Digital Forensics and Cyber Forensics Investigation: Security Challenges, Limitations, Open Issues, and Future Direction

Article in International Journal of Electronic Security and Digital Forensics · October 2021
DOI: 10.1504/ijesdf.2022.10037882



124 Int. J. Electronic Security and Digital Forensics, Vol. 14, No. 2, 2022

Digital forensics and cyber forensics investigation: security challenges, limitations, open issues, and future direction

Abdullah Ayub Khan*
Faculty of Computer Science,
Sindh Madressatul Islam University,
Karachi, Sindh, Pakistan
and
Faculty of Computing Science and Information Technology,
Benazir Bhutto Shaheed University Lyari,
Karachi, Sindh, Pakistan
Email: [email protected]
*Corresponding author

Aftab Ahmed Shaikh and Asif Ali Laghari
Faculty of Computer Science,
Sindh Madressatul Islam University,
Karachi, Sindh, Pakistan
Email: [email protected]
Email: [email protected]

Mazhar Ali Dootio
Faculty of Computing Science and Information Technology,
Benazir Bhutto Shaheed University Lyari,
Karachi, Sindh, Pakistan
Email: [email protected]

M. Malook Rind
Faculty of Computer Science,
Sindh Madressatul Islam University,
Karachi, Sindh, Pakistan
Email: [email protected]

Shafique Ahmed Awan
Faculty of Computing Science and Information Technology,
Benazir Bhutto Shaheed University Lyari,
Karachi, Sindh, Pakistan
Email: [email protected]

Copyright © 2022 Inderscience Enterprises Ltd.



Abstract: Digital forensics (DF) is the scientific investigation of digital criminal activities, illegal attempts, and cyber-attacks through computer systems. It is becoming a crucial aspect for law enforcement agencies, courts of law, and business firms to identify, preserve, examine, and analyse digital evidence using proven and efficient techniques for the eventual demonstration of evidence that helps to take further action. This review paper explores the different methodologies and frameworks related to digital forensics investigation and incident response, and explains the impact of forgery and tampering on the evidence chain-of-custody. Moreover, we highlight a list of popular investigation tools along with their features in terms of distinct prospects. Finally, we have evaluated and examined various applications, implementation research challenges, and limitations. The open research areas and future directions that need attention for a better and more efficient digital investigation are also addressed.
Keywords: digital forensics; computer forensics; scientific investigation;
digital crime; forgery investigation; cybersecurity; information security;
malicious attacks.
Reference to this paper should be made as follows: Khan, A.A., Shaikh, A.A.,
Laghari, A.A., Dootio, M.A., Rind, M.M. and Awan, S.A. (2022) ‘Digital
forensics and cyber forensics investigation: security challenges, limitations,
open issues, and future direction’, Int. J. Electronic Security and Digital
Forensics, Vol. 14, No. 2, pp.124–150.
Biographical notes: Abdullah Ayub Khan is a PhD research scholar in the Department of Computer Science, Sindh Madressatul Islam University, Karachi. He completed his graduation from Benazir Bhutto Shaheed University Lyari, Karachi, in the field of computing and information technology (December 2015). After graduation, he enrolled in the Master/MPhil programme at the Faculty of Information Technology (January 2017) of Sindh Madressatul Islam University, Karachi, and completed his degree in computer science (December 2018). He has more than ten research publications in well-reputed journals in the domains of digital forensics, cloud computing, network security, blockchain and artificial intelligence. He has also worked as a Lecturer at the Faculty of Computing Science and Information Technology, Benazir Bhutto Shaheed University Lyari, Karachi (from 2017 to 2021).

Aftab Ahmed Shaikh earned his Doctorate degree in Computer Application and Technology from Beijing University of Aeronautics and Astronautics (BUAA) in 2010. He has more than 18 years of professional experience in teaching and research in different countries including Pakistan, China and Oman. He is associated with a number of reputable research communities and editorial boards. He has published several research articles in reputable international journals and conference proceedings. He has supervised several dissertations and projects and leads a research group on computational intelligence (CI).

Asif Ali Laghari earned his PhD in Computer Science and Technology from Harbin Institute of Technology (HIT), China in 2019. He is the author of over 55 research articles in HEC-recognised and impact-factor journals and conferences, and of two book chapters of international repute. His research interests include cloud computing, quality of experience, multimedia streaming, fog computing and social networking.

Mazhar Ali Dootio earned his Doctorate degree in Natural Language Processing and Linguistics from ZABIST Karachi in 2019. He has more than ten years of teaching and research experience. He is serving as in-charge/HoD of the Faculty of Computing Science and Information Technology, Benazir Bhutto Shaheed University Lyari, Karachi. He has a number of research publications in international, local, and community-based well-reputed journals.

M. Malook Rind is a Professor in the Computer Science Department at Sindh Madressatul Islam University (SMIU), Karachi, Pakistan. He earned his PhD in Information Technology (IT) from International Islamic University Malaysia. He has more than 18 years of diversified industry, teaching and research experience. He is the author of one book and has over 40 published articles in various ISI, Scopus and IEEE recognised journals and international conferences. His research interests include data communication networks, software-defined networking, electronic and mobile commerce, network security, pervasive computing, cloud computing, social networking and information systems.

Shafique Ahmed Awan earned his PhD degree in Image Processing IT from Quaid-e-Awam University of Engineering and Technology, Nawabshah. He earned his MS in Information Technology from NED University of Engineering and Technology. He has more than 12 years of teaching experience in government universities. He has more than 16 publications in national and international journals.

1 Introduction

Digital forensics (DF) is the newest and fastest-growing innovation in the field of computer investigation. The technology allows state and federal government law enforcement departments to examine and analyse illegal criminal activities (Garfinkel, 2010). The concept of forensics on stored data was coined in the early 1970s to 1980s; the area gained more attention in that era because agents had long worked to seize, retain, and analyse suspects' documentation, and manual documentation takes far longer than analysis on computer systems. In 1984, the Federal Bureau of Investigation (FBI) launched the ‘magnet media program’; this was the first official DF program at a federal agency, mainly used to tackle suspicious activities in the cyber environment.
Nowadays, more than 50% of the world population lives in urban areas and the ratio is expected to grow because the population increases rapidly and migrates towards the urban areas (Baig et al., 2017). Modern societies rely on cutting-edge information technology such as communication networks, cloud services, cybersecurity, the internet of things (IoT), and ubiquitous and mobile appliances; these technological services are used to manage overall business transactions, commercial as well as governmental growth activities, and individual lifestyle transformation (Caviglione et al., 2017). No doubt, the mentioned technology provides many benefits; however, at the same time the impact of cybercrime is at its peak, and several new threats have evolved in the past few years, namely spoofing, identity theft, cyberbullying, malicious attackers, malware, distributed denial of service (DDoS), zombies, and data leakage exploitation. The consequences of cyber-attacks have a major brunt at both governmental and individual levels. Therefore, DF becomes essential for protecting evidence from attacks or securing evidence against forgery, and makes it possible to present it in the courtroom.
Over the past couple of decades, the framework of DF has improved day by day. The emerging diversity in crime investigation needs sophisticated improvement that enhances the analysis of digital investigation; the framework structure is adapted according to the distinct crimes committed, for example from early computer systems to mobile devices and storage devices, with changes made according to the crime committed over time (Agarwal and Kothari, 2015). Pollitt (1995) proposed the first-ever official framework in 1995, mainly divided into four steps: acquisition, identification, evaluation, and admission. The proposed framework did not fit the generalised form of evidence investigation; it only allowed for the physical, logical, and legal context. Farmer and Venema (1999) added steps to the previous framework, changes necessary for the improvement of generalising crime investigation:
1 ‘secure and isolate’
2 ‘record the scene’.
Their model is only available on the UNIX platform.
After a few more variations in the following decade, Ciardhuain (2004) gave a new direction to the investigation process, which starts with awareness, authorisation, planning, notification, identification, search, collection, transport, storage, examination, hypotheses, presentation, proof, defence, and dissemination; until now this framework is considered to be the complete model.
Carrier and Spafford (2003) modified the integrated digital investigation model by introducing two phases, trace back and dynamite. This modification allows the two phases to run simultaneously for the criminal investigation process without any hindrance, like an iterative model (Baryamureeba and Tushabe, 2014). Moreover, Cohen (2010) suggests an appropriate model with seven phases: identification, collection, transportation, storage, examination, presentation, and destruction; this is the perfect framework for digital evidence investigation across the overall crime scene. For cyber-fraud, Agarwal et al. (2011) proposed 11 phases to investigate fraud detection in a network environment, quite useful for tracking fraud; however, the drawback is that the model is restricted to the domain of cybersecurity. Smartphone investigation is an emerging information technology in the field of DF, and frameworks for smartphone investigation have been a hot topic in recent years: Ruuhwan et al. (2017) developed a soft system methodology (SSM) that aims to evaluate the conceptual model against real activity on a smartphone. WhatsApp is a well-known communication application used throughout the world. The phases of the WhatsApp application framework for crime evidence investigation are the same as in the integrated DF investigation version 2; the model is mainly divided into four stages, namely preparation, case place event, examination, and report generation (Actoriano and Riadi, 2018). Furthermore, Hossain et al. (2018) state the importance of FIF-IoT, a forensics investigation framework for IoT-based and cloud-based devices. Approximately two decades have passed, and DF is still one of the focused research areas for all researchers because of rising challenges, limitations, and several unfilled gaps that should be filled by researchers in the future.
At this stage, the process of DF contains five steps:
1 identification
2 preservation
3 analysis
4 documentation
5 presentation (Garfinkel, 2010).
With these advances, DF appears as a healthy field with clear objectives. Computer-based or smartphone-based digital evidence investigation of a crime scene is only possible through DF: gather a huge number of records, analyse them by applying tools and techniques, preserve the material on a storage device, and present it as evidence in a court of law. Here we highlight the main objectives of the field, which are described below:
 identify forgery in a piece of evidence and, if it occurred, the strategy to follow to prevent it; recover, examine, and analyse cyber-attacks in a cloud environment
 find the motive behind the attempted crime and identify the main culprit
 recover deleted files and partitions from the digital media to extract and validate evidence
 store the suspect crime scene without corrupting digital evidence, in short, reliability
 quickly identify and estimate the impact of the crime on the victim
 preserve evidence in custody
 generate a criminal investigation report easily.
This paper addresses the importance of DF and cutting-edge information, and explains how DF is utilised in forgery and digital criminal investigation. This survey provides details about the types of tools and applications, online available datasets, and techniques. Limitations of previous work and challenges for future work are also discussed. Furthermore, this research identifies and discusses a set of open research issues yet to be addressed for efficiently applying DF in cybercrime and forgery investigation.
The paper is organised in eight sections. Section 2 covers DF techniques for investigation. Section 3 provides an explanation and detailed investigation of forgery, its types, and its impact in DF; Section 4 covers tools and applications, and Section 5 provides information about the online availability of datasets for DF. Similarly, Section 6 covers the challenges and limitations of DF research, and Section 7 provides open research issues for future work. Finally, we conclude the paper in Section 8.

2 DF techniques for investigation

A DF professional must learn the whole range of forensics techniques. Learning forensics techniques is not just for gaining knowledge but for dealing with a wide range of situations, and it allows sophisticated problems to be solved quickly. Moreover, the professional is less likely to get stuck on a forensics problem because the person is equipped with knowledge of multiple forensics techniques. In this paper, we highlight the critical aspects and detailed implementation of forensics techniques in the light of new research, mitigate digital crime, and show the importance of the techniques below, which help to preserve evidence for the digital investigation:

2.1 Data recovery and file carving

Data recovery is an essential part of DF, not only for penetration testers and ethical hackers but also for investigators, who must get into criminal computer systems and recover crucial deleted files or data during the investigation. Recovering concealed and deleted files while extracting the exact data without dropping the quality of the file is a prime task in the field of DF. Various data recovery tools are available for Windows-based and Linux-based platforms; Lee and Shon (2014) suggest a deleted-file recovery technique for the Ext2/3 file system, which is commonly used in Linux. The proposed technique analyses the filesystem structure, the file storage structure and the meta information of the file. Craiger (2005) discussed the importance of recovering deleted files on Linux-based operating systems, demonstrating Ext2/3 techniques with Linux command-line utilities, the ability to gather deleted evidence from volatile memory and a magnetic disk, and furthermore, identifying hidden files and finding files renamed with a different extension. Currently, Ext4 is the default filesystem when installing several new versions of Linux products; the data structure of Ext4 includes extent trees, directory indexing with HTrees, extent descriptions, and flex block groups (Fairbanks, 2012). In DF, these are the processes of extracting data from a file with the help of filesystem data structures.
File carving is the process of extracting data from a magnetic disk or other storage media without the assistance of the filesystem. Data carving falls into four main directions. The first is the need for realistic datasets for tool testing; the second is the need for object validation under fragmented data storage; the third is content-based validation investigation; and the last, a new direction in the file carving field, comprises in-place carving, bulk extraction, and semantic validation (Alherbawi et al., 2016). In forensics, file carving techniques have been successfully applied to carve JPEG files, with techniques to identify, validate and reassemble files (Ali et al., 2018). In the multimedia data field, media data like photographs and videos are valuable evidence, and concealed or deleted media are restored without the assistance of the filesystem; file fragmentation analysis assumes that an image file consists of a header (start-of-image marker FF D8), a body (checked through additional features) and a footer (end-of-image marker FF D9) (Steinebach et al., 2015). For this situation, image files are recovered and reassembled using a greedy heuristic file carving technique, an efficient mechanism to determine the fragmentation point of a file (Pal et al., 2008). Boyer-Moore and Aho-Corasick are the multi-pattern searching algorithms used to locate headers and footers on a disk. Using those algorithms on a system enables file carving, which essentially takes some time to read a carved file from the disk (Zha and Sahni, 2010). Nevertheless, these are sophisticated carving algorithms that can handle fragmentation, concealed data, and recovering and reassembling files from media disk storage.
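As an added illustration of the header/footer carving described above (example code, not from the paper or any tool it cites), the following Python carver finds JPEG candidates by the FF D8 start-of-image marker but walks the marker segments before trusting an FF D9 footer, so an Exif thumbnail embedded inside the file cannot cut the carve short. The disk image, its marker layout and the naive_carve comparison function are constructed for the demonstration.

```python
"""Structure-aware JPEG carver (added example; not from the paper or the tools it cites).

Candidates are located by the start-of-image marker FF D8, but the end is found by
walking the marker segments rather than by taking the first FF D9, so an Exif
thumbnail (which carries its own SOI/EOI) cannot truncate the carved file. The
disk image below is constructed inline for the demonstration.
"""
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Markers that carry no length field: SOI, TEM and the restart markers RST0..RST7.
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def carve_jpeg(data: bytes, start: int):
    """Return (end_offset, reason) for the JPEG at `start`, or (None, reason) if not carvable."""
    pos = start + 2                                # skip SOI
    while True:
        if pos + 4 > len(data):
            return None, "truncated header"
        if data[pos] != 0xFF:
            return None, "bad marker byte"
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill bytes before a marker are legal
            pos += 1
            continue
        if marker == 0xD9:
            return None, "EOI before scan data"
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None, "bad segment length"
        if marker == SOS:
            # Entropy-coded data follows. Inside it every 0xFF is stuffed (FF 00) or a
            # restart marker, so the first FF D9 after the SOS header is the real end.
            end = data.find(EOI, pos + 2 + seg_len)
            if end == -1:
                return None, "no EOI after SOS"
            return end + 2, "ok"
        pos += 2 + seg_len                         # skip APPn/DQT/SOF/..., thumbnail included


def naive_carve(data: bytes, start: int) -> bytes:
    """Header-to-first-footer carving, for comparison: stops at an embedded thumbnail's EOI."""
    end = data.find(EOI, start + 2)
    return data[start:end + 2] if end != -1 else b""


def carve_all(data: bytes):
    """Scan the image for SOI markers and carve each structurally valid JPEG as (start, end, bytes)."""
    found, pos = [], 0
    while (pos := data.find(SOI + b"\xff", pos)) != -1:
        end, reason = carve_jpeg(data, pos)
        if end is None:
            pos += 2                               # not carvable here; keep scanning
            continue
        found.append((pos, end, data[pos:end]))
        pos = end                                  # resume after the carved file
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


SOS_HDR = b"\x01\x01\x00\x00\x3f\x00"              # 1 component; Ss=0, Se=63, Ah/Al=0
# Constructed thumbnail that lives inside the main file's Exif APP1 segment.
THUMB = SOI + _segment(0xDB, bytes(65)) + _segment(SOS, SOS_HDR) + b"\x12\xff\x00\x34" + EOI
MAIN_JPEG = (
    SOI
    + _segment(0xE1, b"Exif\x00\x00" + THUMB)      # APP1 with embedded thumbnail
    + _segment(0xDB, bytes(65))                    # DQT
    + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")  # SOF0: 16x16, 1 component
    + _segment(SOS, SOS_HDR)
    + b"\xaa\xff\x00\xbb\xff\xd0\xcc"              # scan data: stuffed FF 00 and an RST0 marker
    + EOI
)
TRUNCATED = SOI + _segment(0xE0, b"JFIF\x00") + _segment(SOS, SOS_HDR) + b"\x10\x20"  # EOI lost
DISK_IMAGE = bytes(37) + MAIN_JPEG + b"slack-space" + TRUNCATED + b"\xff" * 9
TRUNCATED_OFFSET = 37 + len(MAIN_JPEG) + len(b"slack-space")

if __name__ == "__main__":
    for start, end, blob in carve_all(DISK_IMAGE):
        print(f"carved JPEG at {start}-{end} ({len(blob)} bytes)")
    print("naive carve length:", len(naive_carve(DISK_IMAGE, 37)), "vs real", len(MAIN_JPEG))
```

The truncated second file is reported as not carvable rather than being padded to the next footer, which is the behaviour an examiner wants recorded when fragmentation or overwriting has destroyed the tail of a file.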

2.2 Password recovery

Digital devices are increasingly used for various criminal activities, for example cracking an authentic password, gaining access to information systems without permission, leaking information, sniffing, spying on and harming others’ computers, attacks through distributed network environments, and many more. Password recovery strategies are split into three dimensions: reconnaissance, scanning, and gaining access. Brute force (Hranický et al., 2016a), active and passive online attacks, offline attacks, rainbow attacks, smartphone security attacks, password cracking techniques, local and remote password dumps, FTP, POP3, SBMP, and sniffing passwords from the network are the well-known techniques. Nowadays, different document formats and encryption tools (like PDF, ZIP, Doc, Docx) support encryption to protect the sensitive contents of the document; the standard cryptographic algorithms are AES, RC4, and SHA (Hranický et al., 2016b), which help to retain document integrity and confidentiality. In the wireless network domain, brute force and rainbow tables can easily help to recover a WPA-PSK password, whereas password recovery for WPA2-PSK is a critical problem in DF; simulated annealing (SA) and the hidden Markov model (HMM) perform quite well, where the HMM is used to generate a known password based on SA, which could be used to recover candidate passwords (Ge et al., 2016). Finally, the crucial password recovery tools are network sniffing, administration password bypassing, decryption, and password cracking tools.

2.3 Information retrieval

Keyword searching is one of the search techniques for retrieving records from a digital device for the purpose of an investigation. The technique is highly preferable for the collection of digital evidence, like modelling user browser behaviour, search string indexes, and the history of irrelevant searches. Cluster-search information retrieval (IR) is another type of search algorithm used widely in digital investigation. In the string searching process, a case study shows that clustering IR significantly reduces the overhead of IR in DF (Beebe et al., 2011). A self-organised neural network with clustering of post-retrieval information enhances text string searching in DF (Beebe and Clark, 2007). To improve retrieval performance, IR adapts knowledge that is either domain-specific or domain-independent (Du et al., 2008). In a digital investigation, analysing a huge amount of data to retrieve meaningful information, i.e., digital evidence, is a time-consuming and costly task. Data mining concepts help to reduce system and human processing time, improve the quality of data analyses, and decrease the cost associated with DF (Beebe and Clark, 2005).

2.4 Live forensics analysis

Traditional forensics is performed manually to gather and analyse data, while DF is performed through static analysis of preserved data; live forensics is slightly changing the mechanism of forensics science with the dynamic analysis of a running system for deeper understanding (Mrdovic et al., 2009). Live DF techniques escalate forensics analysis; the reason behind it is that they seek to take a snapshot of the state of the computer, analogous to photographs of the crime scene (Adelstein, 2006). Forenscope is one of the successful active live-system analysis frameworks, which allows examining running processes, open files, open network sockets, and encrypted filesystems (Chan et al., 2010). Live analysis pushes forensics science one step forward in the recent era, but unfortunately it has some logical challenges: the problem is that the operation is not repeatable because the state of the system reflects both user and investigator activities together (Hay et al., 2009).

2.5 Event correlation

Event correlation is a network-based coding technique that takes data from host logs or application logs and then provides the relationships between events with the help of data analysis results (Kliger et al., 1995). Event correlation determines the underlying cause of a problem so it can be resolved quickly, which helps to minimise the impact of losses in a business. It is a technique that gathers various related events to identify patterns; action can be imposed when patterns threaten security. The main objective is to analyse logical events collected through a sequence of related events (user-defined rules). As a result, security analysts take an appropriate decision in response to generated threats. In a digital investigation, Jonathon et al. developed an event correlation forensics framework for scenario matching, reducing heterogeneous logs, and automated recognition of event scenarios (Abbott et al., 2006). Data intelligence, fraud detection, root cause analysis, and operations support are the crucial use cases of event correlation. The overall scenario helps to investigate digital crime in the network domain.
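An added example, not code from the paper or from the Abbott et al. framework: a small Python correlator that reduces two constructed heterogeneous logs (an sshd syslog and a JSON web-application log) to one event stream and applies a user-defined sequence rule, repeated authentication failures from one source followed by a success within a time window. The log lines, field names, year and thresholds are all assumptions made for the demonstration.

```python
"""Rule-based event correlation over heterogeneous logs (added example; not from the paper).

Two constructed log sources, an sshd syslog and a JSON web-application log, are
reduced to one normalised event stream, then a user-defined sequence rule fires
when repeated authentication failures from one source are followed by a success
inside a time window. All log content, field names and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data); syslog lines carry no year, so one is assumed.
SSHD_LOG = """\
Mar  3 10:00:01 host1 sshd[912]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Mar  3 10:00:04 host1 sshd[913]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar  3 10:00:09 host1 sshd[914]: Failed password for root from 203.0.113.7 port 4023 ssh2
Mar  3 10:00:15 host1 sshd[915]: Accepted password for root from 203.0.113.7 port 4024 ssh2
Mar  3 10:05:00 host1 sshd[920]: Failed password for bob from 198.51.100.2 port 5000 ssh2
"""
WEBAPP_LOG = """\
{"ts": "2024-03-03T10:00:20", "src": "203.0.113.7", "action": "login", "result": "success", "user": "root"}
{"ts": "2024-03-03T10:30:00", "src": "198.51.100.2", "action": "login", "result": "success", "user": "bob"}
{"ts": "2024-03-03T10:31:00", "src": "198.51.100.2", "action": "view", "result": "success", "user": "bob"}
"""

SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)


def normalise(sshd_text: str, web_text: str, year: int = 2024):
    """Reduce both formats to (timestamp, source_ip, outcome, origin) tuples sorted by time."""
    events = []
    for line in sshd_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                                   # unrelated sshd lines are dropped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        outcome = "auth_fail" if m.group(2) == "Failed" else "auth_ok"
        events.append((ts, m.group(4), outcome, "sshd"))
    for line in web_text.splitlines():
        rec = json.loads(line)
        if rec.get("action") != "login":
            continue                                   # only authentication events are relevant
        outcome = "auth_ok" if rec["result"] == "success" else "auth_fail"
        events.append((datetime.fromisoformat(rec["ts"]), rec["src"], outcome, "webapp"))
    return sorted(events)


def correlate(events, threshold: int = 3, window: timedelta = timedelta(minutes=1)):
    """User-defined rule: at least `threshold` failures from a source, then a success within `window`."""
    recent_failures = defaultdict(list)
    alerts = []
    for ts, src, outcome, origin in events:
        if outcome == "auth_fail":
            recent_failures[src].append(ts)
            continue
        hits = [t for t in recent_failures[src] if ts - t <= window]
        if len(hits) >= threshold:
            alerts.append({"src": src, "failures": len(hits), "success_at": ts.isoformat(), "via": origin})
            recent_failures[src].clear()              # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalise(SSHD_LOG, WEBAPP_LOG)):
        print(alert)
```

Because both sources are reduced to the same tuple shape, the rule fires on the sshd success and the later web login from the same address is attributed to the same burst instead of raising a second alert.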

2.6 Network sniffing

A network sniffer monitors the flow of data over computer networks, takes snapshot copies without redirecting anything, and helps to troubleshoot network traffic (Choudhury, 2011; Ansari et al., 2003). It is used by network or system administrators to monitor data packets containing sensitive information and ensure they are delivered securely at the destination. Attackers use sniffers, which can be hardware or software, to capture the details of data packets. There are two types of sniffing:
1 active
2 passive sniffing.
Active sniffing is the process that regulates the data packets through a switch, while passive sniffing is done through a hub. In this paper, the open-source multi-platform sniffing tools and techniques that help to monitor data flow while protecting sensitive information are as follows:
 NetworkMiner (Hjelmvik, 2008)
 SolarWinds Packet Analysis Bundle (Podolanko et al., 2014)
 Packet Capture
 Steel Central Packet Analyser (Pathania, 2018)
 Fiddler
 Kismet and many more.
Considering the research, the results show that network sniffing tools identify, analyse, protect, and monitor crucial information of data packets in the network environment (Hjelmvik, 2008; Podolanko et al., 2014; Pathania, 2018).

2.7 IP address tracking

In network security, locating users or visitors, session history, IP routers and paths is only possible through an IP tracking system (Achi et al., 2008). Simply put, when a device connects to the network, the first thing exchanged is the IP address, which ensures that data can be properly delivered or received between two parties. It is an essential part of the internet protocol, whereby IP addresses are exchanged in a handshake first whenever a device starts working with others. There are distinct types of IP tracker tools used for different purposes: WolframAlpha provides the detailed location of an IP, IP Lookup provides basic information on IP location with a pin marker, What Is My IP traces an email through its IP address, and some more popular examples are IP tracers, Google Analytics (Clifton, 2012; Plaza, 2011), and Open Web Analytics.

2.8 Evidence visualisation

In general, the goal of DF analysis is to identify digital evidence for the investigation. Visualisation is the graphical representation used to display a large amount of data at once (Chavhan and Nirkhi, 2012). Data mining visualisation techniques help to extract useful patterns and anomalies from a huge amount of data (Keim, 2002), for example association rule mining, support vector machines (SVM), outlier analysis, discriminant analysis, Bayesian networks, etc. The capability of the technique is truly reliable for extracting meaningful knowledge that helps in the investigation of computer crime. Visualisation techniques also fit perfectly in the field of networks, detecting attacks, threats and anomalies (Schrenk and Poisel, 2011); furthermore, they help to display graph-based web history from users’ logs and are able to visualise static or dynamic instances.

3 Forgery investigation

Forgery is something that imitates the original; it refers to a fake signature without permission, creating a false document, unauthorised data manipulation, image tampering, and forged currency. In forensics science, several types of forgery are possible, but we highlight the most popular and crucial types, namely:
1 freehand, simulated, and copied forgery
2 traced forgery
3 forgery by memory
4 forgery by impersonation.
Freehand forgery is the type of natural handwriting-based forgery (Garfinkel, 2010), the process adopted by criminals to commit frauds such as producing a person’s signature, document attestation, a fake identity signature, or a signature on behalf of a person without revealing the actual identification. Sometimes the fake signature is so identical to the genuine one that one of the methods of DF is needed to distinguish between forged and real signatures (Black, 1995). Freehand forgery is still an active area for all researchers; on a day-to-day basis, research contributions enhance the field’s capability towards stability. Hanmandlu et al. (2005) made possible an offline signature verification system using fuzzy modelling for forgery detection. Angle feature extraction with the box approach is a potential approach, together with the Takagi-Sugeno (TS) model, to detect forged signatures. Another effective contribution was delivered by Sayeed et al. (2007) in freehand forgery; the objective of the research is to detect forged signatures using principal component analysis (PCA) with increased electrode volume for noise-free inputs as well as to ensure performance accuracy. Similarly, Madasu and Lovell (2008) developed an automatic offline signature verification system using fuzzy modelling with the grid method; the system is more reliable than the previous one.
Table 1 State-of-the-art forgery investigation and its impact

Walia and Kumar (2019)
Proposed work: This paper presents a systematic scrutiny of digital image forgery: the evolution of the digital image, image manipulation investigation techniques, and a comprehensive analysis of current research on forgery detection. The paper also answers a predefined set of research questions covering 2001 to before July 2017.
Attributes:
 Addressed several forgery investigation challenges and limitations
 Recommendations for possible research directions
 Devising effect
 Real-time detection
 Localised method
 Taxonomy of digital image forgery
 Discrimination
 Discussion of active and passive methods of image forgery
Features:
 Copy-move forgery
 Image splicing
 Image retouching
 Resampling
 Detection of anti-forensics forgery
 Classification
 Source camera identification

Lin et al. (2019)
Proposed work: The research is based on multimedia forensics investigation for tampered image detection; a novel copy-move forgery detection method is proposed using features and tentative matching.
Attributes:
 SIFT and LIOP used to extract features
 Tentative matching used to improve the matching relationship
 Filtering of false matches
 Filtered approach
 Image segmentation
 Affine transformations
 Locate duplicate regions
Features:
 Scale invariant feature transform
 Dataset and error measures
 Detection results under plain copy-move
 Better detection performance on the public dataset

Marra et al. (2020)
Proposed work: The proposed framework of convolutional neural network (CNN) based forgery detection investigation makes decisions based on full-resolution information gathered from all the image pixels.
Attributes:
 Used gradient checkpointing
 Trainable end-to-end framework
 Image-level supervision
 Largely outperforms all baseline models
 Supports almost all image datasets
Features:
 Joint optimisation
 Patch-level feature extraction
 Feature aggregation
 End-to-end training

Zhang et al. (2019)
Proposed work: This image forgery detection method uses a fully convolutional network (FCN) to enable locating the spliced region, forming positive and negative sample sets in order to distinguish original image pixels from forged pixels.
Attributes:
 Ground truth masks
 Detect spliced regions
 Lack of precise location information
 VGG 16 network used
 Stochastic gradient descent
 Speed-up of network convergence
Features:
 Robust to additive noise
 Remove Gaussian blur
 Geometric transformation
 Improved localisation
 Region classification

Huang and Ciou (2019)
Proposed work: This copy-move forgery approach presents a novel detection procedure with three main steps. First, SIFT is used to extract keypoints and their descriptors. Then matching pixels are clustered and similarities calculated. Finally, pairs are grouped by obtaining spatial distance and geometric constraints using the Helmert transformation.
Attributes:
 Super-pixel segmentation
 Helmert transformation to calculate geometric distance
 Regional segmentation
 Forgery localisation
 Group merging and clustering
 Angle consistency
 Spatial adjustment
 Detect copying and translation
Features:
 Refine coarse forgery regions
 Remove isolated areas
 Robust solution for scaling, rotation, and comparison forgery
Digital forensics and cyber forensics investigation 135

Reproduction, replicas, or copies of anything are not considered a crime until alteration and misrepresentation occur; this is known as copied forgery. In the recent era, disparate powerful image editing software tools create an identical clone of an image just like copy-paste; when some manipulation is additionally done in the image, questions arise about its authenticity. In that situation, copied-forgery detection is the first task, and after detection the evidence needs to be protected for presentation in a court of law (Mahmood et al., 2016). Computer vision techniques are applied to reduce the dimensionality of an image, manage high-resolution images, remove blur and extra effects, extract features, recognise patterns, and so on. Blind image restoration is the process of restoring the point-spread function using partial information and transforming the result back into the original image. When copy-paste content is applied within the same image, the scenario is called postprocessing. An evaluation of copy-move blind image forgery (IF) detection is not an easy task. Multiple postprocessing algorithms have been proposed in the past few decades; Christlein et al. (2012) evaluated the performance of previous algorithms (SIFT, SURF, block-based DWT, PCA, KPCA, DCT, and Zernike), and the authors suggest the SIFT keypoint-based method for forgery feature detection because of its remarkably efficient execution and low computation power consumption.
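The block-matching family of copy-move detectors that Christlein et al. (2012) benchmark can be shown end to end in a few dozen lines. The following is an added example, not code from this paper or from any of the surveyed detectors: it slides a small window over a grayscale image, groups identical blocks, and then votes on the displacement (shift vector) between matched blocks, because a genuine copy-move region produces many block pairs that all share one shift while coincidental matches do not. The sample image, the block size and the vote threshold are constructed assumptions; published detectors replace the raw-pixel fingerprint with DCT, PCA, Zernike or SIFT features so that JPEG noise and rescaling survive.

```python
"""Block-matching copy-move forgery detection on a grayscale image.

Added example, not code from the paper or from any of the surveyed detectors.
It implements the classic block-based scheme that Christlein et al. (2012)
benchmark: slide a B x B window over the image, fingerprint every block, group
identical fingerprints, and then vote on the displacement ("shift vector")
between matched blocks. A genuine copy-move region yields many block pairs
that all share one shift vector; coincidental matches do not. Published
detectors use DCT/PCA/Zernike or SIFT features so that JPEG noise and
rescaling survive; this pure-Python version fingerprints raw pixels, which is
enough to show the matching and voting logic. The sample image is constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

Image = List[List[int]]                 # rows of 8-bit grayscale values
Point = Tuple[int, int]                 # (x, y), top-left corner of a block
Shift = Tuple[int, int]                 # (dx, dy) between two matched blocks


def make_sample_image(width: int = 32, height: int = 32, forge: bool = True) -> Image:
    """Constructed test image: deterministic noise texture (a tiny LCG, so no
    library is needed) and, when forge=True, an 8x8 patch copied from (4,4)
    to (20,18). Noise makes accidental duplicate blocks practically impossible."""
    state, img = 12345, []
    for _ in range(height):
        row = []
        for _ in range(width):
            state = (state * 1103515245 + 12345) % (1 << 31)
            row.append((state >> 16) & 0xFF)
        img.append(row)
    if forge:
        for y in range(8):
            for x in range(8):
                img[18 + y][20 + x] = img[4 + y][4 + x]
    return img


def detect_copy_move(img: Image, block: int = 4, min_votes: int = 10
                     ) -> Tuple[Optional[Shift], int, List[Point]]:
    """Return (dominant_shift, votes, flagged_blocks).

    dominant_shift is None when no shift vector collects at least min_votes
    block pairs; flagged_blocks lists the top-left corners of every block on
    either end of a winning pair (source and pasted copy alike)."""
    height, width = len(img), len(img[0])
    # 1. fingerprint every overlapping block; identical blocks share a key
    groups: Dict[Tuple[int, ...], List[Point]] = defaultdict(list)
    for y in range(height - block + 1):
        for x in range(width - block + 1):
            key = tuple(img[y + dy][x + dx] for dy in range(block) for dx in range(block))
            groups[key].append((x, y))
    # 2. every pair of identical blocks casts one vote for its shift vector
    votes: Counter = Counter()
    pairs: Dict[Shift, List[Tuple[Point, Point]]] = defaultdict(list)
    for positions in groups.values():
        if len(positions) < 2:
            continue
        positions.sort(key=lambda p: (p[1], p[0]))   # row-major so dy >= 0
        for i in range(len(positions)):
            for j in range(i + 1, len(positions)):
                (ax, ay), (bx, by) = positions[i], positions[j]
                shift = (bx - ax, by - ay)
                votes[shift] += 1
                pairs[shift].append(((ax, ay), (bx, by)))
    # 3. keep only the shift that enough pairs agree on
    if not votes:
        return None, 0, []
    shift, count = votes.most_common(1)[0]
    if count < min_votes:
        return None, count, []
    flagged = {p for pair in pairs[shift] for p in pair}
    return shift, count, sorted(flagged)


if __name__ == "__main__":
    shift, count, blocks = detect_copy_move(make_sample_image())
    print(f"shift={shift} votes={count} flagged_blocks={len(blocks)}")
```

On the constructed image the 8x8 pasted patch contains 25 fully enclosed 4x4 blocks, so 25 pairs vote for the shift (16, 14) and 50 block corners are flagged; on the unforged variant no block has a twin and the detector reports nothing. The vote threshold is what keeps a single coincidental match (a flat sky, a repeated texture) from being reported as a forgery.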
Trace forgery is like copied forgery with a slight difference: it means reproducing an exact duplicate of a genuine signature (Tarannum, 2015). Trace forgery is sometimes executed through carbon paper, a scanned image, paper and indented tracing, or tracing with transmitted light. Thus, a trace forgery bears the closest resemblance to its model and exactly the same mathematical measurements (Misra et al., 2015). Every human around the globe has a unique content writing style, initials, and signature strategy; it is impossible to reproduce these exactly, so if a signature looks like a perfect carbon copy and lacks authentication, the only possibility is a tracing forgery. Handwriting forgery detection addresses this form of trace forgery; automatic detection of a forged signature by a machine is a challenging task, and it can be done by comparing a stored dataset (the person's original signatures) with the signature provided in real time. Detection is made by shaky handwriting, letter proportions, pen lifts, and signs of retouching, and by examining the very close similarity between the two signatures (Cha and Tappert, 2002).
In the age of digitisation, a digital image is a perfect carrier for transmitting visual information (Meena and Tyagi, 2019). IF is the process of manipulating some meaningful information in a digital image (Sridevi et al., 2012). DF aims to detect alteration or modification of the original image, which is achieved by applying different methods, preserving the useful information, and storing it in a secure database for further action by presenting the evidence to the jury. In IF, digital watermarking is the key concept of image authentication: while producing a company's documentation, the watermark is inserted at the time the records or documentation are generated. Copying an image and removing the watermark without permission is another type of IF; approaches used to abolish the authentic marking and discard visual clues of the image are considered illegal activity (Farid, 2009). In contrast, splicing as well as retouching of forged images are the critical problems described in the section on challenges and limitations. Image processing software tools make counterfeiting easier, distorting image information at very low cost (Liu et al., 2014). To expose such forgery, Liu et al. (2014) proposed an integrated algorithm mainly used to classify copy-move and splicing forgery (Popescu and Farid, 2004). Further, highlighting that low-cost, high-resolution cameras together with sophisticated open-source photo-editing software make it remarkably easy to alter images without leaving visual clues, Popescu and Farid (2004) suggest some well-known statistical tools (i.e., Fourier transformation: quantisation, compression, sampling, up-sampling, down-sampling, rotations, and affine transformations) for detecting forgery in the absence of a watermark or signature (Carrier, 2002).
Most authors collapse two concepts, forgery by impersonation and forgery by memory. Forgery by impersonation means that a person, without using the name of another person, writes or signs on behalf of that person in his own handwriting style. On the other hand, forgery by memory refers to a signature prepared from the mental impression (with the help of computer programming) of the letters of the actual signature, without seeing any model at the time of forgery. The next couple of sections indicate the impact of DF tools and techniques that lead towards improvement in the field and resist forgery in the digital environment.

4 Tools and applications

When a committed crime is not admitted by someone, investigating tools become important for analysing digital evidence and finding the appropriate result regarding whether a crime was committed by a person or not (Kumari and Mohapatra, 2016). Further, as ubiquitous computing advances rapidly, cybercrime expands at the same pace. Criminals utilise counter equipment to neutralise the effect of forensics, where manipulation of the evidence is one of the challenging issues (Omeleze and Venter, 2019). Researchers need to think about a long-term approach to overcome these problems and develop standardised software tools according to technology needs. In this context, an argument arises about the division between open-source and closed-source digital evidence analysis tools when a single platform is used for investigation. Open-source tools are freely accessible on the internet, while closed-source is the opposite: the tools are accessible only when a user pays the cost of the product. There is a vast difference regarding security, accessibility, reliability, and support between paid and unpaid tools (Kumari and Mohapatra, 2016). DF tools are categorised as under:
 digital image forensics
 computer forensics
 network forensics
 file analysis
 database forensics
 disk/data capture
 memory forensics
 internet/cyber forensics
 email forensics
 audio/video analysis forensics.
Table 2 Top ten DF tools with features

Columns: Category | Name of tool | Platform | Cost | Features

SANS SIFT
Category: File analysis and disk/data capture
Platform: Linux
Cost: Open source
Features:
 Auto-DFIR package update and customisations
 Cross-platform capability
 Extended filesystem support
 Install standalone system facility

CrowdResponse
Category: File analysis and disk/data capture
Platform: Windows
Cost: Closed source
Features:
 Lightweight console application
 Displays application resources
 Verify the digital signature
 Scan memory, loaded file modules, and running processes of disk files

The Sleuth Kit
Category: File analysis and disk/data capture
Platform: Windows and Linux
Cost: Open source
Features:
 Extract data from SMS, call logs, contacts, etc.
 Display system events through a graphical interface
 E-mail analysis

Volatility
Category: Memory forensics
Platform: Windows, Linux and Mac
Cost: Open source
Features:
 A fast and efficient algorithm to analyse RAM dumps from large systems
 Supports a wide variety of file formats
 Facilitates extensions and API

FTK Imager
Category: Digital image forensics
Platform: Windows, command-line Linux-based and Mac
Cost: Open source
Features:
 Data preview/file, folder, and content preview capability
 Support image mounting
 Multicore CPU use to parallelise actions
 Make an image file without disturbing the original one

CAINE
Category: Mobile, data-recovery and network forensics
Platform: Linux
Cost: Open source
Features:
 User-friendly interface
 Brings together many open-source DF tools
 Used for in-depth forensics investigation
 Generate reports easily

USB Historian
Category: Mobile, data-recovery and network forensics
Platform: Windows
Cost: Open source
Features:
 Gains information such as USB name, type, serial number and mount date/time with user account
 Useful for dealing with data and identity theft
 Parse data facility
 Wizard-driven analysis

Xplico
Category: Network forensics
Platform: Linux
Cost: Open source
Features:
 Extract application data from the internet
 Extract e-mail messages from POP, SMTP, IMAP
 Decoding data, modules and individual networks
 Decode VoIP calls

LastActivityView
Category: Computer forensics
Platform: Windows
Cost: Open source
Features:
 Trace last user activity logs
 Records user actions like open/close file logs, recent software installation and others
 Create a timeline of events

Free Hex Editor Neo
Category: Database forensics
Platform: Windows
Cost: Open source
Features:
 Designed to handle very large files, e.g., databases
 Easy to find data patterns across large files
 Multi-core processing
 Fast searching
 Make file patches

DF applications are commonly applied in almost every field of computer science and, beyond the computer domain, are very common in the business environment as well. For example, monitoring a suspicious employee's illegal activities on the company's computer, which are totally against the recruitment policy, while it is difficult to trace individuals at the same time. Suppose the suspicious person is in a prominent position; then the situation becomes very stressful to act ethically. In this scenario, a DF application plays a remarkable role in identifying, collecting, analysing, and storing proper evidence, after which the right action is taken based on the evidence presented to a jury. Some well-known real-time DF applications are introduced in Table 3.
Table 3 Real-time applications of DF

Columns: Name of research/application | Proposed research attributes/features

Online neighbourhood watch (Justicia and Riadi, 2018)
ONW is a crowdsourcing application for potential digital evidence of neighbourhood crime (Justicia and Riadi, 2018).

Analysis of forensics video in storage data using temper method (Farid and Lyu, 2003)
This application is widely used by Yogyakarta Police to analyse video (CCTV) footage for investigation. The system provides accuracy of assessment in a case, makes the investigation process faster, lets a suspect's face be identified easily, and helps with document generation (Farid and Lyu, 2003).

Higher-order wavelet statistics and their application to digital forensics (Hanmandlu et al., 2003)
A statistical model for natural image classification. The benefit of this model is that it classifies image alteration, is vulnerable to counterattack, and finds higher-order statistics (Hanmandlu et al., 2003).

Unconstrained handwritten character recognition based on fuzzy logic (Grajeda et al., 2017)
The application is utilised in a bank for an automatic cheque signature verification system (pattern recognition) (Grajeda et al., 2017).

5 Online available datasets for DF

The former type of DF research requires datasets; to produce high-quality research results, the selection of the right dataset must be ensured (Dang-Nguyen et al., 2015). Dataset features are mainly classified into three critical parts:
1 quality of the dataset
2 quantity of the dataset
3 availability of the dataset.
The quality of the dataset means labelled and real-world data that help researchers get accurate and generalisable results. Quantity of the dataset means enough data to train and validate machines; this is especially relevant for machine/deep learning techniques. Availability of the dataset helps to reproduce and improve state-of-the-art results (Dang-Nguyen et al., 2015). Wrong selection of the dataset affects research results; online open-access DF datasets are uploaded in bulk, so choosing the dataset appropriate to the research is the main task for researchers. Some crucial types of forensics dataset are listed below according to quality, quantity, and availability, elaborating each dataset's name with features, purpose, access link, and results that have a positive impact on the real-time environment.

5.1 RAISE: a raw images dataset for digital image forensics

In 2015, Dang-Nguyen et al. presented RAISE, a large dataset containing exactly 8,156 high-resolution raw images collected from various subjects and scenarios (Guan et al., 2019). Such a wide variety of diverse data is enough to test and evaluate the accuracy and efficiency of recent as well as new-generation forensics algorithms.

5.2 University of New Haven

Cyber forensics datasets are categorised into three origin datasets:
1 user-generated
2 experiment-generated
3 computer-generated datasets (Garfinkel, 2010).
Almost every type of cyber-related open-source dataset (e-mail, leaked passwords, hard disk images, computer malware, chat logs, network traffic, mobile malware for Android, and media pictures) is available in different file formats and extensions.

5.3 National Institute of Standards and Technology

NIST provides the computer forensics reference dataset (CFReDS) to investigators for examining documented sets of simulated digital evidence. The dataset types serve for testing forensics tools, establishing and checking lab equipment functioning, testing proficiency in a particular skill, and training laboratory staff.1

5.4 Media forensics challenge (MFC) dataset

A large-scale benchmark dataset for media forensics; the comprehensive dataset consists of 176,000 high-provenance (HP) images and 11,000 HP videos, almost 35 million internet images and 300,000 video clips, and moreover 100,000 manipulated images with 4,000 videos in a single bunch2. Over the past two years, the dataset has been used to assess the progress and analyse the performance of diverse computer systems on different media forensics tasks.

5.5 3D people dataset for surveillance and forensics (3DPES)

A 3D multi-view surveillance dataset is available for assessing the performance of new-generation DF tools and techniques. The dataset contains hundreds of video sequences: exactly 200 different people recorded from multiple cameras with various viewpoints, each person detected multiple times in different time frames and distinct lighting conditions (Baltieri et al., 2011). This dataset is well suited to analysing any forensics media tools, techniques, and applications.
6 Challenges and limitations

In the past few decades there has been vast development in the field of computer technology, and usage of the technology falls into both scenarios, good and bad (Kaur and Jindal, 2020; Haldar, 2020). Some people use technology to benefit others, for example through innovation, problem solving, and proposed research methods that fulfil the needs of society. On the other side, criminals use technology to achieve illegal targets. Nowadays, analysis of criminal activities has become a massively challenging task for digital investigation offices: tackling attacks or threats within a certain time, recovering hidden or lost data, preserving evidence on protected storage media, and so on (Sikos, 2020; Zhang et al., 2020). In DF, computer-assisted crime challenges are divided into three main categories:
1 technical
2 legal
3 resource challenges:
 technical challenges include anti-forensics, encryption, steganography, live acquisition, and analysis
 legal challenges are the lack of standardised international legislation and others
 resource challenges are data volume, time delay in acquiring and analysing media files, etc. (Al Fahdi et al., 2013).
IoT is an emerging field of computer science that performs a significant role in technical, economic, and social terms (Alam et al., 2020). IoT refers to physical devices connected to the internet that collectively send and receive data (Biswas et al., 2020). It integrates various sensors, objects, and nodes that communicate with each other, so that control of the devices is, so to speak, at your fingertips. On one side, the technology provides potential benefits, for example access control of a device. On the other side, various sorts of drawbacks emerge in terms of security: Conti et al. (2018) coined the security challenges in the IoT environment, such as authentication, authorisation and access control, privacy, and secure architecture for protecting information from malicious attackers or insiders. Similarly, the forensics challenges mentioned for the IoT environment are, first, IoT evidence identification, collection, and preservation, and second, evidence analysis and correlation, along with deficit attributes (Conti et al., 2018). As we know, the world increasingly uses ubiquitous computing in this era, and evidence is no longer restricted to mobile devices. In this situation, MacDermott et al. (2018) explore further forensics challenges in the IoT environment, such as keeping data acquisition, extraction, and analysis growing at the same pace.
Cybersecurity is the practice of defending computer-related devices or data from malicious attackers (Reddy, 2019). The field is split mainly into six categories, namely network, application, information, operational, disaster recovery, and end-user security. However, cybersecurity applies in a variety of contexts, from a small device to a large business; security specialists face difficulty regarding cyber threats or cybercriminal attacks on a network, and tackling the current challenges of DF in cybersecurity is a hot issue nowadays (Cybenko et al., 2019). Pandey et al. (2020) categorise cybersecurity challenges into three sub-categories. The first is source-related issues, meaning problems that emerge from the collection and visualisation of digital evidence and from scalability. The second is law-related issues, including court-level privacy, presentation of digital evidence, and evidence validation. The last is scientific issues: problems that arise because of a lack of hardware equipment and anti-forensics techniques (Pandey et al., 2020).
With cyber-attacks increasingly occurring every day, digital investigation tackles another forensics domain challenge, memory-based forensics. The forensics examiner unravels the memory data of a system by acquiring and inspecting it. Evidence analysis can be invalidated if the memory acquisition has been altered (Zhang et al., 2018). Moreover, the DF discipline depends wholly upon application software and tools for examining evidence, and an error present at any stage of analysis can compromise the whole investigation. The reliability of the tools can impact criminal justice proceedings, since the ability to determine the exact result from the collected evidence is what the judge relies on to assume a suspect's guilt or innocence. Despite this, there is a lack of sufficient tool-testing standards and procedures to validate tool usage during an investigation that would further help decision-makers in a court of law (Horsman, 2019). This is another aspect of the DF challenge; this paper cannot point towards 100% accuracy in the investigation of all crime incidents.

7 Open research areas

The DF discipline is all about collecting digital data, examining and analysing it, preserving it on storage, generating documents or investigation reports, and presenting digital evidence in a court of law (Sunde and Dror, 2019; Al Mutawa et al., 2019). Undoubtedly, much work has been done in this field to date, but a number of areas remain untouched. Forensics researchers have plenty of space to contribute their work in the field; the open areas of DF are as under:

7.1 Cloud forensics


Cloud computing is one of the transformative technologies globally adopted by both the public and private sectors (Laghari et al., 2018; Kumar et al., 2019). Cloud computing provides services according to the needs of the user; the services are SaaS, PaaS, and IaaS (Laghari et al., 2017, 2019). The Netherlands Forensic Institute (NFI) implements DF as a service (DFaaS) to combat the volume of backlogged cases (Van Baar et al., 2014). The system handles resource management, improves the turnaround time of evidence investigation, allows direct querying of the data, and provides a collaboration facility through annotation and shared knowledge (Lillis et al., 2016). While DFaaS plays a significant role in the current situation of forensics science, the model needs improvement in its current processes, the potential latency of using the online platform, and the network bandwidth dependency when uploading investigational records (Ruan et al., 2011; Koroniotis et al., 2020; Laghari et al., 2016). Replication of evidence in cloud storage creates redundancy, which increases the time complexity of retrieving a file from the storage; identical names of two different investigational files also impact the index searching strategy; another drawback is monitoring cloud-to-cloud virtual storage and the lack of cloud security; and multi-jurisdiction and multi-tenancy create an additional challenge. The non-pertinent issues mentioned should be eliminated in cloud forensics before starting the investigation (Rani and Geethakumari, 2020). Nevertheless, the technology needs more concentration in terms of proper facilitation to the users; cloud services could leverage more computational power that supports investigators in cybercrime and much more.

7.2 Forensics data mining and big data analysis


Despite several DF techniques for analysing big data and mining information, handling a huge number of forensics cases daily, reducing non-useful forensics data in time, and extracting meaningful knowledge from collected records are still the leading problems for investigational professionals in DF (Rao and Satpathy, 2020). Quick and Choo (2014) highlight the rapid growth in data volumes and its impact on forensics examination: increased data size consumes more time to create a copy for forensics investigation analysis. A combination of data mining principles and big data analysis tools and techniques can tackle DF data analysis problems, providing a more efficient method of collecting and preserving evidence, the capability to triage evidence, reduced data storage, the ability to quickly retrieve and review information in time, and the recovery of important data.

7.3 Mobile device forensics


In forensics science, mobile device forensics is a hot research area throughout the globe (Khan et al., 2014). It is the science of recovering digital evidence from a mobile device. Ayers et al. (2014) created a guideline which provides an in-depth look into mobile technologies and their involvement in forensics procedures. The rapid growth of social networking applications used on mobile devices makes the mobile phone a goldmine for investigation. Al Mutawa et al. (2012) successfully tested installed social networking applications such as Facebook, Twitter, and MySpace on three different devices, namely iPhone, BlackBerry, and Android phones. The result raised a new challenging factor in mobile forensics: Android phones and iPhones store a significant amount of valuable data which could be recovered for forensics investigation, while from the BlackBerry no data could be recovered or traced (Al Mutawa et al., 2012). Moreover, space is available not only in the social networking domain; the leading open research areas of mobile device forensics also include mobile file carving, mobile forgery, restoring the quality of compressed and hidden data, live mobile forensics analysis, and many others.

7.4 Distributed evidence in DF


A single CPU performs a single task at a time; more CPUs working simultaneously execute the same task in a minimal amount of time. In forensics, sophisticated investigation is also affected by both the limited I/O of mechanical disks and substantial CPU resource demands (Roussev et al., 2013). Distributed computing speeds up the analysis and examination of digital evidence: a large file (evidence) or a large block of unallocated space is split across several nodes to make maximum use of the available volatile memory. For example, thumbnailing operations can be executed rapidly if more processors store the image files, rather than using a few nodes with clustered image files (Richard and Roussev, 2006). With the help of task distribution, this research area boosts evidence identification, examination, analysis, and preservation, which means overall performance in DF.
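Splitting an evidence image into blocks that several workers process at once, as this section describes, pairs naturally with the integrity concern raised in Section 6 (analysis of an acquired memory image is worthless if the acquisition was altered afterwards). The following is an added example, not code from this paper or from any tool it lists: worker threads stand in for cluster nodes, each hashes one block, and the per-block digests form a manifest that later lets an examiner re-verify the image and say which block changed rather than only that something did. The block size and the sample image bytes are constructed assumptions; a real case would stream an acquired image from disk in much larger chunks.

```python
"""Chunked, parallel hashing of an evidence image with a per-chunk manifest.

Added example, not code from the paper or from any tool it lists. Two points
from the text: (1) a large evidence file is split into blocks that several
workers process at once (Section 7.4), and (2) evidence analysis of an
acquired memory image is only as good as the integrity of the acquisition,
so the examiner must be able to show that nothing changed after capture
(Section 6). Threads stand in for cluster nodes; the evidence bytes are
constructed inline, a real case would pass the path of an acquired image.
"""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Tuple

CHUNK_SIZE = 4096          # bytes per work unit; real images would use megabytes


def split_chunks(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, bytes]]:
    """Cut data into (index, bytes) work units; the last one may be short."""
    return [(i // chunk_size, data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def hash_chunk(item: Tuple[int, bytes]) -> Tuple[int, str]:
    """Work unit executed by one worker: SHA-256 of a single chunk."""
    idx, blob = item
    return idx, hashlib.sha256(blob).hexdigest()


def build_manifest(data: bytes, workers: int = 4,
                   chunk_size: int = CHUNK_SIZE) -> Dict[str, object]:
    """Hash every chunk in parallel and bind the per-chunk digests to a root
    digest and to a whole-image digest, so the manifest itself is tamper
    evident once its root is recorded (e.g. in the chain-of-custody log)."""
    chunks = split_chunks(data, chunk_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_chunk = dict(pool.map(hash_chunk, chunks))   # order-independent
    ordered = [per_chunk[i] for i in range(len(chunks))]
    root = hashlib.sha256("".join(ordered).encode()).hexdigest()
    return {"chunk_size": chunk_size, "chunks": ordered, "root": root,
            "image_sha256": hashlib.sha256(data).hexdigest()}


def verify_image(data: bytes, manifest: Dict[str, object], workers: int = 4) -> List[int]:
    """Re-hash the image and return the indices of chunks whose digest differs
    from the manifest; an empty list means the image is intact. A truncated
    image reports every missing chunk index, an extended one every extra."""
    current = build_manifest(data, workers, manifest["chunk_size"])
    expected, actual = manifest["chunks"], current["chunks"]
    return [i for i in range(max(len(expected), len(actual)))
            if i >= len(expected) or i >= len(actual) or expected[i] != actual[i]]


def make_sample_image(size: int = 5 * CHUNK_SIZE + 100) -> bytes:
    """Constructed stand-in for an acquired RAM image: 5 full chunks plus a tail."""
    return bytes((i * 31 + 7) % 256 for i in range(size))


if __name__ == "__main__":
    image = make_sample_image()
    manifest = build_manifest(image)
    print("root", manifest["root"][:16], "intact:", verify_image(image, manifest) == [])
```

The root digest is the same whatever the worker count, because the chunk digests are reassembled in index order before it is computed; that is what makes the manifest comparable between a single-node acquisition box and a many-node analysis cluster.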
7.5 NTFS compressed file carving


File carving is the method of recovering a file from unallocated space for investigation purposes without knowing its path or location, while the NTFS file system used by Windows has built-in compression features with the ability to reduce file space on a hard drive (Neyaz et al., 2019). NTFS is one of the most widely used file systems and supports an internal data compression function, but file carving tools cannot recover NTFS compressed files (Yoo et al., 2012). Several pieces of research have been published in distinct journals separately regarding NTFS file compression, file fragmentation, normalised compression, and file carving; researchers must also focus on the other side, that is, file carving tools and techniques for recovering NTFS compressed files.
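Why a signature carver walks straight past a compressed file is easiest to see by running one. The following is an added example, not code from this paper or from any carving tool it cites: a header/footer carver that knows only the magic bytes of two formats, run over a constructed "unallocated space" that holds a PNG-like and a JPEG-like file in the clear plus a compressed copy of the PNG. zlib stands in for NTFS's own LZNT1 compression (which the Python standard library cannot decode); the assumption is that either compressor scrambles the signature bytes in the same way. The second function shows the decompress-then-carve approach the text calls for: locate a complete compressed stream, inflate it, and carve inside the output.

```python
"""Signature-based file carving over raw disk space, and the NTFS
compression blind spot.

Added example, not code from the paper or from any carving tool it cites.
carve() is the textbook header/footer carver: it knows no paths or
file-system metadata and relies only on each format's magic bytes. The
"unallocated space" is constructed inline. zlib stands in for NTFS's LZNT1
compression (assumption: any compressor hides the signature bytes the same
way), so a plain carver misses the compressed copy and carve_compressed()
has to inflate the stream first.
"""
import zlib
from typing import Dict, List, Tuple

Carved = Tuple[str, int, int]            # (format, start offset, end offset)

# header and footer magic values of the two formats this carver knows
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# constructed file bodies: no real image data, just bytes between the magics
PNG_PAYLOAD = b"image-row-data;" * 40
JPEG_PAYLOAD = b"jpeg-scan-data;" * 40


def make_file(kind: str, payload: bytes) -> bytes:
    head, tail = SIGNATURES[kind]
    return head + payload + tail


def make_unallocated_space() -> bytes:
    """Constructed disk region: 64-byte zero filler between each object."""
    filler = b"\x00" * 64
    png = make_file("png", PNG_PAYLOAD)
    jpg = make_file("jpeg", JPEG_PAYLOAD)
    compressed_png = zlib.compress(png)        # stand-in for a compressed cluster run
    return filler + png + filler + jpg + filler + compressed_png + filler


def carve(blob: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Scan left to right for header..footer spans of every known format."""
    found: List[Carved] = []
    for name, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = blob.find(head, pos)
            if start == -1:
                break
            end = blob.find(tail, start + len(head))   # footer must follow the header
            if end == -1:
                break
            end += len(tail)
            found.append((name, start, end))
            pos = end                                   # no overlapping carves
    return sorted(found, key=lambda f: f[1])


def carve_compressed(blob: bytes) -> List[Tuple[str, int, int, int]]:
    """Inflate every complete zlib stream in blob and carve inside its output.

    Returns (format, stream offset in blob, start, end), start/end relative
    to the inflated data. A candidate stream begins at CMF byte 0x78 whose
    FLG byte satisfies the zlib header check ((CMF << 8 | FLG) % 31 == 0)."""
    results = []
    off = 0
    while off < len(blob) - 1:
        if not (blob[off] == 0x78 and ((blob[off] << 8) | blob[off + 1]) % 31 == 0):
            off += 1
            continue
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(blob[off:])
        except zlib.error:                 # looked like a header, was not a stream
            off += 1
            continue
        if not inflater.eof:               # truncated stream: nothing trustworthy
            off += 1
            continue
        for name, start, end in carve(out):
            results.append((name, off, start, end))
        off += len(blob) - off - len(inflater.unused_data)   # skip past the stream
    return results


if __name__ == "__main__":
    space = make_unallocated_space()
    print("plain carve:", carve(space))
    print("after inflating:", carve_compressed(space))
```

On the constructed region the plain carver reports only the two clear-text files; the compressed PNG contributes no match at all, which is exactly the gap the text describes for NTFS compressed files. Inflating first recovers it, but only because zlib streams have a recognisable header and an explicit end of stream; an NTFS-aware carver would instead have to locate compression-unit boundaries from the file system's own layout.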

8 Conclusions

In this paper, the concept of the modern-day version of forensics science, DF, is presented; it extends across many sub-portions such as forensics data analysis, network forensics, mobile device forensics, live forensics, and computer forensics, and these subjects are utilised according to the behaviour of the digital crime. Undoubtedly, forensics examination of electronic devices has gained huge success in the identification of computer-assisted crime, the capability to handle the appropriate incidence, and stopping the misuse of the cyber environment. Nevertheless, this paper concluded according to the state of the art of computer-assisted crime in DF in distinct scenarios of attempted digital crime investigations. This paper also describes types of forgery such as freehand or simulated, trace, memory, and impersonation, and briefly elaborates on the impact of forgery in DF by suggesting solutions to the problem considering the latest research. The crucial open- and closed-source tools that help investigators to examine the evidence are presented, as well as the newest developments in DF: the online neighbourhood watch application, automatic forged signature detection, high-order wavelet statistics, and cloud forensics. Finally, we have discussed the open research issues and the future direction of DF.

References
Abbott, J., Bell, J., Clark, A., De Vel, O. and Mohay, G. (2006) ‘Automated recognition of event
scenarios for digital forensics’, in Proceedings of the 2006 ACM Symposium on Applied
Computing, pp.293–300.
Achi, H., Hellany, A. and Nagrial, M. (2008) ‘Network security approach for digital forensics
analysis’, in 2008 International Conference on Computer Engineering & Systems, IEEE,
pp.263–267.
Actoriano, B. and Riadi, I. (2018) ‘Forensic investigation on WhatsApp web using framework
integrated digital forensic investigation framework version 2’, International Journal of
Cyber-security and Digital Forensics (IJCSDF), Vol. 7, No. 4, pp.410–419.
Adelstein, F. (2006) ‘Live forensics: diagnosing your system without killing it first’,
Communications of the ACM, Vol. 49, No. 2, pp.63–66.
Agarwal, A., Gupta, M., Gupta, S. and Gupta, S.C. (2011) ‘Systematic digital forensic investigation
model’, International Journal of Computer Science and Security (IJCSS), Vol. 5, No. 1,
pp.118–131.
Agarwal, R. and Kothari, S. (2015) ‘Review of digital forensic investigation frameworks’, in
Information Science and Applications, pp.561–571, Springer, Berlin, Heidelberg.
Al Fahdi, M., Clarke, N.L. and Furnell, S.M. (2013) ‘Challenges to digital forensics: a survey of
researchers & practitioners attitudes and opinions’, in 2013 Information Security for South
Africa, IEEE, pp.1–8.
Al Mutawa, N., Baggili, I. and Marrington, A. (2012) ‘Forensic analysis of social networking
applications on mobile devices’, Digital Investigation, Vol. 9, pp.S24–S33.
Al Mutawa, N., Bryce, J., Franqueira, V.N.L., Marrington, A. and Read, J.C. (2019) ‘Behavioural
digital forensics model: embedding behavioural evidence analysis into the investigation of
digital crimes’, Digital Investigation, Vol. 28, pp.70–82.
Alam, S., Siddiqui, S.T., Ahmad, A., Ahmad, R. and Shuaib, M. (2020) ‘Internet of things (IoT)
enabling technologies, requirements, and security challenges’, in Advances in Data and
Information Sciences, pp.119–126, Springer, Singapore.
Alherbawi, N., Shukur, Z. and Sulaiman, R. (2016) ‘A survey on data carving in digital forensic’,

Notes
1 Dataset link: https://www.cfreds.nist.gov/.
2 https://www.nist.gov/publications/mfc-datasets-large-scale-benchmark-datasets-media-forensic-challenge-evaluation.
