are to remove any unauthorized access or backdoors created by attackers, apply essential security patches, and implement additional measures to prevent the incident from worsening. These actions allow regular agricultural activities to continue while preparations are made for a complete system reconstruction [20].

Containment within Ag-IoT involves physically disconnecting impacted systems. This could mean detaching network cables from compromised IoT devices or powering down specific network devices to segment off compromised parts of the network. Such actions help to localize the problem, preventing the spread of malware across the agricultural network and reducing the risk of additional systems being compromised, thus ensuring the integrity of the agricultural production process.

Eradication

The main goal of this step is to eliminate the root cause of the incident and remove the threat completely from the system to prevent recurrence. It involves comprehensive analysis to determine how the security breach or incident occurred. Some indicative approaches are collecting the firmware and analyzing it for malware, tracing back the exploited vulnerabilities from the nature of the attack, or any suitable technique that uncovers the methods used by attackers. Infected IoT devices or gateways are cleansed, firmware and software are cleared of malicious code, and vulnerabilities are patched.
During eradication, the IR team must ensure that agricultural operations are not disrupted for a long period of time and that forensic artifacts are preserved for further investigation.

Recovery

The recovery stage is crucial to guarantee the secure and effective restoration of systems to their regular operations after an incident. It involves carefully reinstating the impacted systems into the operational environment to avoid repeated incidents. The scheduling of recovery operations includes establishing a precise time and date to initiate the restoration of compromised systems. This is especially critical in Ag-IoT due to the time-critical nature of agricultural activities. Delay in the recovery process can result in missed opportunities for planting or harvesting, affecting both yield and financial results. Therefore, planning recovery operations requires thoughtful consideration of agricultural schedules to ensure that systems are reinstated at a moment that reduces interference with farming tasks.

After the Ag-IoT system has been recovered and the breaches fixed or the system reconstructed, it is crucial to perform comprehensive testing to confirm its full functionality. This includes validating the proper operation of all elements, such as sensors, actuators, communication networks, and data processing units. Functional testing should simulate real agricultural situations to ensure that the systems can operate effectively under normal conditions. Furthermore, security assessments must be performed to verify that vulnerabilities have been resolved and that systems are no longer prone to the same attacks that caused the initial compromise.

Lessons learnt

This phase plays a critical role in improving the resilience and security of the agricultural technology ecosystem. It focuses on extracting insight and actionable information from incidents to improve future responses and system robustness.
A comprehensive assessment must be performed to pinpoint the strengths and weaknesses of the existing incident response (IR) strategy. This evaluation should result in a clear set of lessons to take away, such as recognizing the vulnerabilities that were exploited, assessing the efficacy of containment measures, and assessing timeliness and teamwork within the IR team. The knowledge gained should then be used to review and improve the security protocols, software, and hardware components of the Ag-IoT system [42].

Feedback

To finalize the documentation that was not completed during the incident, along with any additional documentation that could be useful for future incidents, call a meeting after recovery from the incident to learn from the IR, review the strategy to update the system, and collect feedback using a common form or template.

Digital forensics phase-II

Digital Forensics Phase-II (DF-II) follows DF-I in the post-incident phase of the proposed DFIRMM. DF-II is focused on the examination, analysis, and documentation of evidence. Ag-IoT is a sophisticated technology that encompasses other technologies to facilitate connectivity, communication, data storage, multimedia, and cloud services. The use of diverse technologies spans the problem of IoT forensics across other dimensions, as shown in Fig. 3. All these dimensions are used in holistic IoT forensics [29,43,44] and, with respect to Ag-IoT, are discussed in the thesis [45]. The classified sources and the variety of forensic tools are discussed in Table 7. DF-II requires additional personnel in the form of forensic experts and an intensive effort to identify the applicable case law. For this reason, the DF-II phase in the proposed DFIRMM is optional. This phase can be activated if the incident is very dangerous, causes a large business loss, or jeopardizes the business.

Fig. 3 Dimensions of Ag-IoT forensics.
DF-II contains the core steps to identify the perpetrator based on data examination and evidence analysis, and to prepare reports that prove it in a court of law. These steps are further detailed in Fig. 1.

Examination
In the examination phase, a forensic analyst scrutinizes the collected evidence to understand the details of the cyber incident. Given the diverse and interconnected nature of Ag-IoT systems, which can include anything from soil moisture sensors to autonomous tractors and cloud-based data analytics platforms, the examination must be both thorough and adaptable. Forensic tools can be used to analyze data stored on Ag-IoT devices, including logs, sensor data, configuration files, and records of communication with other devices and servers. Network traffic logs and patterns should be examined for suspicious activity such as unauthorized access or data exfiltration attempts.

Analysis
Ag-IoT encompasses a wide array of devices, including sensors, drones, automated irrigation systems, and cloud-based data analytics platforms, which makes the analysis both crucial and complex. A secure and isolated analysis environment should be established to prevent contamination of the evidence or the introduction of bias into the data. Digital forensic tools appropriate to the specific types of data generated by Ag-IoT devices should be used; these may include specialized software for network analysis, data carving, and log analysis. Timelines of events must be constructed from logs and metadata to understand the sequence of actions leading up to and following the incident, and fragmented data must be reconstructed into meaningful information. Data transmissions between Ag-IoT devices and external networks are examined to identify any unauthorized access or data exfiltration attempts.
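The timeline construction described in this analysis step, as an added example that is not part of the paper: three constructed evidence sources (a Mosquitto-style broker log with epoch-second prefixes, a device-side JSON-lines log with ISO 8601 timestamps, and flow records exported as CSV) are normalised to UTC, merged into one chronological timeline, and scanned for bursts of broker connection attempts from a single source IP. The log lines, IP addresses, topic names and the 60-second/3-connection burst threshold are all assumptions made for illustration, not data from the MQTTset or DoS/DDoS-MQTT-IoT datasets.

```python
"""Build a unified, chronological incident timeline from three Ag-IoT evidence sources.

Added example; every log line below is constructed for illustration. Timestamps are
normalised to UTC because broker, device and flow logs rarely share a clock format.
"""
import csv
import io
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: Mosquitto-style broker log (epoch-seconds prefix, one event per line).
BROKER_LOG = """\
1718000000: New connection from 10.0.0.5:51234 on port 1883.
1718000000: New client connected from 10.0.0.5:51234 as soil-01 (p2, c1, k60).
1718000187: New connection from 203.0.113.7:40001 on port 1883.
1718000187: New connection from 203.0.113.7:40002 on port 1883.
1718000188: New connection from 203.0.113.7:40003 on port 1883.
1718000188: Socket error on client <unknown>, disconnecting.
"""

# Constructed: device-side JSON-lines log with ISO 8601 timestamps.
DEVICE_LOG = """\
{"ts": "2024-06-10T06:13:20Z", "device": "soil-01", "event": "publish", "topic": "farm/zone1/soil"}
{"ts": "2024-06-10T06:16:30Z", "device": "pump-01", "event": "publish_timeout", "topic": "farm/zone1/pump"}
"""

# Constructed: flow records exported as CSV (epoch seconds, possibly fractional).
FLOW_CSV = """\
start,src_ip,dst_ip,dst_port,proto,packets
1718000187.2,203.0.113.7,10.0.0.2,1883,tcp,4120
1718000000.1,10.0.0.5,10.0.0.2,1883,tcp,12
"""


@dataclass(order=True)
class Event:
    ts: datetime      # first field, so sorting orders events chronologically
    source: str       # "broker", "device" or "flow"
    actor: str        # IP address or device id, "-" if not recoverable
    detail: str


BROKER_RE = re.compile(r"^(\d+): (.*)$")
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def _epoch(value: str) -> datetime:
    return datetime.fromtimestamp(float(value), tz=timezone.utc)


def parse_broker(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        m = BROKER_RE.match(line)
        if not m:
            continue  # not in the expected "<epoch>: message" format
        ip = IP_RE.search(m.group(2))
        events.append(Event(_epoch(m.group(1)), "broker", ip.group(1) if ip else "-", m.group(2)))
    return events


def parse_device(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, "device", rec["device"], f'{rec["event"]} {rec.get("topic", "")}'.strip()))
    return events


def parse_flows(text: str) -> list[Event]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        detail = f'{row["proto"]} {row["src_ip"]}->{row["dst_ip"]}:{row["dst_port"]} packets={row["packets"]}'
        events.append(Event(_epoch(row["start"]), "flow", row["src_ip"], detail))
    return events


def build_timeline() -> list[Event]:
    """Merge all sources into one list ordered by UTC timestamp."""
    return sorted(parse_broker(BROKER_LOG) + parse_device(DEVICE_LOG) + parse_flows(FLOW_CSV))


def connection_bursts(timeline: list[Event], window: timedelta = timedelta(seconds=60),
                      threshold: int = 3) -> dict[str, int]:
    """Peak number of broker 'New connection' events per source IP within a sliding
    window, reported only for IPs that reached the threshold (assumed values)."""
    conns = [e for e in timeline if e.source == "broker" and "New connection" in e.detail]
    peaks: dict[str, int] = {}
    for ip in {e.actor for e in conns}:
        times = [e.ts for e in conns if e.actor == ip]
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.ts.isoformat(), e.source, e.actor, e.detail, sep=" | ")
    print("connection bursts:", connection_bursts(tl))
```

Run as a script, the timeline shows the sensor's normal connection at 06:13:20Z, the three connections from 203.0.113.7 within two seconds at 06:16:27Z, the 4,120-packet flow from the same address, and the pump's publish timeout three seconds later, which is the kind of cross-source correlation the analysis step asks for.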
Machine learning or statistical analysis tools can be used to identify anomalies in data patterns that could indicate malicious activity or system malfunction. The correlated data from different sources (devices, logs, network traffic) are then arranged chronologically to construct a comprehensive view of the incident, and the resulting patterns and events are analyzed to establish the method and timeline of the attack or breach.

Presentation
The presentation stage documents the procedures followed throughout the investigation, the results of the examination and analysis stages, and any inferences drawn. The results, evidence, and inferences are consolidated into a detailed report tailored to its audience, which may include technical personnel, legal representatives, law enforcement officials, and senior executives. The report must effectively convey the details of the case, supported by evidence, and may also propose measures to prevent similar events.

Experimental evaluation and results
To evaluate the proposed incident response model, we conducted a case-study analysis on an MQTT-enabled smart agriculture network. We assume that all the managerial operations described in the model are followed. Details of the experimental setup, the datasets, the analysis, and the suggested incident response are given below.

Smart agriculture setup
The adoption of advanced technologies such as the IoT has greatly transformed agricultural methods. Farmers use IoT devices, including soil moisture sensors, water level sensors, temperature and humidity sensors, light sensors, CO2 gas sensors, motion sensors, and actuators such as motor pumps, to improve crop production and use resources efficiently. In addition, alarm systems alert farmers to potential dangers such as fires, animal intrusions, or unauthorized entry into farm areas.
In our analysis, we consider a smart irrigation and monitoring setup that incorporates various sensors and actuators, as depicted in Fig. 4. Soil moisture sensors deliver real-time soil condition data, enabling targeted irrigation management tailored to the requirements of different agricultural zones. Communication between sensors and actuators uses the MQTT protocol. Water level sensors installed in irrigation reservoirs or tanks track water quantities to guarantee a sufficient irrigation supply and issue warnings when levels drop, calling for refilling or water-saving actions. Temperature and humidity sensors monitor environmental parameters that are essential for evaluating crop vitality and vulnerability to disease; their immediate feedback lets farmers adjust irrigation timings and apply cultivation methods suited to the local climate. Light sensors measure the intensity of ambient light, providing information on sunlight exposure across the farm; these data support optimal crop arrangement and the tailoring of irrigation plans for light-dependent plants, improving even growth and maximising output. CO2 gas sensors measure the carbon dioxide concentration in the atmosphere, which reflects photosynthetic activity and general plant health; evaluated together with other environmental factors, CO2 levels also allow farmers to detect unintended fires in their crops. Motion sensors detect movement on the farm, acting as a deterrent to intruders or animals; they trigger alarms or send notifications so that farm staff learn of possible security violations immediately. Actuators such as motor pumps control water distribution based on sensor readings and irrigation plans, delivering exact water quantities to plants and thus reducing water and energy use.
A security system equipped with sensors for detecting fires, animal entries, or unauthorized access monitors the farm's safety and notifies farmers or security personnel of potential dangers, allowing prompt action to reduce risk. The benefits of this system include water conservation, improved crop yield and quality, cost savings, and improved security.

Fig. 4 Smart irrigation and monitoring using Ag-IoT.

Attack scenarios and datasets
Given the critical nature of the Ag-IoT setup, attacks are possible through the inherent vulnerabilities of its networks and communication protocols. In this study, we considered DoS and DDoS attacks that disrupt the operation of the smart agriculture system. Such attacks are launched using open-source tools such as MQTT-malaria, IoT-Flock, and MQTTSA46. We used the MQTTset46 dataset, collected from an MQTT-based network environment that resembles the smart agriculture setup described above. In addition, we analysed a similar dataset, DoS/DDoS-MQTT-IoT47. Details of both datasets are given in Table 9.

Table 9 Datasets and attack categories.

Pre-incident phase
In this phase, we prepare the Ag-IoT system technically by identifying the list of incidents, data sources, and security policies shown in Table 10. As stated earlier, we assume that all managerial steps are followed as described in section "Pre-incident".

Table 10 Technical preparation.

Incident phase
We used four machine learning techniques to classify MQTT network traffic into the attack categories listed in Table 9. Based on the security policies identified for the different incidents, we statistically analyzed the network traffic from the MQTT datasets to detect incidents 3, 4, and 5 of Table 10. The average results are given in Figs. 5 and 6 and Table 11. Among the four algorithms, KNN performed best on both datasets.
Once an incident is detected, it is reported to the system stakeholders for necessary action.

Table 11 Attack classification results for two datasets using different ML algorithms.
Fig. 5 Classification performance on the MQTTset dataset.
Fig. 6 Classification performance on the DoS/DDoS-MQTT-IoT dataset.

Post-incident phase
As presented in the proposed model, this phase comprises two activities, digital forensics and incident response. The digital forensic investigation is conducted in two phases, the first of which also serves as preparation for incident response: based on the incidents detected, the relevant data sources are collected and preserved for post-incident analysis.

Digital forensics phase-I
Based on the information collected during incident detection, we identified the relevant artifacts in the network traffic and preserved them for analysis. The identified artifacts are listed in Table 12.

Table 12 List of artifacts for different attacks.

Incident response
We propose a Quality of Service (QoS) based incident response to address the different priorities of the target system. MQTT offers three QoS levels (0, 1, 2) with differing impact on the network48. The QoS recommendations for the different attack categories are given in Table 13, where Pre-QoS and Post-QoS denote the QoS level in the network before and after attack detection, respectively.

Table 13 Quality of Service (QoS) based incident response recommendations.

Containment
Given the DoS/DDoS attacks in place, one important measure to limit their spread or impact is to regulate network traffic. To achieve this, the client IP address of each incoming request is monitored on the MQTT broker to establish the number and frequency of requests per client, and requests from suspicious clients are blocked when necessary.
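One way to implement the per-client traffic regulation described for containment, as an added example rather than code from the paper: a small policy object placed in front of the broker drops anything that is not TCP or is not aimed at an MQTT listener port, throttles a client whose request count in a sliding window exceeds a threshold, and blocks the client outright after repeated violations. The request records, the allowed ports (1883 and 8883), and the window and threshold values are constructed assumptions for this illustration.

```python
"""Regulate per-client traffic at the MQTT broker, as in the containment step above.
Added example; the requests are constructed and the thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

ALLOWED_PORTS = {1883, 8883}   # plain and TLS MQTT listeners (assumed deployment)


@dataclass
class Request:
    ts: float      # arrival time in seconds
    src_ip: str
    proto: str     # "tcp" or "udp"
    dst_port: int
    kind: str      # MQTT control packet type, e.g. "CONNECT", "PUBLISH"


@dataclass
class TrafficPolicy:
    window: float = 10.0   # sliding window in seconds
    throttle_at: int = 20  # requests per window tolerated before throttling
    block_at: int = 3      # over-limit requests tolerated before the client is blocked
    history: dict = field(default_factory=lambda: defaultdict(deque))
    over_limit: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def decide(self, req: Request) -> str:
        """Return 'allow', 'throttle' or 'drop' for one incoming request."""
        # MQTT runs over TCP: UDP, or traffic to unauthorised ports, is flooding or noise.
        if req.proto != "tcp" or req.dst_port not in ALLOWED_PORTS:
            return "drop"
        if req.src_ip in self.blocked:
            return "drop"
        q = self.history[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.window:
            q.popleft()            # forget requests that fell out of the window
        if len(q) > self.throttle_at:
            self.over_limit[req.src_ip] += 1
            if self.over_limit[req.src_ip] >= self.block_at:
                self.blocked.add(req.src_ip)   # repeated violations: block the client
                return "drop"
            return "throttle"      # caller delays or rate-shapes this request
        return "allow"


def run_policy(requests, policy=None):
    """Feed requests through the policy in time order; return per-client decision
    counts and the set of blocked clients."""
    policy = policy or TrafficPolicy()
    counts = defaultdict(lambda: defaultdict(int))
    for req in sorted(requests, key=lambda r: r.ts):
        counts[req.src_ip][policy.decide(req)] += 1
    return {ip: dict(c) for ip, c in counts.items()}, policy.blocked


def sample_requests() -> list:
    """Constructed traffic: a sensor publishing every 2 s, a client opening 50
    connections in 5 s (connection flood), and UDP packets aimed at the broker port."""
    reqs = [Request(t * 2.0, "10.0.0.5", "tcp", 1883, "PUBLISH") for t in range(10)]
    reqs += [Request(100 + i * 0.1, "203.0.113.7", "tcp", 1883, "CONNECT") for i in range(50)]
    reqs += [Request(100 + i, "198.51.100.9", "udp", 1883, "CONNECT") for i in range(3)]
    return reqs


if __name__ == "__main__":
    counts, blocked = run_policy(sample_requests())
    for ip, c in counts.items():
        print(ip, c)
    print("blocked:", sorted(blocked))
```

The sensor never exceeds the window limit and is always allowed; the flooding client gets its first 20 connections through, is throttled on the next two, and is then blocked for the rest of the burst; the UDP packets are dropped without consuming any per-client state. In a real deployment the block list would be pushed to the host firewall or the broker's ACL rather than kept in memory.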
For example, MQTT runs over TCP, so UDP traffic from arbitrary clients can safely be blocked to prevent flooding; likewise, traffic directed at unauthorized ports may be blocked. Traffic throttling is another way to limit traffic from suspicious clients. In addition, the QoS level can be adapted to limit the number of message exchanges between clients and the broker.

Eradication
Once security experts have identified the root cause, that is, the vulnerabilities that opened the door to the attacks, the next step is to eradicate them. Because a security patch may not be immediately available, it is recommended to change the security configuration to protect the system from further exploitation. For example, a strong authentication mechanism can be enforced on the target system using client certificates or OAuth. To counter attacks on network bandwidth, message size can be limited by enforcing a policy on the MQTT broker.

Recovery
Once the recommended steps have been taken, the system can be restarted to resume its functions. Although the system may have recovered from the major impacts, any unaddressed vulnerability will cause recurring incidents, so close monitoring of the system is recommended in this phase.

Lessons learned
A detailed analysis of the attack patterns and eradication mechanisms gives useful insight for improving the overall security of the system and helps educate farmers in security best practices. The lessons learned from the statistical analysis and the case study are:
- A series of DoS and DDoS attacks was launched on the MQTT network.
- The major attacks exploited the weak authentication policy of the MQTT network.
- Flooding DoS contributes the highest volume of attack traffic.
- Policies on authentication and traffic filtering will address the root problem in the MQTT network.
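The eradication measures above (certificate-based client authentication instead of anonymous access, a message size limit enforced on the broker) and the lesson that authentication policy is the root problem can be checked mechanically against a broker configuration. The following added example, not from the paper, audits a Mosquitto configuration file for those controls. The two configurations are constructed; the directive names are Mosquitto's (listener, allow_anonymous, cafile, certfile, keyfile, require_certificate, use_identity_as_username, password_file, message_size_limit); the check treats a listener-level setting as overriding the global one, which is a simplification of Mosquitto's per_listener_settings behaviour; the 4096-byte limit and the file paths are assumptions.

```python
"""Audit a mosquitto.conf for the eradication controls discussed above.
Added example; both configurations are constructed, not taken from the paper."""

# Constructed: a typical out-of-the-box farm broker, anonymous and unencrypted.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""

# Constructed: certificate-authenticated TLS listener with a bounded message size.
HARDENED_CONF = """\
per_listener_settings true
message_size_limit 4096          # bytes; 0 would mean no limit

listener 8883
allow_anonymous false
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
require_certificate true
use_identity_as_username true
"""


def parse_conf(text: str):
    """Split a Mosquitto config into global settings and per-listener settings.
    A 'listener <port> [bind]' line opens a new listener section; lines before the
    first listener are global. Comments and blank lines are ignored; a repeated
    directive keeps the last value."""
    global_settings: dict[str, str] = {}
    listeners: list[tuple[str, dict[str, str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "listener":
            current = {}
            listeners.append((value.split()[0] if value else "?", current))
        elif current is None:
            global_settings[key] = value
        else:
            current[key] = value
    return global_settings, listeners


def audit(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no weakness was found."""
    g, listeners = parse_conf(text)
    findings: list[str] = []

    # message_size_limit defaults to 0, which Mosquitto treats as "no limit".
    try:
        limit = int(g.get("message_size_limit", "0"))
    except ValueError:
        limit = 0
    if limit <= 0:
        findings.append("message_size_limit unset or 0: payload size is unbounded (bandwidth exhaustion)")

    if not listeners:
        findings.append("no listener defined")

    for port, local in listeners:
        def eff(key: str):
            # Listener-level value wins; fall back to the global value (simplification).
            return local.get(key, g.get(key))

        if eff("allow_anonymous") != "false":
            findings.append(f"listener {port}: allow_anonymous is not explicitly 'false'")
        has_tls = all(eff(k) for k in ("cafile", "certfile", "keyfile"))
        if not has_tls:
            findings.append(f"listener {port}: no TLS (cafile/certfile/keyfile missing)")
        cert_auth = has_tls and eff("require_certificate") == "true"
        if not (cert_auth or eff("password_file") or eff("plugin") or eff("auth_plugin")):
            findings.append(f"listener {port}: no authentication backend "
                            "(require_certificate, password_file or a plugin)")
        if eff("require_certificate") == "true" and not eff("cafile"):
            findings.append(f"listener {port}: require_certificate without cafile")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

The weak configuration yields four findings (no message size limit, anonymous access, no TLS, no authentication backend), the hardened one none. Running such a check after eradication, and again during the monitoring recommended for recovery, catches a configuration that has silently reverted to the state that allowed the original attack.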
Feedback
Finally, the insights from the incident response case study are used to improve overall security and to prepare for the next iteration of incidents, which may use more sophisticated approaches.

Digital Forensics Phase-II
We analyzed the artifacts collected during the earlier digital forensics phase and identified the malicious communication patterns between the attacker and victim nodes in the network. As described in Table 12, attacks were launched from different IP addresses targeting other IoT devices and MQTT brokers in the network.

Conclusion
The integration of IoT into agriculture has transformed monitoring and control practices, but it has also exposed them to cyber attacks. A DFIRMM establishes a solid foundation for safeguarding and strengthening Ag-IoT systems against emerging cyber attacks, ensuring the resilience of the future agriculture industry. This article proposed a DFIR management model for Ag-IoT that addresses the sector's unique challenges by prioritizing prompt incident detection, analysis, and recovery while preserving evidence for later use in digital forensics. The case study demonstrates the practical relevance of the proposed model on an MQTT-based Ag-IoT setup. We believe that the proposed DFIRMM empowers stakeholders in the agricultural sector to protect their IoT ecosystems and ensure the integrity, confidentiality, and availability of critical agricultural data and services.

Data availability
The datasets analysed during the current study are available in the Kaggle repository: MQTTset and DoS/DDoS-MQTT-IoT.

References
1. Tzounis, A., Katsoulas, N., Bartzanas, T. & Kittas, C. Internet of things in agriculture, recent advances and future challenges. Biosys. Eng. 164, 31–48 (2017).
2. Das, M. et al. Synergy of 6G technology and IoT networks for transformative applications. Int. J. Commun. Syst. 37, e5869 (2024).
3. Alreshidi, E. Smart sustainable agriculture (SSA) solution underpinned by internet of things (IoT) and artificial intelligence (AI). Int. J. Adv. Comput. Sci. Appl. 10(5), 93–102. https://doi.org/10.14569/IJACSA.2019.0100513 (2019).
4. Chamara, N., Islam, M. D., Bai, G. F., Shi, Y. & Ge, Y. Ag-IoT for crop and environment monitoring: past, present, and future. Agric. Syst. 203, 103497. https://doi.org/10.1016/j.agsy.2022.103497 (2022).
5. Uddin, M. A., Mansour, A., Le Jeune, D. & Aggoune, E. H. M. Agriculture internet of things: Ag-IoT. In 2017 27th International Telecommunication Networks and Applications Conference (ITNAC) 1–6 (IEEE, 2017). https://doi.org/10.1109/ATNAC.2017.8215399.
6. Rudrakar, S. & Rughani, P. IoT based agriculture (Ag-IoT): a detailed study on architecture, security and forensics. Inf. Process. Agric. https://doi.org/10.1016/j.inpa.2023.09.002 (2023).
7. Rudrakar, S., Rughani, P. & Rami, J. UART port bane or boon: vulnerabilities vs significance for digital investigation in Ag-IoT. In 2023 16th International Conference on Security of Information and Networks (SIN) 1–6 (IEEE, 2023).
8. Yang, X. et al. A survey on smart agriculture: development modes, technologies, and security and privacy challenges. IEEE/CAA J. Autom. Sin. 8, 273–302. https://doi.org/10.1109/JAS.2020.1003536 (2021).
9. de Araujo Zanella, A. R., da Silva, E. & Albini, L. C. P. Security challenges to smart agriculture: current state, key issues, and future directions. Array 8, 100048. https://doi.org/10.1016/j.array.2020.100048 (2020).
10. Kulkarni, A. et al. A review of cybersecurity incidents in the food and agriculture sector (2024).
11. Martínez, J. & Durán, J. M. Software supply chain attacks, a threat to global cybersecurity: SolarWinds' case study. Int. J. Saf. Secur. Eng. 11, 537–545. https://doi.org/10.18280/ijsse.110505 (2021).
12. Starks, T. Livestock feeding and an Iowa farming cooperation.
13. Crozier, R. Australian wool sales stopped by ransomware attack (2020).
14. Bolfe, E., Barbedo, J. G. A., Massruhá, S. M. F. S., de Souza, K. X. S. & Assad, E. D. Challenges, trends and opportunities in digital agriculture in Brazil (2023).
15. Shahbandeh, M. Smart agriculture—statistics & facts. https://www.statista.com/topics/4134/smart-agriculture (2024).
16. Braley, J. Food and agriculture sector eyes cybersecurity threats. https://www.govtech.com/security/food-and-agriculture-sector-eyes-cybersecurity-threats (2024, accessed 5 Nov 2024).
17. IBM. What is incident response. https://www.ibm.com/topics/incident-response (2024).
18. U.S. Congress. Federal Information Security Modernization Act of 2014. Public Law 113–283 (2014).
19. Cichonski, P., Millar, T., Grance, T. & Scarfone, K. Computer security incident handling guide. NIST Spec. Publ. 800-61 Rev. 2, 1–147. https://doi.org/10.6028/NIST.SP.800-61r2 (2012).
20. Kral, P. The incident handlers handbook. SANS Institute (2011).
21. ISO/IEC. Information technology—information security incident management. https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27035:-1:ed-2:v1:en (2023, accessed 07/01/2024).
22. ENISA. Good practice guide for incident management. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management (2010, accessed 7 Aug 2023).
23. ENISA. ENISA CSIRT maturity framework—updated and improved. https://www.enisa.europa.eu/publications/enisa-csirt-maturity-framework (2022, accessed 07/08/2023).
24. Salfati, E., Salfati, E. & Pease, M. Digital forensics and incident res