Article

Smart Home IoT Forensics in Matter Ecosystems: A Data Extraction Method Using Multi-Admin

1 Department of Artificial Intelligence Convergence Network, Ajou University, 206 World Cup-ro, Suwon-si 16499, Gyeonggi-do, Republic of Korea
2 Graduate School of Information and Communication Technology, Ajou University, 206 World Cup-ro, Suwon-si 16499, Gyeonggi-do, Republic of Korea
3 Department of Cybersecurity, Ajou University, 206 World Cup-ro, Suwon-si 16499, Gyeonggi-do, Republic of Korea
* Author to whom correspondence should be addressed.
Electronics 2026, 15(4), 884; https://doi.org/10.3390/electronics15040884
Submission received: 13 January 2026 / Revised: 16 February 2026 / Accepted: 18 February 2026 / Published: 20 February 2026
(This article belongs to the Special Issue New Challenges in IoT Security)

Abstract

As the smart home ecosystem expands with the adoption of Matter, a wide variety of Internet of Things (IoT) devices are entering the market, and these devices are becoming more complex, as they support diverse functionalities. Consequently, smart home forensics often requires data extraction procedures that are specific to each device and platform, which increases the technical burden and time costs for investigators. To address these challenges, this study proposes a method that leverages Matter Multi-Admin support for multiple fabrics to enable efficient data acquisition from Matter-enabled IoT devices, regardless of the underlying smart home platform. This method configures a forensic Matter controller using chip-tool and commissions IoT devices that have already been commissioned to a smart home platform into a secondary fabric via Multi-Admin. The forensic controller then performs data extraction using standardized Matter interfaces. The proposed approach was validated on our smart home testbed by targeting a Matter smart bulb commissioned to the SmartThings platform and successfully extracting data generated by the platform, thereby demonstrating the utility of the method. The results indicate that the method enables nondestructive and efficient evidence acquisition from smart home IoT devices and can support future research and real-world investigations.

1. Introduction

Driven by the rapid proliferation of smart home devices, the global smart home market reached an estimated valuation of $183.2 billion in 2024, with the United States accounting for approximately $50.6 billion [1]. As the market expands, industry stakeholders are increasingly adopting the Matter standard to ensure interoperability across leading platforms, including Google Home, Amazon Alexa, Apple Home, and Samsung SmartThings. Since its official launch, the ecosystem has grown to encompass more than 1400 certified devices, enabling broad compatibility across devices and platforms [2]. Internet of Things (IoT) devices, with capabilities such as voice assistants, security cameras, and environmental sensors, have been deployed in hundreds of millions of households worldwide, continuously collecting daily data that can serve as “silent witnesses” in criminal investigations. For example, in 2022, investigators in Kansas City sought, pursuant to a warrant, to obtain audio logs stored in the cloud from an Amazon Echo device recovered at a homicide scene. In the same year, Ring disclosed that it had provided video to law enforcement on at least eleven occasions without user consent, thereby underscoring the legal and investigative value of data generated by smart home devices [3,4]. Accordingly, automatically generated voice recordings, video footage, sensor logs, and control records from smart home devices are increasingly being used for crime scene reconstruction, alibi verification, and suspect tracking, heightening the importance of smart home forensics. However, the field faces several challenges. Devices are becoming increasingly miniaturized and engineered with greater complexity, making access to internal storage difficult. Manufacturers adopt divergent hardware and firmware architectures, as well as interface designs, which require acquisition and analysis techniques tailored to specific devices. 
Additionally, approaches that rely on serial debug interfaces, such as Universal Asynchronous Receiver-Transmitter (UART) and Joint Test Action Group (JTAG) ports, or on chip-off carry the risk of device damage or destruction, and device-to-device communications are typically encrypted; thus, decryption is required before packet analysis. To address these challenges, new acquisition methods that can be applied across smart home devices and platforms are required to extract data reliably [5,6,7].
The Matter standard, which is being adopted rapidly in the smart home domain, is supported by major platforms such as Google Home, Amazon Alexa, and Samsung SmartThings, and many IoT manufacturers are introducing devices that support Matter. At the same time, as the range of device types and functions supported by Matter grows, the attack surface expands and smart home security risks increase. Therefore, researchers have been conducting security analyses of Matter. Moreover, as smart home devices are increasingly misused as tools of crime and used as evidence in domestic cases, the technical features of newly released devices remain insufficiently reflected in existing smart home forensics research, which can hinder their use in real investigations. Accordingly, this study proposes a Matter-based smart home forensic approach that can be applied across devices and platforms and evaluates its effectiveness experimentally.
The main contributions of this study are as follows:
  • Proposal of an IoT forensic acquisition approach based on Matter Multi-Admin: This study proposes a digital evidence acquisition approach that can be applied to most devices that support Matter, regardless of the manufacturer or platform. By providing a Matter standard-based solution for smart home forensics, which has traditionally relied on extraction methods tailored to specific devices, this approach enables the efficient acquisition of diverse digital evidence.
  • Implementation and validation of a nondestructive data acquisition technique: The feasibility of extracting forensic data stored on IoT devices without disassembly or direct access to on-device storage was experimentally verified on a smart home testbed. Using a smart bulb paired with SmartThings, the device was added to a secondary Matter fabric implemented with chip-tool, and the data generated in the primary SmartThings fabric were extracted without damaging the device.
  • A novel acquisition approach for smart home forensics: A new approach is proposed that applies Matter features to forensic acquisition in smart home environments and provides foundational insights for future research on smart home forensics.
The remainder of this paper is organized as follows: Section 2 introduces Matter and chip-tool; Section 3 reviews related works on Matter and smart home forensics; Section 4 presents a smart home forensic approach based on Matter; Section 5 describes the experimental validation for the proposed approach on a smart home testbed; Section 6 discusses the proposed approach and experiments; and Section 7 concludes the paper.

2. Background

2.1. Matter

Matter is an open standard established by the Connectivity Standards Alliance (CSA; Davis, CA, USA) to ensure interoperability between smart homes and IoT devices. Version 1.0 was released in 2022. Matter operates on a single IP-based network and uses Wi-Fi, Thread, and Ethernet as transport links for operational traffic. Bluetooth Low Energy (BLE) is primarily used during commissioning as a temporary link. This standard aims to provide compatibility independent of vendors and platforms, improving both the ease of installation and security.
The Matter standard is organized around encrypted security domains known as fabrics. A smart home platform discovers nearby commissionable devices via BLE advertisements, Wi-Fi Soft Access Point, or DNS Service Discovery (DNS-SD), and the onboarding payload is conveyed through a QR code or, in newer versions, NFC. The commissioning flow consists of Discovery, Password-Authenticated Session Establishment (PASE), Certificate-Authenticated Session Establishment (CASE), and Configuration. A secure channel is established using a one-time pairing code, following which X.509 operational certificates are exchanged to obtain long term operational credentials [8].

2.1.1. Fabric

In Matter, a fabric is a logical security and administrative domain that defines a trusted relationship between a controller ecosystem and Matter devices. Practically, a fabric corresponds to a set of devices and controllers that share the same trust anchor, represented by a fabric’s root Certificate Authority, and operate under a common identity namespace [9].
A fabric is created and managed by a controller that performs commissioning, referred to as the commissioner. In many consumer deployments, the commissioner is typically implemented as a mobile app, often in conjunction with a smart home hub depending on the platform architecture. During commissioning, the commissioner establishes an initial secure session with the device using a one-time setup credential and then operationalizes the fabric by issuing and installing fabric-scoped operational credentials on the device. In particular, the device receives a Node Operational Certificate and related identifiers that bind the device to that fabric, while the controller retains the corresponding fabric information required to authenticate and communicate with the device in subsequent interactions. As a result, secure operational communication in Matter is fabric-scoped, meaning that session establishment, peer authentication, and access control decisions are evaluated within the context of the fabric.
When a device is commissioned into a fabric, it is provisioned with fabric-scoped operational credentials and metadata. These credentials enable the device to establish secure sessions, authenticate peer nodes, and enforce access control within that fabric. A single physical Matter device can be commissioned into multiple fabrics. During commissioning, the device stores fabric-scoped operational credentials and identifiers for each fabric, enabling independent authentication and access control per fabric. This means that the same device may belong to different administrative domains while maintaining independent operational credentials and access permissions per fabric.

2.1.2. Multi-Admin

In a Matter network, the capability that allows a single device to join multiple fabrics simultaneously is referred to as Multi-Admin. Each fabric has its own root certification authority (root CA) and unique identifier (fabric ID). During commissioning, the device receives and stores fabric-specific operational credentials, including a Node Operational Certificate, for each fabric. Consequently, the same device can be used for different fabrics, and it can be controlled and monitored by the commissioner in each fabric.

2.1.3. Matter Data Model

The Matter data model is organized into the endpoint, cluster, and attribute/command/event layers. An endpoint represents a logical functional unit within a physical device such as the partition responsible for lighting control or temperature sensing. Each endpoint is assigned one or more clusters; a cluster denotes a specific functional set and, within it, defines attributes that describe the state, commands that request actions, and, where applicable, events that deliver notifications. For example, in the On/Off cluster (0x0006), the OnOff attribute stores the power state, and the On and Off commands perform power control. Notifications such as hardware faults are typically exposed by related diagnostics clusters when defined. Under the Matter Interaction Model specification, a controller accesses cluster interfaces to perform attribute reads and writes, send commands, and subscribe to events consistently, thereby enabling a uniform control and monitoring mechanism, regardless of the manufacturer or platform.

2.2. Chip-Tool

Chip-tool is a command line interface (CLI)-based controller implementation included in the Matter SDK, which is developed by members of the Connectivity Standards Alliance. It is designed to allow users to commission devices onto a network and interact with them directly over Matter messages using only the command line [10]. Its key capabilities include device discovery via BLE advertisements and DNS-SD and onboarding with QR code payloads; NFC is also supported as an onboarding payload in recent releases. It supports commissioning a device into a fabric using PASE/CASE, managing fabrics (including adding or removing them), reading and writing cluster attributes, invoking commands, and subscribing to events. Using these functions, the end-to-end behavior of Matter devices can be exercised and implemented entirely from the command line.

3. Related Works

A broad range of evidence acquisition and analysis techniques for heterogeneous devices and ecosystems have been developed for smart home and IoT forensics. The studies cited in this section were selected to represent recurring acquisition paradigms in smart home IoT forensics and to capture early security insights on multi-controller behaviors in Matter, such that the practical limitations motivating a standardized, nondestructive acquisition path can be clearly contextualized. DEF-IoTF, proposed for smart bulbs, demonstrated that artifacts stored on the device, including network-related traces and application logs, could be recovered through a combination of software-level and hardware-level acquisition [11]. Although this study highlighted the evidentiary value of internal artifacts, its applicability is constrained by a strong dependence on a specific device category and partial reliance on a particular weakness, which limits portability across vendors and IoT classes. Shin et al. presented an integrated methodology that combines open-source intelligence with application, network, and hardware analyses to investigate heterogeneous smart home incidents across multiple platforms [12]. This approach improves the investigative completeness but still requires investigators to tailor the acquisition steps to each platform and device combination, reflecting persistent fragmentation in smart home ecosystems.
Beyond platform level heterogeneity, prior studies have examined artifacts and acquisition constraints that are specific to device categories. Kim et al. studied intelligent and smart IoT devices in the wearable domain and showed that considering both logical and physical extraction can reveal rich personal artifacts from sensor-driven devices [13]. However, procedures and storage patterns centered on wearables cannot be readily generalized to nonwearable smart home devices, which expose different interfaces and artifact structures. Kim et al. also analyzed smart wallpad control panels and demonstrated that abundant evidentiary data could be obtained through a combination of network capture, software exploitation, serial access, and storage imaging [14]. This line of work underscores the value of hub like components but also illustrates common limitations of invasive or vendor-specific techniques, including an increased risk of device damage and reduced repeatability across vendors.
Other studies have pursued generalized frameworks and network centric approaches. Mazhar et al. proposed an M2M-based framework that uses centralized logging and machine learning to detect and analyze attacks, demonstrating that network layer traces can support IoT forensic analysis at scale [15]. Such approaches can preserve volatile event evidence and interaction patterns observed in the communication layer; however, they remain limited when investigators must interpret device resident state, histories, and on-device configurations as primary evidence. In addition, network centric monitoring alone often cannot substitute for standardized acquisition of device resident artifacts when device side state and histories must be interpreted for evidential purposes. To address cross platform investigations, Kim et al. proposed a common architecture-based framework that analyzes application functionality, extracts data from interconnected devices, and identifies evidentiary artifacts across multiple smart home platforms [16]. Although this approach improves scalability at the investigation level, it still depends on platform-specific interfaces and does not provide a broadly reusable, nondestructive acquisition channel on the device side. Collectively, these limitations indicate the need for a standardized device side acquisition path, rather than relying primarily on platform-dependent interfaces or invasive access methods.
Recent research has further emphasized the need for generalizable data acquisition and systematic evidence handling. Kaushik et al. summarized the challenges in smart home IoT forensics and stressed that heterogeneity in storage, protocols, and companion-app designs complicates consistent acquisition and analysis across devices [17]. Mahmood et al. comparatively evaluated IoT forensic frameworks and reported that many approaches fail to satisfy the heterogeneity, scalability, and evidence preservation requirements simultaneously, suggesting gaps in end-to-end applicability [18]. Eichhorn et al. examined smart relays and their companion apps and observed that relevant artifacts can be distributed across the device, mobile application, and cloud layers, while noting that artifact locations and semantics remain vendor- and app-dependent [19]. This distribution complicates repeatable acquisition and interpretation, because investigators must reconcile multiple evidence layers and their timelines under differing access controls and data formats. Ruiz-Villafranca et al. proposed a tool-assisted procedure to identify, acquire, and analyze IoT evidence sources, particularly network traffic, via near real-time monitoring, which helps to preserve volatile traces. However, this method remains centered on network layer artifacts rather than standardized acquisition of device resident evidence across heterogeneous platforms [20].
As smart home ecosystems evolve toward standardized interoperability, the evidence surface increasingly includes protocol level interactions and multi controller behaviors that cross vendor boundaries. Matter has emerged as a unifying standard in this direction, and early security analyses have provided important insights into how commissioning, controller trust, and delegation can affect the security and integrity of device states. Shafqat et al. demonstrated outsider access risks in Matter devices controlled by third party applications, in which incomplete onboarding allowed an external party to recommission and control a device without user consent [21]. Shashwat et al. analyzed the trust model of Matter controllers and identified a weakness in which a device could be commissioned by an arbitrary controller without verifying the controller trustworthiness, enabling stealth fabric enrollment and abnormal cross fabric interactions [22]. Liao et al. investigated pairing and delegation in commercial Matter ecosystems and reported a hidden hub eavesdropping scenario in which a secondary user can add a concealed hub and continuously receive device state updates without clear visibility in the owner application [23]. These findings collectively suggest that although multi-controller capabilities can be exploited, they also represent a critical locus where visibility, accountability, and reliability become central requirements if additional controllers are introduced for legitimate purposes, including evidence acquisition and interpretation. Complementary theory oriented work on reliable global diagnosis based on self-comparative models and the g-good-neighbor property further reinforces the importance of reliable state assessment in complex networks, where not all nodes can be assumed to be trustworthy [24]. 
The limitations observed in device-specific and invasive acquisition approaches, together with the growing importance of standardized multi controller semantics, motivate acquisition strategies that operate consistently across vendors while minimizing device disruption and maintaining interpretable and diagnosable device states under Multi-Admin conditions. In this context, our study demonstrates that leveraging Matter Multi-Admin can provide a standardized and nondestructive acquisition path, enabling evidence extraction across heterogeneous smart home deployments while improving repeatability and preserving interpretability under Multi-Admin conditions.

4. Smart Home Forensic Method Using Matter Multi-Admin

Major smart home platforms such as Amazon Alexa, Google Home, and Apple Home now support the Matter standard to improve interoperability. A forensic approach is proposed for smart home platforms that use Matter by leveraging its Multi-Admin capability. As shown in Figure 1, the main concept consists of three steps.
  • Identify the target smart home environment. The target device is determined by examining the connected devices and selecting those that support Matter.
  • Using chip-tool, configure an independent Matter controller as a forensic controller and commission the target Matter IoT device to it. The device can then interact with two Matter controllers.
  • Interact with the device through chip-tool and extract the device data via the chip-tool CLI.
For smart home devices that are already linked to a platform, the detailed procedure for extracting forensic data by constructing a Multi-Admin Matter environment is as follows.

4.1. Step 1: Forensic Readiness and Target Device Identification

To conduct smart home forensics, the target environment must first be identified. A smart home environment includes multiple components; therefore, the investigator should identify the smart home platform (e.g., Google Home and SmartThings), types of connected IoT devices, and whether each device supports Matter. If IoT devices that support Matter are identified, one of them is designated as the target device. When such devices are identified, devices with broader functionality, such as smart speakers, or those that generate data relevant to an investigation, such as door locks, are prioritized. This forensic readiness phase is essential because identifying the environment and selecting a target device in advance reduces costs and enables a more efficient investigation when an incident occurs.

4.2. Step 2: Joining Matter Device to Secondary Fabric

Subsequently, the Matter device is added to a second fabric for forensic purposes. Specifically, the smart home platform app that performed the initial commissioning is used to generate a QR code via a feature such as “Share with other services,” and chip-tool is then used to commission the IoT device into the second fabric. Consequently, the device belongs to the two fabrics simultaneously, and the controllers of both fabrics can access the device.

4.3. Step 3: Data Extraction Using Chip-Tool

The internal state and log data of the device are collected using the chip-tool controller that has joined the forensic fabric. The chip-tool CLI provides commands to enumerate the endpoints and clusters of the device. Because Matter clusters group the specific capabilities supported by the device, the types of data maintained by the device can be inferred. Accordingly, the attributes of clusters that are likely to contain forensically relevant information are read, and the data that exist on the smart home platform are extracted.
As this Matter-based forensic approach operates through the device-implemented Matter clusters, it enables standardized evidence collection without disassembling the device or relying on the manufacturer. Additionally, because it uses the chip-tool CLI, the workflow can be automated to extract data from IoT devices in a smart home environment.
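Steps 2 and 3 as a repeatable script, given here as an added example that is not the authors' tooling: it commissions the shared device into the forensic fabric, reads a fixed list of attributes, and stores each raw chip-tool output with a SHA-256 digest so that later tampering with the saved files is detectable. The node ID, the evidence-directory layout, the `CHIP_TOOL` variable and the attribute list are assumptions; the chip-tool subcommands are the standard ones from the Matter SDK.

```shell
#!/usr/bin/env bash
# Added example (not the authors' tooling): Steps 2-3 as a repeatable script.
# Assumptions: the node ID, the evidence-directory layout and the attribute
# list are illustrative; CHIP_TOOL may name any chip-tool build on PATH.
CHIP_TOOL="${CHIP_TOOL:-chip-tool}"

# One read per line: <cluster> <attribute> <endpoint>, using chip-tool CLI names.
# Reading operationalcredentials/fabrics documents the fabric entry that
# commissioning the forensic controller added to the device.
ATTRIBUTES="
descriptor parts-list 0
descriptor server-list 0
descriptor server-list 1
basicinformation vendor-name 0
basicinformation product-name 0
generaldiagnostics up-time 0
operationalcredentials fabrics 0
"

# Step 2: commission the device into the forensic fabric with the onboarding
# payload that the platform app issued ("Share with other services").
commission() {  # commission <node-id> <onboarding-payload> <evidence-dir>
    mkdir -p "$3" || return 1
    "$CHIP_TOOL" pairing code "$1" "$2" > "$3/pairing.log" 2>&1 < /dev/null
}

# Step 3: read one attribute, keep the raw output, and append its SHA-256
# digest, UTC start time and exit status to manifest.txt.
read_attribute() {  # read_attribute <node-id> <cluster> <attr> <endpoint> <dir>
    local out started status digest
    out="$5/ep${4}_${2}_${3}.log"
    status=0
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    "$CHIP_TOOL" "$2" read "$3" "$1" "$4" > "$out" 2>&1 < /dev/null || status=$?
    digest=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s  %s  exit=%s  %s\n' "$digest" "$started" "$status" "${out##*/}" \
        >> "$5/manifest.txt"
    return "$status"
}

# Read every attribute in ATTRIBUTES; the exit status is the number of reads
# that failed, so a partial acquisition is never reported as complete.
acquire() {  # acquire <node-id> <evidence-dir>
    local cluster attr ep failed
    failed=0
    mkdir -p "$2" || return 1
    while read -r cluster attr ep; do
        [ -n "$cluster" ] || continue
        read_attribute "$1" "$cluster" "$attr" "$ep" "$2" || failed=$((failed + 1))
    done <<EOF
$ATTRIBUTES
EOF
    return "$failed"
}

# Recompute every digest; non-zero if a stored output no longer matches.
verify_manifest() {  # verify_manifest <evidence-dir>
    local digest started status name bad
    bad=0
    while read -r digest started status name; do
        [ "$(sha256sum "$1/$name" | cut -d' ' -f1)" = "$digest" ] || bad=1
    done < "$1/manifest.txt"
    return "$bad"
}

# Run only when invoked as: ./acquire.sh <node-id> <onboarding-payload> <dir>
if [ "$#" -eq 3 ]; then
    commission "$1" "$2" "$3" && acquire "$1" "$3"
fi
```

The attribute reads do not write to the device, but commissioning does add a fabric entry, which is why the list ends with a read of the Operational Credentials cluster.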

5. Experiment

In Section 4, a forensic method was proposed that uses Multi-Admin in Matter to extract data from Matter IoT devices connected to smart home platforms via chip-tool. To validate the methodology, an experiment was conducted by following the three-step procedure and demonstrating data extraction from a Matter IoT device that was already linked to a smart home platform. Access to the user’s smartphone was assumed, and the devices used in the experiment are listed in Table 1. As shown in Figure 2, the smart home hub was a Samsung SmartThings Station, the target device was a TP-Link Tapo Smart Wi-Fi Multicolor Bulb (L535E, Product ID 769), and the forensic controller was chip-tool from the Matter SDK installed on Linux.
For the testbed setup, the bulb was first powered on, and the SmartThings Station was connected to the Wi-Fi network. The SmartThings mobile app was then used to scan the QR code of the bulb and add the bulb to SmartThings. During this process, SmartThings automatically created the first fabric, which included the bulb. Approximately 3 min after powering on the bulb, the bulb was connected to chip-tool. Approximately 4 min after the connection, which was approximately 7 min after power-on, data were acquired from the smart bulb. This timing offset allowed us to determine whether chip-tool could extract data that existed before the chip-tool connection. When the acquired data includes time-related fields, the offsets make it possible to infer when the data were generated.

5.1. Forensic Readiness and Target Device Identification

First, the smart home platform and connected IoT devices were identified. Access to a smartphone, which could be used to determine the devices linked to the smart home platform, was assumed. The smartphone ran the SmartThings app and the connected devices could be viewed in the app, as shown in Figure 3. In this environment, Samsung SmartThings was linked to a SmartThings Station and a TP-Link smart bulb (L535E). After confirming that the smart bulb supported Matter, it was designated as the target device.

5.2. Joining Matter Device to Secondary Fabric

After identifying the target device, as shown in Figure 4, the “Share with other services” feature of the SmartThings app was used to generate a QR code and commission the smart bulb to chip-tool.
To confirm that chip-tool could extract the data generated in the primary fabric (SmartThings), the bulb was kept running for approximately 3 min and then commissioned into a secondary fabric using the chip-tool pairing command, thereby establishing a Multi-Admin environment. Thus, the bulb belonged to both the SmartThings fabric and the forensic fabric simultaneously, and interaction with the device was possible from both fabrics.

5.3. Data Extraction Using Chip-Tool

After completing the Multi-Admin setup, chip-tool was used to list the clusters by endpoint. On Endpoint 0, the clusters included Descriptor, AccessControl, BasicInformation, OtaSoftwareUpdateRequestor, and General Diagnostics, as shown in Figure 5. On Endpoint 1, the clusters included Identify, OnOff, LevelControl, Descriptor, and ColorControl, as shown in Figure 6. The role, functions, attributes, commands, and events of each cluster are defined in detail in the official Matter documentation [9,25]. Table 2 and Table 3 summarize these cluster functions.
Endpoint 0 is defined as a mandatory reserved endpoint that must exist on every node for device management, commissioning, security, and diagnostics clusters. As shown in Table 2, Endpoint 0 includes clusters required for management and operation, such as Network Commissioning 0x0031 for configuring network interfaces, Access Control 0x001F and Operational Credentials 0x003E for access control and operational credential management, and General Diagnostics 0x0033 for device status reporting. Endpoint 1 is populated with clusters according to the device functionality. In our experiment, the smart bulb exposed the clusters listed in Table 3. The presence of OnOff 0x0006, Level Control 0x0008, and Color Control 0x0300 indicates that this endpoint was responsible for lighting control. The Identify 0x0003 cluster supports device identification during installation and maintenance, and the Groups 0x0004 cluster enables group-based control. The cluster at 0x0005 was not labeled in our controller output; however, it is inferred to correspond to the Scenes cluster because the Matter cluster identifier mapping assigns 0x0005 to Scenes in the Matter Application Cluster Specification [25].
At Endpoint 0, the Basic Information cluster included attributes such as VendorName and ProductName. Reading these attributes using chip-tool confirmed that the connected device was a Tapo Smart Multicolor Bulb, as shown in Figure 7 and Figure 8.
Additionally, querying the UpTime attribute in the General Diagnostics cluster on Endpoint 0 returned 454 s, as shown in Figure 9. This indicates that the forensic controller implemented using chip-tool can extract the device’s operating time from before commissioning.
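The timing argument above, as an added example that is not part of the original article: it parses saved chip-tool attribute reports into records and checks whether an UpTime value reaches back before the forensic commissioning. The log layout is an assumption modelled on chip-tool's console output; 454 and Tapo are the values reported in the text, the 240 s gap is the "approximately 4 min" of the testbed description, and all timestamps and function names are constructed.

```shell
#!/usr/bin/env bash
# Added example: turn saved chip-tool attribute reports into records and place
# the UpTime value on the acquisition timeline.
# Assumption: chip-tool prints a header line naming endpoint, cluster and
# attribute, followed by a "Name: value" line, as in the constructed sample.

# Constructed sample. 454 and Tapo are the values reported in the text; the
# log timestamps, process IDs and DataVersion numbers are made up.
sample_log() {
cat <<'EOF'
[1700000420.101][4021:4023] CHIP:TOO: Endpoint: 0 Cluster: 0x0000_0028 Attribute 0x0000_0001 DataVersion: 1111111111
[1700000420.102][4021:4023] CHIP:TOO:   VendorName: Tapo
[1700000421.201][4030:4032] CHIP:TOO: Endpoint: 0 Cluster: 0x0000_0033 Attribute 0x0000_0002 DataVersion: 2222222222
[1700000421.202][4030:4032] CHIP:TOO:   UpTime: 454
EOF
}

# parse_reports < log
# Emits one tab-separated row per attribute report:
# endpoint, cluster id, attribute id, attribute name, first value line.
parse_reports() {
    awk '
    /CHIP:TOO: Endpoint: / {
        for (i = 1; i < NF; i++) {
            if ($i == "Endpoint:") ep = $(i + 1)
            if ($i == "Cluster:")  cl = $(i + 1)
            if ($i == "Attribute") at = $(i + 1)
        }
        pending = 1
        next
    }
    pending && /CHIP:TOO: +[A-Za-z]+:/ {
        line = $0
        sub(/^.*CHIP:TOO: +/, "", line)
        name = line;  sub(/:.*$/, "", name)
        value = line; sub(/^[^:]*: */, "", value)
        printf "%s\t%s\t%s\t%s\t%s\n", ep, cl, at, name, value
        pending = 0
    }'
}

# attribute_value <cluster-id> <attribute-id> < log
# Prints the value of the last matching report (empty if none).
attribute_value() {
    parse_reports | awk -F '\t' -v c="$1" -v a="$2" \
        '$2 == c && $3 == a { v = $5 } END { print v }'
}

# pre_commission_seconds <uptime-s> <read-epoch> <commission-epoch>
# Prints how long the device had already been running when the forensic
# controller was commissioned.
# Status 1: the device rebooted after commissioning, so UpTime says nothing
#           about the period before it. Status 2: unusable input.
pre_commission_seconds() {
    local since
    case "$1" in ''|*[!0-9]*) return 2 ;; esac
    since=$(( $2 - $3 ))
    [ "$since" -ge 0 ] || return 2
    [ "$1" -ge "$since" ] || return 1
    echo $(( $1 - since ))
}

# Demo on the constructed sample: General Diagnostics (0x0033) UpTime (0x0002),
# read 240 s after commissioning.
uptime_s=$(sample_log | attribute_value 0x0000_0033 0x0000_0002)
pre_commission_seconds "$uptime_s" 1700000421 1700000181
```

A positive result means the counter was already running before the forensic fabric existed; status 1 flags the case where a reboot after commissioning makes UpTime unusable for that inference.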

6. Discussion

A forensic methodology has been proposed that uses the Multi-Admin capability in Matter to extract data from Matter IoT devices that are connected to smart home platforms, and it was validated on Samsung SmartThings with a TP-Link Tapo smart bulb. The methodology consists of three steps. First, identify the platform and the IoT devices in the target smart home environment that support Matter. Second, connect the target device to chip-tool so that the device can receive commands from two Matter controllers. Third, use the controller implemented with chip-tool to extract data via clusters. This approach overcomes the difficulty of physically accessing increasingly miniaturized IoT devices, and enables the acquisition of diverse data in real investigations.
The methodology was verified using a smart bulb commissioned to the SmartThings fabric. In our setup, a SmartThings Station and the bulb were paired in the SmartThings app, and the bulb (a Matter-enabled device) was then commissioned into a secondary fabric using the “Share with other services” feature of the app to connect chip-tool as an additional controller. Through chip-tool, attribute reads were performed on the relevant Matter clusters. In the experiment, the bulb was powered on, commissioned to chip-tool after approximately 3 min, and queried at approximately 7 min by reading the UpTime attribute in the General Diagnostics cluster, which returned 454, indicating that the bulb had been on for 454 s. This demonstrates that chip-tool can extract a device-reported state that predates the chip-tool commissioning, that is, data generated during the prior interaction of the bulb with SmartThings. Additionally, reading VendorName from the Basic Information cluster confirmed that the manufacturer was Tapo, which was not displayed in the SmartThings app. This suggests that platform apps may not expose all data available through Matter. Overall, the proposed method enables nondestructive and efficient evidence acquisition from smart home IoT devices and can yield a broader range of data than those available solely on smartphones. Specifically, chip-tool acquires device-reported artifacts by reading cluster attributes and returning structured values that consist of standardized cluster and attribute identifiers and strictly typed values (e.g., Unsigned Integer, UTF-8 String). In our experiment, these artifacts included the temporal diagnostic state, such as UpTime, and device identity metadata, such as VendorName. These values provide a direct evidentiary source that can support timeline reconstruction and corroborate records from the primary platform, particularly in forensic scenarios where the platform application masks or omits granular device details.
Prior smart home IoT forensic studies have demonstrated valuable artifact recovery; however, many approaches remain constrained by acquisition paths that are specific to particular devices or vendors and, in some cases, require invasive access, which can be difficult to generalize across device classes [11,14]. More scalable investigation frameworks can correlate evidence across different smart home platforms; however, they typically depend on platform-specific interfaces and do not provide a reusable device side acquisition channel [16]. Although network and logging centric methods can support large-scale monitoring and behavioral analysis, they may be insufficient when investigators must directly interpret device resident states, histories, and configurations as evidential artifacts [15]. By contrast, our methodology leverages the standardized Multi-Admin capability in Matter together with chip-tool to enable a reusable and nondestructive device side acquisition path. This indicates that the approach can retrieve device-reported information that is not surfaced by the platform application, as shown by the UpTime and VendorName reads under SmartThings.
The proposed methodology has four limitations and considerations for practical deployment. First, during Multi-Admin enrollment, opening a commissioning window in the existing fabric typically requires operating the smartphone app. When the smartphone is available to investigators, substantial data can already be acquired; however, as platform apps do not necessarily persist every Matter field in app storage, our method remains valuable for accessing additional device-reported data. The Matter ecosystem is also trending toward simpler and more automated Multi-Admin, such as the “Fabric Synchronization” introduced in Matter 1.4. If future platforms such as smart TVs or specialized hubs permit the addition of a forensic fabric through centralized synchronization without direct smartphone interaction, the forensic applicability and accessibility of the method will be enhanced significantly.
Second, this study’s validation is limited to a single device type (a smart bulb), which constrains the empirical demonstration of the methodology’s generalizability across diverse IoT device categories. While the smart bulb effectively demonstrates the feasibility of Multi-Admin-based data extraction through standardized Matter clusters, real-world smart home environments typically contain heterogeneous devices such as smart locks, security cameras, environmental sensors, and thermostats, each implementing different cluster sets with varying forensic relevance [8]. The evidentiary scope and data richness may vary substantially across device categories. For instance, smart locks implement the Door Lock cluster (0x0101), which provides access to lock state, user management attributes, and control commands, and may expose lock operation events when supported by the device [25]. Environmental sensors utilize Temperature Measurement (0x0402) and Relative Humidity Measurement (0x0405) clusters to provide current measurement values, which can be periodically collected by the forensic controller to reconstruct environmental conditions over time. Smart plugs provide On/Off state and control via cluster 0x0006, and expose power measurement values such as voltage, current, and active power through the Electrical Power Measurement cluster (0x0090), enabling investigators to establish device usage patterns through controller side data collection. However, without empirical validation on these device types, practical challenges remain uncertain. For example, security sensitive devices such as smart locks may implement more restrictive Access Control Lists, resource constrained sensors may maintain limited event histories, and certain device categories may expose only minimal metadata rather than detailed forensic artifacts due to privacy concerns, vendor-specific implementations, or resource constraints. 
Although the Matter specification mandates Multi-Admin support for all certified devices, suggesting architectural compatibility across categories, future work must validate the methodology across diverse device types from multiple manufacturers to confirm its practical applicability and establish category-specific acquisition techniques.
Third, the technical constraints in real-world environments must be considered. To conserve hardware resources, some manufacturers may employ nonstandard Matter implementations or firmware level restrictions that limit the number of active fabrics. If a device has already reached its maximum fabric capacity (typically a minimum of five), investigators should first prioritize other devices that have available fabric slots. If investigating a specific device with full fabric capacity is necessary and multiple users have commissioned the device to different fabrics in a shared living environment, investigators may seek cooperation from fabric administrators who are not subjects of the investigation. These individuals may voluntarily remove their fabrics through their respective platform applications to temporarily accommodate the forensic controller. While this action temporarily disrupts their access to the device, it is not expected to cause substantial evidence tampering or data loss that would compromise the forensic investigation. When such cooperation cannot be obtained, investigators should document the fabric capacity limitation as a constraint on evidence acquisition. Additionally, scalability constraints arise when investigating environments with numerous IoT devices, as manually commissioning each device becomes time intensive. Since chip-tool is a command line interface, automated acquisition scripts could be developed to programmatically discover devices and iterate through extraction workflows, potentially streamlining the process. Prior to deploying the methodology in active investigations, forensic teams should establish testbeds that replicate target environments to identify potential compatibility issues and verify device behavior across different manufacturers and firmware versions.
Finally, the addition of a forensic administrator inevitably leaves a forensic footprint because it updates the fabric list and access control rules of the device. Because commissioning and multi controller behaviors can also be abused in practice, investigators should record why and how the additional controller was authorized and preserve the resulting fabric and access control changes as part of the case record so that the acquisition remains auditable and clearly separable from adversarial misuse [21,22,23]. However, this state change also provides a transparent and repeatable audit trail for the investigation process. From a forensic standpoint, this method offers a justifiable balance between the integrity of evidence and the need for acquisition.
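The third limitation above notes that chip-tool reads could be scripted. The following is an added example, not code from the paper or from the Matter project: it builds the two reads the study performed, parses their output, hashes the raw output for the case record, and derives a power-on estimate from UpTime. The log-line layout, the sample output, node ID 1 and the acquisition time are constructed assumptions.

```python
import hashlib
import json
import re
import shlex
from datetime import datetime, timedelta, timezone

# The two reads the study performed: (chip-tool cluster, attribute, endpoint).
READS = [("basicinformation", "vendor-name", 0),
         ("generaldiagnostics", "up-time", 0)]

# Assumed chip-tool log layout: a header line with the attribute path,
# then a "Name: value" line.
HEADER = re.compile(
    r"CHIP:TOO:\s+Endpoint:\s*(\d+)\s+Cluster:\s*(0x[0-9A-Fa-f_]+)\s+"
    r"Attribute\s+(0x[0-9A-Fa-f_]+)\s+DataVersion:\s*(\d+)")
VALUE = re.compile(r"CHIP:TOO:\s+(\w+):\s*(.*?)\s*$")

# Constructed sample output, not captured from a device. Tapo and 454 are the
# values the paper reports; timestamps, PIDs and DataVersion are made up.
PREFIX = "[1767226054.000100][4242:4244] CHIP:TOO: "
SAMPLES = {
    "vendor-name": PREFIX + "Endpoint: 0 Cluster: 0x0000_0028 Attribute "
                   "0x0000_0001 DataVersion: 1000\n" + PREFIX + "  VendorName: Tapo\n",
    "up-time": PREFIX + "Endpoint: 0 Cluster: 0x0000_0033 Attribute "
               "0x0000_0002 DataVersion: 1001\n" + PREFIX + "  UpTime: 454\n",
}

def read_command(cluster, attribute, node_id, endpoint):
    """argv for one chip-tool attribute read against a commissioned node."""
    return ["chip-tool", cluster, "read", attribute, str(node_id), str(endpoint)]

def parse_read(raw):
    """Return the attribute reports found in chip-tool read output."""
    reports, pending = [], None
    for line in raw.splitlines():
        m = HEADER.search(line)
        if m:
            ep, cluster, attr, version = m.groups()
            pending = {"endpoint": int(ep),
                       "cluster_id": int(cluster.replace("_", ""), 16),
                       "attribute_id": int(attr.replace("_", ""), 16),
                       "data_version": int(version)}
            continue
        m = VALUE.search(line)
        if m and pending is not None:   # value line that follows a header
            reports.append({**pending, "name": m.group(1), "value": m.group(2)})
            pending = None
    return reports

def evidence_record(argv, raw, acquired_at):
    """Bind parsed values to the exact command, acquisition time and raw hash."""
    record = {"command": shlex.join(argv),
              "acquired_at_utc": acquired_at.isoformat(),
              "raw_sha256": hashlib.sha256(raw.encode()).hexdigest(),
              "reports": parse_read(raw)}
    for r in record["reports"]:
        # General Diagnostics (0x0033) UpTime counts seconds since boot, so
        # acquisition time minus UpTime estimates when the device powered on.
        if r["cluster_id"] == 0x0033 and r["name"] == "UpTime":
            boot = acquired_at - timedelta(seconds=int(r["value"]))
            r["estimated_boot_utc"] = boot.isoformat()
    return record

def acquire(node_id, runner, clock):
    """Run every read in READS via runner(argv) -> str and record each one."""
    return [evidence_record(argv, runner(argv), clock())
            for argv in (read_command(c, a, node_id, e) for c, a, e in READS)]

if __name__ == "__main__":
    # Offline stand-ins (assumptions): replay SAMPLES instead of running
    # chip-tool, node ID 1, and a fixed acquisition time.
    fixed = datetime(2026, 1, 1, 0, 7, 34, tzinfo=timezone.utc)
    records = acquire(1, lambda argv: SAMPLES[argv[3]], lambda: fixed)
    print(json.dumps(records, indent=2))
```

In a live acquisition, `runner` would wrap `subprocess.run` and return the captured chip-tool output, and `clock` would return the current UTC time.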

7. Conclusions

As smart home platforms and devices that adopt the Matter standard have surged in recent years, there is a growing need for a common forensic method that can extract digital evidence from the IoT devices of heterogeneous vendors. To address this need, this study has proposed a general smart home digital forensics method that leverages the Multi-Admin capability in Matter. The method implements a forensic controller with chip-tool and registers it as an additional administrator for the device, enabling the extraction of on-device data without physical procedures, such as chip-off of flash memory or access via JTAG/UART. To validate the method, it was applied to a smart lighting device connected to the SmartThings platform, and it was confirmed that the smart bulb data could be obtained effectively without disassembling the device or decrypting the encrypted communications. In particular, this experimental scenario demonstrated that the data generated before linking the device to the chip-tool-based secondary fabric could be extracted, indicating practical applicability to real smart home forensics. The scalability and practical utility of the proposed method are likely to increase as the Matter standard evolves to support Multi-Admin setup without a smartphone and vendors implement a broader set of clusters. Nevertheless, the current validation was limited to a single device class (smart bulbs), and the evidentiary scope and acquisition constraints may vary across device categories, such as sensors, smart locks, and cameras, because of differences in cluster support and access control policies. Future work will expand the evaluation to a broader range of device classes and platforms to characterize these differences and strengthen the generalizability of the proposed method. Tooling that automates data collection is also planned to further improve the practical utility and applicability of this approach in smart home forensics.

Author Contributions

Conceptualization, S.K. (Sungbum Kim); methodology, S.K. (Sungbum Kim); software, S.K. (Sungbum Kim); validation, S.K. (Sungbum Kim) and S.K. (Sungmoon Kwon); formal analysis, S.K. (Sungbum Kim) and S.K. (Sungmoon Kwon); investigation, S.K. (Sungbum Kim); resources, S.K. (Sungbum Kim); data curation, S.K. (Sungbum Kim); writing—original draft preparation, S.K. (Sungbum Kim); writing—review and editing, S.K. (Sungbum Kim) and T.S.; visualization, S.K. (Sungbum Kim); supervision, T.S.; project administration, S.K. (Sungbum Kim). All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported by a National Research Foundation of Korea (NRF) grant funded by the Korean Government (MSIT) (RS-2025-16068069).

Data Availability Statement

The data are included in this article.

Conflicts of Interest

The authors declare no competing interests.

References

  1. Global Market Insights. Smart Home Market Size—By Type, By Connectivity, By Price, By Application, By Distribution Channel, Forecast 2025–2034. 2025. Available online: https://www.gminsights.com/industry-analysis/smart-home-market (accessed on 8 February 2026).
  2. Tuohy, J.P. Every Smart Home Device That Works with Matter. The Verge. 2024. Available online: https://www.theverge.com/23568091/matter-compatible-devices-accessories-apple-amazon-google-samsung (accessed on 8 February 2026).
  3. Medina, D. Kansas City, Missouri, Police Turn to Amazon Alexa Device for Clues in Shooting Death of 2 Researchers. KSHB 41 News. 2022. Available online: https://www.kshb.com/news/crime/kansas-city-police-turn-to-amazon-alexa-device-for-clues-in-shooting-death-of-2-researchers (accessed on 8 February 2026).
  4. McGill, M.H. Ring Doorbell Shared Footage Without Consent 11 Times This Year. Axios. 2022. Available online: https://www.axios.com/2022/07/13/amazon-ring-doorbell-footage-law-enforcement (accessed on 8 February 2026).
  5. Ahmed, A.A.; Farhan, K.; Jabbar, W.A.; Al-Othmani, A.; Abdulrahman, A.G. IoT forensics: Current perspectives and future directions. Sensors 2024, 24, 5210.
  6. Kebande, V.R.; Awad, A.I. Industrial internet of things ecosystems security and digital forensics: Achievements, open challenges, and future directions. ACM Comput. Surv. 2024, 56, 1–37.
  7. Atlam, H.F.; Hemdan, E.E.D.; Alenezi, A.; Alassafi, M.O.; Wills, G.B. Internet of things forensics: A review. Internet Things 2020, 11, 100220.
  8. Belli, D.; Barsocchi, P.; Palumbo, F. Connectivity Standards Alliance Matter: State of the art and opportunities. Internet Things 2024, 25, 101005.
  9. Connectivity Standards Alliance. Matter Specification, version 1.4; Connectivity Standards Alliance: Davis, CA, USA, 2024.
  10. Project Connected Home over IP (Matter). Connectedhomeip/ConnectedHomeIP [Internet]. GitHub Repository. 2025. Available online: https://github.com/project-chip/connectedhomeip (accessed on 8 February 2026).
  11. Sharma, P.; Awasthi, L.K. Unveiling the Hidden Dangers: Security Risks and Forensic Analysis of Smart Bulbs. Forensic Sci. Int. Digit. Investig. 2024, 50, 301794.
  12. Shin, D.H.; Han, S.J.; Kim, Y.B.; Euom, I.C. Research on Digital Forensics Analyzing Heterogeneous Internet of Things Incident Investigations. Appl. Sci. 2024, 14, 1128.
  13. Kim, M.; Shin, Y.; Jo, W.; Shon, T. Digital Forensic Analysis of Intelligent and Smart IoT Devices. J. Supercomput. 2023, 79, 973–997.
  14. Kim, S.; Bang, J.; Shon, T. Forensic Analysis for Cybersecurity of Smart Home Environments with Smart WallPads. Electronics 2024, 13, 2827.
  15. Mazhar, M.S.; Saleem, Y.; Almogren, A.; Arshad, J.; Jaffery, M.H.; Rehman, A.U.; Shafiq, M.; Hamam, H. Forensic Analysis on Internet of Things (IoT) Device Using Machine-to-Machine (M2M) Framework. Electronics 2022, 11, 1126.
  16. Kim, S.; Lee, G.; Song, J.; Lee, I.; Shon, T. A Common Architecture-Based Smart Home Tools and Applications Forensics for Scalable Investigations. Comput. Mater. Contin. 2025, 83, 661–683.
  17. Kaushik, K.; Bhardwaj, A.; Dahiya, S. Smart Home IoT Forensics: Current Status, Challenges, and Future Directions. In Proceedings of the 2023 International Conference on Advancement in Computation & Computer Technologies (InCACCT), Gharuan, India, 5–6 May 2023; IEEE: New York, NY, USA, 2023.
  18. Mahmood, H.; Arshad, M.; Ahmed, I.; Fatima, S.; ur Rehman, H. Comparative Study of IoT Forensic Frameworks. Forensic Sci. Int. Digit. Investig. 2024, 49, 301748.
  19. Eichhorn, M.; Pugliese, G. Do You “Relay” Want to Give Me Away? Forensic Cues of Smart Relays and Their IoT Companion Apps. Forensic Sci. Int. Digit. Investig. 2024, 50, 301810.
  20. Ruiz-Villafranca, S.; Castelo Gómez, J.M.; Roldán-Gómez, J. A Forensic Tool for the Identification, Acquisition and Analysis of Sources of Evidence in IoT Investigations. Internet Things 2024, 27, 101308.
  21. Shafqat, N.; Ranganathan, A. Seamlessly Insecure: Uncovering Outsider Access Risks in AiDot-Controlled Matter Devices. In Proceedings of the 2024 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 23 May 2024; IEEE: New York, NY, USA, 2024; pp. 281–288.
  22. Shashwat, K.; Hahn, F.; Ou, X.; Singhal, A. Security Analysis of Trust on the Controller in the Matter Protocol Specification. In Proceedings of the 2023 IEEE Conference on Communications and Network Security (CNS), Orlando, FL, USA, 2–5 October 2023; IEEE: New York, NY, USA, 2023; pp. 1–6.
  23. Liao, S.; Yan, J.; Cheng, L. Wip: Hidden Hub Eavesdropping Attack in Matter-Enabled Smart Home Systems. In Proceedings of the Workshop on Security and Privacy in Standardized IoT (SDIoTSec), San Diego, CA, USA, 26 February 2024.
  24. Wang, M.-J.-S.; Xu, S.-H.; Jiang, J.-C.; Xiang, D.; Hsieh, S.-Y. Global Reliable Diagnosis of Networks Based on Self-Comparative Diagnosis Model and g-Good-Neighbor Property. J. Comput. Syst. Sci. 2025, 155, 103698.
  25. Connectivity Standards Alliance. Matter Application Cluster Specification, version 1.4; Connectivity Standards Alliance: Davis, CA, USA, 2024.
Figure 1. Smart home forensic method that uses the Matter Multi-Admin (three steps).
Figure 2. Smart home environment testbed.
Figure 3. Devices connected to Samsung SmartThings.
Figure 4. “Share with other services” in Samsung SmartThings.
Figure 5. Cluster list on Endpoint 0 of the TP-Link Tapo smart bulb.
Figure 6. Cluster list on Endpoint 1 of the TP-Link Tapo smart bulb.
Figure 7. VendorName value in the Basic Information cluster.
Figure 8. ProductName value in the Basic Information cluster.
Figure 9. UpTime value in the General Diagnostics cluster on Endpoint 0.
Table 1. Testbed environment.

| Component | Device Name |
|---|---|
| Smart home platform | Samsung SmartThings (v1.8.18.21; Samsung Electronics Co., Ltd., Suwon, Republic of Korea) |
| Smart home hub | Samsung SmartThings Station (Samsung Electronics Co., Ltd., Suwon, Republic of Korea) |
| IoT device | TP-Link Tapo Smart Wi-Fi Multicolor Bulb L535E (TP-Link Systems Inc., Irvine, CA, USA) |
| Matter controller | chip-tool (v1.4.2.0; Connectivity Standards Alliance (CSA), Davis, CA, USA) |
| Smartphone | Samsung Galaxy S9 (Android 10; Samsung Electronics Co., Ltd., Suwon, Republic of Korea) |

Table 2. Clusters included in Endpoint 0.

| Cluster ID | Cluster Name | Description |
|---|---|---|
| 0x001D (29) | Descriptor | Provides metadata describing the server and client clusters and device types present on the endpoint. Supplies foundational information for interoperability. |
| 0x001F (31) | Access Control | Defines and manages the Access Control List to govern permissions for subjects such as users, administrators, and nodes. A core component of the security policy. |
| 0x0028 (40) | Basic Information | Exposes baseline properties such as VendorID, ProductID, device name, and hardware/software versions. Essential for device identification and management. |
| 0x002A (42) | OTA Software Update Requestor | Allows the device to request over-the-air updates and helps to keep software up to date. |
| 0x0030 (48) | General Commissioning | Handles basic commissioning procedures, including device initialization, reset, and network joining. |
| 0x0031 (49) | Network Commissioning | Configures and manages network interfaces such as Wi-Fi, Thread, and Ethernet. |
| 0x0033 (51) | General Diagnostics | Provides common diagnostic data, including error logs, counters, and status information, to support maintenance and troubleshooting. |
| 0x003C (60) | Administrator Commissioning | Enables an administrator to establish a secure connection to the device, open a commissioning window, and manage administrative access. |
| 0x003E (62) | Operational Credentials | Manages the security credentialing of the device, including NOCs and trusted roots, to ensure secure communications. |
| 0x003F (63) | Group Key Management | Manages the security keys required for group communication, enabling secure multicast. |

Table 3. Clusters included in Endpoint 1.

| Cluster ID | Cluster Name | Description |
|---|---|---|
| 0x0003 (3) | Identify | Supports physical device identification (e.g., LED blinking, audible tones) to locate the device during installation and maintenance. |
| 0x0004 (4) | Groups | Enables grouping of multiple devices for simultaneous control. |
| 0x0005 (5) | Unknown | - |
| 0x0006 (6) | On/Off | Provides basic power control (turn on/off), essential for lighting devices. |
| 0x0008 (8) | Level Control | Allows adjustment of brightness levels; commonly used with On/Off in lighting. |
| 0x001D (29) | Descriptor | Provides endpoint metadata. |
| 0x0300 (768) | Color Control | Provides detailed color controls such as RGB and color temperature, core functions for smart bulbs and lighting devices. |

MDPI and ACS Style

Kim, S.; Kwon, S.; Shon, T. Smart Home IoT Forensics in Matter Ecosystems: A Data Extraction Method Using Multi-Admin. Electronics 2026, 15, 884. https://doi.org/10.3390/electronics15040884