Extraction and analysis of non-volatile memory of the ZW0301 module, a Z-Wave transceiver

Z-Wave is an implementation of home automation, under the broad category of Internet of Things (IoT). To date, the ability to perform forensic investigations on Z-Wave devices has largely been ignored; however, the placement of these devices in homes and industrial facilities makes them valuable assets for the investigation of criminal and adversarial actors. Z-Wave devices consist of sensors and actuators, which can be connected to the Internet via a gateway. Therefore, their memory contents may contain sensor reports of criminal activity or, more indirectly, provide evidence that the devices have been manipulated to achieve physical or cyber access. This paper provides details on extracting and programming the Flash and EEPROM memory of the ZW0301, which is a common Z-Wave transceiver module found on many Z-Wave devices. Specifically, the memory usage is characterized and several artifacts are identified. The feasibility of conducting a firmware modification attack on the ZW0301 is also explored. The results of this work identify several data structures including the node protocol information table and node adjacency table. The compiler and coding language used for the firmware image are also fingerprinted.