(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 10, 2021 265 | Page www.ijacsa.thesai.org Forensic Analysis on False Data Injection Attack on IoT Environment Saiful Amin Sharul Nizam 1 , Zul-Azri Ibrahim 2 , Fiza Abdul Rahim 3 Hafizuddin Shahril Fadzil 4 , Haris Iskandar Mohd Abdullah 5 , Muhammad Zulhusni Mustaffa 6 UNITEN R&D Sdn. Bhd., Selangor, Malaysia 1, 4, 5, 6 College of Computing and Informatics, Universiti Tenaga Nasional, Malaysia 2 Razak Faculty of Technology and Informatics, Universiti Teknologi Malaysia, Malaysia 3 Institute of Informatics and Computing Energy, Universiti Tenaga Nasional, Malaysia 2, 3 Abstract—False Data Injection Attack (FDIA) is an attack that could compromise Advanced Metering Infrastructure (AMI) devices where an attacker may mislead real power consumption by falsifying meter usage from end-users smart meters. Due to the rapid development of the Internet, cyber attackers are keen on exploiting domains such as finance, metering system, defense, healthcare, governance, etc. Securing IoT networks such as the electric power grid or water supply systems has emerged as a national and global priority because of many vulnerabilities found in this area and the impact of the attack through the internet of things (IoT) components. In this modern era, it is a compulsion for better awareness and improved methods to counter such attacks in these domains. This paper aims to study the impact of FDIA in AMI by performing data analysis from network traffic logs to identify digital forensic traces. An AMI testbed was designed and developed to produce the FDIA logs. Experimental results show that forensic traces can be found from the evidence logs collected through forensic analysis are sufficient to confirm the attack. Moreover, this study has produced a table of attributes for evidence collection when performing forensic investigation on FDIA in the AMI environment. Keywords—Advanced Metering Infrastructure (AMI); False Data Injection Attack (FDIA); man in the middle (MITM); internet of things (IoT); forensic analysis I. INTRODUCTION Internet of Things (IoT) offers many benefits and advantages to people in the current modern era [1]. Besides, even in our daily life, IoT has proven to be beneficial. IoT is a system of interrelated intelligent devices that are provided with unique identifiers and given the ability to connect with other devices by exchanging information over a communication network. The IoT is seen as one of the foremost important zones in future development and is expanding tremendous consideration from a wide scope of businesses [2]. IoT will play a major role in improving many sectors such as manufacturing, public security, health care, accommodation, entertainment, environment protection, agriculture, industrial monitoring, intelligent transportation, and traditional metering system. However, little consideration has been paid to IoT adoption that may affect the IoT device‟s security measure, such as lack of authentication and insecure communication are among the main problems in most IoT devices [3]. These vulnerabilities will lead to many forms of attacks taking place, such as malware injection, SQL injection [4], false data injection (FDI), man-in-the-middle (MITM) [5], zero-day exploit, distributed denial-of-service (DDoS), DNS tunnelling [6], and many more cyber-attacks. Since the case of the Mirai botnet in 2016, over 600,000 IoT devices were targeted to launch cyberattacks that reached 620 Gigabits at the peak. The number of malware in the cyber world has been growing, giving threats to cybersecurity to face other types of aggravated attacks. There is also concern about one of the IoT environments, the Advanced Metering Infrastructure (AMI). AMI is a system consisting of modern electronic-digital hardware and software, which enables data measurement intermittently and remote communication continuously. The system gives a few important capacities that were not already possible or had to be performed manually. For instance, the ability to remotely and automatically measure power usage, connect and disconnect service, and voltage monitoring. FDIA is one of the popular attacks that can impact AMI as countries around the globe are implementing an AMI in their infrastructure. Like the MITM attack, FDIA is more toward creating falsified data, which the attacker injected from compromised smart meters to change the actual value sent by another smart meter in AMI. This threat can negatively affect both utilities and customers as it is difficult to investigate from the available log in the AMI [7]. This paper aims to simulate the impact of FDIA on the IoT environment and perform forensic analysis on digital traces from data obtained. In the next section of this paper, related literature on cyber attacks in the smart grid was reviewed. Subsequently, Section III presents the development of a testbed that is used to simulate the cyber attack in components of the smart grid. Section IV presents the result from the simulation and how forensic investigations are done to investigate FDI attacks in the smart grid environment. Section V provides a conclusion to the paper. II. LITERATURE REVIEW A. False Data Injection Attack (FDIA) The operation of the smart grid faces extreme consequences when the smart meters have been compromised and reporting false power consumption. Most current cases include the crime of electricity stealing. However, a few other sorts of data falsification attacks are conceivable such as FDIA. AMI would