Buildings are no longer silent witnesses

Over the past ten to fifteen years, our buildings have gained a pulse. Sensors, loggers and control systems now produce a continuous flow of signals that describe what is actually happening inside a property. This development has turned building automation into an increasingly important source for forensic work. At last year’s IoT World Inspiration Day, I had the privilege of having lunch with Johnny Bengtsson, IT forensics specialist at the Swedish National Forensic Centre (NFC). It was an unforgettable walkthrough of how IoT can be used in forensics. And when I later attended one of Johnny’s presentations (Forensics and connected buildings, arranged by IoT World and Cyberly), one thing became clearer than ever: crime scenes inside buildings are no longer just physical locations where an incident occurs. They are places to investigate, sometimes carrying a narrative—true or manipulated. Buildings have become witnesses.

Forensics in connected buildings

Building automation is fundamentally different from traditional IT; here, the focus is on measurement values from sensors or presence detection from PIR sensors. In his research, Johnny has used CO₂ sensors, IR sensors and magnetic contacts, among other components. But a smart building also includes actuators—devices that take action based on sensor readings. These systems often rely on low sampling frequencies, simple logic functions and components never designed for evidentiary value. This makes systematic testing and methodology essential to determine what can actually be trusted.

When intentional and unintentional events mix

In a connected building, data is generated by three types of events: deliberate stimuli, unintentional occurrences, and pure accidents. A magnetic sensor reacting to a door opening, a voice command to a smart speaker turning on a light, or a water leak triggering a shutoff valve—all these events generate digital traces that can, in theory, be used to reconstruct a timeline during an investigation. But one critical question remains: can sensor data be manipulated to produce a misleading picture of what actually happened, or are the measurements correct? Did the sensor function as intended, and how was it mounted? You will find more on this topic in my post on bias.

False motion and hidden footprints

One of the most illustrative test cases involved PIR sensors, commonly used in offices and stairwells for presence detection. PIR reacts to changes in infrared radiation—practically speaking, heat—and by flying a small drone indoors, the research team produced clear false positives: the system interpreted the drone as human motion. This demonstrates how easily misleading traces can be created, and how quickly an investigation may be pushed off course. Equally important were the attempts to achieve false negatives; using a metallised emergency blanket, the team could partially mask body heat and bypass motion detection. In practical tests with motion-controlled bathroom lighting, registration could fail entirely. CO₂ sensors showed higher robustness; human respiration is difficult to hide over time, though breathing into air mattresses provided a partial workaround. But once you overlay two sensors’ data, the challenge becomes significantly harder. The PIR sensor may not be triggered, yet the CO₂ sensor might show elevated levels—unless, of course, a leaking CO₂ cartridge is tucked away in a corner.
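The two-sensor overlay described above can be sketched as a consistency check. This is an added example, not code from the NFC research; the sample readings, the 40 ppm step and the 10 and 15 minute windows are constructed assumptions that would need calibrating per room and sensor.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the research): one room, CO2 in ppm
# sampled every 5 minutes, plus PIR motion event timestamps.
T0 = datetime(2024, 1, 1, 22, 0)
CO2 = [(T0 + timedelta(minutes=5 * i), ppm) for i, ppm in enumerate(
    [420, 425, 430, 480, 540, 600, 650, 640, 600, 560, 520, 480])]
PIR = [T0 + timedelta(minutes=41)]

def rise_episodes(co2, min_step=40):
    """Merge consecutive sample-to-sample rises >= min_step ppm into episodes."""
    episodes, start, end = [], None, None
    for (t_a, c_a), (t_b, c_b) in zip(co2, co2[1:]):
        if c_b - c_a >= min_step:
            if start is None:
                start = t_a
            end = t_b
        elif start is not None:
            episodes.append((start, end))
            start = None
    if start is not None:
        episodes.append((start, end))
    return episodes

def cross_check(co2, pir, lead=timedelta(minutes=10), lag=timedelta(minutes=15)):
    """Return (time, label) pairs where the two sensors disagree."""
    findings = []
    episodes = rise_episodes(co2)
    for start, end in episodes:
        # Presence should precede or accompany a build-up of exhaled CO2.
        if not any(start - lead <= p <= end for p in pir):
            findings.append((start, "co2_rise_without_motion"))
    for p in pir:
        # Sustained presence should show up as a CO2 rise within `lag`.
        if not any(s <= p + lag and p <= e for s, e in episodes):
            findings.append((p, "motion_without_co2_rise"))
    return sorted(findings)

if __name__ == "__main__":
    for when, label in cross_check(CO2, PIR):
        print(when.isoformat(), label)
```

Each label is a lead to examine, not a conclusion: a rise without motion fits a masked PIR sensor, a faulty sensor or a non-human CO₂ source, and motion without a rise fits a non-human heat source or a brief passage.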

Forensic work demands methodology

To draw credible conclusions, investigators need a structured workflow mirroring traditional forensics—seizure and documentation, hardware analysis, data extraction, interpretation and final assessment—yet with an added engineering dimension. Timestamps may be unsynchronised, sampling frequencies too low, and log levels tuned for operations rather than evidence collection. This results in data gaps and creates small time windows that can be exploited by an attacker or someone intent on avoiding detection. The human factor also plays a critical role; cognitive bias, expectations and groupthink can all skew interpretation. NFC’s practice of having two analysts work together helps reduce the risk of premature conclusions.
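The effect of unsynchronised clocks and low sampling rates on a timeline can be made concrete with a short script. This is an added example, not part of the original post: the device names, clock readings and logs are constructed, and it assumes each device clock has a constant offset from the reference clock (drift is ignored).

```python
from datetime import datetime, timedelta

# Constructed example: device clock readings noted at seizure against a
# reference clock, and raw log timestamps as the devices recorded them.
SEIZURE = {  # device -> (device clock, reference clock) at the same instant
    "co2-1": (datetime(2024, 1, 2, 9, 0, 0), datetime(2024, 1, 2, 9, 3, 30)),
    "door-1": (datetime(2024, 1, 2, 9, 4, 10), datetime(2024, 1, 2, 9, 4, 0)),
}
LOGS = {
    "co2-1": [datetime(2024, 1, 1, 22, m) for m in (0, 5, 10, 30, 35)],
    "door-1": [datetime(2024, 1, 1, 22, 31, 0)],
}
EXPECTED = {"co2-1": timedelta(minutes=5)}  # configured sampling interval

def to_reference(device, ts):
    """Shift a device timestamp onto the reference clock (constant offset assumed)."""
    dev_clock, ref_clock = SEIZURE[device]
    return ts + (ref_clock - dev_clock)

def coverage_gaps(device, tolerance=1.5):
    """Intervals on the reference clock where expected samples are missing."""
    limit = EXPECTED[device] * tolerance
    times = [to_reference(device, t) for t in sorted(LOGS[device])]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]

def events_in_gaps(event_device, sampled_device):
    """Events from one device that fall where another device has no data."""
    gaps = coverage_gaps(sampled_device)
    hits = []
    for ts in LOGS[event_device]:
        ref = to_reference(event_device, ts)
        hits += [(ref, gap) for gap in gaps if gap[0] < ref < gap[1]]
    return hits

if __name__ == "__main__":
    for ref, (start, end) in events_in_gaps("door-1", "co2-1"):
        print(f"door event at {ref} falls in CO2 data gap {start} to {end}")
```

On the raw device clocks the door event at 22:31:00 appears to follow the CO₂ sample logged at 22:30; once both logs are placed on the reference clock it falls inside a 20-minute window for which no CO₂ data exists.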

Cyberattacks and hybrid threats reach our buildings

When building automation and IoT systems are connected, the attack surface—and the incentive for malicious activity—increases. Motives range from financial gain and extortion to sabotage and complex hybrid influence where critical infrastructure or production capacity becomes the target. The consequences can include locked-out operations staff, manipulated sensors, or altered indoor environments designed to cause harm or distort forensic data. Preventive measures must therefore combine classical security architecture—segmentation, network separation, patch processes—with operational routines: incident plans, clear responsibility chains and defined procedures for securing logs and artefacts when an intrusion is suspected.

Digital twins and preserving scenarios

Digital twins offer one promising path forward: continuously updated replicas of the building’s state, enabling both attack simulation and the ability to freeze a moment in time during an incident. By combining lidar, GPS, time logs and sensor data, it becomes possible to create a synchronised temporal snapshot that aids reconstruction. Digital twins can also serve as controlled test environments where teams practice attack and defence scenarios without risking production systems. Yet for digital twins to hold forensic value, design choices must prioritise evidence integrity: secure logs, clock synchronisation, higher sampling rates where relevant, and an architecture that supports preservation of snapshot data.

When the building becomes a witness

What makes this field so compelling is the tension between technical potential and practical limitations. Sensor data, when handled correctly, can help investigators understand what actually occurred; but the same data can mislead if systems are fragile or deliberately manipulated. For the IoT sector, this introduces a responsibility: to design solutions that not only optimise operations and energy efficiency but also account for forensic traceability. Our connected buildings expose more signals than ever before, but leveraging them requires knowing how to interpret and preserve them.

Here you can access Johnny’s research.