
The Computer Forensic Tools and Frameworks – Literature Review

Abstract

With the continued advancement of technology, computer forensics has received considerable attention from researchers and practitioners alike. The ever-increasing complexity of contemporary cyberattacks is matched by the growing sophistication of evidence acquisition, which often requires several tools and frameworks. Numerous reviews and examinations of the field have already been published; nevertheless, only a few focus on the latest advances across the different domains of computer forensics. Aiming to fill this gap, I reviewed the current literature in the field, particularly the tools, approaches, and frameworks used in examining digital evidence. This review specifically aims to offer a background on the tools and frameworks that investigators consider when handling potential digital evidence from diverse sources, including operating systems, email, mobile devices, and network and internet systems. Several studies were therefore carefully chosen and analyzed in this paper. The analysis generates insights into the need to create approaches that support the effective management of digital evidence.


Introduction

Computer forensics involves the application of systematic investigatory methods to the collection and examination of digital evidence, typically in support of criminal cases. The field emerged as a discipline in its own right around 2000, as computer-related crime became more common. Since then, the continued advancement of technology has created serious challenges for digital forensic work, leading to new techniques and tools for digital examination. According to Kaur et al. (2016), the use of tools in digital forensics has proved advantageous: tools make dependable visualization and analysis possible while reducing the effort and time an investigation requires. When examining evidence, computer forensic tools interpret the digital sources that contain it by presenting an abstraction of the file system, such that the contents can be examined and traced (Kohn et al., 2013). Although digital forensics initially focused on crimes committed with computers, the area has diversified to encompass many kinds of digital devices, such as smartphones and cameras. Information stored on such devices can be traced, identified, and inspected for evidence of crime. At the same time, advances in technology have caused notable shifts and challenges in the investigation process. Because crimes are now routinely committed using digital technologies, the investigative process must be flexible enough to accommodate unfamiliar, technology-dependent circumstances. Several computer forensic tools and frameworks have been developed to deal with these challenges. This paper therefore presents a state-of-the-art review that addresses the current literature gap regarding computer forensic tools and frameworks.

Problem Statement

Computer forensics is a rapidly developing field that continues to evolve in both research and practice. Most work has been devoted to developing novel tools and frameworks for collecting evidence and intelligence from different sources. Researchers also commit considerable effort to systematic overviews of advances in digital forensics, with focused research questions and evaluation. However, a comprehensive analysis of the tools and frameworks across the different digital forensics domains, such as operating systems, mobile devices, and networks, is still limited. In other words, the current literature mainly focuses on one domain at a time, so issues, approaches, and challenges common to several domains are not identified. Furthermore, research directions that could apply across domains remain unexplored, and the resulting lack of interoperability signals a shortage of adequate research. I maintain that this inadequacy constitutes a serious gap in the existing literature, which this paper aims to fill. To this end, a literature review of digital forensic tools and frameworks is presented that may enable researchers to explore new ideas and offer new solutions to challenges in the field.

Methodology

The research community has seen significant developments in recent decades, especially with the introduction of new publication channels, such as numerous scientific journals, conference proceedings, and open archives, enabling present-day researchers to publish their work in a wide range of venues. New methodological strategies for synthesizing research have been established to keep up with the proliferation of systematic reviews across fields. Conducting state-of-the-art reviews has likewise become a logical way of presenting evidence in domains where a growing number of systematic examinations is available. In this regard, a systematic review of the current literature is presented to help fill the gap regarding computer forensic tools and frameworks, with specific reference to operating systems, email, cell phones and mobile devices, and network and internet systems. An initial search of web-based databases was used to identify databases suited to computer forensics. Of those, four were selected based on relevance to the topic: IEEE Xplore, ScienceDirect, SpringerLink, and the ACM Digital Library. These databases were used to retrieve pertinent journal articles on computer forensics. The exploratory search was originally limited to publications from 2015 onwards, taken here as the year in which computer forensics began to experience substantial growth. However, this yielded only a limited number of journal articles on the topic, so the search span was extended to publications from 2010 onwards. I applied inclusion and exclusion criteria to select relevant literature, and publications that did not meet the criteria were omitted. The keywords used in the search were: "review of digital forensic tools," "computer forensics," "digital forensic frameworks," and "current research on digital forensic." The search queries yielded about 20 relevant publications, which are analyzed in the subsequent section.

Synthesis of the Literature Findings

Computer Forensic Tools

Numerous researchers have examined computer forensic tools. Some of the most prominent tools for operating systems and mobile devices discussed by various studies include EnCase, WinHex, ProDiscover, FTK Imager, and X-Ways. Lee and Soh (2020) describe EnCase as a tool for acquiring forensically sound data and for identifying, analyzing, and reporting on that data in a defensible and repeatable manner. Developed by Guidance Software, EnCase is offered in several product lines, including forensic, endpoint security, eDiscovery, and portable editions, each with its own strengths and drawbacks. The significance of EnCase lies partly in the acceptance of its results by courts of law worldwide (Kohn et al., 2013). Its evidence file format (the E01 format) has become the de facto standard for preserving acquired media, and an EnCase acquisition captures all the available data on the source, whether or not the examiner knows in advance which parts will be relevant. Like most forensic tools, it can expose previously unknown evidence and allows the findings to be reviewed in detail. The tool can parse file systems from Windows, Mac, Linux, Unix, and Solaris media, which broadens the range of sources an examiner can process. Ghazinour et al. (2017) note, however, that examiner privileges must be controlled so that investigators cannot change data without authorization. Customizable reports help decision-makers obtain case-relevant information and document the process followed during the investigation. WinHex is a different kind of forensic tool: a hexadecimal editor that allows users to view, inspect, and edit files and raw disk contents byte by byte. According to Johnson (2014), WinHex can be used in scenarios that require recovering deleted files or data from hard drives or digital camera cards. The same point is made by Lee and Soh (2020), who consider WinHex appropriate for forensics, data recovery, low-level data processing, and information security. However, more research is required on its applicability and effectiveness.
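Deleted-file recovery of the kind attributed above to WinHex, and below to ProDiscover, usually works by signature carving: the tool scans the raw image, allocated and unallocated space alike, for known file headers and footers instead of relying on the file system, whose directory entry for the deleted file is gone. The following Python script is an added example written for this review, not code from the paper or from either product. It builds a small constructed raw image in memory so that it runs offline, carves JPEG files by their start-of-image and end-of-image markers, and handles the common failure mode in which a header has no footer because the file's tail was overwritten after deletion.

```python
"""Signature-based carving of JPEG files from a raw disk image.

Added example for this review; not code from WinHex, ProDiscover or any cited
paper. The raw image is constructed in memory below so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus the first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Scan the whole image (allocated and unallocated space alike) for JPEGs.

    Returns (carved, fragments):
      carved    - list of (offset, length, data) for header+footer matches
      fragments - offsets of headers with no footer before the next header,
                  i.e. files whose tail was overwritten after deletion
    A carved file is cut at the first EOI marker, bounded by max_size, and is
    abandoned if another SOI header appears first (the footer found would then
    belong to the following file, not this one).
    """
    carved: List[Tuple[int, int, bytes]] = []
    fragments: List[int] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        body = start + len(JPEG_SOI)
        end = image.find(JPEG_EOI, body, start + max_size)
        next_header = image.find(JPEG_SOI, body)
        if end == -1 or (next_header != -1 and next_header < end):
            fragments.append(start)
            pos = next_header if next_header != -1 else len(image)
            continue
        end += len(JPEG_EOI)
        carved.append((start, end - start, image[start:end]))
        pos = end
    return carved, fragments


def carve_report(image: bytes) -> Dict[str, object]:
    """Hash every carved file so the recovered artefacts can be documented."""
    carved, fragments = carve_jpegs(image)
    return {
        "files": [
            {"offset": off, "length": n, "sha256": hashlib.sha256(data).hexdigest()}
            for off, n, data in carved
        ],
        "fragments": fragments,
    }


def build_sample_image() -> bytes:
    """Constructed 4 KiB raw image with 512-byte sectors (not a real disk dump).

    Sector 1: an intact minimal 'JPEG' (valid markers, not a viewable picture).
    Sector 3: a deleted file whose footer was overwritten, leaving only a header.
    Sector 5: a second intact 'JPEG'. Everything else is zero-filled.
    """
    sector = 512
    jpeg1 = JPEG_SOI + b"\xe0" + b"JFIF-one" + JPEG_EOI
    orphan = JPEG_SOI + b"\xe0" + b"no-footer-here"
    jpeg2 = JPEG_SOI + b"\xe1" + b"Exif-two" + JPEG_EOI
    img = bytearray(sector * 8)
    img[1 * sector : 1 * sector + len(jpeg1)] = jpeg1
    img[3 * sector : 3 * sector + len(orphan)] = orphan
    img[5 * sector : 5 * sector + len(jpeg2)] = jpeg2
    return bytes(img)


if __name__ == "__main__":
    report = carve_report(build_sample_image())
    for f in report["files"]:
        print(f"carved {f['length']:>4} bytes at offset {f['offset']:>6}  sha256={f['sha256'][:16]}...")
    for off in report["fragments"]:
        print(f"header without footer at offset {off} (partially overwritten file)")
```

On the constructed image the script carves the two intact files at offsets 512 and 2560 and reports the orphaned header at offset 1536 as a fragment rather than merging it with the next file's footer, which a naive header-to-footer scan would do. Real carvers add per-format size limits and content validation for the same reason.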

In a study by Maheswari and Shobana (2021), X-Ways is identified as a general-purpose data recovery and forensic tool, which the authors associate mostly with cell phones and mobile devices. The tool has been used to perform safe recoveries from a wide range of digital devices, with Lee and Soh (2020) stressing its various automated recovery modes and the convenience with which it lets data be recovered. With functions such as RAM and disk imaging and content analysis, X-Ways facilitates the recovery of data and files as well as repeated text searches. When X-Ways is used as a computer forensic tool, Raghavan and Raghavan (2013) note that image files, physical RAM, and the virtual memory of devices are interpreted strictly in read-only mode. Because write protection is built in, using X-Ways in forensics preserves the originality of the data: the tool itself cannot alter the information it examines. A software read-only mode does not replace a hardware write blocker on the source device, however, and examiners should still verify hashes before and after analysis. Kaur et al. (2016) further point out that X-Ways is comparable to ProDiscover, a forensic tool that lets the user locate data on a computer hard drive and produce a high-quality analysis of that data for legal proceedings. Investigators have often used ProDiscover to create forensic images and to examine the evidence they contain in detail. As Ningsih (2018) and Javed et al. (2022) argue in their studies, this tool can also recover deleted files, allowing the storage space of a device to be examined dynamically.

More studies have discussed FTK Imager and the Forensic Toolkit (FTK) it accompanies, prominent computer forensic tools that enable the examiner to assess electronic evidence quickly. As Yates (2010) notes, the tools were developed by AccessData. FTK performs comprehensive indexing and processing of data up front, which facilitates later searching and filtering. When used in forensics, the tools offer integrated features that support the processed data through imaging depth, integrity, analysis, and speed. Sindhu and Meshram (2012) hold that FTK's data-driven design permits the handling and sensible analysis of datasets through its data visualization and processing capacity. Besides processing diverse information, FTK provides registry analysis, file decryption, password cracking, and report management within a single platform, while FTK Imager handles disk imaging through a simple user interface. The resulting images are written to examiner-controlled evidence storage and hashed, so that a later verification hash can show they are unchanged. The problem, as argued by Javed et al. (2022), is the possibility of data being reconstructed or altered by those involved in the forensic process, meaning that perpetrators may affect data integrity before a case is resolved.
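The acquisition workflow shared by EnCase, X-Ways and FTK Imager as described above (open the source read-only, copy it block by block into an image, hash the stream during acquisition, and re-hash the image later to verify it) is shown in the following Python script. This is an added example written for this review, not code from the paper or from any of those products. It uses a temporary file of constructed data as the "device" so it runs offline, and the verification step detects the kind of post-acquisition alteration that the integrity concern above refers to.

```python
"""Raw acquisition with in-line hashing and later verification.

Added example for this review; not code from EnCase, X-Ways or FTK Imager. The
source 'device' is a temporary file of constructed data so the script runs
offline. The steps mirror what those tools do: open the source read-only, copy
it block by block, hash the stream during the copy (acquisition hash), then
re-hash the finished image (verification hash) and compare.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

BLOCK_SIZE = 64 * 1024


def acquire(source_path: str, image_path: str, block_size: int = BLOCK_SIZE) -> Dict[str, object]:
    """Copy source -> image and return the acquisition record (size and hashes)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()  # MD5 kept only because tools report both
    # O_RDONLY is the software side of write protection: this handle cannot modify
    # the source. On a physical drive a hardware write blocker is still used.
    fd = os.open(source_path, os.O_RDONLY)
    copied = 0
    try:
        with open(image_path, "wb") as image:
            while True:
                chunk = os.read(fd, block_size)
                if not chunk:
                    break
                md5.update(chunk)
                sha256.update(chunk)
                image.write(chunk)
                copied += len(chunk)
    finally:
        os.close(fd)
    return {"source": source_path, "image": image_path, "bytes": copied,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """SHA-256 of a file, streamed so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(record: Dict[str, object]) -> bool:
    """Re-hash the image and compare with the hash taken at acquisition time."""
    return hash_file(str(record["image"])) == record["sha256"]


def read_only_handle_rejects_writes(path: str) -> bool:
    """Show that a read-only handle cannot alter the source (the X-Ways style guarantee)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.write(fd, b"x")
    except OSError:
        return True
    finally:
        os.close(fd)
    return False


def demo() -> Tuple[Dict[str, object], bool, bool, bool, str]:
    """End-to-end run on constructed data; returns values a caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "evidence.dd")
        # constructed 'device' contents (~90 KiB, deliberately not a block multiple)
        content = (b"\x55\xaa" + bytes(range(256)) * 3) * 120 + b"trailing sector fragment"
        with open(source, "wb") as f:
            f.write(content)
        record = acquire(source, image)
        ok_before = verify(record)
        with open(image, "r+b") as f:  # simulate later tampering with the image
            f.seek(4321)
            f.write(b"\xff")
        ok_after = verify(record)
        rejected = read_only_handle_rejects_writes(source)
        return record, ok_before, ok_after, rejected, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    rec, before, after, rejected, expected = demo()
    print("acquired", rec["bytes"], "bytes; sha256", rec["sha256"][:16], "...")
    print("verification before tampering:", before, "| after tampering:", after)
    print("read-only handle rejected a write:", rejected)
```

The acquisition hash and the verification hash are the two numbers an examiner records in the chain-of-custody notes; if a single byte of the image changes, as the simulated tampering does, the second verification fails and the image can no longer be presented as a faithful copy.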

In terms of investigating networks and internet systems, the tool that has received considerable attention is Wireshark. Ghazinour et al. (2017), Kaur et al. (2016), and Lee and Soh (2020) define this tool as a network protocol analyzer that captures network packets and displays them at a granular level for real-time or offline analysis. Wireshark lets users put their network traffic under a microscope, filter it, and troubleshoot problems, enhancing network analysis and eventually network security. This application is demonstrated by Lee and Soh (2020) in their comparative analysis of integrated digital forensic tools for digital forensic investigation. According to Maheswari and Shobana (2021), investigators can use Wireshark on remote captures to identify who initiated a network attack and trace their activities; in practice the capture yields the source addresses and timing of the traffic, which is a starting point for attribution rather than proof of identity. In forensics, such a process is vital because it helps identify a suspect so that the investigation can begin (Johnson, 2014). Javed et al. (2022) further highlight that Wireshark can help track the data gathered and determine whether it is adequate for analyzing the network. Wireshark thus performs a distinct function compared with most other forensic tools, which target operating systems and mobile devices.
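What "identifying who initiated a network attack" from a capture looks like in code is shown by the following Python script, an added example written for this review and not Wireshark's code or code from any cited paper. It builds a small constructed pcap in memory (a scanner probing four ports on one host, the host's replies, a completed handshake carrying an HTTP request, and one ordinary client), parses the classic pcap, Ethernet, IPv4 and TCP headers with the standard library only, applies a display-filter-style selection, and attributes connection attempts to the hosts that sent the initial SYN. All addresses, ports and payloads are constructed for the example.

```python
"""Parse a pcap and attribute connection attempts to the host that started them.

Added example for this review; not Wireshark code or code from any cited paper.
The capture is constructed in memory (build_pcap) so the script runs offline;
every address, port and payload in it is made up for the example.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Ethernet II + IPv4 + TCP with zeroed checksums (enough for parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet), one second per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def sample_capture() -> bytes:
    """Constructed scenario: 10.0.0.5 probes 192.168.1.10; 10.0.0.7 is a normal client."""
    victim, scanner, client = "192.168.1.10", "10.0.0.5", "10.0.0.7"
    frames = [build_tcp_frame(scanner, victim, 40000 + i, p, TCP_SYN) for i, p in enumerate((22, 80, 443, 3389))]
    frames += [
        build_tcp_frame(victim, scanner, 22, 40000, TCP_SYN | TCP_ACK),   # port 22 open
        build_tcp_frame(victim, scanner, 80, 40001, TCP_SYN | TCP_ACK),   # port 80 open
        build_tcp_frame(scanner, victim, 40001, 80, TCP_ACK),             # handshake completes
        build_tcp_frame(scanner, victim, 40001, 80, TCP_PSH | TCP_ACK,
                        b"GET /admin HTTP/1.1\r\nHost: victim\r\n\r\n"),
        build_tcp_frame(client, victim, 51000, 80, TCP_SYN),              # unrelated client
    ]
    return build_pcap(frames)


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Ethernet -> IPv4 -> TCP; returns {} for anything else (skipped, not an error)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return {}
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    if proto != 6:
        return {}
    tcp_off = 14 + (ver_ihl & 0x0F) * 4
    sport, dport, _, _, data_off, flags = struct.unpack_from("!HHIIBB", frame, tcp_off)
    payload = frame[tcp_off + (data_off >> 4) * 4 : 14 + total_len]
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": flags, "payload": payload}


def parse_pcap(data: bytes) -> List[Dict[str, object]]:
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off : off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def display_filter(packets, **criteria):
    """Tiny analogue of a Wireshark display filter, e.g. dport=80, has_payload=True."""
    def match(p):
        return all((bool(p["payload"]) == v) if k == "has_payload" else p.get(k) == v
                   for k, v in criteria.items())
    return [p for p in packets if match(p)]


def connection_initiators(packets) -> Dict[str, Set[Tuple[str, int]]]:
    """Map each source IP to the (dst, port) pairs it tried to open.

    The initiator is the side that sends SYN without ACK; SYN+ACK replies are
    responses and must not be counted, or the victim would look like an attacker.
    """
    initiators: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for p in packets:
        if (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            initiators[p["src"]].add((p["dst"], p["dport"]))
    return dict(initiators)


def likely_scanners(initiators, min_ports: int = 3) -> List[str]:
    """Sources that probed at least min_ports distinct ports on a single host."""
    out = []
    for src, targets in initiators.items():
        per_host: Dict[str, Set[int]] = defaultdict(set)
        for dst, port in targets:
            per_host[dst].add(port)
        if any(len(ports) >= min_ports for ports in per_host.values()):
            out.append(src)
    return sorted(out)


if __name__ == "__main__":
    pkts = parse_pcap(sample_capture())
    who = connection_initiators(pkts)
    for src, targets in sorted(who.items()):
        print(f"{src} opened connections to {sorted(targets)}")
    print("likely scanners:", likely_scanners(who))
    for p in display_filter(pkts, dport=80, has_payload=True):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {p['payload'][:20]!r}")
```

The SYN-without-ACK rule is what keeps the victim out of the initiator list even though it sends packets back to the scanner; the same rule underlies the conversation view in Wireshark. The result is still only an address: tying 10.0.0.5 to a person requires DHCP or authentication logs from outside the capture.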

Computer Forensic Frameworks

Besides tools, different computer forensic frameworks have been developed and discussed in past years. However, the style and terminology employed in these frameworks have not been standardized: some models are built around a unique scenario, while others are applied in different areas as high-level case descriptions (Maheswari & Shobana, 2021). In addition, some models are detailed while others are rather general, which creates confusion for forensic personnel when judging the suitability of a model for an investigation. Notably, in the early 2000s, the Integrated Digital Investigation Process (IDIP) was introduced, founded on the techniques and theory of physical crime scene investigation (Ningsih, 2018). The model incorporates both digital and physical evidence in the investigation process. With more than ten sub-phases covering the handling of evidence, IDIP is significant in addressing forensic data. Its fundamental phases are readiness, deployment, physical crime scene investigation, digital crime scene investigation, and review (Garfinkel, 2010). In the readiness phase, infrastructure and operations are checked so that they can fully support an investigation. The deployment phase provides the means of detecting and confirming incidents. The physical and digital crime scene phases proceed together, addressing the digital side of the crime and the physical circumstances surrounding it. The review phase re-examines the investigation and identifies the areas that need improvement, creating a mechanism that examines forensic data efficiently (Elyas et al., 2015).

The Digital Forensics Framework (DFF) is another progressive arrangement of steps, sub-steps, inputs and outputs, requirements, and standards for forensic work. In recent years, the use of internet and network systems in forensics has been found appropriate for identifying and prosecuting offenders (Babun et al., 2019). Investigating network systems proceeds through a defined sequence of scientifically grounded methods of identifying, collecting, preserving, searching, and analyzing data to determine what crime was committed. The DFF has enabled forensic personnel to investigate a crime easily without interfering with the data, becoming the architecture that supports a successful investigation (Maheswari & Shobana, 2021). In a study by Elyas et al. (2014), however, it is recommended that a well-defined framework be created for the digital processing of data so that investigators can conduct an integrated recovery of evidence promptly. Elyas and colleagues argue that a systemic framework for digital forensic readiness allows an organization to structure its investigative capability before an incident occurs. Hence, a proper DFF is required to collect, preserve, and present forensic evidence.



A handful of studies have also emphasized models and the critical aspects of them that enable effective crime investigation. In particular, Le-Khac et al. (2019) discuss the Scientific Crime Investigation Model (SCIM), which focuses on fitting physically acquired evidence into the digital crime investigation. For this model to succeed, it must proceed through distinct phases: recognition, identification, individualization, and reconstruction (Kalaimannan et al., 2013). In the recognition phase, patterns or items that may constitute evidence are documented. In the identification phase, the pieces of evidence are labeled and classified according to their physical, biological, or chemical properties. In the individualization phase, each item is linked to a specific source and associated with patterns of prior events. In the reconstruction phase, the sequence of events is reassembled so that it can be analyzed. Even though these steps refer to a specific part of the forensic process, Horsman (2022) contends that they map onto the examination stage of evidence taken from devices. This means that SCIM provides a systematic, planned way of analyzing evidence digitally from devices such as mobile phones.

Conclusion

There is no doubt that crimes nowadays are committed using digital technologies; thus, investigating these offenses requires an approach flexible enough to accommodate unfamiliar, technology-dependent circumstances. This state-of-the-art review has illuminated the various computer forensic tools and frameworks developed to meet such challenges. It has confirmed that computer forensic practice is advancing continually, allowing crimes to be traced through digital media linked to email, the internet, network systems, operating systems, and cell phones. The analysis presented here is comparative, discussing the evolutionary changes and development of the tools and frameworks. The present age of technological advancement calls for future research to focus on users' privacy and to analyze comprehensively the impact of digital forensics. Besides, since the most discussed forensic tools and frameworks are tied to particular countries and organizations, further research needs to examine their wider applicability. Overall, this review provides provisional findings on the tools and frameworks of computer forensics. Future studies will generate more insight into this topic and enhance understanding of the field.

References

Babun, L., Sikder, A. K., Acar, A., & Uluagac, A. S. (2019). A digital forensics framework for smart settings. Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks. https://doi.org/10.1145/3317549.3326317

Elyas, M., Ahmad, A., Maynard, S. B., & Lonie, A. (2015). Digital forensic readiness: Expert perspectives on a theoretical framework. Computers & Security, 52, 70-89. https://doi.org/10.1016/j.cose.2015.04.003

Elyas, M., Maynard, S. B., Ahmad, A., & Lonie, A. (2014). Towards a systemic framework for digital forensic readiness. Journal of Computer Information Systems, 54(3), 97-105. https://doi.org/10.1080/08874417.2014.11645708

Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73. https://doi.org/10.1016/j.diin.2010.05.009

Ghazinour, K., Vakharia, D. M., Kannaji, K. C., & Satyakumar, R. (2017). A study on digital forensic tools. 2017 IEEE International Conference on Power, Control, Signals and Instrumentation Engineering (ICPCSI). https://doi.org/10.1109/icpcsi.2017.8392304

Horsman, G. (2022). Defining principles for preserving privacy in digital forensic examinations. Forensic Science International: Digital Investigation, 40, 301350. https://doi.org/10.1016/j.fsidi.2022.301350

Javed, A. R., Ahmed, W., Alazab, M., Jalil, Z., Kifayat, K., & Gadekallu, T. R. (2022). A comprehensive survey on computer forensics: State-of-the-art, tools, techniques, challenges, and future directions. IEEE Access, 10, 11065-11089. https://doi.org/10.1109/access.2022.3142508

Johnson, L. R. (2014). Forensics tools. Computer Incident Response and Forensics Team Management, 145-165. https://doi.org/10.1016/b978-1-59749-996-5.00014-5

Kalaimannan, E., Gupta, J. N., & Yoo, S. (2013). Maximizing investigation effectiveness in digital forensic cases. 2013 International Conference on Social Computing. https://doi.org/10.1109/socialcom.2013.93

Kaur, M., Kaur, N., & Khurana, S. (2016). A literature review on cyber forensic and its analysis tools. IJARCCE, 5(1), 23-28. https://doi.org/10.17148/ijarcce.2016.5106

Kohn, M., Eloff, M., & Eloff, J. (2013). Integrated digital forensic process model. Computers & Security, 38, 103-115. https://doi.org/10.1016/j.cose.2013.05.001

Lee, J., & Soh, W. (2020). Comparative analysis on integrated digital forensic tools for digital forensic investigation. IOP Conference Series: Materials Science and Engineering, 834(1), 012034. https://doi.org/10.1088/1757-899x/834/1/012034

Le-Khac, N., Plunkett, J., Kechadi, M., & Chen, L. (2019). Digital forensic process and model in the cloud. Security, Privacy, and Digital Forensics in the Cloud, 239-255. https://doi.org/10.1002/9781119053385.ch12

Maheswari, K. U., & Shobana, G. (2021). The state of the art tools and techniques for remote digital forensic investigations. 2021 3rd International Conference on Signal Processing and Communication (ICPSC). https://doi.org/10.1109/icspc51351.2021.9451718

Martini, B., & Choo, K. R. (2012). An integrated conceptual digital forensic framework for cloud computing. Digital Investigation, 9(2), 71-80. https://doi.org/10.1016/j.diin.2012.07.001

Ningsih, S. (2018). Digital forensics workflow as a mapping model for people, evidence, and process in digital investigation. International Journal of Cyber-Security and Digital Forensics, 7(3), 294-304. https://doi.org/10.17781/p002463

Raghavan, S., & Raghavan, S. V. (2013). A study of forensic & analysis tools. 2013 8th International Workshop on Systematic Approaches to Digital Forensics Engineering (SADFE). https://doi.org/10.1109/sadfe.2013.6911540

Sindhu, K. K., & Meshram, B. B. (2012). Digital forensic investigation tools and procedures. International Journal of Computer Network and Information Security, 4(4), 39-48. https://doi.org/10.5815/ijcnis.2012.04.05

Yates, M. (2010). Practical investigations of digital forensics tools for mobile devices. 2010 Information Security Curriculum Development Conference (InfoSecCD '10). https://doi.org/10.1145/1940941.1940972
