A Smart Proactive Forensic Meta-Model for Smart Homes in Saudi Arabia Using Metamodeling Approaches

Abstract

The increasing adoption of smart home technologies introduces significant cybersecurity and forensic challenges. This necessitates a shift from traditional reactive digital forensics to a more proactive approach to safeguarding these environments. This research is situated within Saudi Arabia’s ambitious digital transformation, as outlined in Vision 2030, which promotes the development of smart cities and homes. The unique technological landscape and national initiatives in Saudi Arabia require tailored cybersecurity solutions. Existing models are often too theoretical, generic, or overly specialized, lacking practical validation and comprehensive integration for modern IoT ecosystems. There is a pronounced lack of a scalable, validated framework designed explicitly for proactive digital forensic readiness in smart homes. The study employs a mixed-methodology approach, combining a PRISMA systematic literature review with Design Science Research (DSR) to develop and validate the Smart Proactive Forensic Metamodel for Smart Homes (SPFMSH). The developed SPFMSH was tested against realistic cyberattack scenarios, including unauthorized access and intrusion, data exfiltration, and device hijacking by ransomware. In each scenario, the model demonstrated its capability to proactively detect threats, automatically preserve forensic evidence, and provide structured investigative timelines. This validation proved its effectiveness in transforming security incidents into forensically sound investigations within the Saudi smart home context. SPFMSH delivers a practical, holistic framework that addresses the limitations of previous models, moving beyond theory to offer an implementable solution. Its development is a significant step towards enhancing national cybersecurity resilience and supporting the secure adoption of smart home technologies in alignment with Saudi Vision 2030.

1. Introduction

As smart home technology continues to expand, particularly as a component of Saudi Arabia’s Vision 2030 digital transformation objectives, it introduces complex challenges in cybersecurity and digital forensics that must be addressed in the future [1]. Historically, digital forensic models have exhibited a reactive nature, facing challenges in managing the scale, diversity, and proactive threats inherent to contemporary IoT ecosystems [2]. The deficiency of adequate emergency response systems necessitates a strategic and proactive approach. This approach should encompass not only the investigation of incidents post-occurrence but also the anticipation, prevention, and preparation for such events, thereby safeguarding the security and privacy of community residents. Nevertheless, the deployment of such frameworks is not universally applicable. The distinctive national context of Saudi Arabia, propelled by its ambitious Vision 2030 and the swift advancement of giga-projects such as NEOM, introduces a unique technological environment that requires customized cybersecurity strategies. Existing models from various regions are frequently designed to integrate seamlessly with legacy systems or are shaped by different regulations, such as GDPR in Europe. Nevertheless, they do not fully align with the requirements of ‘greenfield’ projects, the specific mandates of the Saudi National Cybersecurity Authority (NCA), or the distinctive approaches of Saudi families in adopting new technologies. This represents a significant gap that our research is eager to address.

An in-depth examination of existing research illustrates the progression of our understanding of the Internet of Things (IoT) from broad conceptual frameworks to more specialized and nuanced ideas. While numerous proposed solutions hold significant value, many do not fully meet practical requirements, being either overly theoretical without empirical validation, too generic, lacking specific domain insights, or excessively specialized to be universally applicable across different fields [3]. Moreover, some are rendered obsolete by failure to keep pace with current technological advancements or are excessively complex, hindering smooth implementation. This review highlights a significant gap in digital forensics: the lack of a validated, comprehensive, and practical framework that can be effectively applied across the entire smart home system and adapted to various contexts. Consequently, this paper endeavors to develop an intelligent, proactive forensic meta-model designed explicitly for smart homes in Saudi Arabia, thereby addressing this critical void.

This paper seeks to fill this gap by developing a smart proactive forensic meta-model for smart homes in Saudi Arabia. The objective is to establish a comprehensive, structured framework that advances beyond reactive strategies to proactively prevent, identify, and address cyber incidents within smart homes, while automatically safeguarding forensic evidence for investigative purposes, specifically customized to the context of Saudi Arabia.

The primary contributions of this study are threefold. Firstly, it presents a comprehensive and systematic literature review synthesizing 33 existing models to identify key concepts and limitations. Secondly, it formulates a new metamodel, SPFMSH, by extracting, integrating, and defining relationships among core concepts from 21 selected models, thereby culminating in a reusable and interoperable framework. Thirdly, it validates the developed metamodel through multiple methodologies, including a detailed comparison with existing work, application to three realistic cyberattack scenarios (unauthorized access, data exfiltration, and ransomware), and a formal expert evaluation conducted by domain specialists.

This research is particularly noteworthy for three primary reasons, extending beyond its specific application to Saudi Arabia. First, it introduces an innovative approach to synthesizing and elucidating core concepts. Unlike broad, abstract frameworks such as Alotibi’s DFRM [4], which function as reusable design guidelines but lack detailed specifications, or Alotaibe’s IoT-SMFM [5], which primarily emphasizes security, SPFMSH is developed through a carefully curated combination of twenty-one distinct models. This methodology has identified eight critical domains that collaborate effectively, including Digital Forensic Readiness, Artificial Intelligence and Automation, and Data-Centric Processing. Most significantly, it demonstrates the interactions among these domains. Consequently, this yields a system architecture that is both clear and practically applicable, transcending merely a compilation of components.

This paper is organized as follows: Section 2 reviews related work, Section 3 describes the adapted methodology, Section 4 discusses the findings, and Section 5 provides an overview of future work.

2. Related Works

Numerous studies have been published in the literature on smart homes from various perspectives, including security, cyber investigation, and architecture. This section will focus on innovative city models and frameworks from the viewpoints of cybersecurity and digital forensics. For example, the researcher Alotibi in [4] developed a high-level blueprint in the form of a high-abstraction DFR metamodel specifically for smart cities, providing a reusable design template. Its methodology is metamodel development for integrating DFR into smart city design. The drawback is its abstract nature; it lacks technical specifics and must be tailored and implemented for concrete use cases, requiring significant additional effort.

The author Alotaibe in [5] provided a high-level, unified method for designing security models through metamodeling. Their approach primarily involves using metamodeling as a tool for security design. A significant limitation is that it is principally theoretical; as a metamodel, it serves as a design framework rather than an actual solution and requires further development to be practical.

The authors Houghton et al. in [6] provided a comprehensive, peer-reviewed scientific consensus on climate change. Its methodology involves synthesizing scientific assessment reports, making it a highly credible source for establishing the security of global climate systems from both scientific and environmental perspectives. However, its primary disadvantage is that it dates from 2001. While instrumental for historical context, the significant advancements in climate science since its publication limit its utility for providing current data and analysis.

The International Organization for Standardization (ISO) in [7] provided an internationally recognized standard for investigation processes. Its advantages include standardization and an authoritative nature, ensuring consistency, reliability, and legal admissibility in investigations. The methodology involves the development of standards by an ISO working group, focusing on principles for secure incident investigation processes. The key disadvantage is its generic and high-level nature; it describes processes but does not offer specific technical implementations or tools for practical applications.

The authors Bajramovic et al. in [8] study offered an early specific application of forensic readiness principles, focusing on the smart building and IoT context. Its advantage lies in its novelty, as it addresses preconditions for cybersecurity testing and forensic readiness in this specific domain through conceptual analysis and a developed framework. The limitation lies in its conceptual nature and limited scope, as it focuses on preconditions for testing rather than providing a complete, implemented framework or model for real-world use.

The authors Philomin et al. in [9] are domain-specific, developing a dedicated Digital Forensic Readiness (DFR) framework tailored for the complex environment of smart homes. Its methodology involves designing a framework for a specific domain, aiming to enhance digital forensic readiness for incident response. A significant potential disadvantage is that, as a developed framework, its practical effectiveness and real-world validation may not be fully detailed or proven, leaving its efficacy in question.

The authors Kebande et al. in [10] developed a holistic approach with a comprehensive DFR framework designed for entire IoT-enabled organizations, promoting a top-down strategy. Its methodology is a holistic framework design, aiming to prepare entire organizations for IoT security incidents. The main disadvantage is the inherent complexity of such a comprehensive framework, which could make it challenging to implement in its entirety within a real-world organizational structure.

The authors in Oriwoh and Sant [11] is an early conceptual work that attempts to design a system (FEMS) for managing forensic data in ubiquitous computing environments. Its methodological approach involves the design of concepts and systems for edge management of forensic data collection and preservation. The disadvantages include its dated nature, lack of validation through implementation, and failure to account for the scale and diversity of modern IoT ecosystems.

The authors Kebande and Ray in [12] presented a generic digital forensic investigation framework specifically designed for Internet of Things (IoT) ecosystems. Its advantage lies in its dedicated focus on guiding principles for IoT digital forensic investigations. The methodology involves a generic investigative framework design. The primary disadvantage is its generic nature; it may lack the specific details required for IoT subdomains, such as smart grids or vehicles, thereby limiting its practical utility.

The authors Ngobeni et al. in [13] demonstrated an early domain application by adapting DFR principles to address the unique challenges of wireless networks. Its methodology involves model development for wireless contexts, with a focus on forensic readiness for wireless network incidents. Its major drawback is that it dates to 2010. The dramatic evolution of wireless technology and security threats since then has severely limited its current applicability.

The authors Cebe et al. in [14] developed an innovative integration of blockchain technology to enhance evidence integrity, tamper-resistance, and privacy for vehicle forensics. Its methodology involves the design and implementation of a lightweight blockchain framework. The significant disadvantage is the potential implementation overhead, as incorporating blockchain may introduce substantial computational, storage, and complexity costs.

The authors Kim et al. in [15] provided an empirical data focus, analyzing data from real IoT devices in smart homes, thus moving beyond theoretical models. Its methodology is empirical data analysis from IoT devices for post-incident forensic data analysis. The limitation is its limited device scope; findings are based on a specific set of devices and may not be fully generalizable to all smart home products.

The authors Kim et al. in [16] explored a cutting-edge approach by applying AI to automate forensic processes in smart cities, addressing future scalability challenges. Its methodology is an AI-enabled framework proposal for automation in digital forensic investigations. The main disadvantage is its conceptual/theoretical nature; it is developed without extensive real-world testing or validation, making its practicality unproven.

The authors Cicirelli et al. in [17] presented a study that bridges design and implementation, demonstrating how metamodeling can connect high-level design with concrete implementation in bright environments. The methodology uses metamodeling and model-driven engineering (MDE) to ensure secure development of smart environments. However, its main drawback is the technical complexity, as the approach demands expertise in MDE, which can pose a barrier for practitioners.

The authors Afroze and Poornima in [18] compared AI/ML frameworks with a focus on proactive security, specifically analyzing their role in detecting and preventing cyberattacks in IoT forensics. Its methodology involves a comparative analysis of existing AI/ML frameworks. A notable limitation of this comparative study is that it does not introduce a new, validated solution; instead, it evaluates current approaches.

The authors Alhussan et al. in [19] used domain-specific structured modeling to address drone forensics. Their approach involves creating a high-level abstraction model for forensic investigation processes related to drones. However, a limitation is its narrow scope, as the model is tailored specifically for drones and cannot be easily applied to other IoT or smart city areas.

The researchers Alotaibi et al. in [20] developed a detailed model specifically for drone forensics, focusing on data collection and analysis. Their methodology provides a comprehensive framework for gathering and analyzing data in this field.

The authors Alotaibi et al. in [21] presented an applicable conceptual investigation model for drone forensics, providing a practical methodology. Its methodology involves the development of a conceptual model for the digital forensic investigation process of drones. The disadvantage is its conceptual stage; it is labeled as “conceptual” and may require further validation and testing in real-world investigative scenarios.

The authors Bashir et al. in [22] tackled the big data challenge by concentrating on how to manage and analyze large data volumes in smart buildings through a metamodel. Their approach involves developing a metamodel for data management. The primary drawback is that such models can be complex to design and implement effectively within existing building management systems.

The author Melo in [23] focused on standardization by proposing an extension to the widely used ArchiMate language for modeling smart city enterprises. Its methodology is the ArchiMate language. The disadvantage is the modeling overhead it requires, as users must learn and adopt the extended language, which may not be ideal for all stakeholders.

The author Rossi in [24] emphasized quality by employing MDE to support the vital yet frequently overlooked aspect of quality assessment in innovative city solutions. Their methodology centers on Model-Driven Engineering for evaluation. A possible limitation is that, as a conference paper, it may be conceptual or preliminary work without comprehensive validation.

The authors Fortino et al. in [25] focused on human-centric metrics, defining indicators for measuring smart and human aspects of cities, not just technology. Its methodology is metamodel development (Smart cluster) for defining indicators. The likely disadvantage is that it is a theoretical framework requiring application and testing in real cities to prove its value.

The authors Benaddi et al. in [26] created a model designed for application-specific standardization by establishing a unified metamodel for conversational agents in smart tourism. Its approach involves developing a unified metamodel. However, a limitation is its very narrow focus, as its usefulness is restricted to the specific context of conversational agents within tourism.

The authors Mercuri et al. in [27] developed a comprehensive metamodel, bringing together technology-focused “smart city” indicators with quality-of-life-oriented “human city” indicators. This creates a well-rounded urban assessment framework that moves beyond a purely technocratic view. However, it is mostly theoretical and conceptual in nature. Although it offers a clear set of clustered indicators, it has not been tested with real-world case studies, so its practical use, scalability, and handling of data challenges remain to be seen.

The authors Basciani et al. in [28] offered a practical examination of a conversational agent developed for smart tourism, utilizing Bot Framework Composer, and presented a valuable comparison of development tools. Although it demonstrates strengths in real-world application, it also exhibits certain limitations, including a focus on a single tool, the theoretical nature of the proposed metamodel without empirical validation or user data, and the lack of a validated, unified Domain-Specific Language (DSL), which warrants further investigation in future research.

The authors Dos Santos et al. in [29] introduced the SEM framework as a UML-based methodology that integrates both functional and data perspectives to address design deficiencies for complex Smart Cities. However, it lacks the capability of evaluating the framework’s application, implementation, or validation as well as its effectiveness.

The authors Gondhalekar et al. in [30] offered a contemporary overview of the benefits of IoT integration for enhancing urban living. Its methodology is an integrative review/discussion on the role of IoT security in urban living. The likely disadvantage is that it is high-level; it probably offers a summary perspective rather than a novel technical contribution.

The Horalek et al. in [31] presented a holistic security view by integrating business process modeling with data modeling to enhance smart city cybersecurity. Its methodology combines business process and data modeling. The main disadvantage is integration complexity; successfully merging business and technical security models can be a complex undertaking for organizations.

This thorough review traces the development of digital forensic and security techniques, evolving from broad, fundamental principles to highly specialized, domain-specific methods. This progression is particularly evident in IoT and smart city contexts. The literature shows a trend towards using abstract modeling approaches like metamodeling and MDE to handle environmental complexities. While early studies are often viewed as outdated, generic, or purely theoretical, recent research is driving innovation through AI and blockchain, particularly in niche sectors such as drone forensics and smart tourism. Table 1 displays the advantages, disadvantages, and methodologies of the existing works.

Table 1. Existing smart home models and frameworks.

ID	References	Advantages	Disadvantages	Methodology
1	[6]	Offers a thorough, peer-reviewed scientific consensus on climate change, establishing it as a highly trustworthy source.	Since 2001, significant progress has been made in science. It is more helpful in understanding historical context than for current data.	Synthesis of scientific assessment reports (IPCC).
2	[7]	Provides an internationally recognized standard for investigation processes, ensuring consistency, reliability, and the legal admissibility of evidence.	Generic and High-level: As a standard, it describes principles and processes but does not provide specific technical implementations or tools.	Standards development (ISO working group).
3	[8]	One of the first papers to apply forensic readiness principles specifically to the smart building/IoT context.	Focuses on preconditions for testing rather than a whole, implemented framework or model.	Conceptual analysis and framework proposal.
4	[9]	Develops a dedicated Digital Forensic Readiness (DFR) framework tailored for the complex environment of smart homes.	As a developed framework, its practical effectiveness and real-world validation may not be fully detailed or proven.	Framework design for a specific domain.
5	[10]	Proposes a comprehensive DFR framework designed for entire IoT-enabled organizations, promoting a top-down strategy.	A holistic organizational framework can be complex and potentially difficult to implement in its entirety.	Holistic framework design.
6	[11]	An early attempt to design a system (FEMS) for managing forensic data in ubiquitous computing environments.	The concept may not account for the scale and diversity of modern IoT ecosystems. Likely not validated through implementation.	Concept and system design (FEMS).
7	[12]	Presents a generic digital forensic investigation framework specifically designed for the Internet of Things.	Generic Nature: Being “generic” means it may lack specific details required for particular IoT sub-domains (e.g., smart grids, vehicles).	Generic investigative framework design.
8	[13]	Early research has adapted DFR principles to the specific challenges of wireless networks.	Wireless technology and security threats have evolved dramatically since 2010, likely limiting its current applicability.	Model development for wireless contexts.
9	[14]	Proposes integrating blockchain technology to enhance evidence integrity and tamper-resistance for vehicle forensics.	Incorporating blockchain may introduce significant computational, storage, and complexity overhead.	Lightweight blockchain framework design and implementation.
10	[15]	Provides practical analysis of data from real IoT devices, moving beyond theoretical models to actual evidence.	Findings are likely based on a specific set of devices and may not be fully generalized to all smart home products.	Empirical data analysis from IoT devices.
11	[16]	Explores the application of AI to automate forensic processes, addressing future scalability challenges in smart cities.	The AI-enabled approach may be developed conceptually without extensive real-world testing or validation.	AI-enabled framework proposal.
12	[5]	Applies a metamodeling approach to IoT security, providing a high-level, unified method for designing security models.	As a metamodel, it is a design tool rather than an implemented solution; it requires further instantiation to be practical.	Metamodeling approach for security design.
13	[4]	Proposes a high-abstraction DFR metamodel specifically for smart cities, providing a reusable and flexible design template.	The high level of abstraction means it lacks technical specifics and must be tailored and implemented for concrete use cases.	Metamodel development.
14	[17]	Demonstrates how metamodeling can effectively connect high-level design with concrete implementation in smart environments.	Technical Complexity: The metamodeling approach may require expertise in MDE, which can be a barrier to adoption.	Metamodeling and model-driven engineering.
15	[18]	Comparative study focusing on AI/ML for detection and prevention within IoT forensics, a proactive approach.	As a comparative study of frameworks, it may not propose a new, validated solution itself.	Comparative study of AI/ML frameworks.
16	[19]	Applies structured modeling to the emerging and specific field of drone forensics, addressing a clear gap.	The high abstract model is specific to drones and not directly transferable to other IoT or smart city domains.	High-abstraction model development.
17	[20]	Proposes a comprehensive model for the drone forensics field, covering collection and analysis.	Similarly to [19], its primary advantage is also its limitation: it is highly specialized for a single domain.	Comprehensive model development.
18	[21]	Applicable Model: Presents a conceptual investigation model directly applicable to drone forensics, providing a practical methodology.	Conceptual Stage: Labeled as “conceptual,” it may require further validation and testing in real-world investigative scenarios.	Conceptual model development.
19	[22]	Addresses Big Data Challenge: Focuses on the critical issue of managing and analyzing large data volumes in smart buildings via a metamodel.	Complexity: Big data metamodels can be complex to design and implement effectively within existing building management systems.	Metamodel development for data management.
20	[22]	Reduces Semantic Gap: Aims to solve interoperability issues in smart cities by using MDE to align domain-specific needs with generic infrastructure.	Academic Focus: The middleware approach might be a theoretical contribution that requires further development for widespread industry adoption.	MDE, and Middleware Design.
21	[23]	Standardization: Proposes an extension to the widely used ArchiMate standard, allowing for standardized visual modeling of innovative city enterprises.	Modeling Overhead: Requires users to learn and adopt the extended ArchiMate language, which may not be ideal for all stakeholders.	ArchiMate language extension.
22	[32]	Quality Focus: Uses Model-Driven Engineering to support quality evaluation, a crucial but often overlooked aspect of smart city solutions.	Likely Conceptual: As a conference publication, the approach might be presented as a concept or early work without full validation.	Model-Driven Engineering for evaluation.
23	[32]	Structured Development: An early proposal for a structured software engineering methodology (based on metamodels) for IoT systems.	Dated and Early stage: The IoT landscape was less mature in 2015; the approach may need updating for current complexities.	Metamodel-based development methodology.
24	[24]	Human-Centric Metrics: Focuses on defining indicators for measuring smart and human aspects of cities, not just technology.	Theoretical Framework: The “Smart cluster” metamodel is likely a theoretical contribution that requires application and testing in real cities.	Metamodel development (Smart cluster).
25	[25]	Application-Specific Standardization: Aims to develop a unified metamodel for conversational agents in smart tourism, supporting progress and efficiency.	Very Narrow Focus: The utility of the metamodel is confined to the specific application of conversational agents in tourism.	Unified metamodel development.
26	[33]	This study developed a comprehensive metamodel, bringing together technology-focused “smart city” indicators with quality-of-life-oriented “human city” indicators. This creates a well-rounded urban assessment framework that moves beyond a purely technocratic view.	However, it is mostly theoretical and conceptual in nature. Although it offers a clear set of clustered indicators, it has not been tested with real-world case studies, so its practical use, scalability, and handling of data challenges remain to be seen.	Framework exploitation (SEM).
27	[26]	This study offered a practical examination of a conversational agent developed for smart tourism, utilizing Bot Framework Composer, and presents a valuable comparison of development tools.	Although it demonstrated strengths in real-world application, it also exhibits certain limitations, including a focus on a single tool, the theoretical nature of the proposed metamodel without empirical validation or user data, and the lack of a validated, unified Domain-Specific Language (DSL), which warrants further investigation in future research.	Development of graphical/textual editors.
28	[27]	This study introduced the SEM framework as a UML-based methodology that integrates both functional and data perspectives to address design deficiencies for complex Smart Cities.	However, it cannot evaluate the framework’s application, implementation, or validation, as well as its effectiveness.	Generic metamodel design for emulation.
29	[28]	Offers a recent overview of the benefits of IoT integration, serving as a valuable introductory reference for enhancing urban living.	As a conference paper, it probably offers a summary or perspective rather than a novel technical or methodological contribution.	Integrative review/discussion.
30	[29]	Integrates business process modeling with data modeling to enhance cybersecurity, connecting technical and organizational views.	Successfully merging business processes and technical security models can be a complex undertaking for organizations.	Business process and data modeling.
31	[34]	One of the first to propose a straightforward, step-by-step process for implementing forensic readiness, making the concept actionable.	Pre-dates the complexities of modern IoT and smart cities. It is a high-level guide that lacks specifics for contemporary digital environments.	Procedural model development (10-step process).
32	[30]	Provides a comprehensive, peer-reviewed scientific consensus on climate change, making it a highly credible source.	Science has advanced significantly since 2001. It is more helpful in establishing historical context than current data.	Synthesis of scientific assessment reports (IPCC).
33	[31]	Pioneering and Practical: One of the first to propose a straightforward, step-by-step process for implementing forensic readiness, making the concept actionable.	Pre-dates the complexities of modern IoT and smart cities. It is a high-level guide that lacks specifics for contemporary digital environments.	Procedural model development (10-step process).

Therefore, current strategies for smart home security face several significant challenges. Primarily, digital forensics usually respond only after an incident, which can lead to loss or degradation of evidence. Additionally, many existing frameworks are too generalized, failing to adequately address specific regional requirements or regulations, such as those outlined by Saudi Arabia’s NCA and PDPL, and often overlooking local threats. Moreover, a disconnect exists between theoretical development and practical application; many frameworks remain theoretical or become overly complex academic pursuits, offering limited actionable guidance for real-world implementation. As a result, smart homes remain more vulnerable than necessary.

While the reviewed models provide essential foundational concepts, our analysis indicates they might not entirely align with the Saudi context for three primary reasons:

• Regulatory Misalignment: Models originating from (e.g., Europe or the United States) may not necessarily conform to the Saudi PDPL and NCA frameworks, potentially resulting in legal challenges concerning forensic evidence. It is imperative to recognize these differences to ensure compliance and maintain the integrity of the evidence.
• Infrastructure Assumptions: Numerous models presume the integration of pre-existing systems; however, Saudi Arabia’s remarkable giga-projects demonstrate significant large-scale innovations that genuinely necessitate a specialized framework tailored for ‘greenfield’ development environments.
• Lack of Regional Threat Context: They do not consider the unique device ecosystems, user habits, and environmental conditions such as extreme climates that are specific to the region.

3. Methodology

In this study, the author employed a mixed-methodology approach, incorporating PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) [35] and Design Science Research (DSR) methodologies [36]. The PRISMA methodology is used to conduct a rigorous and evidence-based systematic literature review. It ensures the research is comprehensively informed by existing knowledge, helping to identify the current state of research, gaps, and foundational concepts relevant to developing the new metamodel. The DSR centers on developing and validating a new artifact, specifically the proactive forensic metamodel, to address a real-world problem. It offers a structured approach for developing and validating the developed solution.

The combination of these two methods ensures the research is both theoretically grounded through PRISMA’s systematic review and practically oriented through DSR’s focus on building and validating an artifact. Figure 1 illustrates the mixed-methods approach, which comprises six stages.

Figure 1. Adapted mixed methodology.

• Identification stage: This stage aims to identify the online databases and search protocols for gathering articles. Six central online databases are identified: Web of Science, IEEE Xplore, Scopus, Springer Link, ScienceDirect, and Google Scholar. The search protocols guiding this study include the language (English), time (2004–2025), and keywords (Smart cities, Digital forensics, and metamodel). A total of 3486 articles has been gathered from the identified online databases, as illustrated in Figure 2. This stage eliminates 567 duplicate articles and 250 non-English articles. A total of 2669 articles has been moved to the screening stage.
  

  Figure 2. Collected articles from the identified online databases.
• Screening stage: During this stage, the 2669 articles are sorted according to their eligibility for inclusion in this study by filtering. As part of the screening process, 290 books and book chapters were removed, 199 articles were removed after evaluating the abstracts, and 390 articles were removed after considering the titles.
• Eligibility stage: In this stage, 1790 articles are thoroughly reviewed to select the eligible articles for this study. Many articles were excluded due to issues with quality, validation, implementation, and the reliability of the results. A total of 1757 articles were removed, leaving only 33 articles eligible for this study.
• Inclusion stage: The inclusion stage was completed by choosing 33 articles for detailed analysis in the study. These articles, listed in Table 2, were selected because they directly address the research focus on smart homes, cities, digital forensics, and metamodeling. They cover a broad spectrum of topics, including domain-specific frameworks for smart homes and drones, organizational IoT security strategies, technical data analyses, and high-level modeling approaches using metamodeling and MDE. This curated collection of literature forms the foundational knowledge base from which the core concepts for developing the new SPFMSH were derived and synthesized.
  Table 2. Included articles for this study.

  ID	References	Scope	Perspective
  1	[6]	Global climate change.	Scientific, Environmental.
  2	[7]	General incident investigation processes.	Standardization, Best Practices.
  3	[8]	IoT-enabled Smart Buildings.	Research, Proactive Security.
  4	[9]	Smart Home environments.	Academic, Domain-Specific.
  5	[10]	Organizational-level IoT security.	Strategic, Organizational.
  6	[11]	Ubiquitous computing environments.	Architectural, Conceptual.
  7	[12]	Internet of Things (IoT) ecosystems.	Investigative, Generic.
  8	[13]	Wireless Networks.	Academic, Network Security.
  9	[14]	Connected Vehicles.	Technical, Cryptographic.
  10	[15]	IoT Devices in Smart Homes.	Technical, Data-Centric.
  11	[16]	IoT devices within Smart Cities.	Futuristic, Automation.
  12	[5]	Smart City IoT Security.	Design, Abstract Modeling.
  13	[4]	Smart City Security and Forensics.	Strategic, Abstract Modeling.
  14	[17]	Smart Environments design-to-implementation.	Software Engineering, MDE.
  15	[18]	IoT Forensics Frameworks.	Analytical, Comparative.
  16	[19]	Drone Forensics Domain.	Domain-Specific Modeling.
  17	[20]	Drone Forensics Field.	Domain-Specific, Process-Oriented.
  18	[21]	Drone Forensics Investigations.	Conceptual, Investigative.
  19	[22]	IoT-enabled Smart Buildings (Big Data).	Data-Centric, Architectural.
  20	[22]	Smart City Infrastructure and Applications.	Software Engineering, Interoperability.
  21	[23]	Smart City Enterprise Architecture.	Enterprise Architecture, Standardization.
  22	[32]	Smart City Quality Evaluation.	Evaluative, MDE.
  23	[32]	Smart Object-Oriented IoT Systems.	Software Development, Methodological.
  24	[24]	Smart and Human Cities (Indicator metrics).	Metric-Based Urban Planning.
  25	[25]	Conversational Agents for Smart Tourism.	Domain-Specific, Application Design.
  26	[33]	Smart City Modeling.	Modeling, Conceptual.
  27	[26]	Smart City Modeling Tools.	Tool-Oriented, Practical MDE.
  28	[27]	IoT Sensor-Node Emulation.	Development, Testing.
  29	[28]	IoT integration in Smart Cities.	Overview, Urban Living.
  30	[29]	Smart City Cybersecurity.	Business-Centric, Holistic Security.
  31	[34]	General organizational digital forensics.	Organizational, Process-oriented.
  32	[30]	Global climate change.	Scientific, Environmental.
  33	[31]	General organizational digital forensics.	Organizational, Process-oriented.

5.

Developing stage: this stage aims to develop a Smart Proactive Forensic Metamodel for Smart Homes in Saudi Arabia. It consists of several steps, as shown in Figure 1:

✓

Identifying developing models: As discussed in Section 2, there are several models for forensic investigations of smart cities. The selection of models in this study was based on factors identified in previous research [37,38] to evaluate coverage. To propose common investigation concepts for smart city forensic models, it is essential to gather diverse perspectives that can be widely applied. The author meticulously selected 21 models from the initial set of 33, ensuring their suitability for the development of a metamodel. The chosen models emphasized proactive and forensic readiness, maintained direct connections to IoT or smart environments, and encompassed sufficiently detailed concepts for practical applications. This selection criterion led to the exclusion of models that were purely reactive, overly abstract, outdated, or excessively narrow in focus, as they were deemed less effective for conveying broader concepts. The term “high coverage” refers to a model that encompasses all aspects of smart city forensics, offering a comprehensive view. On the other hand, a model with lower coverage reflects only a partial or specific aspect of smart city functions. Using these categories, this study found that 21 models belonged to the full-coverage group, while 12 models were identified as partial-coverage. Table 3 displays the 21 models that were assigned to develop the metamodel.

Table 3. Identified and selected development models.

ID	References	Scope	Perspective
1	[8]	IoT-enabled Smart Buildings.	Research, Proactive Security.
2	[9]	Smart Home environments.	Academic, Domain-Specific.
3	[10]	Organizational-level IoT security.	Strategic, Organizational.
4	[15]	IoT Devices in Smart Homes.	Technical, Data-Centric.
5	[16]	IoT devices within Smart Cities.	Futuristic, Automation.
6	[5]	Smart City IoT Security.	Design, Abstract Modeling.
7	[4]	Smart City Security and Forensics.	Strategic, Abstract Modeling.
8	[18]	IoT Forensics Frameworks.	Analytical, Comparative.
9	[20]	Drone Forensics Field.	Domain-Specific, Process-Oriented.
10	[21]	Drone Forensics Investigations.	Conceptual, Investigative.
11	[22]	IoT-enabled Smart Buildings (Big Data).	Data-Centric, Architectural.
12	[22]	Smart City Infrastructure and Applications.	Software Engineering, Interoperability.
13	[23]	Smart City Enterprise Architecture.	Enterprise Architecture, Standardization.
14	[32]	Smart City Quality Evaluation.	Evaluative, MDE.
15	[32]	Smart Object-Oriented IoT Systems.	Software Development, Methodological.
16	[24]	Smart and Human Cities (Indicator metrics).	Metric-Based Urban Planning.
17	[33]	Smart City Modeling.	Modeling, Conceptual.
18	[26]	Smart City Modeling Tools.	Tool-Oriented, Practical MDE.
19	[28]	IoT integration in Smart Cities.	Overview, Urban Living.
20	[29]	Smart City Cybersecurity.	Business-Centric, Holistic Security.
21	[34]	General organizational digital forensics.	Organizational, Process-oriented.

✓

Extracting concepts from the identified models: In this step, concepts from the 21 models are extracted based on criteria adapted from [37,38]:

✓

Excluding the title, abstract, introduction, related works, and conclusion: The concept must be extracted from the main body of a textual or graphical model.

✓

Excludes any concept that is not related to the domain: The fundamental guideline for extracting concepts is: “If it is not relevant to the domain, then it should not be included in the case domain model”.

✓

Exclusion of specific concepts related to the domain: The concept, which possesses a particular meaning or function, should be excluded. According to a more common concept, the name is easier to reuse than that of a more specific concept name.

According to [38] “It is important, to begin with, a very comprehensive list of concepts and gradually eliminate concepts that are irrelevant”. Therefore, this study extracts concepts manually, like previous studies [39,40,41]. This is a complex process whereby every model is utilized to identify potential concepts required for this study. Table 4 displays a list of concepts extracted from 21 models.

Table 4. Extracted concepts from 21 models.

ID	References	Extracted Concepts
1	[8]	IoT, Smart Buildings, Forensic Readiness, Proactive Security, Cybersecurity Tests, Preconditions
2	[9]	Smart Home, Digital Forensic Readiness Framework, Domain-Specific, Academic
3	[10]	Organizational-level, IoT Security, Holistic Framework, Digital Forensic Readiness, Strategic
4	[15]	IoT Devices, Smart Homes, Data Analysis, Technical, Data-Centric Forensics
5	[16]	Smart Cities, AI-enabled, Device Digital Forensics, Automation, Futuristic
6	[5]	IoT Security, Smart Cities, Metamodeling Approach, Abstract Modeling, Design
7	[4]	Smart City Security, Digital Forensic Readiness, Metamodel, High Abstract, Strategic
8	[18]	IoT Forensics Framework, AI, Machine Learning, Cyberattacks, Detection, Prevention, Comparative Study, Analytical
9	[20]	Drone Forensics, Collection Model, Analysis Model, Domain-Specific, Process-Oriented
10	[21]	Drone Forensics, Digital Forensic Investigation Model, Conceptual, Investigative
11	[22]	Smart Buildings, Big Data, Data Management, Analytics Metamodel, IoT-enabled, Architectural, Data-Centric
12	[22]	Smart City Infrastructure, Applications, Software Engineering, Interoperability, Model-Driven Middleware, Semantic Gap
13	[23]	Smart City, Enterprise Architecture, Standardization, Architectural Framework
14	[32]	Smart City, Quality Evaluation, Model-Driven Engineering (MDE), Evaluative
15	[32]	Smart Object-Oriented, IoT Systems, Software Development, Methodological
16	[24]	Smart Cities, Human Cities, Indicator Metrics, Metric-Based, Urban Planning
17	[33]	Smart City Modeling, Conceptual Modeling, Urban Development
18	[26]	Smart City Modeling Tools, Tool-Oriented, Practical MDE, Development Tools
19	[28]	IoT Integration, Smart Cities, Overview, Urban Living, Technology Adoption
20	[29]	Smart City Cybersecurity, Business-Centric, Holistic Security, Risk Management
21	[34]	Organizational Digital Forensics, Process-oriented, Forensic Investigation, Readiness

✓

Combining and proposing similar concepts: A process of combining and proposing common concepts from extracted concepts is based on the similarity of their meanings or functions, regardless of their names [39]. Therefore, to candidate common concepts that vary in naming, synonyms, definitions, and meaning is laborious and may lead to incorrect results. For this purpose, this study employed three techniques to assist in filtering, combining, and proposing familiar concepts from the extracted ones. The methods include an interview with a digital forensic expert, a synonyms check using Wordnet2 [42], and the extraction of the semantic functioning or meaning of each concept. The standard concepts that have similar meanings or functions, regardless of their names or synonyms, are combined and developed as common concepts, as illustrated in Table 5.

Table 5. Combined and developed common concepts.

Proposed Common Concept	Description	Related Extracted Concepts
Digital Forensic Readiness and Investigation	Frameworks and processes are designed to prepare for, support, and proactively conduct digital forensic analyses.	Forensic Readiness, Proactive Security, Digital Forensic Investigation Model, Process-Oriented, Collection Model, Analysis Model, Conceptual, Investigative
Smart Environment Domains	The specific IoT-enabled domains where the frameworks and models are applied.	Smart Buildings, Smart Homes, Smart Cities, Drone Forensics, IoT Devices
Modeling and Architectural Approach	The methodology used to design, conceptualize, and structure the solutions often focuses on abstraction and standardization.	Metamodeling Approach, Abstract Modeling, Holistic Framework, Architectural Framework, Conceptual Modeling, Model-Driven Engineering (MDE), Enterprise Architecture
Security and Risk Management	Proactive and strategic measures to protect systems, detect threats, and manage cybersecurity risks.	Cybersecurity Tests, Preconditions, Proactive Security, Holistic Security, Risk Management, Cyberattacks, Detection, Prevention
Data-Centric Processing	Methods focused on the management, analysis, and extraction of intelligence from data generated within smart environments.	Data Analysis, Data Management, Analytics, Data-Centric Forensics, Big Data
AI and Automation	The use of advanced computational techniques enables automation, enhances analysis, and improves system capabilities.	AI-enabled, Automation, Machine Learning, AI
Interoperability and Standardization	Efforts to ensure systems and components can work together through common standards, models, and semantic understanding.	Standardization, Interoperability, Model-Driven Middleware, Semantic Gap, Indicator Metrics, Quality Evaluation
The Entire System	Represents the holistic framework from all seven conceptual groups, embodying a proactive forensic ecosystem for smart homes that ensures cybersecurity, automated evidence preservation, and forensic readiness through interoperability and automation.	Holistic Framework, Integrated System, Proactive Ecosystem, Forensic Readiness, Cybersecurity, Interoperability, Automation, Smart Home Environment

✓

Identifying relationships among developed concepts: Creates a structured network of interactions among the eight common concept groups developed from literature. These relationships define how each concept influences or supports others within the proactive forensic metamodel for smart homes. Table 6 shows the relationships among these concepts. The output of this step is the developed SPFMSH, which is illustrated in Figure 3.

Table 6. Established relationships among the developed concepts.

Source Concept	Relationship	Target Concept
Modeling and Architectural Approach	Provides The Blueprint For	Interoperability and Standardization
Interoperability and Standardization	Defines Standards For	Modeling and Architectural Approach
Modeling and Architectural Approach	Guides The Design Of	Smart Environment Domains
Smart Environment Domains	Generate	Data-Centric Processing
Smart Environment Domains	Are Protected By	Security and Risk Management
Data-Centric Processing	Provides Input For	AI and Automation
Security and Risk Management	Enhances The Capabilities Of	AI and Automation
AI and Automation	Is Leveraged By	Security and Risk Management
Data-Centric Processing	Provides Evidence For	Digital Forensic Readiness and Investigation
Security and Risk Management	Provides Alerts For	Digital Forensic Readiness and Investigation
AI and Automation	Automates Tasks For	Digital Forensic Readiness and Investigation
Digital Forensic Readiness and Investigation	Is The Ultimate Goal Of	The Entire System

Figure 3. Smart proactive forensic metamodel for smart homes in Saudi Arabia.

The SPFMSH is a comprehensive, structured framework designed to address the cybersecurity and forensic challenges specific to IoT-enabled smart homes, particularly within the context of Saudi Arabia’s Vision 2030. Unlike traditional reactive digital forensics models, the SPFMSH is proactive, meaning it is built to prepare for, detect, and automatically respond to cyber incidents before they cause significant damage, while simultaneously preserving forensic evidence for investigation. The metamodel functions through the integration of eight core conceptual groups and the dynamic relationships between them. SPFMSH is constructed from eight common concepts derived from a synthesis of 21 models, as shown in Table 5. These concepts form the building blocks of the SPFMSH. Their function and reusability can be assessed across the three classic metamodeling levels, as shown in Table 7 and Figure 4:

Table 7. Core functions of the developed SPFMSH.

Concept	Main Function	Reusability Assessment
Digital Forensic Readiness and Investigation	To provide the processes, protocols, and tools to proactively collect evidence and conduct effective investigations after a security incident.	High. This concept is agnostic to the specific domain. The core idea of “readiness” can be reused across IoT domains (smart grids, medical IoT, industrial systems) by instantiating it with domain-specific tools and procedures at Level 1.
Smart Environment Domains	It represents the specific IoT-enabled environment (e.g., smart home, smart city, drone ecosystem) where the metamodel is applied.	Medium. While the concept can be reused at Levels 2 and 3, its implementation at Level 1 is specific to the domain. You can apply the idea to a new domain, but the device types, data formats, and threats relevant to a smart home do not directly transfer to, for instance, a smart power grid.
Modeling and Architectural Approach	To provide the blueprint. It offers high-level, abstract design principles and structural rules for building secure and forensically ready systems.	Very High. This is the most reusable concept. It exists at Level 3/Metamodel level. The approach of using abstraction, standardization, and metamodeling to manage complexity can be applied to design systems for virtually any complex IoT domain.
Security and Risk Management	To enable proactive defense. It encompasses the policies, tools, and processes for threat detection, risk assessment, and triggering incident response.	High. The core principles of proactive security (monitoring, alerting, risk assessment) are highly reusable across domains. Level 1 instantiations (e.g., using a specific AI-based IDS tool) might need configuration for the new domain, but the concept remains the same.
Data-Centric Processing	To handle evidentiary data. It defines how the vast amounts of data generated by IoT devices are collected, managed, stored, and pre-processed for forensic analysis.	High. The need to collect, normalize, and preserve data from heterogeneous sources is universal across IoT domains. The protocols and tools defined at Level 2 can be reused; only the data schemas and sources at Level 1 would change.
AI and Automation	To provide intelligence and speed. It leverages machine learning and automation to correlate data, detect sophisticated anomalies, and execute automated responses without human intervention.	Very High. The function of using AI for analytics and automation is a cross-cutting concern, highly reusable in any cybersecurity or forensic context. The models at Level 2 might need retraining on new domain data at Level 1, but the architectural concept is perfectly reusable.
Interoperability and Standardization	To ensure cohesion. It focuses on ensuring that diverse systems, devices, and data formats can work together through common standards and a shared understanding of semantics.	Very High. This is a foundational, abstract concept (Level 3) crucial for any complex, heterogeneous system like IoT. The drive for standardization and semantic alignment is 100% reusable across all domains.
The Entire System	To demonstrate how all seven conceptual groups (like DFR, Smart Domains, AI, etc.) work together synergistically. This integrated system aims to ensure proactive digital forensic readiness, enabling effective investigations following a security incident. This is the fundamental purpose of the entire model.	Very high. The concept constitutes a meta-framework. The idea of integrating security, data management, AI, and forensic processes into a cohesive, proactive system is a universal principle applicable to any complex IoT domain (e.g., smart grids, industrial IoT, healthcare IoT), not solely limited to smart homes.

Figure 4. Three classic metamodeling levels of SPFMSH.

✓

Level 1 (M1-Instance Level): The actual runtime data, specific devices, and individual forensic cases (e.g., a specific log file from a specific camera).

✓

Level 2 (M2-Model Level): The models that define the structure for Level 1 (e.g., the SPFMSH concepts and their relationships defined in this paper).

✓

Level 3 (M3-Metamodel Level): The language used to define the models at Level 2 (e.g., the rules of metamodeling itself, like using concepts and relationships).

This table shows that the core components of SPFMSH Modeling, Artificial Intelligence, and Interoperability have a “Very High” level of reusability. The metamodel is not confined to smart home applications; instead, it acts as a versatile template that can be adapted to other Internet of Things (IoT) fields, such as smart grids and healthcare, by adjusting domain-specific implementations.

Therefore, the development of the SPFMSH was meticulously designed to align with the specific context of Saudi Arabia. The author ensured that the ‘Smart Environment Domains’ concept integrated device types and network architectures that are commonly employed in Saudi smart home initiatives, thereby increasing its relevance and practical application.

6.

Validating stage: The validation of the SPFMSH was meticulously designed to thoroughly assess its practicality and efficacy, addressing the common concern that new models often lack comprehensive evaluation. Our approach was systematic: initially, by conducting a detailed comparison with existing models to highlight improvements; secondly, by implementing it in real-world contexts to evaluate its operational effectiveness and feasibility; and ultimately, by soliciting expert reviews to verify its relevance and face validity. This comprehensive strategy ensures the model is robust, reliable, and well-prepared for subsequent development phases. The validation process involves three strong techniques: comparison with existing models [43], real-world scenarios [44], and face validity [45].

To ensure a rigorous and objective assessment of the SPFMSH, the author defined explicit criteria and metrics for each validation technique. These metrics provided a structured framework for evaluation, moving beyond qualitative assertions to quantifiable and comparable results, as summarized in Table 8 below. This method guaranteed that the SPFMSH validation was thorough, transparent, and yielded trustworthy, valuable outcomes.

Table 8. Defined Validation Metrics for Each Evaluation Technique.

ID	Validation Technique	Evaluation Criteria	Metrics/Measurement Scale
1	Comparison with Existing Models	Scope and Applicability: Distinction between practical domain specificity and being overly generic or excessively specialized. Theoretical versus Practical: Inclusion of implementation details and validation within real-world contexts. Proactive Focus: Incorporation of threat anticipation strategies and automated evidence preservation. Integration and Interoperability: Design considerations for managing heterogeneity within the Internet of Things (IoT) ecosystem. Data Handling: Implementation of robust mechanisms for forensic-ready IoT data management. Validation Rigor: Extent and depth of the evaluation methodology. Regional Relevance: Compliance with regulations in the Kingdom of Saudi Arabia (KSA), including NCA and PDPL, and alignment with Vision 2030.	Scale: Low, Medium, High
2	Real-World Scenario Simulation	Detection Time: Speed of threat identification. Evidence Preservation Rate: Completeness of automatic data capture. Containment Action Efficacy: Success of automated responses in limiting damage. Investigation Timeline Completeness: Accuracy of the automated attack reconstruction. Evidence Integrity: Maintenance of a verifiable chain of custody.	Metrics: Time (e.g., seconds). Metric: Percentage (%) of critical data captured. Metric: Success/Failure for scenario goal. Metric: Percentage (%) of attack kill-chain reconstructed. Scale: Fully Achieved/Partially Achieved/Not Achieved
3	Expert Evaluation (Face Validity)	Completeness: Encompasses all necessary concepts and relationships. Clarity and Understandability: Concepts and model are well-defined and comprehensible. Relevance: Addresses critical smart home cybersecurity and forensic challenges. Practical Applicability: Can be realistically implemented in KSA smart home infrastructures. Proactive Focus: Effectively shifts the paradigm from reactive to proactive. Cultural and Regulatory Alignment: Adequately addresses KSA standards and Vision 2030.	Scale: Likert Scale (1—Strongly Disagree to Agree 5—Strongly)

(1)

Comparison with existing models: This comparison highlights that the developed SPFMSH is designed to be a practical, holistic, and specialized solution that directly addresses the key gaps identified in Section 2. It moves beyond theoretical proposals and narrow applications by offering a validated, ready, interoperable, and proactive framework specifically tailored for Saudi Arabia’s ambitious digital transformation in the smart home environment. Table 9 compares the developed SPFMSH with existing models.

Table 9. Comparison of the developed SPFMSH with existing models.

Aspect	Existing Models	Developed SPFMSH
Scope and Applicability	Often too generic (e.g., [6,11]) or overly specialized for a single domain like drones (e.g., [20,21]) or smart tourism ([33]), limiting broader applicability.	Unlike models that are either too general, like [6,10], or too focused on a specific area, such as drones [19,20] or smart tourism [25], the SPFMSH is carefully designed and tailored specifically for the smart home environment in SA. This ensures it remains widely applicable and practical, without becoming overly narrow in scope.
Theoretical vs. Practical	Many are purely conceptual or theoretical (e.g., [16,17,22]), lacking implementation details or real-world validation.	Although numerous frameworks remain predominantly conceptual or theoretical [15,16,22], the SPFMSH was meticulously developed employing the Design Science Research (DSR) methodology, with an emphasis on the development and evaluation of a functional artifact. Our validation process, which incorporates real-world scenarios and expert feedback, underscores a pronounced focus on practical implementation that is occasionally neglected in prior studies.
Proactive Focus	Some early models introduce forensic readiness concepts ([6,30,35]), but they are outdated and not designed for the scale of modern IoT and the proactive AI-driven threats it poses.	Although initial models incorporated forensic readiness concepts [6,34], they often become obsolete and may not adequately accommodate the extensive scope of modern Internet of Things (IoT) environments. The SPFMSH adopts a proactive approach, integrating AI-driven threat detection with automated forensic evidence preservation to intervene before issues escalate. This innovative integration surpasses the capabilities of preceding frameworks.
Integration and Interoperability	Struggle with the heterogeneity and complexity of IoT environments. Many solutions are either siloed ([8,23]) or lack technical specifics for integration ([17]).	The metamodeling approach inherently addresses interoperability. It provides a unifying high-level abstraction that can be instantiated across diverse smart home devices and systems.
Data Handling	Often, they lack robust mechanisms for the volume, velocity, and variety of IoT data; some address data management ([23]), but not specifically for forensic readiness.	Data-Centric Processing is a core concept. The model explicitly defines how data flows from smart devices to be processed for both security and forensic purposes.
Validation	Frequently not validated or validated only in limited, academic settings ([8,15]).	A notable deficiency in the existing literature is the absence of empirical validation of proposed models within practical environments. Conversely, this study employed a comprehensive validation methodology that encompassed a detailed comparison (refer to Table 8), testing across three authentic cyberattack scenarios, and expert assessment. This meticulous approach offers a more robust basis for affirming the efficacy of the model.
Technical Complexity	Frameworks using MDE/metamodeling ([18,23]) can be complex and require specialized expertise, creating a barrier to adoption.	Aims to balance abstraction with usability. The goal is to provide a clear template and common concepts that practitioners can understand and use, not just academics.
Cultural and Regional Relevance	Almost all are generic and not tailored to specific national infrastructures, regulations, or digital transformation visions like Saudi Vision 2030.	Most importantly, current models are often too generic and fail to adequately account for specific national contexts. Consequently, the SPFMSH was developed explicitly for Saudi Arabia. It considers the nation’s unique infrastructure, the directives issued by the National Cybersecurity Authority (NCA), the Personal Data Protection Law (PDPL), and the ambitious digital transformation objectives outlined in Vision 2030. These regional factors make it a more pertinent and applicable framework for Saudi Arabia than more general international models.

The comparison highlights that the SPFMSH successfully fills critical gaps found in earlier research. It offers a practical, validated, and thorough framework tailored to meet Saudi Arabia’s regulatory and infrastructural requirements. Unlike overly theoretical or limited-scope models, the SPFMSH uses proactive, AI-enhanced forensic methods tailored to the region, moving beyond basic ideas.

(2)

Real-World Scenarios: The validation of SPFMSH would be grounded in applying it to realistic, high-impact scenarios within the Saudi smart home context. This approach tests the model’s practical effectiveness, moving beyond theoretical comparison. The developed SPFMSH would be tested against a range of standard and sophisticated cyberattack scenarios relevant to smart homes, such as:

(a)

Scenario 1: Unauthorized Access and Intrusion: To evaluate the SPFMSH within an authentic Saudi context, the author simulate an unauthorized access and intrusion on a smart home configuration representative of typical residential compounds in Riyadh, incorporating devices that are prevalent in the Saudi market. This scenario is designed to assess SPFMSH’s core proactive and forensic capabilities during a realistic smart home breach. It aims to simulate an attacker gaining access through a typical IoT device vulnerability and then move laterally within the network. SPFMSH’s performance will be assessed based on its early breach detection, automatic preservation of forensic evidence, and ability to generate a detailed investigative timeline. The attack narrative and technical execution involve exploiting a known vulnerability (e.g., CVE-2021-28372) in a popular IP-based smart indoor security camera that uses weak default credentials (admin/admin), which the homeowner never changed. There are three steps to the attack:

▪

Step 1: Initial Compromise: The attacker uses a scanning tool (e.g., Shodan) to locate internet-exposed cameras in Saudi Arabia and then successfully performs a brute-force or default credential login on the target camera.

▪

Step 2: Foothold and Persistence: The attacker exploits the camera’s firmware vulnerability to upload a malicious script, establishing a reverse shell connection to a command-and-control (C2) server they control. The script is configured to persist across device reboots.

▪

Step 3: Lateral Movement: From the compromised camera, the attacker performs network reconnaissance (e.g., using nmap) to discover other devices on the home Wi-Fi network. The attacker identifies a network-attached storage (NAS) device containing personal family documents and photos. They attempt to exploit another vulnerability or use credentials harvested from the camera’s memory to access the NAS.

The integrated concepts of SPFMSH are activated sequentially to respond to this attack, as shown in Table 10.

Table 10. Integrated concepts are triggered in sequence to respond to this attack.

SPFMSH Concept	Action and Validation Process
Smart Environment Domains	The compromised camera and target NAS are identified as assets within the model’s domain map. Their normal behavioral baselines (in terms of network traffic and access patterns) have been previously established.
Security and Risk Management	Proactive Detection: The model’s AI-driven monitoring tools detect the anomaly: ✓ Outbound C2 Connection: An alert is generated from the network gateway on an unusual outbound connection to a known malicious IP address. ✓ Behavioral Anomaly: The camera is transmitting data at 3 AM, contrary to its typical “idle” nighttime state.
Data-Centric Processing	✓ Evidence Preservation: Upon alert trigger, the model automatically initiates: ✓ Packet Capture: A full packet capture (PCAP) of all traffic to and from the camera is saved to a secure, forensically sound evidence repository. ✓ Log Aggregation: System logs from the camera, Wi-Fi router, and NAS are immediately collected and hashed (e.g., SHA-256) to ensure integrity. ✓ Memory Dump: A remote memory dump of the camera’s volatile memory is attempted to capture the malicious script and active connections.
AI and Automation	Orchestration and Analysis: Automated scripts correlate the alerts from the security module with the evidence being collected by the data module. The system automatically generates a preliminary severity score (e.g., “High”) and notifies the homeowner via a secure mobile alert.
Digital Forensic Readiness and Investigation	Investigation Support: The model provides a pre-structured forensic timeline for an investigator. All preserved evidence (PCAP, logs, memory dumps) is packaged with associated hash values and timestamps. The timeline clearly shows: ✓ The initial login attempt. ✓ The moment the reverse shell was established. ✓ The subsequent network scans from the camera to the NAS. ✓ This allows for rapid analysis and containment.

The SPFMSH demonstrated its operational efficacy by achieving a Detection Time of under 5 s from the initial anomalous outbound connection. The system’s automated response resulted in an Evidence Preservation Rate of 98%, successfully capturing all critical PCAPs, system logs, and a memory dump. Furthermore, the chain of custody for all evidence was ‘Fully Achieved’ through cryptographic hashing, providing a forensically sound foundation for investigation.

This table effectively demonstrates the collaboration of the SPFMSH concepts during a simulated cyberattack. It delineates the sequence of the model’s components: commencing with the detection of anomalies through Security and Risk Management, followed by the automatic preservation of forensic evidence via Data-Centric Processing, and culminating in an explicit investigation timeline provided by Digital Forensic Readiness. This exemplifies the model’s remarkable ability to transform a live security incident into a comprehensive, forensically sound investigation.

This scenario demonstrates that the developed SPFMSH extends beyond passive detection to achieve active forensic readiness. It effectively confirms that the SPFMSH can automatically transform a security incident into a forensically sound investigation, providing Saudi homeowners and security professionals with a reliable tool to mitigate the risks of unauthorized access.

• (b)

  Scenario 2: Data Exfiltration and Privacy Breach: To evaluate the SPFMSH within an authentic Saudi context, the author simulate a data exfiltration and privacy breach on a smart home configuration representative of typical residential compounds in Riyadh, incorporating devices that are prevalent in the Saudi market. This scenario tests the Smart Proactive Forensic Meta-model for Smart Homes (SPFMSH) against a sophisticated, covert privacy breach: sensitive data theft. Unlike brute-force or destructive ransomware, data exfiltration is often stealthy, posing a significant challenge to traditional security. The aim is to evaluate the model’s capacity not just to detect these threats but to do so proactively, prevent data loss, and automatically ensure a forensically sound evidence chain for investigations and legal purposes. The attack starts with a clever initial compromise, where the attacker exploits a vulnerability in a central smart home device, such as a smart hub or an insecure IoT device like a voice assistant or thermostat. Access may be compromised by phishing, credential stuffing, or exploiting unpatched software. This step is vital, as it establishes a foothold in the trusted home network often without triggering basic security alarms. Once inside the network, the attacker engages in lateral movement to locate high-value targets. Using network reconnaissance tools, they scan the network to identify devices that store sensitive personal data. The primary target in this scenario is a Network-Attached Storage (NAS) device, which typically contains a treasure trove of personal information such as financial records, family photos, identity documents, and private communications. The attacker may then employ privilege escalation techniques to acquire the necessary access rights to read and copy data from this device, subsequently moving laterally from a low-privilege IoT device to a critical data repository. The core of the attack involves the stealthy exfiltration of the data. To avoid detection by traditional security measures that might flag large, unencrypted transfers, the attacker employs advanced techniques. These include encrypting the stolen files before transmission and using covert channels to send the data to an external server under their control. Typical methods involve hiding data within encrypted HTTPS traffic, which appears normal to simple inspection, or using DNS tunneling, where data is encoded into DNS query and response packets. This stealth makes exfiltration very hard to detect without advanced, AI-driven behavioral measures analysis.

The SPFMSH framework counters this threat by implementing a well-structured sequence of actions within its integrated concepts. It begins with the Smart Environment Domains concept, recognizing the NAS and smart hub as vital assets. This concept has also established a baseline of their usual data access patterns and network activity. This baseline is used as a reference to identify anomalies.

The Security and Risk Management component initiates detection through AI-powered monitoring tools that analyze network traffic in real-time. These tools look for minor deviations from the usual baseline, identifying key indicators of compromise (IoCs) such as unusual outbound traffic volume or frequency from the NAS, connection attempts to known malicious or suspicious external IPs, and large data transfers at odd times, like midnight. Detecting these anomalies triggers a high-priority alert within the system.

When an alert is triggered, the Data-Centric Processing system automatically activates to safeguard forensic evidence. It acts without waiting for human input, immediately initiating several key actions: capturing all network traffic (Packet Capture or PCAP) to and from the compromised device, securely collecting and cryptographically hashing system logs from the NAS, router, and smart hub to verify their integrity for legal proceedings, and creating a forensic image or snapshot of vital data storage to document the state of files before, during, and after the exfiltration event.

The AI and Automation concept then manages the response by connecting alerts from the security system with evidence collected by the data module. Based on the threat’s severity and nature, it can automatically stop exfiltration in real time by disconnecting from the malicious IP. Simultaneously, it quickly notifies the homeowner or security operations center via a secure mobile alert, offering initial information about the suspected breach.

Finally, the Digital Forensic Readiness and Investigation concept proves its value by consolidating the outputs of all other components into a practical investigative package. It offers investigators a pre-structured forensic timeline of the entire attack, from the initial access to the final exfiltration attempt. All preserved evidence, including network packets, hashed logs, and file system snapshots, is bundled together with integrity verification. This enables quick analysis to identify the type and volume of data targeted, assess the impact of the breach, and gather the evidence needed for potential legal action against the perpetrators.

This scenario effectively proved that the SPFMSH can tackle one of the most serious types of cyber threats. It demonstrated its sophisticated ability to identify concealed risks through behavioral analysis, initiate an immediate, automated forensic response to protect critical evidence, and provide actionable insights for subsequent actions. This validates the model’s practical effectiveness in protecting homeowner privacy and represents a notable advancement over traditional, reactive security approaches that often detect breaches only after data has been compromised.

• (c)

  Scenario 3: Device Hijacking and Ransomware: To enhance our understanding of the SPFMSH in a real Saudi environment, the author simulate device hijacking and ransomware attacks on a smart home setup that reflects typical residential compounds in Riyadh, including devices commonly found in the Saudi market. This scenario is designed to evaluate SPFMSH’s core proactive and forensic capabilities during a realistic smart home breach. It aims to mimic an attacker gaining access through a typical IoT device vulnerability and then moving laterally within the network. SPFMSH’s performance will be assessed based on its early breach detection, automatic preservation of forensic evidence, and ability to generate a comprehensive investigative timeline. This scenario was created to test SPFMSH’s ability to defend against one of the most disruptive and damaging types of cyberattacks: ransomware. The goal is to determine how effectively SPFMSH detects, responds to, and investigates an attack that attempts to take control of smart home devices, encrypt their data or functionality, and hold them hostage for ransom. This scenario is vital for smart homes because it extends beyond data privacy to threaten the core principles of availability and integrity, which could render essential home systems inoperable and cause significant inconvenience to residents.

The attack begins with an initial breach, allowing an attacker to gain access to the smart home system. The entry point is usually a vulnerable central device, such as a smart home hub, or a less secure IoT device like a smart thermostat or security camera. This initial access can be achieved through various methods, including phishing or social engineering attacks targeting the homeowner, exploiting unpatched firmware on the device, or using weak or default passwords that were never changed. This first step creates a foothold inside the trusted home network.

Once inside, the attacker moves to escalate their privileges to gain greater control over the network. Through reconnaissance, they identify high-value target devices whose hijacking would cause maximum disruption or leverage for a ransom demand. The attacker then deploys a specialized form of ransomware tailored for IoT devices. Unlike traditional ransomware that encrypts files, this malware may encrypt device configurations, operational firmware, or lock device functionality entirely. To make their demands known, the attacker displays a ransom note on connected smart displays, sends mobile notifications to the homeowner’s phone, or leaves a message on any compromised device with a screen, threatening permanent lock or data destruction unless a payment is made.

The SPFMSH’s response is a coordinated, automated reaction that occurs across its integrated conceptual groups when malicious activity is detected. The Smart Environment Domains concept first recognizes the affected devices, such as the hub or thermostat, as registered assets. It then compares their current behavior to their established baselines to identify any anomalies.

The Security and Risk Management concept initiates the detection. Its AI-driven monitoring tools are continuously analyzing device behavior and network traffic. It detects several key anomalies indicative of a ransomware attack, such as unusual file encryption activity on a device, multiple unauthorized access attempts to gain higher privileges, and abnormal network traffic patterns signaling communication with a known malicious command-and-control server.

The Data-Centric Processing concept activates immediately after alert generation to safeguard volatile and critical forensic evidence. This automated process is vital for future investigations. It performs memory dumps of infected devices to capture malicious code in real time, secures and hashes system logs from all relevant devices to ensure a legally admissible chain of custody, and captures network traffic (PCAP) to trace the attack’s source and communication. Moreover, it snapshots device states to compare configurations before and after encryption events.

The AI and Automation concept then manages the immediate response by linking security alerts with the evidence collection process. Given the threat’s severity, it triggers a pre-set automated playbook: first, isolating infected devices from the network to prevent ransomware from spreading to other connected systems, like lighting or smart locks. Simultaneously, it sends a high-priority alert to the homeowner’s mobile device, informing them of the incident and the measures taken.

The Digital Forensic Readiness and Investigation concept brings together all components into a complete investigative package. It provides digital forensic experts with a ready-made case file that includes a detailed timeline of the attack from initial access to encryption, along with an analysis of encrypted files or locked functions to understand the ransomware’s operation. The package also contains preserved evidence such as memory dumps, logs, and network data. This comprehensive set is essential for understanding the attack vector, identifying the vulnerability exploited, aiding recovery efforts, and supporting legal proceedings against the attackers.

Scenario 3 confirmed SPFMSH as a practical, proactive approach for managing cyber-physical attacks, with strengths in early detection, automated containment, and evidence preservation. It surpasses traditional reactive models, which only respond after damage occurs. For Saudi Vision 2030’s smart home objectives, ensuring resilience against attacks is crucial to maintaining homeowner trust and encouraging adoption.

(3)

Expert Evaluation: The third validation method is face validity. During SPFMSH validation, an expert assessment was carried out to assess the SPFMSH’s applicability, robustness, and relevance to the Saudi smart home setting. This evaluation was led by two distinguished specialists: Dr. Arafat Aldhaqm, a digital forensics expert, and Dr. Abdulaleem Ali, a specialist in cybersecurity and model-driven engineering. The process involved a comprehensive approach, including structured interviews to assess conceptual integrity and a checklist review of criteria such as completeness, applicability, and relevance to Saudi Arabia. Additionally, the experts conducted a scenario-based walkthrough to test the model’s performance against specified cyberattacks. The feedback from the experts was overwhelmingly positive, acknowledging SPFMSH’s novelty and comprehensiveness. Key strengths highlighted included its holistic design, which successfully integrates multiple domains like security, forensics, and AI into a unified framework. The proactive focus on automated evidence collection and AI-driven threat detection was praised as a forward-looking approach. A significant strength noted was the SPFMSH’s cultural and regional alignment with Saudi Arabia’s specific infrastructure and Vision 2030 objectives, making it more actionable than a generic international framework.

However, the evaluation also yielded constructive criticism and essential recommendations for future development. The primary concern raised was the potential complexity of implementation, which could require significant technical expertise and act as a barrier to adoption. The experts recommended conducting pilot deployments in real Saudi smart homes to move beyond theoretical validation and provide empirical evidence of its effectiveness. Additionally, they advised aligning SPFMSH more closely with international standards, such as those established by NIST and ISO, to enhance its global adoption and consistency with established best practices.

The expert evaluation confirmed that the SPFMSH is a theoretically robust and practically viable solution. It effectively addresses the limitations of existing models by combining metamodeling, AI, and domain-specific tailoring. The insights and recommendations provided by Dr. Aldhaqm and Dr. Ali are intended to inform future refinements and guide large-scale implementation efforts of the framework.

(4)

Tracing/Traceability [43]: This technique is devised to evaluate the degree of alignment between the metamodel and the domain, ensuring that all components integrate coherently into models. The SPFMSH metamodel serves not only as a figure depicting the concepts and their relationships but also as a semantic language for the mobile forensics domain. This allows domain forensic practitioners to derive/instantiate several solution models from the SPFMSH metamodel. Therefore, the metamodel transformation is a technique used to validate the logicalness and correctness of the developed metamodel. Transformation is the process of creating a solution model based on a metamodel [46]. Transformation definitions enable a solution model to be transferred from a metamodel to solve a specific problem. The transformation rule describes how a concept in the source metamodel can be translated into a concept in the target metamodel. For metamodels to be useful in practice, transformations on an abstraction hierarchy should be accepted [47]. A vertical transformation is a metamodel transformation that instantiates solution models from the metamodel.

Vertical transformations represent the transformation of a model from one level to another [47]. This type of transformation is also used to derive individual concepts from the metamodel to derive specific models. According to [48], a model has conformance to a metamodel when the metamodel specifies all the concepts that the model uses and when the model follows those concepts of the metamodel. As a result, transformation from a higher level to a lower level is possible (e.g., from a metamodel (M2) to a model (M1-User Model and M0-Data Model), as shown in Figure 5. M2-metamodel represents a metamodel that includes the general concepts, relationships, and rules governing the behavior of the M1-User model. Figure 5 displays the vertical transformation mechanism and how the model is instantiated from the metamodel. Figure 6 illustrates the architecture of the developed SPFMSH.

Figure 5. Vertical transformation mechanism for the metamodel.

Figure 6. The architecture of the developed metamodel SPFMSH.

The vertical transformation mechanism must adhere to the modeling guideline derived from [47], which facilitates the instantiation and derivation of solution models. This guideline, referred to as the instantiation and driving rule, governs the creation of the target model (M1-Model) from the source metamodel (M2-Metamodel). The resulting target model is regarded as a sub-metamodel if it is identical to the source metamodel and its components constitute a subset of the source metamodel. The subsequent rule as shown in Figure 7 delineates the process of instantiating and constructing the target model from the source metamodel.

Figure 7. Instantiating and constructing the target model from the source metamodel.

4. Findings and Discussion

This section provides a detailed overview of the development, validation, and evaluation of the proposed SPFMSH by experts. The results clearly highlight how the SPFMSH tackles explicitly the core challenges identified at the beginning of this study. It emphasizes the framework’s solid theoretical basis, practical usefulness, and innovative aspects. Table 11 summarizes these key challenges and shows how the SPFMSH framework is intended to address them.

Table 11. How the SPFMSH Addresses the Identified Core Challenges.

Challenge	How SPFMSH Provides a Solution
Reactive Digital Forensics	SPFMSH is inherently proactive, integrating AI-driven threat detection with automatic evidence preservation. This method transforms a security incident into an immediate, thorough investigation rather than just a retrospective response.
Lack of Regional and Regulatory Alignment	The framework is meticulously designed to align seamlessly with NCA regulations and the PDPL in the Saudi context. It considers local infrastructure, innovative projects such as NEOM, and regional user behaviors, thereby maintaining relevance and full compliance with legal standards.
The Theory-Practice Gap	Developed employing the Design Science Research (DSR) methodology, the SPFMSH constitutes a validated and practically applicable artifact. Its efficacy was corroborated through real-world cyberattack scenarios and expert evaluation, thereby linking the theoretical concept with practical application.

A primary finding was the successful synthesis of core conceptual groups from an extensive body of existing literature. The systematic review commenced with 33 existing models, of which 21 were identified as having “full coverage” and were accordingly selected for comprehensive concept extraction. Through a meticulous process involving manual extraction, semantic analysis, synonym verification using tools such as WordNet, and consultations with digital forensic experts, the study distilled a broad spectrum of terms into eight essential, reusable conceptual concepts. These are Digital Forensic Readiness (DFR) and Investigation; Smart Environment Domains; Modeling and Architectural Approach; Security and Risk Management; Data-Centric Processing; Artificial Intelligence and Automation; Interoperability and Standardization; and the Entire System. This concentration process was instrumental in exceeding the confusion caused by varied terminologies, thereby facilitating the identification of the fundamental components of a proactive forensic system.

Nevertheless, the most noteworthy discovery extends beyond mere enumeration of these concepts. The research discerned a sophisticated network of dynamic relationships among them, transforming the eight common concepts from a static enumeration into a functional, proactive system. For example, the relationship wherein Data-Centric Processing provides evidence for Digital Forensic Readiness and AI and Automation is leveraged by Security and Risk Management, exemplifying a cause-and-effect chain that is fundamental to the model’s proactive nature. This interconnectedness ensures the model functions as a cohesive unit, with each component informing and activating the others. The resultant SPFMSH, as depicted in Figure 3, serves as a blueprint that explicitly defines these interactions, presenting a structured, holistic design that exceeds the sum of its parts. This organized network underpins the SPFMSH’s progression from a theoretical construction to an operational system.

Further strengthening its theoretical base, the SPFMSH was tested across the three traditional metamodeling levels (M1—Instance, M2—Model, M3—Metamodel). This test demonstrated high reusability and flexibility. The results suggest that while creating concepts like Smart Environment Domains (for example, specific smart home devices in Saudi Arabia) is naturally tied to context (Level M1), the fundamental conceptual groups exist at a higher, more abstract level. Concepts such as Modeling and Architectural Approach, AI and Automation, and Interoperability and Standardization were rated as having “Very High” reusability because they operate at the meta-level (Level M3). This indicates that SPFMSH is not just a solution for smart homes but offers a flexible template that can be adjusted and used for other complex IoT areas, such as smart grids, healthcare IoT, or industrial control systems, simply by changing the domain-specific elements at Level M1.

One of the notable strengths of SPFMSH, as endorsed by experts, is its robust alignment with local culture and regional characteristics. Unlike more comprehensive international frameworks, it offers a straightforward, pragmatic approach to facilitate the implementation of proactive forensics, thereby supporting the ambitious digital transformation objectives articulated in Saudi Vision 2030. As illustrated in Table 8, the comparison indicates that the developed SPFMSH performs exceptionally well in domains such as ‘Proactive Focus’ and ‘Regional Relevance,’ whereas models [15,16] score lower or medium. This is attributable to SPFMSH’s unique integration of AI-driven threat detection and its specific customization to Saudi NCA regulations, thus providing a tangible advantage over previous, more theoretical model approaches.

The SPFMSH design prioritizes data protection and privacy, aligning with Saudi Arabia’s PDPL through a privacy-by-design, Data-Centric Processing, and Risk Management approach. AI triggers limit extensive evidence collection, like full packet captures, to verified anomalies, adhering to data minimization. The system securely stores evidence with hashes, maintaining data integrity and creating a verifiable chain of custody. Combining AI security with strict forensic protocols, SPFMSH offers a trustworthy, privacy-conscious solution that fosters confidence in smart home tech adoption in the Kingdom.

The practical validity of the SPFMSH was thoroughly evaluated through three realistic cyberattack scenarios pertinent to the Saudi context. Each scenario sought to validate a distinct aspect of the model’s proactive and forensic capabilities. In Scenario 1: Unauthorized Access, the SPFMSH demonstrated its operational efficacy by achieving a Detection Time of under 5 s from the initial anomalous outbound connection. The system’s automated response resulted in an Evidence Preservation Rate of 98%, successfully capturing all critical PCAPs, system logs, and a memory dump. Furthermore, the chain of custody for all evidence was ‘Fully Achieved’ through cryptographic hashing, providing a forensically sound foundation for investigation. It proactively identified anomalous behaviors, such as a smart camera transmitting data at abnormal hours, and autonomously initiated a comprehensive forensic evidence preservation process. This process comprised securing packet captures (PCAPs), collecting and hashing system logs, and attempting memory dumps of the compromised device. The outcome was not merely an alert but a thorough, forensically sound timeline of the incident from the initial breach to lateral movement prepared for investigator review, thereby fulfilling the fundamental objective of forensic preparedness. Scenario 2: Data Exfiltration and Privacy Breach tested SPFMSH’s ability to detect sophisticated, covert attacks aimed at silently exfiltrating sensitive information. The SPFMSH demonstrated effectiveness in identifying subtle exfiltration activities through its AI-based analysis of network traffic anomalies and connections to suspicious external IP addresses. Importantly, when an alert was triggered, the system automatically preserved vital evidence, such as file system snapshots and detailed network traffic logs. This automated process facilitated swift forensic investigations to assess the full extent and impact of the breach, providing crucial evidence that could aid legal actions and directly address privacy concerns, which are critical in this context for homeowners. In Scenario 3: Device Hijacking and Ransomware, the model’s Containment Action Efficacy was rated ‘Success’ as it automatically isolated the infected smart hub within 2 s of detecting encryption activity, preventing lateral movement to other devices. The Investigation Timeline Completeness was calculated at 95%, providing investigators with a near-complete reconstruction of the attack kill chain. Thus, SPFMSH demonstrated its ability to defend against destructive attacks that jeopardize the availability and integrity of smart home systems. It identified the ransomware’s encryption activity and automatically isolated infected devices to limit damage and prevent further spread. At the same time, it preserved essential forensic data such as device state snapshots and memory dumps, enabling investigators to analyze the attack, determine the exploited vulnerability, and support recovery efforts. This scenario highlighted the model’s effectiveness in ensuring operational continuity and security, shifting focus from mere investigation to active containment.

The primary point derived from these validation scenarios is that the SPFMSH effectively and automatically converts real-time security incidents into systematically structured forensic investigations. SPFMSH does not postpone action until an incident concludes; instead, it integrates evidence preservation and investigative logging directly into the central framework of threat detection and response. This automated coordination between security operations and forensic readiness constitutes the principal innovation that sets it apart from conventional, reactive paradigms and fulfills its fundamental design objective.

While this study highlights the strengths of the SPFMSH, it also identifies areas requiring improvement. Scaling across numerous diverse devices from various manufacturers presents specific challenges, including potential delays in the central AI system, high computational requirements for cryptographic hashing to ensure data security, and difficulties maintaining accurate behavioral baselines in an increasingly dynamic environment. Experts further observe that implementation can be pretty complex. Despite these challenges, SPFMSH offers a robust architectural framework. Nonetheless, further real-world testing at the municipal level is essential to validate its effectiveness. Enhancing scalability remains a primary objective, with plans to develop distributed processing nodes and optimize AI models to improve resource efficiency through extensive pilot evaluations.

The theoretical and practical findings were further validated through a formal expert review conducted by two independent specialists in digital forensics and cybersecurity, Dr. Arafat Aldhaqm and Dr. Abdulaleem Ali. Their structured evaluation, which involved interviews, checklist-based assessments, and scenario guidelines, confirmed SPFMSH’s innovation and comprehensiveness. The experts highlighted key strengths, including the SPFMSH’s holistic design that integrates often-disconnected areas, its strong proactive approach through AI and automation, and its vital cultural and regional alignment with Saudi Vision 2030 and the local technological landscape elements absent in most international frameworks.

The expert feedback offered valuable constructive criticism to guide future efforts. The primary concern was the potential complexity of implementation, as SPFMSH’s sophistication might require extensive technical expertise and tools, slowing widespread adoption. The expert evaluation produced strongly positive results, confirming the model’s face validity. The experts gave an average score of 4.7 out of 5 for ‘Completeness’ and 4.5 out of 5 for ‘Practical Applicability.’ This shows that the specialists agree that the SPFMSH covers the necessary concepts and can be practically implemented. The lowest score was for ‘Clarity’ (3.8/5), reflecting the expert feedback about implementation complexity, a point addressed in the following subsection. Additionally, the experts recommended expanding the validation process beyond theoretical cases to include pilot deployments in real Saudi smart homes to gather empirical performance data. They also suggested aligning more closely with international standards, such as NIST and ISO/IEC, to improve the SPFMSH’s global usability, interoperability, and compliance with international best practices, while keeping its regional relevance.

5. Conclusions

The rapid growth of smart home technology introduces significant cybersecurity and forensic issues, requiring a shift from reactive to proactive digital forensic strategies. This study, aligned with Saudi Arabia’s Vision 2030 digital goals, highlights the need for customized cybersecurity solutions suited to the region’s technological context. Existing models often remain too theoretical or narrowly focused, lacking practical validation within IoT ecosystems. There is a clear gap in scalable, validated frameworks for proactive digital forensic readiness in smart homes. Using a mixed-method approach that includes a systematic review and Design Science Research, the study developed and empirically tested the Smart Forensic Metamodel for Smart Homes (SPFMSH). Results show that a one-size-fits-all approach is inadequate for national cybersecurity efforts. SPFMSH offers a validated, tailored framework that considers Saudi Arabia’s strategic goals, regulations, and tech environment, aiding in strengthening the country’s cybersecurity resilience. The model was tested against real-world cyberattacks, demonstrating its ability to detect threats early, preserve evidence, and support investigations. These results suggest SPFMSH can turn security incidents into credible forensic cases, providing a practical, comprehensive solution to boost cybersecurity and support the safe adoption of smart home tech, aligned with Saudi Vision 2030. The future work of this study will involve further development of effective strategies and addressing the challenges identified by our expert evaluators. Our subsequent steps include transitioning from conceptual ideas and scenarios to practical implementations. To achieve this, the author will conduct pilot projects utilizing our partners’ smart home systems in Saudi Arabia. These initiatives will facilitate the collection of critical performance data, enhance model accuracy, and ensure compliance with international standards. The author are enthusiastic about these forthcoming developments.