See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/351683844

Cyber Forensics Tools: A Review on Mechanism and Emerging Challenges

Conference Paper · April 2021
DOI: 10.1109/NTMS49979.2021.9432641

CITATIONS: 20 · READS: 1,235

1 author: Vihara Fernando, Sri Lanka Institute of Information Technology (3 publications, 20 citations)

All content following this page was uploaded by Vihara Fernando on 10 July 2023.


Cyber Forensics Tools: A Review on
Mechanism and Emerging Challenges
Vihara Fernando
[email protected]
Department of Computer Systems Engineering, Faculty of Graduate Studies and Research,
Sri Lanka Institute of Information Technology, New Kandy Road, Malabe.

Abstract—With the development of technology, “Data”, also interpreted as “Information”, has come to play a major role in the field of Cyber Forensics. One of the most crucial situations in which data becomes important is when it is taken as evidence in cyber-crimes. These crimes can occur in the fields of digital media and networks, in many instances related to crime scenes. Both crime and forensic investigators need the help of digital forensics in order to identify whether the victim has committed a crime or not. Therefore, it is a requirement for an investigator to use a suitable, accurate, affordable and reliable cyber forensic tool for the forensic investigations conducted with respect to crimes. Many researchers have experimented with the different functionalities a forensic tool should have, and have come up with various tools specifically for each branch of cyber forensics. Furthermore, over time, these cyber forensic tools have been found to have drawbacks due to the expansion of crime, especially crime related to sophisticated technology. Therefore, the acquisition process of forensic tools lacks advanced features to detect evidence. This paper describes some timely Digital Forensics tools and discusses emerging challenges in advanced areas of Digital Forensics.

Keywords — Cyber Forensics tools, Digital Forensics, Evidence, Investigation

978-1-6654-4399-9/21/$31.00 ©2021 IEEE

I. INTRODUCTION

Forensic Science [1] is concerned with determining the evidential value of a crime scene and related evidence, which can be used to give the right penalties to persons who have committed crimes or to clear the names of suspects who have not been involved in crimes. This paper emphasizes a main branch of Forensic Science, Digital Forensics [2], which is a much-needed component in crime scene investigations. According to crime scene investigation researchers, Digital Forensics is the process of preservation, identification, extraction, interpretation and documentation of computer and digital evidence stored in digital and electronic devices. In order to fulfill this objective of digital forensics, a range of tools with various functionalities is required.

A cyber forensic tool [4] is the main resource in a forensic investigation for retrieving the evidence contained in data, which may be directly obtainable data, hidden data or metadata [2]. These tools need to have the capability of extracting evidence stored in digital devices in a way that the data contained within the evidence is neither corrupted nor left unsecured. Furthermore, the evidence should be extracted unaltered and undisclosed through the data acquisition methods, which are Static Data Acquisition and Dynamic Data Acquisition [3]. After acquiring the data, it should be analyzed and examined in order to find the evidence related to a crime. Therefore, for a digital forensic tool to perform its functions well, it should maintain a high level of accuracy throughout the investigation process, until the result becomes evidence acceptable to a court of law.

There is a vast categorization of digital forensics according to the media and platform on which the data is stored. Computer Forensics, Network Forensics, Mobile Forensics, Database Forensics and Forensic Data Analysis are the main categories of digital forensics identified [2]. Moreover, by different means, digital forensics is narrowed and specialized into the categories of Memory, Disk, Operating System, Proactive, Wireless, Cloud, Email, Malware, Web, Registry, Recycle Bin, Image, Audio/Video and Log Forensics. Cyber forensic tools are developed in alignment with each of these categories, either as a tool which caters to a specific task or as a suite capable of many forensic functions, together with corresponding digital forensic frameworks.

Several drawbacks in digital forensics tools are being discovered over time while they are used in forensic investigations. Like other software and hardware, cyber forensics tools too have drawbacks, encountered in the areas of accuracy, data extraction capacity, responsiveness, encryption and compatibility issues with systems [18, 20, 27]. These challenges cause investigations to fail when the tools are not capable of performing the relevant tasks of extracting, analyzing and reporting accurately.

Through a literature survey on the drawbacks of forensic tools, numerous challenges were recognized in the fields which are currently at the peak of development. This paper informs the reader about Digital Forensic tools and the forthcoming challenges recognized due to their drawbacks. Furthermore, this paper concludes with solutions and research to be developed as future work.

II. CYBER FORENSICS TOOLS

A. Computer Forensics

1. EnCase
EnCase [4] is a commercial platform with a suite of investigation tools and techniques embedded in it. It analyzes deeply into recovering deleted files, sorting and reviewing files, signature analysis, internet history review, hash value analysis, timeline review, gallery review and registry analysis. EnCase produces a very clear and understandably formatted report, explaining important details and organizing the content with the support of its bookmarking feature.

2. Autopsy
Autopsy is open-source software which provides its facilities as a forensic suite on both Windows and UNIX operating systems [5]. Web artifact extraction, hash filtering, multimedia review, timeline analysis, keyword search and file analysis on file systems such as NTFS, FAT, ExFAT, HFS+ and Ext2/3/4 are the investigation purposes that can be achieved using Autopsy.

3. Forensic Toolkit (FTK)
Forensic Toolkit [6] is Windows digital forensic software implemented by AccessData. This tool supports data analysis, recovery of deleted files, hash verification with MD5 and SHA, file analysis of FAT, NTFS, Ext2 and CDFS, and graphical file viewing. Disk imaging is also done using the FTK Imager program attached to the FTK Toolkit.

4. Volatility
Volatility [7] is open-source software, mainly used for memory forensics as well as malware analysis and incident response. It can be executed on Linux, Windows, Mac and Android. Volatility analyzes RAM in 32-bit or 64-bit systems and investigates raw dumps, VMware dumps (vmem), crash dumps, VirtualBox dumps, Firewire, LiME format, Expert Witness HPAK format (fast dump) and QEMU memory dumps.

5. Mail Viewer
Mail Viewer [8] is popular software for viewing and analyzing emails from the Microsoft Outlook Express 4, 5 and 6, Windows Live Mail and Mozilla Thunderbird mail clients. It can extract all the mails at once and has capabilities for deep searching and filtering through mail folders.

B. Network Forensics

1. Wireshark
Wireshark [9] is a free and open-source protocol and packet analyzer which runs on Windows, UNIX, macOS, BSD and Linux. Features of Wireshark include capturing packets from a live network using pcap and reading them, capturing raw USB traffic, detecting voice-over protocols in the captured traffic, and color-coded packets to help users identify types of traffic.

2. Xplico
Xplico [10] is used to extract data from captured application traffic in which data is contained, such as email content, protocol content and voice-over protocol content. Protocols supported by Xplico are HTTP, IMAP, SIP, POP, SMTP, TCP, UDP, IPv4 and IPv6. Network traffic analysis, multithreading, modularity of the input interface (protocol decoder) and output interface (dispatcher), port-independent protocol identification and large-scale pcap data analysis are the main features of Xplico.

Some of the specific-task tools of network forensics are [11]:
• Packet sniffers – dumpcap, pcapdump.
• Protocol analyzers – tcpdump, tstat, netsniff-ng.
• Network analysis – NetworkMiner.
• Intrusion detection – snort, suricata, bro.
• Match regular expressions – ngrep.
• Extract files – nfex, driftnet.
• Sniff passwords or HTTP sessions – dsniff, firesheep, Ettercap, creds.

C. Mobile Forensics

1. XRY
XRY [12] is a digital as well as a mobile forensics tool to investigate smart phones, mobile phones, tablets and GPS navigation systems. It is used in the areas of intelligence operations, criminal investigations, law enforcement and military agencies. XRY analyzes data by communicating directly with the OS, by avoiding the OS, and by dumping the memory.

2. Cellebrite UFED
Cellebrite UFED Pro series [13] is a mobile forensic device which helps in investigations by accessing, decoding, analyzing, reviewing, managing and controlling data. The functions of analyzing encrypted data, unblocking cloud-based evidence, retrieving real-time data, accessing all iOS and high-end devices, analyzing and reporting video evidence, live data acquisition and forensic imaging are available with this toolkit.

More mobile forensics tools [14]:
• Mobiledit Forensic – examines and reports on data from GSM/CDMA/PCS mobile phones.
• iXAM – forensic data imaging tool.
• CellDEK TEK – extraction of information from phone log, serial numbers, deleted SMS from SIM, calendar and To Do List.

D. Database Forensics

1. SQLite Forensics Browser
SQLite Forensics Browser [15] is a database forensics tool which can create, manage and analyze the evidence during the creation of a case. This tool has the capabilities of creating SQLite databases, scanning and previewing database files, database indexing, adding multiple custodian entries, advanced search and exporting to multiple file formats.

2. SQLCMD
SQLCMD [16] is a database extraction tool developed by Microsoft as a command-line tool to execute ad-hoc commands and scripts in a SQL database. This tool helps in analyzing databases and process logging. Text output is produced during the execution of SQLCMD.

Forensic tools which have Database Forensics capabilities are [16]:
• Oxygen Forensics Detective – explores database files (SQLite, SQLite3, SQLite db) using an SQLite viewer.
• Xplico – extracts data from databases using MySQL or SQLite.
• Windows Forensics Toolchest – extracts volatile data from SQL Server databases, analyzes recent activity and error logs, and recovers lost data.
• SysTools SQL Log Analyzer – analyzes offline databases using MDF files on Windows systems.
• Detective Digital Blade v1.13 – extracts SQLite DB data and verifies the integrity of recovered data on mobile devices.

E. Forensics Data Analysis

Forensics Data Analysis [17] is a branch of Digital Forensics which analyses structured data, including big data and data from application systems and databases, related to financial crimes and fraudulent activities. Digital, Database and Network forensics tools are used for investigation purposes in Forensics Data Analysis.

III. CHALLENGES IN CYBER FORENSICS TOOLS

To date, cyber forensics tools have been developed at large scale for investigation purposes in the various areas mentioned previously. The following challenges are discussed with regard to the upcoming technological areas.

A. Mobile Forensics

1. Artifact Extraction
Most Mobile Forensics tools are commercial, with advanced technologies and capabilities. The only problem with a commercial tool is that it is difficult to afford. Such tools are beneficial to investigation agencies in their information acquisitions, but in general they may not be needed. This can be solved by acquiring the open-source tools available for Android, iOS and basic mobile phones [18]. There are tools such as Linux Memory Extractor (LiME), used for memory capture on Android mobile phones through a debugging bridge interface; BitPim, which can acquire data from basic mobile phones; and iPhone Backup Analyzer, which is able to analyze device backups. Extraction tools, both open-source and commercial, have drawbacks: a lack of support for device compatibility, with some being selective about the operating system (such as Paraben Device Seizure); an inability to identify hidden and encrypted data; an inability to interpret information stored by Android applications; and a lack of validation of the tool [19].

2. Reporting
Any investigation process should be capable of delivering good documentation of the findings and conclusions made. For that purpose, a tool is needed which reports in detail at the end of the process. Hex dumping is the physical acquisition process of the file systems in a mobile phone. In cell phone forensic tools, there exists an inconsistency of report formats in hex-dumping [20]. This drawback occurs because these components of mobile devices and cell phones are not yet handled by mobile forensic tools with regard to reporting format.

3. Cloud
Mobile Forensics tools face many challenges when trying to acquire and analyze data in cloud services associated with mobile devices [19]. The forensic tools used for cloud investigations of mobile devices lack resource-sharing procedures for the cloud environment, are unable to sort out and provide information on data origins, face cloud access authorization issues, and cannot retrieve the locations from which the evidence is being taken, especially in a virtual infrastructure. Most of the mobile forensics tools developed are offline-based, and only a limited number of tools are implemented for cloud investigation, with basic methodologies such as data viewing and analysis [21].

4. Android Forensics
The modern mobile forensics field is expanding with Android devices [22], as various models are introduced to the mobile world. Although there are direct acquisition methods and tools such as Emergency Download Mode (EDL) extraction, this is a low-level method and strictly limited to specific vendors of Android mobile devices and chips. Furthermore, these tools might not perform data acquisition and extraction, depending on the mobile device settings, Android version and encryption modes enabled. For example, mobile devices before Android 9 never had encryption of Android backups, which led to insecure data acquisitions.

5. Deleted Data Analysis
Mostly on Apple iPhones, it has been a difficult task to recover and retrieve deleted files due to the encryption key methods used by those mobile devices [22]. Solid-State Drives (SSD) are trimmed so that the data cannot be obtained after the file is deleted. Methods such as SSD factory access modes are being developed to retrieve hidden data from SSD drives. Therefore, forensic tools are being experimented with such features to recover deleted files on mobile devices.

6. Two-Factor Authentication
Forensic tools sometimes do not have the ability to access sensitive information by disabling an authentication technique like Two-Factor Authentication [22]. For example, Apple device users who use Two-Factor Authentication to protect their accounts from unauthorized access can disable the Find My protection option or reset the Apple Identification/iCloud password without providing their actual Apple Identification/iCloud password. This allows mobile users to hide or alter information which could be useful in investigations.
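The Database Forensics tools in Section II.D and the Deleted Data Analysis challenge in Section III.A.5 both turn on whether a deleted record can still be recovered. The following Python example is added here and is not part of the paper or of any tool it reviews; it uses only the standard library and a constructed `messages` table, and the function names are the example's own. It shows why a forensic tool must carve the raw database file rather than only query it: after a DELETE, SQLite with PRAGMA secure_delete=OFF only marks the row's space as a freeblock, so the text survives in the file until the page is reused, whereas with secure_delete=ON the freed bytes are overwritten with zeros.

```python
import os
import sqlite3
import tempfile

# Constructed sample value: the message body an examiner would search for.
MARKER = "CONSTRUCTED-DELETED-MESSAGE-0001"


def _populate_and_delete(path, secure_delete):
    """Create a small message table at `path`, then delete one row.

    `secure_delete` sets PRAGMA secure_delete on the deleting connection.
    OFF (SQLite's default) only marks the freed cell as a freeblock and leaves
    most of its bytes in place; ON overwrites the freed bytes with zeros.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode = DELETE")  # rollback journal is removed after commit
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(i, "filler row %03d" % i) for i in range(1, 40)]
    rows[19] = (20, MARKER)  # row id 20 carries the marker text
    con.executemany("INSERT INTO messages VALUES (?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM messages WHERE id = ?", (20,))
    con.commit()
    con.close()


def count_marker(path):
    """Return (live_hits, raw_hits): matches via SQL versus in the raw file bytes."""
    con = sqlite3.connect(path)
    live = con.execute(
        "SELECT COUNT(*) FROM messages WHERE body = ?", (MARKER,)
    ).fetchone()[0]
    con.close()
    with open(path, "rb") as f:
        raw = f.read()
    return live, raw.count(MARKER.encode("utf-8"))


def deleted_row_persists(secure_delete):
    """True if the deleted row is invisible to SQL but its text is still in the file."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "evidence.db")
        _populate_and_delete(path, secure_delete)
        live, raw = count_marker(path)
        return live == 0 and raw > 0


if __name__ == "__main__":
    print("secure_delete=OFF, remnant carved from file:", deleted_row_persists(False))  # True
    print("secure_delete=ON,  remnant carved from file:", deleted_row_persists(True))   # False
```

The rollback journal and any WAL file can hold earlier page images in the same way, so an examiner collects them together with the main database; the example deletes them with its temporary directory once the check is done.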
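Hash verification of acquired data is listed among FTK's features in Section II.A.3, and the integrity of evidence recurs as a challenge throughout Section III (cloud data in III.B.3, log files in Software Defined Networks in III.D.3, ROS data in III.E.1). The Python example below is added here and is not code from the paper or from any tool it describes; the image bytes, log lines and seed are constructed, and the function names are the example's own. It records the acquisition digests of an image and re-verifies them, and it links log entries into a SHA-256 hash chain whose final digest is recorded out of band, so that both an in-place edit of one entry and a rewrite in which the chain was recomputed are detected.

```python
import hashlib
import hmac

# Constructed sample data: a small "acquired image" and a few SDN controller
# log lines standing in for the evidence an examiner would hash and record.
IMAGE = bytes(range(256)) * 16
LOG_LINES = [
    "2021-04-01T10:00:01Z controller: link up sw1:port3 <-> sw2:port1",
    "2021-04-01T10:00:05Z controller: LLDP advertisement received on sw3:port2",
    "2021-04-01T10:00:09Z controller: flow installed sw1 -> sw2:port1",
    "2021-04-01T10:00:12Z controller: link up sw2:port4 <-> sw3:port2",
]
SEED = b"constructed-chain-seed"  # constructed; in practice a nonce noted by the examiner


def hash_image(data, algorithms=("md5", "sha256")):
    """Acquisition digests of an image, the pair a tool like FTK records (MD5 and SHA)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_image(data, recorded):
    """True only if every recorded digest matches a fresh computation over `data`."""
    fresh = hash_image(data, tuple(recorded))
    return all(hmac.compare_digest(fresh[name], recorded[name]) for name in recorded)


def chain_log(lines, seed=SEED):
    """Link log entries: digest_i = SHA-256(digest_(i-1) || line_i), starting from SHA-256(seed).

    Returns [(line, digest_hex)]. The last digest is the chain head, which must be
    recorded out of band (examiner's notes, write-once storage) to be useful.
    """
    prev = hashlib.sha256(seed).digest()
    chained = []
    for line in lines:
        digest = hashlib.sha256(prev + line.encode("utf-8")).hexdigest()
        chained.append((line, digest))
        prev = bytes.fromhex(digest)
    return chained


def verify_chain(chained, recorded_head, seed=SEED):
    """Recompute the chain and compare it with the out-of-band head.

    Returns -1 if intact, the index of the first entry whose stored digest does
    not match (an in-place edit), or len(chained) if every link is internally
    consistent but the final digest differs from `recorded_head` (a rewrite in
    which the attacker recomputed the chain).
    """
    prev = hashlib.sha256(seed).digest()
    for i, (line, digest) in enumerate(chained):
        expected = hashlib.sha256(prev + line.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(expected, digest):
            return i
        prev = bytes.fromhex(digest)
    return -1 if hmac.compare_digest(prev.hex(), recorded_head) else len(chained)


def tamper_in_place(chained, index, new_line):
    """Simulate an edit of one line that leaves the stored digests untouched."""
    edited = list(chained)
    edited[index] = (new_line, chained[index][1])
    return edited


def tamper_and_recompute(chained, index, new_line, seed=SEED):
    """Simulate an edit of one line followed by recomputation of every later digest."""
    lines = [line for line, _ in chained]
    lines[index] = new_line
    return chain_log(lines, seed)


def demo():
    """Run every check on the constructed data and return the results as a dict."""
    recorded = hash_image(IMAGE)
    altered_image = IMAGE[:100] + bytes([IMAGE[100] ^ 0x01]) + IMAGE[101:]
    chained = chain_log(LOG_LINES)
    head = chained[-1][1]
    edited = "2021-04-01T10:00:01Z controller: link up sw1:port3 <-> sw1:port3"
    return {
        "image_verifies": verify_image(IMAGE, recorded),
        "altered_image_verifies": verify_image(altered_image, recorded),
        "intact_log": verify_chain(chained, head),
        "edited_in_place": verify_chain(tamper_in_place(chained, 0, edited), head),
        "edited_and_recomputed": verify_chain(tamper_and_recompute(chained, 0, edited), head),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-24s %s" % (name, value))
```

The chain by itself only catches an in-place edit, because every digest it depends on sits in the same file; it is the head digest held outside the monitored system that makes a consistent rewrite visible. An HMAC under a key held by the examiner would serve the same purpose where a write-once store for the head is unavailable.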
B. Cloud Computer Forensics

1. Identification of Evidence
Accessing evidence through logs is difficult, as the availability of logs depends on the cloud's distributed implementation model [21]. The distributed landscape of cloud computing inherits difficulties in data extraction and identification. In infrastructures such as Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS), it is more difficult to access the available logs than in Infrastructure-as-a-Service (IaaS). As the cloud holds data of a volatile nature, service providers do not keep any track of user activities performed in cloud computing.

2. Volatile Data
Volatile data is the data in a computer which is lost when the computer is shut down [21]. Volatile data should be protected from vanishing and being altered in cloud computing landscapes, as it tends to do so at many stages of an investigation. Cloud computing contains volatile data, and most virtual machines use dynamic RAM and do not allow data preservation and data capture facilities. Therefore, any digital forensics tool finds it hard, or is unable, to identify volatile data even during live data acquisition in investigations.

3. Integrity of Data
In forensic investigations, examiners need to preserve the integrity of information when acquiring data [27]. It should be the original data which the investigator is obtaining that can be presented to a court of law and accepted. In cloud forensics, maintaining the integrity of data is difficult. By nature, cloud computing is spread throughout distributed systems and virtual systems. Cloud data tends to change every time it is at rest and being processed, and when receiving network information, the metadata gets altered [23]. Existing forensic tools are not capable of retrieving and examining the data in its original state.

4. Cloud-Enabled Big Data
Cloud-Enabled Big Data has an impact on criminal investigations as well as civil litigation [24]. This occurs because of the nature of Cloud-Enabled Big Data, which is stored and processed in distributed systems. Cloud computing forensic tools face difficulties in identifying the remnants of information related to important evidence which need to be acquired.

C. Virtualization Forensics

1. Network Information
In virtualization, system machines, hosts and servers are interpreted and manipulated as virtual machines, virtual hosts and virtual servers, with a hypervisor installed in between them [25]. A hypervisor is software, hardware or firmware which creates and runs virtual machines. Network traffic can occur between virtual machines or between virtual networks without the knowledge of the host server and system. Therefore, network information can be deleted or altered. Investigators and forensic tools often can access the hypervisor, but not the virtual machines. As a result, the network information which appears beyond the system cannot be tracked [26]. Once a virtual machine is deleted, all network information will be deleted.

2. Duplicate MAC Addresses
MAC addresses are used for communication in Ethernet-based networks, and each is unique to a Network Interface Card (NIC) [27]. Virtual machines are isolated into specific networks using MAC addresses, but as they are in a virtual environment, these MAC addresses will not be selected as unique MAC addresses. As the addresses are not unique, the acquisition of network information might not be valid. The data captured would include the same MAC address multiple times, assigned to different hosts. This makes it difficult to identify suspect machines in the network.

3. Virtual Machine Deletion
Just as with network information, data in virtual machines cannot be tracked and obtained easily in investigations [26]. When the user deletes a virtual machine, the machine is deleted and leaves no record of itself. As the data is volatile, once the machine is deleted, the information contained in it and the data saved in virtual memory are destroyed. The recovery of the destroyed data requires more advanced tools than the existing ones.

4. Tracing Back Records
There are two generation types of virtual machines in a specific virtualization system, namely Microsoft's virtualization system [28]. The first-generation machine has drivers installed in the shareable hardware, which allows it to create logs recording details of computations and activities. With the use of the hardware drivers, forensic tools can perform extraction of data in investigations. The second-generation machines, on the other hand, do not create such drivers, but have synthetic drivers installed. These do not record any kind of information on computations and activities. As there is no function to obtain information from the virtual machines, and no built-in functionality exists in tools to obtain such information, forensic tools fail to acquire evidence related to those machines.

5. Multitenancy
Virtualization can support a dynamic and scalable establishment of virtual machines working concurrently [27]. These virtual machines share the same hardware drives, network cards and memory. It is a complicated task for investigators to gather information precisely from ‘capturing devices’ on those virtual machines. More specifically, it is difficult to identify the relevant user's machine and to identify the unique activities of that user.

6. Nested Virtualization
Nested Virtualization [27] is deployed by creating virtualization within virtualization, which can be used to come up with virtual machines as parts of other virtual machines. Day-to-day data capture and processing are difficult in such systems, as the virtual computer network is completely isolated from the physical system. Forensic tools are not able to gather information on deleted systems, network traffic and logs in nested virtualization [27]. Crimes conducted through the internet and Virtual Private Networks (VPN) in nested virtualization systems cannot be identified by the existing tools and techniques during investigations.

D. Network Forensics

1. Large Scale Computer Networks
Large-scale networks contain a huge volume of data, in which the evidence related to a crime is difficult to identify using existing tools [29]. The significant evidence is captured while some subtle evidence, which is also important for drawing conclusions, is left behind.

Data in large-scale networks is a challenge to capture, as it transfers through the network at high speed. This leaves the investigation tools unable to acquire the most relevant and accurate information. Portions of network data can be missed, and some additional information can be added during transfer. Therefore, the integrity of the acquired data is at risk.

Forensic tools for large-scale networks are limited to a small number of tools, which only consist of single-user computers and single-threaded features. These tools are not equipped with the latest technology and architecture to aid present-day network forensics. Moreover, most of them are not able to support the various formats of data in network storage and the processing operations of the network, which ultimately results in eliminating the origins of the data being captured [29].

The cost of tools discourages small-scale investigation agencies from purchasing them, though they are efficient and accurate in investigating evidence. Furthermore, within the financial scope of tools, a significant amount of money is required to license the tools before utilizing them.

2. Virtualization
Each physical network interface card (pNIC) in a hardware system has a corresponding virtual network interface card (vNIC), which is used to establish a connection to a virtual network [27]. With the use of a vNIC in a virtual machine, the incoming and outgoing data packets are merged with some pNICs when traversing to an external network from locally hosted virtual machines. The data-capturing forensic tools in virtual systems do not have the ability to acquire the network data without harming its integrity and privacy.

Data in a virtual network can migrate from one host to another according to a client's requirement by changing network information. Migration of virtual machines and vNICs makes the data capturing process and data-encapsulating protocols such as VXLAN difficult [27]. Thereby, the acquisition and analysis of network data using forensic tools also become complicated and unreliable.

3. Software Defined Network
Most forensic investigation procedures are unable to identify the source of an attack in Software Defined Networks (SDN) [30]. This occurs frequently in link fabrication attacks, where the attacker creates invalid links through switches by deceiving Link Layer Discovery Protocol packets. A controller in the network forwards data on this new link, supposing it to be a legitimate link. Therefore, eavesdropping attacks are initiated at this point. Since there are at present no network forensic tools developed, or any feature added, to capture the source of an attack, it remains a challenge in network forensics to identify the source and data origins related to an attack once it has been detected.

Log files and trace files are important in investigations to identify and analyze the activities which occurred during an attack, but it is hard to protect them. Investigations in network forensics fail due to the difficulty of preserving the integrity of log files after an attack has taken place. Software Defined Networks do not provide trusted, up-to-date mechanisms to ensure the integrity of data, thus making it possible for an attacker to modify the content of log files during a malicious act [30]. There are no approaches taken or trusted mechanisms implemented within the network forensics domain to verify that the collected evidence and its locations are legitimate.

E. Robot Operating System Forensics

1. Integrity of Evidence
Acquisition of data from Robot Operating Systems (ROS) can be done through live or remote data acquisition techniques, as ROS mainly deals with volatile data [31]. In live acquisition methods, data can be altered and additional information can be added to the original evidence due to the communication between the Robot Operating System and robot sensors. In remote data acquisition methods, it is recognized that the data being acquired from ROS through a network is huge in size and difficult to transfer with the existing forensic devices. Although there are tools such as FTK and EnCase to perform static data acquisition, there are no tools developed with advanced features to acquire data accurately from a Robot Operating System remotely.

2. Specialized Tools
Forensic investigations in Robot Operating Systems are at risk due to communication, privacy and access control factors concerning the stored data [31]. Every new bit of data and sensor added to the system needs to be analyzed thoroughly during the investigation. Therefore, ROS forensic investigations lack specialized forensic tools and technologies to collect, preserve and examine evidence, as well as to maintain the confidentiality, integrity and availability of data while complying with the digital devices.

F. Internet of Things Forensics

1. Identification of Evidence Sources
Internet of Things (IoT) systems produce a massive amount of data, which makes investigations harder to proceed. It is difficult to identify the origins, backgrounds and sources of the data acquired, and there is doubt as to whether the investigators have collected all the evidence without leaving behind any information. Examining the capabilities of forensic tools in IoT forensics, it was found that there exist ambiguities about where data is stored, how data is acquired and how evidence is examined [32]. Therefore, when analyzing the evidence, forensic investigators need to look into the physical and mechanical nature of smart devices.

2. Detection Accuracy
Forensic tools used for IoT forensic investigations are implemented with technologies such as Machine Learning and Deep Learning algorithms [33]. Data sets are trained with these algorithms to enhance the accuracy of functionalities like feature selection and data detection. As IoT devices and systems deal with real-time situations in day-to-day life, there is a gap in that the algorithms are not trained on real-time behavioral patterns. Therefore, Internet of Things Forensics is at risk, as it needs real-time intrusion detection mechanisms embedded in the digital forensic tools.

3. Training Data
A forensic tool should be efficient, accurate and secure in an investigation process [34]. Although there are data sets trained on forensic tools to detect evidence in Machine Learning-based data processing algorithms, they happen to be synthetic data sets a number of decades old. These data sets are outdated for modern, complicated IoT network forensic investigations. Furthermore, it is difficult to get accurate results, especially on real-time data and network attacks, with the aid of such forensic tools.

IV. CONCLUSIONS

Cyber forensics tools have become a major topic at present, due to the increase in cyber-crimes occurring in cyberspace. Ongoing research and development are being done as a result of advancements in the technology of digital devices and the various purposes of investigations. Digital forensics tools play a huge role in the process of investigations, in dealing with the acquired digital devices and networks, such as acquiring data, analyzing the information and reporting on the evidence. The accurate performance of these tools helps investigations to provide precise evidence to clients as well as to the court and law enforcement agencies. Ultimately, the report containing the results should be admissible to the court of law for a victim to be freed or a penalty to be charged. Therefore, cyber forensics tools should be capable of performing at their best in terms of functionality and technology to retrieve proper evidence.

Researchers and investigators who are occupied in scientific research and cyber-crime investigations have identified various challenges in cyber forensic tools. Open-source tools can be obtained freely and configured easily, while commercial tools need to be purchased. Using a commercial tool in investigations would be much more reliable and accurate in

Virtualization, Robot Operating Systems and Internet of Things Forensics in Digital Forensics. Issues regarding these tools have occurred due to inadequate capacity for data acquisition, network information acquisition, examination, technology variations, compatibility and securing the integrity of evidence. These challenges result in poor digital forensic investigations and provide inaccurate evidence which is not able to be accepted and used to take decisions. Therefore, currently a few tools are identified as being at the development stage in implementing solutions for the drawbacks.

V. FUTURE WORK

At present, research and development on cyber forensics tools are being conducted based on the encountered drawbacks. Implementing features for securing the integrity of volatile data (memory, cache and event logs) through live acquisitions in network systems and mobile devices, and for acquiring remnants from massive data in cloud systems, have been proposed by software architects and need to be implemented in the future. Forensic tools need to be implemented under Software Defined Network Forensics in order to preserve the integrity of log files after an attack has occurred, as well as to identify the source of an attack in link fabrication attacks and eavesdropping attacks. Moreover, in Internet of Things Forensics, training data sets and patterns should be established according to the current learnings in algorithms of IoT network forensic investigations.

As Robot Operating System Forensics is an upcoming forensics branch, it requires specialized tools to be developed in order to investigate sensors, nodes and objects in robot systems. The origins and nature of the massive data identified in IoT systems should be acquirable in the forthcoming implementations of forensic tools. The technologies and features of Digital Forensics tools should be improved with the advancements of the emerging technological and industrial areas. Thereby, Digital Forensics tools should be enhanced with technologies and features aligned to the cyber-crimes occurring and the rapid advancements of the emerging technological and industrial areas.

VI. ACKNOWLEDGEMENT

The author thanks Mr. Amila Senarathne (Senior Lecturer at Sri Lanka Institute of Information Technology, Sri Lanka) for giving the opportunity to discuss a timely topic in Cyber Security and for providing guidance to proceed with the paper.

VII. REFERENCES

[1] K. Inman and N. Rudin, Principles and Practice of Criminalistics: The Profession of Forensic Science. Florida, USA: CRC Press LLC, 2000.
[2] K.K. Sindhu and B.B. Meshram, “Digital Forensics and Cyber Crime Datamining,” Journal of Information Security [Online], vol. 3, no. 3, April 2012. Available: https://www.scirp.org/html/3- 7800083_21340.htm [Accessed: 21-Aug-2020].
[3] J. Jones and L. Etzkorn, “Analysis of digital forensics live system
retrieving results than an open-source tool. Drawbacks are acquisition methods to achieve optimal evidence preservation,” in
found in branches such as, Mobile, Network, Cloud, SoutheastCon 2016, Norfolk, VA, USA, 2016, pp. 1-6.
[4] E. Casey, Handbook of Computer Crime Investigation: Forensic Tools and Technology. London, UK: Academic Press, 2002.

[5] A. K. Mohan and P. Selwin, “Digital forensic investigation using sleuth kit autopsy,” in National Conference on Information, Communication and Cyber Security, India, 2016, pp. 43-48.

[6] K.K. Arthur and H.S. Venter, “An Investigation into Computer Forensic Tools.” [Online]. Available: https://pdfs.semanticscholar.org/1636/195399eeeca73911458c41acaa96f98d292a.pdf [Accessed: 20-Aug-2020].

[7] “Volatility.” GitHub. [Online]. Available: https://github.com/volatilityfoundation/volatility [Accessed: 20-Aug-2020].

[8] “Mail Viewer.” MITEC. [Online]. Available: https://www.mitec.cz/mailview.html [Accessed: 21-Aug-2020].

[9] C. Sanders, Practical Packet Analysis, 3rd ed. San Francisco, CA, USA: No Starch Press, Inc., 2017.

[10] Xplico. [Online]. Available: https://www.xplico.org/ [Accessed: 21-Aug-2020].

[11] INFOSEC, Computer Forensics: Network Forensics Analysis And Examination Steps, 2019. [Online]. Available: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/digital-forensics/network-forensics-analysis-and-examination-steps/#gref [Accessed: 21-Aug-2020].

[12] “XRY – Extract.” MSAB. [Online]. Available: https://www.msab.com/products/xry/ [Accessed: 21-Aug-2020].

[13] G. Suciu, C. Istrate, R. I. Răducanu, M. Diţu, O. Fratu and A. Vulpe, “Mobile devices forensic platform for malware detection,” in 6th International Symposium for ICS & SCADA Cyber Security Research 2019 (ICS-CSR), Athens, Greece, 2019, pp. 59-66.

[14] R. Ahmed and R. V. Dharaskar, “Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective,” in 6th International Conference on E-Governance, New Delhi, India, 2008, pp. 312-323.

[15] “SQLite Forensics Browser.” Revove. [Online]. Available: https://www.revove.com/database-forensics/sqlite-forensics-browser/ [Accessed: 22-Aug-2020].

[16] E. C. Cankaya and B. Kupka, “A survey of digital forensics tools for database extraction,” in 2016 Future Technologies Conference (FTC), San Francisco, CA, USA, 2016, pp. 1014-1019.

[17] M. Quintana, S. Uribe, F. Sánchez and F. Álvarez, “Recommendation techniques in forensic data analysis: a new approach,” in 6th International Conference on Imaging for Crime Prevention and Detection (ICDP-15), London, UK, 2015, pp. 1-5.

[18] R. Padmanabhan, K. Lobo, M. Ghelani, D. Sujan and M. Shirole, “Comparative analysis of commercial and open source mobile device forensic tools,” in 2016 Ninth International Conference on Contemporary Computing (IC3), Noida, India, 2016, pp. 1-6.

[19] M. Chernyshev, S. Zeadally, Z. Baig and A. Woodward, “Mobile Forensics: Advances, Challenges, and Research Opportunities,” IEEE Security & Privacy, vol. 15, no. 6, pp. 42-51, November/December 2017.

[20] A. Zareen and S. Baig, “Mobile Phone Forensics Challenges, Analysis and Tools Classification,” in 2010 Fifth International Workshop on Systematic Approaches to Digital Forensic Engineering, Oakland, California, 2010, pp. 47-55.

[21] P.R. Brandão, “Forensics and Digital Criminal Investigation Challenges in Cloud Computing and Virtualization,” American Journal of Networks and Communications, vol. 8, no. 1, pp. 23-31, 2019. [Online]. Available: https://www.researchgate.net/publication/335419838_Forensics_and_Digital_Criminal_Investigation_Challenges_in_Cloud_Computing_and_Virtualization [Accessed: 23-Aug-2020].

[22] ELCOMSOFT Desktop, Mobile & Cloud Forensics Blog, Challenges in Computer and Mobile Forensics: What to Expect in 2020. [Online]. Available: https://blog.elcomsoft.com/2019/12/challenges-in-computer-and-mobile-forensics-what-to-expect-in-2020/ [Accessed: 24-Aug-2020].

[23] S. Zargari and D. Benford, “Cloud Forensics: Concepts, Issues, and Challenges,” in 2012 Third International Conference on Emerging Intelligent Data and Web Technologies, Bucharest, Romania, 2012, pp. 236-243.

[24] Y. Teing, A. Dehghantanha, K. R. Choo, Z. Muda and M. T. Abdullah, “Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study,” IEEE Transactions on Sustainable Computing, vol. 4, no. 2, pp. 204-216, April-June 2019.

[25] Q. Liu, C. Weng, M. Li and Y. Luo, “An In-VM Measuring Framework for Increasing Virtual Machine Security in Clouds,” IEEE Security & Privacy, vol. 8, no. 6, pp. 56-62, Nov.-Dec. 2010.

[26] S.J. Vaughan-Nichols, “New Approach to Virtualization Is a Lightweight,” Computer, pp. 12-14, November 2006.

[27] D. Spiekermann and T. Eggendorfer, “Challenges of Network Forensic Investigation in Virtual Networks,” Journal of Cyber Security and Mobility, vol. 5, no. 2, April 2016. [Online]. Available: https://www.riverpublishers.com/journal_read_html_article.php?j=JCSM/5/2/2 [Accessed: 24-Aug-2020].

[28] K. Nance, M. Bishop and B. Hay, “Investigating the Implications of Virtual Machine Introspection for Digital Forensics,” in 2009 International Conference on Availability, Reliability and Security, Fukuoka, Japan, 2009, pp. 1024-1029.

[29] R. A. Hansen et al., “File Toolkit for Selective Analysis & Reconstruction (FileTSAR) for Large-Scale Networks,” in 2018 IEEE International Conference on Big Data (Big Data), Seattle, WA, USA, 2018, pp. 3059-3065.

[30] S. Khan et al., “Software-Defined Network Forensics: Motivation, Potential Locations, Requirements, and Challenges,” IEEE Network, vol. 30, no. 6, pp. 6-13, November-December 2016.

[31] I. Abeykoon and X. Feng, “Challenges in ROS Forensics,” in 2019 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), Leicester, United Kingdom, 2019, pp. 1677-1682.

[32] W. Yang, M. N. Johnstone, L. F. Sikos and S. Wang, “Security and Forensics in the Internet of Things: Research Advances and Challenges,” in 2020 Workshop on Emerging Technologies for Security in IoT (ETSecIoT), Sydney, Australia, 2020, pp. 12-17.

[33] A.Y. Javaid, Q. Niyaz, W. Sun and A. Mansoor, “A Deep Learning Approach for Network Intrusion Detection System,” in 9th EAI International Conference on Bio-inspired Information and Communications Technologies, New York, USA, 2015, pp. 21-26.

[34] M. N. Johnstone and M. Peacock, “Seven Pitfalls of Using Data Science in Cybersecurity,” in Data Science in Cybersecurity and Cyberthreat Intelligence. Cham, Switzerland: Springer, 2020.
