Proactive Forensics: Building Digital Forensic Readiness in IoT-Enabled Organisations for Real-Time Incident Response
Abstract
The rapid spread of Internet of Things (IoT) devices across critical infrastructure and systems (healthcare, smart cities, and industrial systems) has expanded the cyber attack surface to a critical mass. Conventional digital forensic methods are fundamentally reactive and centralised, and cannot cope with the real-time, distributed, and privacy-sensitive events of IoT ecosystems. This study introduces FOR-IoTNet, a federated online reinforcement learning framework that enables proactive forensic readiness in IoT-enabled organisations. FOR-IoTNet uses Federated Edge Anomaly Learners (FEAL), built on deep autoencoders or LSTM networks, for local anomaly detection; the learners operate without sharing raw data, which preserves privacy. Detected anomalies trigger interventions by a centralised Online Reinforcement Forensics Agent (ORFA), which is optimised with the Proximal Policy Optimisation (PPO) algorithm. ORFA selects the most appropriate forensic action, such as isolating a compromised device, invoking secure log capture, or escalating an alert, and routes it dynamically according to contextual parameters and the historical outcomes stored in a Forensic Policy Knowledge Base (FPKB). The framework was deployed and evaluated in synthetic IoT scenarios under a range of attack conditions, including DoS, firmware tampering, and lateral movement. Compared with traditional centralised forensics and a rule-based, non-learning system, FOR-IoTNet achieves a lower average detection time of 2.37 seconds, 98.8% accuracy, and improved evidence completeness. It reduces the false positive rate to 3.47 and lowers resource consumption by 28.4% in CPU, 450 MB in memory, and 31.9 MB/min in bandwidth relative to the baseline methods. The RL training results show the policy continuing to improve: by episode 500, 98.4% of decisions are correct, with an average reward of 0.81. These results indicate that FOR-IoTNet substantially improves forensic preparedness and response time while supporting compliance with privacy law, since raw data is never centralised. The research delivers a forensic model that scales to next-generation IoT environments and enables the integration of intelligent, autonomous, legally compliant, and explainable forensic systems into cyber-physical infrastructures.
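The control loop the abstract describes (edge anomaly score, context, forensic action chosen by a learning agent, outcome fed back into a policy knowledge base) is easier to reason about in code. The following is an added example written for this page, not the authors' FOR-IoTNet implementation: the FEAL autoencoder/LSTM is replaced by a mean/std reconstruction-error scorer, PPO is replaced by a tabular epsilon-greedy policy, and the telemetry, attack patterns, reward values, evidence-record format and device names (`sensor-0` and so on) are all constructed for illustration. The class and function names are mine; only the component names FEAL, ORFA and FPKB come from the abstract.

```python
"""Toy simulation of the FOR-IoTNet loop: edge anomaly score -> context -> forensic action
-> reward -> Forensic Policy Knowledge Base. Added example, not the paper's code: the
autoencoder/LSTM and PPO parts are simple stand-ins; telemetry and rewards are constructed."""
import hashlib
import json
import random
import statistics
from collections import defaultdict

ACTIONS = ("observe", "capture_logs", "isolate", "escalate")
GENESIS = "0" * 64  # previous-hash value of the first evidence record


class EdgeAnomalyLearner:
    """Stand-in for a FEAL node: per-feature mean/std of benign telemetry as the 'model', mean
    squared z-score as the anomaly score. Raw samples never leave the node; only mean/std do."""
    def __init__(self, device_id, benign_samples, critical=False):
        cols = list(zip(*benign_samples))
        self.device_id, self.critical = device_id, critical
        self.mean = [statistics.fmean(c) for c in cols]
        self.std = [max(statistics.pstdev(c), 1e-6) for c in cols]

    def score(self, sample):
        return statistics.fmean(((x - m) / s) ** 2 for x, m, s in zip(sample, self.mean, self.std))


def federated_average(learners):
    """FedAvg over the shared parameters; the coordinator never sees a telemetry sample."""
    return ([statistics.fmean(c) for c in zip(*(l.mean for l in learners))],
            [statistics.fmean(c) for c in zip(*(l.std for l in learners))])


def capture_logs(device_id, log_lines, prev_hash=GENESIS):
    """'Secure log capture' as a hash-chained evidence record (hypothetical format)."""
    body = {"device": device_id, "logs": list(log_lines), "prev": prev_hash}
    return {**body, "sha256": hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()}


def verify_chain(records):
    """Recompute every digest and check the links; False if any record was altered."""
    prev = GENESIS
    for r in records:
        expected = capture_logs(r["device"], r["logs"], prev)["sha256"]
        if r["prev"] != prev or r["sha256"] != expected:
            return False
        prev = r["sha256"]
    return True


class ForensicsAgent:
    """Stand-in for ORFA (the paper uses PPO): tabular epsilon-greedy policy over a discretised
    context; the FPKB holds reward sum and count for every (context, action) pair."""
    def __init__(self, threshold, epsilon=0.1, seed=0):
        self.threshold, self.epsilon, self.rng = threshold, epsilon, random.Random(seed)
        self.fpkb = defaultdict(lambda: {a: [0.0, 0] for a in ACTIONS})

    def context(self, score, critical):
        level = "high" if score > 4 * self.threshold else "elevated" if score > self.threshold else "normal"
        return (level, "critical" if critical else "noncritical")

    def best(self, ctx):
        tried = [a for a in ACTIONS if self.fpkb[ctx][a][1] > 0]
        return max(tried, key=lambda a: self.fpkb[ctx][a][0] / self.fpkb[ctx][a][1]) if tried else None

    def choose(self, ctx):
        untried = [a for a in ACTIONS if self.fpkb[ctx][a][1] == 0]
        if untried:  # try every action once per context before exploiting
            return untried[0]
        return self.rng.choice(ACTIONS) if self.rng.random() < self.epsilon else self.best(ctx)

    def learn(self, ctx, action, reward):
        self.fpkb[ctx][action][0] += reward
        self.fpkb[ctx][action][1] += 1


def outcome_reward(action, attack, critical):
    """Constructed outcome model: reward containing a real attack, penalise missing one and
    penalise the availability cost of isolating a healthy device."""
    if attack:
        return {"observe": -1.0, "capture_logs": 0.6, "isolate": 1.0 if critical else 0.7, "escalate": 0.8}[action]
    return {"observe": 0.5, "capture_logs": 0.2, "isolate": -1.0, "escalate": -0.5}[action]


def run_simulation(episodes=500, seed=1, threshold=3.0):
    """Train on constructed two-feature telemetry (packets/s, CPU %). Returns the agent, the
    evidence chain and the share of correct decisions in the last 100 episodes."""
    rng = random.Random(seed)
    benign = lambda: [rng.gauss(50, 5), rng.gauss(10, 2)]
    attacks = (lambda: [rng.gauss(120, 10), rng.gauss(40, 5)],  # DoS-like flood
               lambda: [rng.gauss(50, 5), rng.gauss(18, 2)])     # subtle CPU drift only
    devices = [EdgeAnomalyLearner(f"sensor-{i}", [benign() for _ in range(200)], critical=(i == 0))
               for i in range(3)]
    agent, chain, correct = ForensicsAgent(threshold, seed=seed), [], []
    for ep in range(episodes):
        dev, attack = rng.choice(devices), rng.random() < 0.4
        sample = rng.choice(attacks)() if attack else benign()
        ctx = agent.context(dev.score(sample), dev.critical)
        action = agent.choose(ctx)
        if action == "capture_logs":
            prev = chain[-1]["sha256"] if chain else GENESIS
            chain.append(capture_logs(dev.device_id, [f"ep={ep} sample={sample}"], prev))
        agent.learn(ctx, action, outcome_reward(action, attack, dev.critical))
        correct.append((action != "observe") == attack)  # attack -> act, benign -> observe
    return agent, chain, statistics.fmean(correct[-100:])
```

Calling `run_simulation()` returns the trained agent, the hash-chained evidence records produced by `capture_logs`, and the share of correct decisions over the final 100 episodes; `agent.best(("high", "critical"))` then shows what the knowledge base has settled on for a strong anomaly on a critical device. Two design points carry over to a real deployment: the coordinator only ever receives model parameters and scores (which is what makes the federated setup privacy-preserving), and each captured evidence record commits to its predecessor, so `verify_chain` detects any record that was edited or dropped after the fact.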