Abstract
With the continued advancement of technology, computer forensics has received considerable
attention from researchers and experts alike. The ever-increasing complexity of contemporary
cyberattacks is directly associated with the sophistication of evidence acquisition, which often
requires several tools and frameworks. So far, numerous researchers have presented many
reviews and examinations on the field. Nevertheless, only a few studies focus on the latest
advances in different domains of computer forensics. Aiming to fill this gap, I reviewed the
current literature in the field of computer forensics, particularly about tools, approaches, and
frameworks used in examining digital evidence. This review specifically aims to offer a
background of relevant tools and frameworks that investigators consider to handle potentially
digital evidence from diverse web contexts. Therefore, several studies have been carefully
chosen and analyzed in this paper. The analysis will generate significant insights into the need to
Introduction
solving criminal cases. The field was established as an independent discipline in 2000, once
technology had created severe issues in the digital forensic field, leading to new techniques and
tools used in digital examination. According to Kaur et al. (2016), using tools in digital
forensics has proved advantageous: tools make dependable visualization and analysis possible
while lessening the effort and time of the investigation. When examining evidence, digital
sources containing evidence are interpreted using computer forensic tools, which offer an
abstraction of the file system over the digital sources of evidence so that the contents can be
examined and traced (Kohn et al., 2013). Although the focus of digital forensics was initially
on investigating crimes executed through computers, the area has now diversified to encompass
multiple digital devices such as smartphones and cameras. Information contained in such devices
can be traced, identified, and inspected for evidence of crime facilitation. Advanced
technologies have led to notable shifts and challenges during the
investigation processes. Because crimes nowadays are done using digital technologies, the
process of investigating should be unique and dynamic enough to revolve around the unfamiliar
occurrences related to crime. Several computer forensic tools and frameworks have been
developed to deal with such challenges and advanced technology. As such, this paper presents a
state-of-the-art review and fills the current literature gap regarding computer tools and
frameworks.
Problem Statement
Computer forensics is a rapidly developing field that continues to evolve in research and
practice. Most works have been devoted to developing novel tools and frameworks to collect
evidence and intelligence from different sources. At the moment, investigators commit
focused research and evaluation. However, a comprehensive analysis of the tools and
frameworks of the different digital forensics domains – such as operating systems, mobile
devices, and networks – is still limited. In other words, the current literature mainly focuses on a
particular domain; thus, common issues, approaches, and challenges of other domains are not
identified. Furthermore, research directions that could be used in most domains remain
unexplored, lacking interoperability and signifying a lack of adequate research. I maintain that
such inadequacy generates a serious gap in the existing literature and aim to fill it in this paper.
To this end, this paper presents a literature review on digital forensic tools and frameworks
that may enable researchers to explore new ideas and offer new solutions to challenges in the field.
Methodology
The research community has witnessed significant developments in recent decades,
especially with the introduction of new publication channels, such as numerous scientific
journals, conference proceedings, and open archives, enabling present-day researchers to publish
their work in a wide range of venues. New methodological strategies for synthesizing research
have been established to keep up with the proliferation of systematic reviews across fields. In
this regard, a detailed systematic review of the current literature is presented to help fill the gap
regarding computer forensic tools and frameworks, with specific reference to operating systems,
email, cell phones and mobile devices, and network and internet systems. I used an initial search
Of the recommended databases, suitable databases were selected based on relevance to the topic:
IEEEXplore, ScienceDirect, SpringerLink, and ACM Digital Library. These databases were used
to retrieve pertinent journal articles on computer forensics. The analytical exploratory search was
originally limited to publications from 2015 onwards because that was the year computer
forensics began to experience substantial growth. However, this yielded a limited number of
journal articles relating to the topic. The search span was extended to publications from 2010 and
onwards. I applied inclusion and exclusion criteria to yield relevant literature. Those publications
that did not meet the criteria were omitted. The keywords used in the search include: “review of
digital forensic tools,” “computer forensics,” “digital forensic frameworks,” and “current
research on digital forensic.” It is worth noting that the search queries generated about 20
Numerous researchers have examined computer forensic tools. Some of the most
prominent forensic tools for operating systems and mobile devices discussed by various studies
include EnCase, WinHex, ProDiscover, FTK Imager, and X-Ways. Lee and Soh (2020) discussed
EnCase, emphasizing that it is used to conduct critical, forensically sound data collection and to
identify, analyze, and report information defensibly and repeatably. Created by Guidance
Software, EnCase is offered in different forms: as a forensic tool, a security panel, an eDiscovery
element, and a portable device. All these products have their strong points and drawbacks. The
significance of EnCase lies in its acceptance by courts of law globally for its digital media
capability (Kohn et al., 2013). By using the de facto file format to preserve crime-related
evidence, EnCase helps the examiner capture all the available data, whether predictable or
unpredictable. Besides, like most forensic tools, it can expose unknown evidence and lets the
examiner review the findings in detail. The tool is available for different operating systems, such
as Mac, Linux, Windows, Unix, and Solaris, to support diverse investigations. However,
Ghazinour et al. (2017) note that examiner privileges are required to prevent investigating bodies
from changing data without authorization. In addition, a customized report helps decision-
makers develop information relevant to the case and generate detailed reports that document
the process used during the investigation. Although different from EnCase, WinHex is another
forensic tool that allows users to view, inspect, and edit pertinent files in hexadecimal format.
According to Johnson (2014), WinHex can be used in scenarios that require recovering deleted
files or data from hard drives or digital camera cards. The same point is highlighted by Lee and
Soh (2020), who assert that WinHex is appropriate in situations involving
forensics, data recovery, low-level data processing, and information security. However, more
purpose data recovery tool mostly used on cell phones and mobile devices. This tool has been
used to perform safe recoveries on any digital device, with Lee and Soh (2020) stressing its
incorporation of various automated recovery modes and its capacity to allow the convenient
recovery of data. With its all-purpose functionalities, such as RAM testing and disk imaging
content analysis, X-Ways facilitates the recovery of data and files and even supports frequent
text searches. When X-Ways is used as a computer forensic tool, Raghavan and Raghavan (2013)
insist that image files, physical RAM, and the virtual memory of devices are interpreted strictly in
read-only mode. With write protection built in, using X-Ways in forensics preserves the
originality of the data because no one can alter the contained information. Kaur et al. (2016)
further point out that X-Ways is very similar to ProDiscover, a forensic tool that enables the user
to locate data on a computer hard drive and generate a high-quality analysis of the data for any
legal action. Investigators have often used ProDiscover to create forensic images that allow
detailed analysis of the existing evidence. As Ningsih (2018) and Javed et al. (2022) argue in
their studies, this tool can also recover deleted files, dynamically allowing examination of the
More studies have discussed FTK Imager, a prominent computer forensic tool that
enables the user to assess the electronic evidence in question quickly. As noted by Yates
(2010), the uniqueness of this tool lies in its development around access to data through network
and internet systems. This way, it can offer comprehensive indexing and data processing up front,
facilitating the searching and filtering of data. When used in forensics, FTK Imager offers
integrated and innovative features that support the processed data through its imaging depth,
integrity, analysis, and speed. Sindhu and Meshram (2012) believe that the data-driven nature of
information in FTK permits the handling and sensible analysis of datasets through its data
visualization and processing capacity. Beyond its capacity to process diversified information,
FTK Imager enables registry analysis, file decryption, password cracking, and report
management within a single platform. FTK Imager analysis also entails disk image creation, a
simple forensic mechanism with a practical user interface. The resulting images are saved on a
protected drive. However, the problem with FTK Imager, as argued by Javed et al. (2022), is the
reconstruction of data by those involved in forensics. This means that perpetrators may influence
data integrity before the cases are solved.
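The read-only handling attributed to X-Ways and the data-integrity concern raised about FTK Imager come down to one question: can the examiner prove that the image being examined is the image that was acquired? The following Python script is an added example, not code from the paper or from any of the tools it reviews. It assumes the common practice, which the paper does not describe, of recording cryptographic digests of the image at acquisition time and re-verifying them before each examination; the image contents and the JSON custody record are constructed for the demonstration.

```python
"""Evidence image integrity check (added example; image bytes and custody
record format are constructed for the demo, not taken from any tool)."""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass

CHUNK = 1 << 20  # hash in 1 MiB chunks: real images are far larger than memory


def hash_file(path: str, algo: str) -> str:
    """Digest a file opened strictly read-only; the examiner never opens evidence for writing."""
    digest = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class AcquisitionRecord:
    """Constructed custody record: what was hashed and the digests at acquisition time."""
    image: str
    size: int
    sha256: str
    md5: str  # a second, independent digest; MD5 alone is too weak to rely on


def acquire(path: str) -> AcquisitionRecord:
    return AcquisitionRecord(
        image=os.path.basename(path),
        size=os.path.getsize(path),
        sha256=hash_file(path, "sha256"),
        md5=hash_file(path, "md5"),
    )


def save_record(record: AcquisitionRecord, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(asdict(record), fh, indent=2)


def load_record(path: str) -> AcquisitionRecord:
    with open(path, encoding="utf-8") as fh:
        return AcquisitionRecord(**json.load(fh))


def verify(path: str, record: AcquisitionRecord) -> dict:
    """Return one boolean per check; any False means the image can no longer be trusted."""
    return {
        "size": os.path.getsize(path) == record.size,
        "sha256": hash_file(path, "sha256") == record.sha256,
        "md5": hash_file(path, "md5") == record.md5,
    }


def demo() -> tuple:
    """Acquire a constructed image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "disk.dd")
        record_path = image + ".json"
        # Constructed stand-in for a raw disk image: a boot-sector-like block plus filler.
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 510 + b"\x55\xaa" + bytes(range(256)) * 16)
        save_record(acquire(image), record_path)
        record = load_record(record_path)
        before = verify(image, record)
        # Simulated post-acquisition modification: one byte overwritten in place,
        # which leaves the file size unchanged but breaks both digests.
        with open(image, "r+b") as fh:
            fh.seek(1024)
            fh.write(b"\xff")
        after = verify(image, record)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at acquisition:", before)
    print("after modification:", after)
```

The size check passes both times, which is the point of the demonstration: a same-size, in-place change is invisible to anything but the digests, so the custody record must carry the hashes, not just the byte count.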
In terms of investigating networks and internet systems, the tool that has received
considerable attention is Wireshark. Ghazinour et al. (2017), Kaur et al. (2016), and Lee and Soh
(2020) define this tool as a network protocol analyzer that captures network packets and displays
them at a granular level for real-time or offline analysis. Wireshark lets users put their network
traffic under a microscope, filtering it and troubleshooting problems, enhancing network analysis
and eventually network security. This application is demonstrated by Lee and Soh (2020) in their
study involving comparative analysis of integrated digital forensic tools for digital forensic
investigation. According to Maheswari and Shobana (2021), investigators can use Wireshark
remotely to identify who initiated a network attack and trace their activities. In forensics, such a
process is vital as it helps identify a perpetrator for the investigation to begin (Johnson, 2014).
Javed et al. (2022) further highlight that Wireshark can help track the data gathered and
determine whether the data are adequate to analyze the network. The tool performs a different and
distinctive function compared to most other forensic tools, which are based on
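To make the capture-and-filter behaviour attributed to Wireshark concrete, the following Python script is an added example, not code from the paper and not Wireshark's own code. It decodes a classic pcap file packet by packet down to the transport ports and applies a small subset of Wireshark's display-filter syntax (`field == value`, `field != value`, joined by `and`); the field names are borrowed from Wireshark, the capture bytes are constructed inline with struct, and checksums are left at zero and not verified.

```python
"""Minimal pcap decoder with a Wireshark-like display filter (added example,
not code from the reviewed paper or from Wireshark; capture bytes constructed)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    ts: float             # capture timestamp, seconds
    src: str              # IPv4 source address
    dst: str              # IPv4 destination address
    proto: int            # IPv4 protocol number: 6 = TCP, 17 = UDP
    sport: Optional[int]  # transport ports, None for other protocols
    dport: Optional[int]
    length: int           # original frame length on the wire

def parse_pcap(data: bytes) -> List[Packet]:
    """Decode a classic pcap (not pcapng) with Ethernet link type into Packet records."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"  # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"  # big-endian writer
    else:
        raise ValueError("not a pcap file (bad magic)")
    if struct.unpack(end + "HHiIII", data[4:24])[5] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("unsupported link type")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # only IPv4 over Ethernet is decoded here
        l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport = dport = None
        if proto in (6, 17) and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        packets.append(Packet(ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport, orig_len))
    return packets

# Filter fields (names borrowed from Wireshark); a getter returns None when absent.
_FIELDS = {
    "ip.src": lambda p: p.src,
    "ip.dst": lambda p: p.dst,
    "tcp.srcport": lambda p: str(p.sport) if p.proto == 6 else None,
    "tcp.dstport": lambda p: str(p.dport) if p.proto == 6 else None,
    "udp.dstport": lambda p: str(p.dport) if p.proto == 17 else None,
}

def display_filter(packets: List[Packet], expr: str) -> List[Packet]:
    """Keep packets matching every clause of 'field == value [and field != value ...]'."""
    clauses = []
    for clause in expr.split(" and "):
        parts = clause.split()
        if len(parts) != 3 or parts[1] not in ("==", "!=") or parts[0] not in _FIELDS:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        clauses.append((_FIELDS[parts[0]], parts[1] == "==", parts[2]))

    def matches(p: Packet) -> bool:
        for getter, want_equal, value in clauses:
            actual = getter(p)
            if actual is None or (actual == value) != want_equal:
                return False  # an absent field never satisfies a clause
        return True

    return [p for p in packets if matches(p)]

def build_frame(src, dst, proto, sport, dport, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums left zero (not verified above)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + l4

def build_pcap(frames: List[bytes], start_ts: int = 1700000000) -> bytes:
    records = (struct.pack("<IIII", start_ts + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

# Constructed sample: an HTTP request and reply, a DNS query, and a TLS connection attempt.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "203.0.113.10", 6, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("203.0.113.10", "10.0.0.5", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 17, 53001, 53, b"\x00" * 12),
    build_frame("10.0.0.7", "203.0.113.10", 6, 52000, 443),
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for p in display_filter(pkts, "ip.dst == 203.0.113.10 and tcp.dstport == 80"):
        print(f"{p.ts:.6f} {p.src}:{p.sport} -> {p.dst}:{p.dport} len={p.length}")
```

Run as a script, the filter `ip.dst == 203.0.113.10 and tcp.dstport == 80` returns only the constructed HTTP request; the reply, the DNS query and the TLS attempt drop out because a clause does not match or the field is absent from the packet, which is the granular, per-field selection the text credits Wireshark with.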
Besides tools, different computer forensic frameworks have been developed and
discussed in the past years. However, the style and terminologies employed in these forensic
frameworks have not been standardized, with some models bearing a unique scenario and others
addition, various models are detailed while others are somewhat general, creating confusion for
forensic personnel when choosing the suitability and appropriateness of the model during the
investigation process. Notably, in early 2000, the Integrated Digital Investigation Process (IDIP)
was introduced, founded on the techniques and theories of physical forensic procedures (Ningsih,
2018). The model incorporates both digital and physical evidence during the investigation process.
With more than ten sub-phases for the generalization of evidence, IDIP is significant in
addressing forensic data. The fundamental phases include readiness, deployment, digital crime
scene, physical crime scene, and assessment (Garfinkel, 2010). Infrastructure and operations are
checked for full investigation support in the initial phase. The second phase, deployment,
entails providing ways of detecting and confirming incidents. The physical and digital crime
scene phases occur progressively, focusing on the digital side of the crime and the physical
aspects triggering the crime events. The last phase entails rechecking and identifying possible
areas that need improvement, creating a mechanism that efficiently examines forensic data
(Elyas et al., 2015).
The Digital Forensics Framework (DFF) is another progressive mechanism of steps, sub-steps,
outputs and inputs, needs, and standards in forensics. In recent years, the use of the internet
and network systems in forensics has been found appropriate for identifying and prosecuting
offenders (Babun et al., 2019). Investigating using network systems occurs through a
searching, and analyzing data to determine the crime done. The DFF has enabled forensic
personnel to investigate a crime easily without interfering with data, becoming the architecture
that supports successful investigation (Maheswari & Shobana, 2021). However, in a study
conducted by Elyas et al. (2014), it is recommended that a well-defined framework be created for
the digital processing of data so that investigators can conduct an integrated crime recovery
promptly. Elyas and colleagues believe that restructuring the investigation becomes a simulating
aspect of a framework that necessitates digital forensics. Hence, a proper DFF is required to collect, preserve, and
A handful of studies have also emphasized the models and respective critical aspects that
enable effective crime investigation. In particular, Le-Khac et al. (2019) discuss the
Scientific Crime Investigation Model (SCIM), which focuses on physically acquired evidence
fitting into the digital crime investigation scene. For this model to be successful, it should occur
information (Kalaimannan et al., 2013). In the initial phase of recognizing data, corrupt patterns
or items are documented as the only evidence. In the next phase of identifying data, the different
pieces of evidence are labeled and classified based on their chemical, biological, and physical
damage. In the third phase, the evidence is individualized and associated with similar patterns of
prior events. In the last phase, the sequence of events is constructed to be analyzed at the end.
Even if these steps refer to a specific part of the investigation process in forensics, Horsman
(2022) contended that they are based on the investigation stage of evidence using devices. This
means that SCIM focuses on a systematic and strategized way of analyzing evidence digitally with
Conclusion
There is no doubt that crimes nowadays are done using digital technologies; thus,
investigating these offenses should be unique and dynamic enough to revolve around the
unfamiliar occurrences related to crime. This state-of-the-art review illuminated the various
computer forensic tools and frameworks developed to face such challenges. The review has
confirmed that computer forensic practices are advancing every day, allowing tracing of crimes
using digital media linked to emails, the internet, network systems, operating systems, and cell
phones. The in-depth analysis presented in this review is comparative, discussing the
evolutionary changes and development. The existing age of technology advancement calls for
future research to focus on users' privacy and comprehensively analyze the impact of digital
forensics. Besides, since the most discussed forensic tools and frameworks are country-based and
organization-based, further research needs to expound on their applicability. Overall, this review
provides provisional findings on the tools and frameworks used in computer forensics. Future
studies will help generate more insights into this topic and enhance understanding of computer
forensics.
References
Babun, L., Sikder, A. K., Acar, A., & Uluagac, A. S. (2019). A digital forensics framework for
smart settings. Proceedings of the 12th Conference on Security and Privacy in Wireless
Elyas, M., Ahmad, A., Maynard, S. B., & Lonie, A. (2015). Digital forensic readiness: Expert
https://doi.org/10.1016/j.cose.2015.04.003
Elyas, M., Maynard, S. B., Ahmad, A., & Lonie, A. (2014). Towards a systemic framework for
https://doi.org/10.1080/08874417.2014.11645708
Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7,
S64-S73. https://doi.org/10.1016/j.diin.2010.05.009
forensic tools. 2017 IEEE International Conference on Power, Control, Signals and
Horsman, G. (2022). Defining principles for preserving privacy in digital forensic examinations.
https://doi.org/10.1016/j.fsidi.2022.301350
https://doi.org/10.1109/access.2022.3142508
Management, 145-165. https://doi.org/10.1016/b978-1-59749-996-5.00014-5
https://doi.org/10.1109/socialcom.2013.93
Kaur, M., Kaur, N., & Khurana, S. (2016). A literature review on cyber forensic and its analysis
Kohn, M., Eloff, M., & Eloff, J. (2013). Integrated digital forensic process model. Computers &
Lee, J., & Soh, W. (2020). Comparative analysis on integrated digital forensic tools for digital
Le-Khac, N., Plunkett, J., Kechadi, M., & Chen, L. (2019). Digital forensic process and model in
the cloud. Security, Privacy, and Digital Forensics in the Cloud, 239-255.
https://doi.org/10.1002/9781119053385.ch12
Maheswari, K. U., & Shobana, G. (2021). The state of the art tools and techniques for remote
Martini, B., & Choo, K. R. (2012). An integrated conceptual digital forensic framework for
https://doi.org/10.1016/j.diin.2012.07.001
Ningsih, S. (2018). Digital forensics workflow as a mapping model for people, evidence, and
Raghavan, S., & Raghavan, S. V. (2013). A study of forensic & analysis tools. 2013 8th
(SADFE). https://doi.org/10.1109/sadfe.2013.6911540
Sindhu, K. K., & Meshram, B. B. (2012). Digital forensic investigation tools and procedures.
https://doi.org/10.5815/ijcnis.2012.04.05
Yates, M. (2010). Practical investigations of digital forensics tools for mobile devices. 2010
https://doi.org/10.1145/1940941.1940972