Unveiling the Dynamic Landscape of Digital Forensics: The Endless Pursuit

Abstract

The invention of transistors in the 1940s marked the beginning of a technological revolution that has impacted every aspect of our lives. However, along with the positive advancements, the malicious use of computing technologies has become a serious concern. The international community has been actively collaborating to develop digital forensics techniques to combat the unlawful use of these technologies. However, the evolution of digital forensics has often lagged behind the rapid developments in computing technologies. In addition to their harmful use, computing devices are increasingly involved in crime scenes and accidents, necessitating digital forensics to reconstruct events. This paper provides a comprehensive review of the development of computing technologies from the 1940s to the present, highlighting the trends in their malicious use and the corresponding advancements in digital forensics. The paper also discusses various institutes, laboratories, organizations, and training setups established at national and international levels for digital forensics purposes. Furthermore, it explores the initial legislations related to computer-related crimes and the standards associated with digital forensics. These reviews and discussions conclude at identifying the shortfalls in digital forensics and proposes an all-inclusive digital forensics process model meeting these shortfalls while complying to international standards and meeting regulatory and legal requirements of digital forensics.

1. Introduction

The National Institute of Standards and Technology (NIST) through its Computer Security Resource Centre (CSRC) defines digital forensics as “The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data” [1,2]. Although traditional forensics has developed in a structured and consistent manner from the scientific community, digital forensics has emerged from ad hoc techniques and tools derived from the experiences of law enforcement, system and network administrators, and computer enthusiasts. Consequently, its development has been inconsistent [3]. Essentially, the progress of digital forensics has closely followed the evolution and misuse of computing technologies [4]. Thus, to understand the development of digital forensics, it is essential to examine the evolution of computing technologies.

Before 1947, computing devices depended on electromechanical technology, including components such as vacuum tubes, relays, gears, shafts, belts, and cams (machine switches) [5]. The advent of transistors in 1947 represented a major milestone in computer development, enabling the rise of transistor-based computing systems [6]. However, until the mid-1970s, computer use was mainly confined to industries, government agencies, universities, and research institutions.

During the 1980s, the advent of personal computers revolutionized the computing world, becoming popular among both computer enthusiasts and the general public. The early 1990s saw the Internet’s arrival, which led to a significant surge in the use of personal computers. The 2000s were marked by the rise of Web 2.0 and portable computing devices, which signified major technological progress. Since 2010, new technological paradigms such as cloud computing, blockchain, and the Internet of Things (IoT) have emerged, further enhancing the capabilities and potential of computing technology.

The evolution of digital forensics paralleled significant advancements in computing technologies. Initially, these advancements began with basic security audits conducted by system administrators and the creation of data recovery tools. Gradually, this field evolved into computer forensics, characterized by improvements in forensic tools, the creation of international standards, and the acknowledgment of digital evidence.

The golden age of digital forensics spanned from 2000 to 2010, marked by advancements in forensic facilities, tools, and models, as well as the simplicity of operating systems and file formats, the lack of encryption, and the absence of robust security in devices. These elements fostered an environment favorable for digital forensic investigations. After 2010, new areas such as network forensics, cloud forensics, and IoT forensics began to emerge. Various international organizations significantly contributed to the development of digital forensics by creating international standards, developing forensic models and tools, and providing training. However, digital forensics is trailing behind due to fast paced development in computing technologies and international standards defined since the 2010s. Hence, a model for all-inclusive digital forensics process is needed, capable of meeting international standards and carrying out forensics of the latest computing technologies.

The main contributions of this paper are as follows.

• An extensive analysis (the first of its kind, in our opinion) of the progression of computing, categorized into five distinct periods from the 1940s to the present day, grounded in significant technological advancements in Section 2.
• The evolution of the malicious use of computing technologies and the advancements in forensic science to combat these threats across different periods are discussed in Section 3, including:

  (a)

  The evolution from simple security to evidence recovery, computer forensics, digital evidence, and digital forensics, along with its emerging dimensions.

  (b)

  The metamorphosis of forensics tools, techniques, trainings, and facilities.

  (c)

  Some of the most talked-about forensics models/frameworks.

  (d)

  International initiatives and bodies dealing with digital forensics.

• The evolution of digital forensic approaches in various eras has been discussed in Section 4.
• Proposing an all-inclusive digital forensics process model that meets international standards and regulatory/legal requirements in Section 5.
• Identifying the shortfalls in previous forensic models/frameworks and drawing comparison with the proposed model in Section 6. Proposed model outperforms all the previous models.

The research for this paper has been carried out by examining existing literature from diverse sources, including contributions from the research community in prestigious journals and conferences. In addition, industry advancements have also been considered. To achieve a thorough understanding, prominent international initiatives in digital forensics have been reviewed, along with pertinent governmental, semi-governmental, and private organizations involved in the field. This methodology ensures that the article integrates a broad spectrum of viewpoints and the most current information from various reliable sources. Figure 1 illustrates the structure of the paper.

2. Advancement in Computing

The evolution of computing can be categorized into five distinct phases concerning the development of computing technologies.; Dawn of Computers (late 1940’s to early 1970s), Introduction of Personal Computers (late 1970s to late 1980s), Growth of Personal Computers (1990s), Introduction of Smart Phones/Devices (2000 to 2009) and Ubiquitous Networks and Services (2010 onward).

2.1. Dawn of Computers (Late 1940’s to Early 1970s)

The industrial computing era began with the transistor’s invention at Bell Laboratories in 1947 [6,7]. In 1949, Manchester University developed the first computer, Mark 1, which stored programs in electronic memory. Access to Mark 1 was restricted to scientists [8,9]. In 1959, integrated circuits (ICs) were created [10], followed by the silicon-based Metal-Oxide Semiconductor Field-Effect Transistor (MOSFET) in 1960 [11]. These innovations led to the first microprocessor, Intel 4004, in 1971 [12]. In 1964, Douglas Engelbart created a prototype computer with a mouse and a graphical user interface (GUI) [13]. Many computers followed, but until the early 1980s, their use was mostly limited to industries, government, universities, and research institutions.

2.2. Introduction of Personal Computers (Late 1970s to Late 1980s)

In 1974, H. Edwards Roberts and MITS (Micro Instrumentation and Telemetry Systems) developed the first personal computer, Altair, based on Intel’s 8080 microprocessor, but it was produced on a limited scale [14]. In 1976, Steve Jobs and Steve Wozniak developed the Apple I [15], a single-circuit board computer that was an instant hit, followed by the Apple II in 1977. In 1981, IBM launched its first personal computer, Acorn [16]. In the late 1980s, Compaq introduced the first laptop [8]. Personal computers gained popularity in the 1980s but were mainly used by hobbyists [7]. During this era, the Advanced Research Projects Agency Network (ARPAN) developed the first wide area network, ARPANet, with its first public demonstration in 1972 [17]. This later became the basis of the internet.

2.3. Growth of Personal Computers (1990s)

In 1990, the World Wide Web (www) was developed at CERN in Geneva, Switzerland [18], to facilitate global data sharing among scientists. The www spurred the explosive growth of personal computers, dominating the 1990s [19]. Other major developments included digital media (video/audio), digital fax machines, and compact cell phones (GSM 2G), further advancing computing technologies and integrating them into daily life.

2.4. Introduction of Smart Phones and Portable Devices (2000 to 2009)

Technologies like Bluetooth [20], WiFi (802.11 g) [21], 3G [22], USB flash memory sticks [23], broadband internet [19], and faster processors led to portable devices like smartphones, PDAs, and portable storage. These devices revolutionized information access and interaction, creating the wireless web [24], Web 2.0 (social media, blogs, etc.) [25], and mobile commerce. The wireless Web allowed access to the Internet without fixed locations, while Web 2.0 enabled the creation and sharing of interactive content [26]. Mobile commerce facilitated convenient transactions via portable devices. These advancements improved the interconnectedness and accessibility of computing technologies in daily life.

2.5. Ubiquitous Networks and Services (2010 Onward)

From 2010 onward, IT systems offered more services and functionalities, but their management became more complex [27]. The exponential increase in data made local storage difficult. Faster wireless technologies such as 4G and 5G, together with cloud computing, addressed these issues, leading to a more connected cloud environment [28,29].

Technologies such as the Internet of Things (IoT) and Cyber-Physical Systems (CPS) are revolutionizing daily life, including health services, city management, industries, agriculture, and logistics [30]. Compared to traditional computers, the ubiquity of cloud computing and IoT has popularized tablets, smartphones, and wearable devices [31]. Cryptocurrencies, e-wallets, digital and online marketplaces, AI chat-bots, and recommender systems have transformed business and shopping, driving e-commerce growth [32]. Blockchain technology introduced secure online transactions [33,34]. Smartphones gain popularity yearly [35].

The fish-bone diagram of the evolution of computing is shown in Figure 2.

3. Trends in Misuse of Computing Technologies and Evolution of Digital Forensics

In this section, we have mapped the trends in the misuse of computing technologies and the evolution of digital forensics with the phases of development of computing mentioned in Section 2.

3.1. Trends in Misuses and Forensics-Late 1940’s to Early 1970s

During the early years of computing, from the late 1940s to the early 1970s, the use of computers was limited to industry, government agencies, universities, and research centres. The concept of computer-related forensics, as we know it today, was virtually non-existent during this era [7].

3.2. Trends in Misuses and Forensics-Late 1970s to Late 1980s

The advent of personal computers saw their exploitation for illegal activities, sparking a new age of cybercrimes and digital espionage. In response, forensic teams and data recovery tools were devised to combat these increasing threats. Key advancements from this period are summarized below.

3.2.1. Introduction of Laws for Computer Related Crimes

With the introduction of personal computers in the 1980s, their usage for malicious activities also increased. Various countries responded to this emerging challenge by enacting laws to protect data from unauthorized access and to address computer-related crimes.

Sweden introduced a data protection law in 1973. West Germany’s 1977 Bundesdatenschutzgesetz (BDSG) addressed data protection and privacy. France’s 1988 laws targeted computer crimes. In U.S., the Florida Computer Crime Act was passed in 1978, followed by the 1986 Federal Computer Fraud and Abuse Act (CFAA) to combat computer crimes federally. The UK’s 1990 Computer Misuse Act aimed to deter and prosecute cybercrimes.

3.2.2. Emergence of Forensics Teams and Data Recovery Tools

In 1984, the FBI established the Computer Analysis and Response Team (CART) to investigate computer crimes [36], marking the early days of digital forensics. By the mid-1980s, the Royal Canadian Mounted Police (RCMP) and the U.S. Internal Revenue Service (IRS) developed basic command-line tools for digital investigations. Later in the 1980s, data recovery tools like Xtree and Norton DiskEdit became available [37]. In 1985, the Computer Crime Unit (CCU) of the Metropolitan Police of the UK was founded to address computer-related crimes [38].

In 1986, the High Technology Crime Investigation Association (HTCIA) was established in the U.S. to provide training and foster collaboration among high-tech crime professionals, and it has since grown internationally with various chapters [39]. The U.S. Secret Service launched the Electronic Crimes Special Agent Program (ECSAP) in 1987 to handle crimes involving electronic media and emerging technologies [40], while the Federal Law Enforcement Training Centre (FLETC) in Georgia started the Seized Computer and Evidence Recovery (SCER) program in 1989, which now continues as the Seized Computer Evidence Recovery Specialist (SCERS) [41]. In October 1989, the International Association of Computer Investigative Specialists (IACIS) was established in Oregon as the first international body for computer investigations, and it began offering formal training on investigating computer crimes, including specialized training for international law enforcement [36,42,43].

In 1989, the Council of Europe of Ministers acknowledged the increase in computer-related crimes [44], emphasizing the need to address cybercrimes and collaborative efforts against digital offenses.

3.2.3. First Ever Reported Case of Cyber Espionage

In 1986, German hackers supported by the Soviet KGB infiltrated more than three dozen U.S. military computers, exploiting telephone lines and unpatched vulnerabilities [45]. Due to the absence of modern digital forensics tools, espionage was tracked through other means. Network administrators monitored activities and used logs to trace and identify the intrusion.

Due to the lack of any formal forensics procedures and tools, Mark Pollitt termed the period before 1985 as “pre-history” and 1985–1995 as the “infancy” of digital forensics, and Simson L. Garfinkel referred to the period before the late 1990s as the “early days of digital forensics” [7,46].

3.3. Trends in Misuses and Forensics-1990s

With the rise of personal computers, the term“Computer Forensics” was coined by Collier and Spaul in 1992, suggesting the extension of forensic science to crimes committed via computers [44]. In the 1990s, the FBI defined computer forensics as the “Science of acquiring, preserving, retrieving, and presenting data that has been processed electronically and stored on computer media” [47]. This era saw the emergence of online computer crimes and significant developments in forensics, including international standardization efforts, establishment of forensic labs, formal training, and the availability of forensic tools. By the end of this era, the more inclusive term digital evidence emerged. Some of the important developments of this era are discussed in the following.

3.3.1. Standardization Efforts

During International Law Enforcement Conference hosted by FBI in 1993, it was concluded that the standards on computer forensics were required to be drafted [48]. During the sequel of the same conference, held in 1995, the International Organization on Computer Evidence (IOCE) was established, recognizing that international cooperation on computer forensics was required [36]. During annual meeting of the IOCE held in 1997, it was concluded that digital forensic standards were needed to be drafted. In the same year, during the meeting of G8 leaders in U.S., principles and action plan related to developing standards for computer forensics were approved and IOCE was tasked with the same by High Tech Crime Sub-Group of the G-8. However, IOCE decided to assign some computer forensics groups, which were already working on the development of standards [49]. Some of the prominent groups/initiatives at that time (1997/98) are as under.

• Technical Working Group Digital Evidence (TWGDE) In 1997, Federal Crime Laboratory Directors of U.S. constituted a Technical Working Group Digital Evidence (TWGDE) to deal with issues related to digital evidence, including drafting best practices document. In 1999, on recommendation of IOCE, this group was converted to a more elaborate Scientific Working Group Digital Evidence (SWGDE) [36,49].
• Forensic Computing Group (FCG) and Association of Chief Police Officers (ACPO) of UK The FCG of UK is the oldest organization in the world working on computer evidence. Under UK’s Association of Chief Police Officers (ACPO), this group was working on drafting guidelines for the safe handling of digital evidence including its seizure, acquisition, and examination [50]. These guidelines were eventually published in 1998 [51]. In 2015, ACPO was replaced by the National Police Chiefs’ Council (NPCC) [52].
• European Network of Forensic Science Institutes (ENFSI) In 1995, ENFSI was established, with the aim of strengthening cooperation between member European countries. In 1998, the Forensic Information Technology Working Group (FIT-WG) was established under ENFSI to work on the development and acceptance of guidelines, best practices, and standards related to information technology forensics [50].
• Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) In 1998, TWGECSI was created by National Institute of Justice (NIJ), U.S. Department of Justice, to define the protocols for electronic investigations and prosecutions [53]. In 2001, Electronic Crime Scene Investigation: NIJ published a Guide for First Responders draughted by this group.
• Committee of Experts on Crime in Cyber-Space (PC-CY) - Council of Europe In 1997, PC-CY was established to deal with cyber crimes by drafting Convention on Cyber-Crimes [50,54]. Cyber-Crime Convention drafted by this committee was approved in 2001.

In 1998, IOCE selected TWGDE (renamed to SWGDE) for the task assigned to it by High Tech Crime Sub-Group of the G-8 (as mentioned above). SWGDE developed “Digital Evidence: Standards and Principles”, dealing with international principles for the recovery of computer evidence and the exchange of digital evidence. This document also included the definition of digital evidence; “any information of probative value that is either stored or transmitted in digital form”. During International High Tech Crime and Forensics Conference (IHCFC) in 1999, the IOCE document was prepared after incorporating ACOP’s Guidelines into SWDGE’s document and was shared with G8 High Tech Crime Sub-Group. In 2001, after some improvements, draft was approved for implementation at G8 level [49]. However, SWDGE original draft was also taken as draft standard for law enforcement agencies of U.S. [47,55]. This standard covered details including evidence collection, preservation, examination, its transportation, integrity and documentation of all activities (Chain of Custody) meeting legal and scientific requirements.

In 1995, the American Academy of Forensic Sciences (AAFS) observed that no mechanism was existing in U.S. to evaluate the quality and consistency of forensic specialists, available with various forensic bodies. To address the issue, the Accreditation and Certification Task Force, now known as the Forensic Specialities Accreditation Board (FSAB), was established to evaluate and monitor the various forensic outfits seeking accreditation. In 2000, FSAB was declared an independent organization [56,57].

3.3.2. Forensics Trainings and Labs

By 1995, almost 48 percent of law enforcement agencies in U.S. were having computer forensics laboratories, but these were working without any approved procedure. In 1993, the Forensic Association of Computer Technologists (FACT) was established at Iowa, U.S., to provide computer forensic training to law enforcement agencies [58]. UK had been running courses for its law enforcement agencies at its police training college in the 1990s, whereas computer investigation resources were present in its Customs and Exercise, Serious Fraud Office and Inland Revenue since the mid-1990s [38].

The requirement of having a dedicated laboratory for computer forensics, being a specialized and sensitive job, emerged during the early 1990s and the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) issued guidelines for Forensics Laboratory Management Practices in 1994 [59]. In 1996, the Computer Technology Investigators Network (CTIN) was created to train and support public and private sector investigators and prosecutors [60].

In 1998, the Department of Defence (DoD) established the Defence Computer Forensics Laboratory (DCFL) (converted to Cyber Forensics Laboratory (CFL) in 2017) and the Defence Computer Investigations Training Academy (DCITA) (converted to Cyber Training Academy (CTA) in 2017) to deal with computer forensics [61]. In the late 1990s, for research and training purposes, FBI’s CART collaborated with DCFL [37]. In 2001, Department of Defense Cyber Crime Center (DC3) was established and DCFL and DCITA were placed under it [62,63].

3.3.3. Forensics Tools

First ever forensics tool; “Safeback” was developed in 1991 [64]. The tool was able to capture forensic images and evidence-grade hard drive backup [7]. Subsequently, computer forensics tools started appearing in the markets, along with the conduct of professional trainings by IACIS (already discussed above) and initiation of search warrant programs by IRS [37]. A commercial tool named Expert Witness was released for the forensics of Macintosh computers in 1995 [65], which was renamed to Encase in 1998.

3.3.4. From Computer Forensics to Digital Evidence

Numerous types of digital evidence emerged by end 1990s, including cell phones, digital audio storage media for digital audio and video evidence [66]. In 1998, during meeting of forensics experts from various law enforcement agencies, hosted by Forensics and Technical Services Division of U.S. Postal Inspection Service, term of “digital evidence” was suggested to replace “computer evidence”, thus giving birth to all inclusive term of “Digital Forensics”.

By end of 1990s, world community acknowledged that valid and reliable data recovery methods are fundamental to law enforcement’s investigations and forensics investigation needs to follow well established principles of examination, elaborate policies, practices and well documented procedures and techniques [47,67].

3.4. Trends in Misuses and Forensics-2000 to 2009

With an increase in the variety of digital evidence, this era saw the evolution of computer forensics to digital forensics. Complexity and variety of emerging digital evidence required the need to have a forum to share the knowledge and experience of digital forensics, as well as to deliberate on emerging challenges amongst academics, researchers, law enforcement, military, practitioners and industry [68]. These requirements led to the creation of Digital Forensic Research Workshop (DFRWS) in 2001 in U.S. [69,70].

Digital Forensics was formally defined in 2001 by DFRWS as “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations” [69]. Some of the other important developments of this era are discussed below.

3.4.1. Improvements in Forensics Facilities

Guidelines for Forensics Laboratory Management Practices were issued by ASCLD/LAB in 1994, but the trend to carry out computer forensic examination in forensics laboratory, instead of offices/workplaces, was observed in the early 2000s [36]. North Texas Regional Computer Forensic Laboratory (RCFL) of FBI became the first digital forensic laboratory to be accredited by ASCLD/LAB [7]. In 2002, DoD established Defense Cyber Crime Institute (DCCI) (converted to DC3 Technical Solutions Development (DC3/TSD) in 2017) to develop new and customize existing tools to meet its requirements [61]. In 2008, the National Computer Forensics Institute (NCFI) was established in U.S. for training of law enforcement agencies, prosecutors, and judges in computer forensics.

Information Technology Laboratory (ITL) is a constituent laboratory of U.S. National Institute of Standards and Technologies (NIST). It is internationally recognized for research on IT measurements, testing and standards. Its two programs are dealing with digital forensics; National Software Reference Library (NSRL) and Computer Forensic Tool Testing (CFTT) [71]. NSRL maintains a Reference Data Set (RDS) containing digital signatures (hash values) of software applications, which can be consulted to detect malicious versions of applications [72], in addition to its other uses. The first volume of RDS was released in 2001 [73]. CFTT programme was launched to regulate and standardise computer forensic tools so that the results generated by them are both reliable and admissible in the court of law. CFTT project chalks out general tool specifications, detailed test procedures and to facilitate testing, also defines test criteria, test sets, and test hardware. The details of the tools tests under this project are available on their website [74]. The first report was published by CFTT in 2003 [73].

In UK, National High Tech Crime Unit (NHTCU) under Home Office was created in 2001, to deal with computer-related crimes. This was merged with the Serious Organised Crime Agency (SOCA) in 2006 [38]. To advance research and practice, the International Federation for Information Processing (IFIP) created Working Group (WG) 11.9 on Digital Forensics in 2004 [75]. Since 2004, this WG has held an annual conference in which new and unpublished ideas related to digital forensics are presented. It also conducts technology transfer workshops [75].

3.4.2. Forensics Models by Research Community/Academia

Up until the 1990s, research in digital forensics was mainly steered by law enforcement bodies. However, in 2000s, work by research community picked up pace and numerous forensics models/framework emerged. Some of the key models are discussed below.

In 2001, Digital Forensic Investigation Model (DFIM), commonly known as the three A’s model, was proposed, having three main phases; `A’cquiring evidence while ensuring its integrity, its `A’uthentication and `A’nalysis in a way that integrity was maintained [76]. It was an integrity-centric model. In 2001, the Forensic Process Model (FPM) was proposed by U.S. Department of Justice. FPM comprised four phases; Collection, examination, analysis, and reporting [53]. In 2001, Digital Forensic Research Workshop (DFRWS) proposed a seven phased model; Identification, preservation, collection, examination, analysis, presentation and decision [69] and shown in Figure 3. It was the first comprehensive model that included phases that were not present in previous models, such as identification involving activities before the acquisition of evidence and presentation involving post analysis activities, specially related to court proceedings.

In 2002, Abstract Digital Forensic Model (ADFM) was proposed by U.S. Air Force, adding two more phases in DFRWS Model; Preparation and approach strategy and renaming decision phase to “return of evidence” [77]. In 2003, the Integrated Digital Investigation Process Model (IDIPM) was proposed, comprising seventeen phases, organized into five groups [78], shown in Figure 4. In 2004, the same authors explained the proposed model in more detail under “event-based digital forensic investigation framework” [79]. In 2004, Enhanced Digital Investigation Process Model (EDIPM) further enhanced IDIPM [80]. The enhancements included making the phases of investigation as iterative rather, and introduced new phases with an aim to traceback to primary crime scene (where applicable). The groups were reorganized as readiness, deployment, traceback, dynamite, and review. Traceback was used to identify the primary crime scene (specially crimes where internet, remote login etc are used) and dynamite was used to explore that crime scene.

In 2003, the Computer Forensic Secure, Analyze, Present (CFSAP) model was proposed, in which four phases of FPM were grouped into three steps; Securing, analyzing and presenting. The secure step included identification and preservation, analyze step included extraction, processing and interpretation and present step included presentation, expert opinion, and testimony [81]. In 2004, Extended Model of Cybercrime Investigation (EMCI) was proposed. It comprised thirteen phases with the rationale that previous models were dealing with processing of digital evidence only [82]. Proposed phases included awareness (that investigation was needed), authorization (to carry out investigation), planning, notification (to all concerned parties about investigation), search for and identify evidence, collection (of evidence in a forensically sound manner), transport (of evidence in forensically sound manner), storage (of evidence while ensuring its integrity), examination (of evidence), hypothesis (what actually happened, based on examination phase), presentation (of hypothesis to concerned authority (court/management)), proof/defence (of hypothesis in front of concerned authority) and dissemination (of information from investigation process (limited, depending upon case-to-case basis) for future reference for investigators (archiving) or for formulation of policies and guidelines etc.

In 2006, “Guide to Integrating Forensic Techniques Into Incident Response” [2] of National Institute of Standards and Technology (NIST) proposed four phases of a digital forensics process; collection, examination, analysis, and reporting (shown in Figure 5).

In 2006, Computer Forensics Field Triage Process Model (CFFTPM) was proposed for time sensitive investigations, proposing on-site activities for extraction of time sensitive data, in forensically sound manner [83]. The proposed model comprised six phases; planning, triage, user usage profile (using home directory, file properties, and registry), chronology/timeline, internet activity (browser artefacts, email artifacts and instant messaging artifacts) and case-specific evidence.

In 2007, Common Process Model for Incident Response and Computer Forensics (CPMIRCF) was proposed for incident response and computer forensics. It comprised three main phases; Pre-Analysis, Analysis and Post Analysis [84]. The pre-analysis phase included activities of pre-incident preparation, detection of incident, initial response, and formulation of response strategy. The analysis phase included activities of live response (for running incident/volatile data), forensics duplication, data recovery, harvesting (collection of metadata of preserved evidence), reduction & organization and analysis. The post-analysis phase included the generation of reports (for legal requirements and carries information of activities conducted in the pre-incident and analysis phases) and resolution (reason of incidents, remedial measures, and measures to avoid occurrence of such incidents in future). In 2009, a seven-phased digital forensic model based on Malaysian Investigation Process (DFM-MIP) was proposed to meet Malaysia’s cyber laws [85]. These phases included planning, identification (live or static), reconnaissance (including evidence collection (live or static) and its transport & storage), analysis, result, proof & defence and archive storage. This model incorporated static and live acquisition, as well as data mining aspects in archive storage (for data mining).

3.4.3. Metamorphosis of Forensics Tools

In this era, advance level forensics tools were developed for commercial use. Some notable tools are EnCase [86], Forensics Toolkit (FTK) [87], Helix [88], The Sleuth Kit (TSK) [89,90] and Autopsy [91,92]. Governmental law enforcement agencies also developed some tools like Automated Case Examination System (ACES) and iLook, however, these tools could not keep pace with fast evolving technologies and soon became obsolete [7]. Mobile forensics tools also have emerged to cater for smart mobiles. Some of the popular mobile forensic tools are Paraben Device Seizure, Cellebrite, XRY, Susteen SecureView and CellDEK [93].

3.4.4. eDiscovery

In 2006, to address the legal issues being faced with Electronically Stored Information (ESI), Federal Rules of Civil Procedure were amended and digital information was declared as a form of evidence and eDiscovery (electronic discovery) system was implemented [7,94]. In 2007, US Federal Judicial Centre defined eDiscovery as “The process of collecting, preparing, reviewing and producing electronic documents in a variety of criminal and civil actions and proceedings” [94].

In 2005, Electronic Discovery Reference Model (EDRM) Project was launched, to standardize the electronic discovery and in 2006, EDRM was proposed [95,96]. EDRM comprised six phases as shown in Figure 6.

• Information Management Phase This phase dealt with the actions required to enable the infrastructure for e-discovery.
• Identification This phase dealt with identifying potential evidence sources, along with their details.
• Preservation and Collection This phase dealt with preservation of evidence sources, identified in the second phase, from contamination, destruction, and collection of potential evidence relevant to the case.
• Processing, Review and Analysis This phase dealt with processing of acquired evidence by digital forensic investigators, result of the findings by legal experts and analysis of the result by attorneys for their relevance and quality.
• Production This phase dealt with delivery of investigation results to other relevant parties, in easy-to-understand format, through appropriate delivery mechanism.
• Presentation This phase dealt with the details of the presentation of evidence to the audience concerned, while ensuring compliance with the relevant legal requirements.

Since EDRM, its numerous improvements have been proposed, but the main phases generally remained the same [97,98,99].

3.4.5. Emergence of Digital Forensics as a Profession

By late 2000s, digital forensics was regarded a core skill area and work of skilled craftsmanship. Investigators started to have formal academic qualification and certifications in addition to just trainings. Universities started offering specialized courses, graduate and post-graduate programs [7]. Digital forensics started considering as a true forensic science and career-enhancing skills.

The period 1999–2007 was termed as “Golden Age” for digital forensics due to the widespread use of Microsoft Windows, limited file formats, examination limited to single computer, standard interfaces of storage devices, availability of adequate number of forensic tools for recovery of allocated and unallocated (deleted) files, encryption on data was not introduced yet and the lack of strong security in devices [46].

The summary of trends in the misuse of computing technologies and the corresponding developments in forensics are shown in Figure 7.

3.5. Trends in Misuses and Forensics-2010 Onward

Digital forensics is becoming a more challenging and arduous task, with every passing year due to (1) growing size of storage media with increasing variety in their hardware interfaces, (2) increase in use of cloud services, (3) use of embedded flash storage, (4) RAM based malwares, (5) exponential increase in variety of operating systems and file formats, (6) use of encryption and (7) legal issues, as shown in Figure 8. Some of the important developments of this era are discussed below.

3.5.1. Advancements in Forensics Models

Numerous advances have been made in forensic models in this era. Some of the noteworthy advancements are discussed below.

In 2010, Digital Forensics Management Framework (DFMF) comprising three components, was proposed; Pro-active (ProDF), Active (ActDF) and Re-active (ReDF) [100]. ProDF achieved digital forensics readiness through preparation of requisite infrastructure, evidence management plan, augmenting the existing risk management plan, digital forensics training and awareness strategy, establishment of management capability in shape of digital forensics investigators and Computer Emergency Response Team (CERT), improvement of controls and responsible use of digital forensics tools. ActDF dealt with live forensics through incident response and confirmation, live evidence acquisition, analysis, limited event reconstruction and incident closure (termination of live acquisition). ReDF dealt with traditional digital forensics and had steps of incident response and confirmation, physical investigation, digital investigation through evidence acquisition, analysis and service restoration, incident reconstruction, present findings, dissemination of results, and incident closure.

In 2011, Proactive and Reactive Digital Investigation Process (PRDIP), derived from DFMF, was proposed [101]. PRDIP incorporated some functional details into the DFMF. However, the ActDF component of DFMF was not included in this model under the pretext that it lacked case-specific tools and methods.

In 2011, Systematic Digital Forensic Investigation Model (SDFIM) comprising eleven phases, was proposed [102]. The proposed model was systematic and generic in nature, affording an opportunity to carry out investigations according to country-specific techniques, in addition to assisting the judiciary. The model also followed the steps mentioned in guidebook of U.S. Department of Justice titled “Forensic Examination of Digital Evidence: A Guide for Law Enforcement” [103]. In 2013, SDFIM was enhanced by Enhanced Systematic Digital Forensic Investigation Model (ESDFIM), which incorporated techno-legal requirements of digital forensics investigation [104]. Moreover, the complete model was iterative in nature. ESDFIM comprised six phases; Preparation, acquisition & preservation, examination & analysis, information sharing, presentation, and review as shown in Figure 9. In 2011, the Digital Forensic Model for Digital Forensic Investigation (DFMDFI) with four phases was proposed [105]. The Preparation phase involved preparation, identification, authorization, and communication. The Interactive phase focused on collection, preservation, and documentation. The Reconstruction phase included examination, testing, and analysis. The Presentation phase addressed results, review, and reporting. The model used an iterative approach.

Integrated Conceptual Digital Forensics Framework for Cloud Computing (ICDFFCC) proposed in 2012, addressed the emergency challenges of carrying out forensics under cloud environment [106]. This model was based on NIST’s Forensics Process of 2006, already discussed in Section 3.4 [2]. However, its main difference from NIST’s Forensics Process was its iterative nature.

In 2013, the concept of hybrid evidence emerged as crime scenes began combining physical and digital elements, leading to the proposal of the Hybrid Evidence Investigation Model (HEIM) [107]. This model includes four phases: Preparation, Crime Scene Investigation, Laboratory Examination, and Conclusion. The Preparation phase involves notification, obtaining authorization, and arranging tools, equipment, and personnel. The Crime Scene Investigation phase focuses on preserving the scene, identifying and collecting physical and digital evidence, and ensuring secure transportation. During the Laboratory Examination phase, evidence is thoroughly examined, securely stored, and reports are generated. The Conclusion phase involves crime reconstruction, sharing insights, and making recommendations for future investigations.

In 2013, Integrated Digital Forensics Process Model (IDFPM) was proposed, which was a mix of various models including IDIPM, EDIPM and EMCI, already discussed in Section 3.4 [108]. No new concept was introduced in this model. However, this was standardization of previous models in terms of terminologies used.

Digital Forensics as a Service (DFaaS)

In the 2010s, the need for DDFaaS emerged to manage diverse, voluminous, and complex digital evidence. DFaaS established centralized digital forensic labs with specialized tools and expertise, available on demand to interested parties. In 2010, the Netherlands adopted DFaaS for high-volume digital investigations, using XIRAF, an XML-based indexing and querying service by the Netherlands Forensics Institute. XIRAF categorized stakeholders into detectives, digital investigators, and analysts. In 2015, it was succeeded by HANSKEN, which enhanced investigation capacity and speed, improved results, fostered innovation, provided better reporting, and optimized organizational integration.

In 2011, concept of Forensic Cloud was introduced and technology framework for cloud based forensics, based on Hadoop, offering faster analysis, capability to deal with wide variety of devices, pervasive analysis and collaborative analysis [109]. Framework comprised client layer (Windows applications for lab analysis, web applications for remote analysis and mobile applications for pervasive analysis), front-end layer supporting various kinds of client applications, data processing layer included numerous modules for developing forensics applications and platform layer based on apache Hadoop, capable of managing distributed systems.

3.5.2. New Dimensions of Digital Forensics

New dimensions have been added to digital forensics to address the challenges posed by emerging IT systems and applications. Some of the main dimensions are listed below.

Network Forensics

Although network forensics existed in the 2000s, it started to emerge as an independent discipline in 2010s. In 2010, Generic Process Model for Network Forensics (GPMNF), specific to network forensics and comprising nine phases, was proposed [110]. Proposed model, shown in Figure 10, aggregated various models, from network forensics perspective. For example, in phase dealing with “collection of network traces”, data is acquired from sensors deployed for collection of traffic data e.g., firewalls, Intrusion Detection Systems (IDS), traffic flow measurement software and packet analyzers. Hence, deployment of network security tools is pre-requisite for proposed model.

Cloud Forensics

It seems like the most debatable branch of digital forensics, in context of facilitating the investigator or making his job tougher [111]. Cloud forensics term appeared in 2010s and NIST defined it as “The application of scientific principles, technological practices, and derived and proven methods to reconstruct past cloud computing events through the identification, acquisition, preservation, examination, interpretation, and reporting of potential digital evidence.” [112]. Cloud computing presents various challenges to digital forensics, including data acquisition due to physical inaccessibility to data source, volatile nature of data, elastic nature of cloud resources, and less control on data (as per cloud service model being used), dependence on Cloud Service Provided (CSP) for provision of data, multi-tenancy and multi-jurisdiction issues [113]. In 2017, to address these issues, the cloud forensics framework was proposed as shown in Figure 11 [114]. On-premise centralized forensic server, having local forensic monitoring plane (FMP), was proposed to avoid reliance on CSP to obtain evidence for forensics. FMP was recommended to have a forensics tool, monitoring all incoming and outgoing traffic, and also making a forensics copy of the monitored data. However, the proposed model is resource intensive and also compromises the privacy of user data.

Integrated Conceptual Digital Forensics Framework for Cloud Computing (ICDFFCC), proposed in 2012, has already been discussed in Section 3.5.1.

Ref. [115] has concluded that forensic tools for carrying out automatic cloud incident analysis are non-existent and network forensics tools like OpenNebula and NetworkMiners are used for this purpose.

IoT Forensics

IoT term was introduced in 1999, during research on automation of supply chain by incorporating RFID [116] but was considered too unrealistic due to technological limitations. However, with technological advancements, exponential growth in IoT has been observed from 2012 onward [117]. To meet the forensics challenges of IoT, a new branch of IoT forensics merged. IoT forensics can be defined as the extraction of digital evidence from IoT devices, related internal and external networks [68]. Hence, IoT forensics is a mix of device forensics, network forensics and cloud forensics [118].

One of the first IoT models, which is taken as reference in most of the subsequent models, was proposed in 2013 as High-level Strategy for IoT-based Crime Scenarios [119]. In this model, the IoT paradigm was divided into three zones for forensics; 1-2-3 Zones. For scenarios where the object of interest is not available, concept of Next Best Thing (NBT) Triage Model was proposed in the same model. Zone 1, the internal zone, comprises all the IoT devices, software, and network (e.g., Bluetooth, wifi) present at a crime scene. Zone 2, the middle zone, comprises all perimeter devices (hardware and software) that act as a medium between internal and external networks, such as firewalls and intrusion detection and prevention systems (IDS and IPS). Zone 3, the external zone, comprises all the hardware and software which are outside of the internal network like cloud storage, Cloud Service Provider (CSP) Internet Service Provider (ISP), internet and web based services. The proposed zones are shown in Figure 12. However, various proposed IoT forensics models are handicapped due to lack of validated IoT forensic tools [120]. Moreover, some IoT forensics models have been proposed with Proof-of-Concept IoT forensic models, but these are device-specific. Ref. [121] is specific for the Belkin WeMo Smart Switch and the LIFX Original 1000 Smart Bulb, Ref. [122] is specific for the Almond + Ecosystem and [123] is specific for Nest devices and the iPhone.

Hence, it can be concluded that IoT Forensics is an emerging challenging dimension of digital forensics.

Mobile Device Forensics

Mobile devices possess unique challenges to digital forensics due to their variety, designs and fast paced technological advancements. To address the issue, a new branch of digital forensics emerged, named mobile device forensics. As per NIST, “Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods” [124]. In 2014, NIST issued the “Guidelines on Mobile Device Forensics”, recommending methodologies for the preservation, acquisition, examination, analysis, and reporting of evidence found in mobile devices. Currently, there is no well-established methodology for mobile forensics, but the recommended steps are shown in Figure 13 [125]. The intake phase deals with paper work and familiarization with relevant laws, while the identification phase deals with recognizing various details related to mobile devices to be investigated including legal aspects, data required to be extracted, details of mobile device, etc. The rest of the phases are similar to those already discussed earlier.

Four main types of mobile phones are existing; Android-based, iphone, Windows phones and Black Berry (decommissioned in January 2022 [126], but was a major market player in 2010s). Tools capable of dealing with mobile forensics, have been developed like Cellebrite, Magnet AXIOM, Belkasoft Evidence Center, Elcomsoft Phone Viewer, Oxygen Forensics, XRY, iXAM, CellDEK TEK, MOBILedit etc [127,128]. Review of various Mobile Forensics process models has been carried out in [129] with conclusions that standardization in mobile device forensics is lacking and proposed models are specific to certain type of mobile phones and events.

Privacy Concerns in Digital Forensics

With increasing involvement of personal devices in new dimensions of digital forensics dealing with networks, cloud infrastructure, IoT devices, and mobile devices carrying users personal data, privacy has emerged as a critical observation in forensic investigations. Beside legal aspects, these new dimensions are also questioning the ethical aspects. To address the issue, privacy standards have been defined by ISO/IEC 29100:2024, superseding ISO/IEC 29100 published in 2011 [130]. Some of the forensic models claimed to comply with said standard. In the European Union, citizens’ privacy is protected by the General Data Protection Regulations (GDPR) which came into effect in 2018 [131]. The key features of GDPR are shown in Figure 14. On similar lines, California Consumer Privacy Act (CCPA) also came into effect in 2018 in U.S., ensuring privacy of citizens’ data. In 2020, CCPA has been extended with California Privacy Rights Act (CPRA) [132,133].

3.5.3. Use of Artificial Intelligence (AI) and Machine Learning (ML) in Digital Forensics

Use of AI and ML can address most of the challenges emerging for digital forensics due to the latest technological developments (already discussed in beginning of this section and shown in Figure 8). Studies have proposed various AI and ML learning solutions to address challenges related to examination and analysis phases, and saving efforts and time of investigators by offering automated data sifting, pattern recognition, and expert systems. These solutions have been adequately covered in [134]. The summary of solutions based on AI and ML is covered in

Table 1. Summary-Impact of Proposed AI and ML Solutions on Digital Forensics.

Digital Forensics Process/Aspect	Impact of AI/ML	Solutions
Data Examination	Fast Data Sifting, Speedy Data Classification (including Encoded Data)	[135,136,137,138,139,140,141]
Analysis	Fast Data Analysis, Pattern Recognition	[142,143,144,145,146,147,148,149,150]
Chain of Custody	Preservation of Integrity of Investigations	[151]

.

There are still numerous issues faced in the adoption of AI and ML in digital forensic investigations. Some of the critical issues are as follows.

• The efficacy and efficacy of the AI/ML models are dependent upon availability of training dataset; larger the better. However, the type and size of datasets required for training AL/ML models is not available, thereby questioning the quality and integrity of results produced by these models.
• Quantum of online data can be issue for AI/ML models, necessitating incorporation of scalability in proposed models.
• Draft standards for incorporating AI/ML in digital forensic investigations to ensure admissibility in a court of law.
• Deployment of AI/ML solutions can lead to ethical issues, violating the privacy of user data.
• AI/ML models may need to be continuously trained in order to deal with evolving threats.

3.5.4. Standardization Efforts

Various initiatives to standardize and improve digital forensics are in process at global level. Some of the noteworthy initiatives are as follows.

• ISO/IEC. It is amongst the leading organizations in this regard. Its ISO/IEC JTC 1 is dealing with Information Technology and its various sub-committees, working groups and advisory groups are working on different subjects including ISO/IEC JTC 1/WG 10 working on Internet of Things (IoT), WG11 working on smart cities, and ISO/IEC JTC 1/SC 38 working on cloud computing and distributed platforms. ISO/IEC 27050-1: 2019 is the ISO standard released in 2019, dealing with eDiscovery [152]. ISO/IEC 27043 is another standard released in 2015, dealing with security techniques of investigation principles and processes [153]. Consortium of Digital Forensic Specialists (CDFS) is another international consortium launched in 2011 in U.S. to refine the field of digital forensics through standardization, ethics, outreach and advocacy from a unified platform [154,155].
• Unified Cyber Ontology (UCO) by U.S. Department of Justice (DOJ). UCO was developed in 2011, with an aim to standardize and incorporate interoperability in findings/results of digital forensic investigation. In 2014, UCO was handed over to NIST and is now being updated by it [156].
• Digital Forensic Analysis eXpression (DFAX). DFAX was developed in 2015 to represent technical information related to a digital forensic investigation and its exchange for use with other tools and techniques [157,158].
• NIST’s Organization of Scientific Area Committees (OSAC) for Forensic Science. In order to address the lack of discipline specific forensic science standard, NIST, in collaboration with U.S. Department of Justice (DOJ), established OSAC in 2013. The OSAC took on the responsibility of developing technically sound standards and guidelines and promoting their use in the forensic science community [159]. In the same year, OSAC established a working group, named the Cyber Forensics Investigation Working Group (CFIWG), to work on standardization and interoperability of digital forensic tools and techniques. CFIWG started working on the Cyber-investigation Analysis Standard Expression (CASE), and its first version was released in 2017. CASE was developed as an advanced version of UCO and DFAX, offering flexibility, extensibility, and adaptability to represent information about digital evidence, including collection collected, extracted, analysed, and exchanged throughout the digital forensic process [160].

Summary of trends in misuse of computing technologies and corresponding developments in forensics in 2010s onward is shown in Figure 15.

Fish-bone diagram of evaluation of computing vis-a-vis evolution of digital forensics is shown in Figure 16.

4. Evolution of Digital Forensics Approaches

The evolution of digital forensics is elaborately covered in Section 3 and shown in Figure 16. However, evolution in digital forensics can further be classified as per the approaches it took. The summary of the approaches taken by digital forensics along with the stimulus is shown in

Table 2. Summary-Evolution of Digital Forensics.

Ser	Year	Digital Forensics	Stimulus
1	1945–1975	System Audits	Security of system
2	1975–1990	Investigations by	a. Cyber Espionage
		Network Admin	b. Computer related crimes
3	1984–1990	Data Recovery Tools	With increase in use of personal computers, requirement of recovering of deleted information
4	1992 onward	Computer Forensics	With explosive growth in use of personal computers, requirement to standard their forensics process including acquiring, preserving, retrieving and presenting data stored on computer media
5	1990s	Forensics Tools	a. Increase in computer related crimes
6	1993 onward	Forensics Labs/Trainings	b. Requirement of safe handling of evidence including secure acquisition, examination, presentation, transportation, chain of custody and integrity
7	1993 onward	Standardization Efforts	c. Requirement to ensure quality and consistency of forensics specialists
			d. Emergence of online computer crimes
8	1995 onward	Accreditation & Certifications	e. Valid and reliable data recovery methods
			f. Requirement of well established principle of examination, elaborate policies and practices and well documented procedures and techniques for forensics investigation
9	1998	Digital Evidence	Evidences stored and transmitted in digital form (cell phones, digital audio storage media for digital audio, video evidence, fax machines etc)
10	2001	Digital Forensics	a. Requirement to have scientifically derived and proven methods to deal with complex and variety of digital evidences including their preservation, collection, validation, identification, analysis, interpretation, documentation and presentation
			b. Forensic results shall be reliable and admissible in court of law
11	2000 onward	Forensics Models	Refinement of procedures and frameworks of digital forensics
12	2006	eDiscovery	Declaration of digital information as form of evidence for acceptance in a court of law
13	2010 onward	New Dimensions of Digital Forensics (Network Forensics, Cloud Forensics, IoT Forensics, Smart Phones) Forensics etc.	a. New Technologies
			b. New paradigms (Ubiquitous Networks and Services)
			c. Growing size of storage media with increasing variety in hardware interfaces
			d. Increase in use of cloud services
			e. Use of embedded flash storage
			f. RAM based malwares
			g. Exponential increase in variety of operating systems and file formats
			h. Use of encryption
			i. Legal issues

. Details are given below.

4.1. Forensics Through System Audits (1945–1975)

During the initial period, computers were used as standalone systems and forensic was considered to be done by audits system administrators only.

4.2. Forensics by Network Administrators (1975–1990)

From 1970s, concept of networked computing system emerged, specially for research & development institutes. To investigate cyber espionage attacks on these networked computers, which are carried out to steal proprietary and classified information, a trend of forensics by network administrators emerged, which was based on analysis of logs and network traffic.

4.3. Forensics Through Data Recovery Tools (1984–1990)

With increase in use of personal computers, the requirement to recover deleted data emerged, giving birth to a new dimension of forensics; Data recovery tools.

4.4. Introduction of Computer Forensics (1990 Onward)

With explosive growth in the use of personal computers, the need to standardize their forensic process, including acquiring, preserving, retrieving, and presenting data stored on computer media, emerged. Moreover, regulatory, reliability, integrity, and quality requirements, as applicable in other forensics sciences, also emerged for digital forensics. This led to the introduction of the science of computer forensics. Various related approaches also emerged in the 1990s, some of which are as follows.

• Development of forensics tools, meeting the requirements of computer forensics, started in the 1990s, giving a new approach to the forensic process.
• Computer forensics became a proper science, requiring handling by expert computer forensics investigators in specialized labs. In order to meet these requirements, specialized computer labs and training centres starting establishing from 1993 onward.
• Following the footsteps of forensics science, efforts started in 1993 to standardize the procedures and techniques for computer forensics.
• In order to meet various regulatory requirements and take standardization efforts a step further, work on Accreditation & Certifications started in 1995.

4.5. Digital Evidence and Digital Forensics (1998 Onward)

With emergence of various types of digital storage devices including cell phones, digital audio storage media for digital audio, video evidence, fax machines, etc., a new term of digital evidence emerged in 1998, replacing computer evidence. This gave birth to a new approach in 2001, termed digital forensics (explained in detail in Section 3.4).

4.6. Forensics Models (2000 Onward)

In 2000s, research community started proposing new approaches to carry out digital forensics while ensuring compliance with regulatory requirements and forensic standards (some of the noteworthy frameworks are discussed in Section 3.4.2).

4.7. eDiscovery (2006)

With increase in involvement of digital evidence in criminal cases, digital information was declared as a form of evidence and the eDiscovery (electronic discovery) system was introduced, defining the process of collecting, preparing, reviewing, and producing electronic documents (details in Section 3.4.4).

4.8. New Dimensions and Approaches of Digital Forensics (2010s Onward)

New paradigm of ubiquitous networks and services, embedded flash storage, growing size of storage media with increase in variety in hardware interfaces, cloud services, RAM-based malwares, variety of operating systems and file formats, and encryption gained popularity since the 2010s. These advancements in computing technologies led to the emergence of new approaches/branches in digital forensics, some of which are Network Forensics, Cloud Forensics, IoT Forensics and Smart Phones Forensics (details covered in Section 3.5.2).

5. An All-Inclusive Digital Forensics Process Model

The evolution of digital forensics has seen the emergence of various approaches and standards in different countries (covered in detail in Section 3). However, no comprehensive model, incorporating all these approaches and standards exists which can act as a reference model for further development in digital forensics and its new dimensions. Based on recommendations of various models and standards discussed in previous section, an all inclusive 11 phase digital forensics process model has been proposed in this Section. This proposed model is grouped under five distinct categories, based on activities; (1) Proactive, (2) Forensics Initialization/Evidence Collection, (3) Forensics Investigation, (4) Reporting and (5) Reactive/Review. Each category comprises various phases, and each phase contains various steps. The proposed model along with categories, phases, and steps is shown in Figure 17 and is discussed in detail in the following paragraphs.

5.1. Preparation and Readiness Phase

This proactive phase comprises the following steps.

i   

Initial assessment of the expected crime scene.

ii  

Obtaining search warrants to carry out the forensic investigation.

iii 

Obtaining the necessary authorizations and approvals from competent authorities.

iv  

Planning and strategy for carrying out the forensic investigation.

v   

Study of laws applicable to the investigation of digital forensics concerned.

vi  

Ensuring operational readiness of investigators to carry out digital forensic investigations.

vii 

Infrastructure readiness for conducting forensic investigations (aka forensic readiness).

viii

Ensuring requisite capabilities with investigators, like Honeypots and similar tools, to deal with booby trap and remote killing of computing machines.

ix 

Ensuring awareness amongst the investigators, as well as the entire organization.

x   

Issuance of notification regarding initialization of forensic investigations.

5.2. Securing Crime Scene Phase

Being part of Forensics Initialization/Evidence Collection activities, this phase comprises following steps.

i 

Securing crime scene to avoid any contamination that may leads to compromise of integrity.

ii

Documenting the crime scene, to ensure availability of requisite information during next phases.

5.3. Survey & Recognition Phase

Being part of Forensics Initialization/Evidence Collection activities, this phase comprises the following steps.

i  

Identifying potential sources of evidences at crime scene.

ii 

Preserving potential sources of evidences from contamination, to avoid raising integrity issues.

iii

Formulating acquisition plan keeping in view the potential sources of evidence.

5.4. Acquisition Phase

Being part of Forensics Initialization/Evidence Collection activities, this phase comprises the following steps.

i  

Collecting evidences from potential sources.

ii 

If potential source is assumed to contain privileged information (encrypted or privacy data), filtering of source is to be carried out and its acquisition is to be carried out as per latest legislation/local laws e.g., obtain legal permission/warrant, if applicable, to collect evidence from said device (same may be added in Preparation and Readiness Phase). However, if legal permission/warrant is not available, evidences can not be collected from concerned sources.

iii

Ensuring integrity of evidence during acquisition of evidence from concerned sources.

iv 

Documenting each activity being performed on Evidence, to ensure maintenance of Chain of Custody of evidences.

5.5. Preservation Phase

Being part of Forensics Initialization/Evidence Collection activities, this phase comprises the following steps.

i  

Maintaining multiple copies of digital evidence and ensuring their integrity as per the latest legislation/local laws.

ii 

If privileged information (having encrypted or privacy data) is encountered during Acquisition Phase, then its preservation is to be carried out as per latest legislation/local laws, e.g., keeping evidence carrying privileged data, separate. If compliance to regulatory requirements is not possible due to technical limitations, it cannot be preserved/further processed.

iii

Ensuring appropriate labeling and packaging of evidence, to facilitate investigators in next phases.

iv

Ensuring safe transportation of evidence to avoid compromise of integrity during transportation.

v  

Ensuring safe storage of evidence to avoid compromise of its integrity.

vi 

Documenting each activity that is performed on evidence for the maintenance of the chain of custody.

5.6. Examination Phase

Being part of Forensic Investigation activities, this phase comprises the following steps.

i 

Examining and extraction of information from evidences by forensic experts.

ii

Documenting each activity being performed on Evidence, for maintenance of Chain of Custody.

5.7. Analysis Phase

Being part of Forensic Investigation activities, this phase comprises the following steps.

i 

Technical review of results of examination and reconstruction of cyber crime by investigators, to reach a conclusion as to what actually happened at the crime scene.

ii

Generating various hypothesis based on results.

Depending upon the type of evidence, requirement of forensic investigators, nature of investigation process, time constraints or any other compulsion, Analysis Phase may precede Examination Phase.

5.8. Information Sharing Phase

i

Being part of Forensics Investigation activities, this phase comprises sharing of information between law enforcement agencies, to obtain comprehensive criminal profile of the suspect/suspected activities.

5.9. Presentation Phase

Being part of reporting activities, this phase comprises following steps.

i  

Preparation of report carrying summary of investigation process and conclusions drawn during the investigation process. This report should use words and terms which can easily be understood by the court of concerned authority.

ii 

Testify before a court of law or concerned authority.

iii

Presenting proofs to defend the conclusions drawn during the investigation process.

5.10. Results Phase

Being part of Reactive/Review activities, this phase comprises the following steps.

i  

Documenting the result of presentation phase for future reference.

ii 

Archiving of the investigation process for future reference.

iii

Sharing of investigations with the concerned authorities to facilitate them in updating procedures and records.

5.11. Review Phase

Being part of Reactive/Review activities, this phase comprises the following steps.

i 

Analysis of the investigation process and results to improve the investigation process for future use.

ii

Appropriate disposal of evidence, ensuring privacy, intellectual property rights, business secrets.

6. Findings/Discussion

The proposed model ensures a highly scientific and well-structured digital forensic investigations, which outperforms all existing notable models/frameworks (discussed in Section 3). Moreover, it also ensures compliance to various regulatory/legal requirements.

Summary of comparison of existing digital forensics models/frameworks with 11 phases of the proposed All-Inclusive Digital Forensics Process Model along with steps of each phase, is shown in

Table 3. Comparison-Proposed All-Inclusive Digital Forensics Process Model with Previous Models.

	Preparation 5.1 i-x *		Securing the Crime Scene 5.2 i-ii *	Survey and Recognition 5.3 i-iii *	Acquisition 5.4 i-iv *		Preservation 5.5 i-vi *		Examination 5.6 i-ii *		Analysis 5.7 i-ii *		Info. Sharing 5.8 i *	Presentation 5.9 i-iii *	Result 5.10 i-iii *	Review 5.11 i-ii *
DFIM-2001			Acquiring Evidence				Authenticating Evidence		Analyzing Evidence
			ii	i	i, ii, iii		i-v		i, ii
FPM-2001				Collection			Examination				Analysis			Reporting
				i	i-iii		ii, v		i, v		i			i, ii
DFRW Model-2001				Identification	Collection		Preservation		Examination		Analysis			Presentation	Decision
				i	i, iii		i, iv, v		i		i			i, ii, iii	i
ADFM-2002	Identification	Preparation	Preservation	Approach Strategy	Collection				Examination		Analysis			Presentation		Returning Evidence
	i	ii-iv, vi	i	ii, iii	i		i		i		i			i		ii
IDIPM-2003	Readiness	Deployment	Physical Crime Scene Investigations			Digital Crime Scene Investigation										Review
	iv, v	i, ii, iii	i, ii	i, ii	iii	i, ii, iii	i-v		i		i			i		i
CFSAP-2003	Secure								Analysis					Present
	i			i	i, ii		i		i		i, ii			i, ii, iii
EDIPM-2004	Readiness	Deployment												Submission
				i, ii	i, ii, iii		i-v		i		i			i		Review
	iv, vi	i, ii, iii	i, ii	Traceback						Dynamite
				i, ii	i				i	i	i			i		i
EMCI-2004	Awareness	• Authorization • Planning • Notification		Search and Identification of Evidence	• Collection • Transport • Storage				Examination		Hypothesis			• Presentation • Proof & Defence	Dissemination
	ix	ii, iii, iv, v, viii		i-iii	i-iii		ii, iii, iv		i		i, ii			i, iii	iii
NIST’s Forens. Process-2006				Collection					Examination		Analysis			Reporting
				i, ii	i-iii				i, ii		i			i		i
CPMIRCF- 2007	Pre-Analysis (Pre-incident Preparation, Detection, Initial Response, Response Strategy)			Analysis (Live Response, Forensics Duplication, Data Recovery, Harvesting, Reduction and Organization and Analysis)										Post Analysis (Report Generation and Resolution
	i, iv-vii, ix, x			i, ii	i-iii		i, v		i, ii		i, ii			i	i-iii
DFM-MIP- 2009	Planning		Identification	Reconnaissance			• Transport • Storage		Analysis					• Result • Proof & Defence	Diffusion of Information
	ii, iii		i	i, ii, iii	i, ii		i, ii, iii, iv		i		i, ii			i, iii	ii, iii
GPMNF-2010	Preparation & Authorization		Incident Detection & Response	Collection of Network Traces		Protection and Preservation			Examination		Analysis	Investigation and Attribution		Presentation and Review
	iii, iv, vi		i, ii (Network Forens.)	i-iii	i-iii	i-iii	i, iv, v		i, ii		i, ii	i	i	i-iii	i-iii	i
DFMF-2010/ PRDIP-2011	ActDF/ReDF: Incident Response & Confirmation		ReDF: Physical Investigation	ActDF: Evidence Acquisition ReDF:Digital Investigation					ActDF:Analysis		ReDF:Incident Reconst. (ActDF:Ltd.)			ReDF:Present Findings	ActDF/ReDF: Incident Closure
	i-iv, vi, viii, ix		i, ii	i-iii	i-iii		i-v		i, ii		i			i, ii	i-iii	i, ii
DFMDFI-2011	First Tier – Preparation (Identification, Authorization & Communication)				Second Tier – Interaction (Collection, Preservation and Documentation)				Third Tier- Reconst. (Examination, Exploratory testing, and Analysis)					Fourth Tier–Presentation (Result, Review, Report)
	i-iv, vi, vii, x			i	i-iii		ii-v		i		i-iii			i	i	i
SDFIM- 2011	Preparation		• Securing the Scene • Survey & Recognition • Docu. of Scene • Comm. Shielding		Evidence Collection		Preservation		Examination		Analysis			Presentation	Result & Review
	i-vii, x		i, ii	i, ii	i, ii		i-v		i		i, ii			i, ii, iii	i	i
ICDFFCC- 2012	Evidence Source Identification and Preservation				Collection				Examination and Analysis					Reporting and Presentation
	i, iv, viii		i, ii	i-iii	i-iii				i, ii		i, ii			i-iii	i
ESDFIM-2013	Preparation		Acquisition and Preservation Phase						Examination and Analysis Phase				Information Sharing Phase	Presentation Phase	Review Phase
	i-viii		i, ii	i-ii	i, iii, iv		i, iii-v		i, ii		i, ii		i	i-iii	i, ii	i
HEIM-2013	Preparation (Notification, Authorization, Preparation)		Crime Scene Investigation (Preservation, Identification, Collection, Examination, Transportation)					Lab Examination (Examination, Secure Storage, Report Generation)							Conclusion (Reconstruction, Dissemination)
	ii, iii, v-vii, x		i, ii	i, ii	i		iii, v	iv	i		i			i-iii	i-iii	i

* Note: For details refer to Section 5.

(only paragraph numbers of phases discussed in Section 5 have been referred in the top row of the table). The shortfalls of each of the previous models can be seen in this table, and none of the previous models/framework and approach meets all the phases/steps of the model proposed in this paper.

A detailed comparison is drawn in following paragraphs between the proposed model and the 2013 models of ESDFIM and HEIM, which address the limitations of earlier models.

6.1. Comparison with ESDFIM

ESDFIM meets most of the phases and steps of the proposed model. However, the proposed model outperforms it in the following.

• ESDFIM misses the step regarding awareness of the incident and investigation amongst the investigators and the entire organization, and issuance of notification regarding start of investigation process, as included in Preparation and Readiness Phase of proposed model.
• ESDFIM does not include the requirement to formulate an acquisition plan after identifying the potential sources of evidence at the crime scene. With the latest development in computing technologies and widespread adoption of technical gadgetry in daily life, investigators need to formulate an acquisition plan after the survey of crime scene, to cater for new devices which may not have been planned earlier. The same is covered in Survey & Recognition Phase of the proposed model.
• ESDFIM is silent on handling of privileged information expected to be contained in potential source, as included in the Acquisition Phase of the proposed model. This has emerged as a critical requirement in the context of latest privacy-related standards and laws like GDPR, CCPA and CPRA (discussed in Section 3.5.2).
• ESDFIM specifies the need to maintain the chain of custody when collecting evidence, yet it fails to guarantee this during transportation. This aspect is addressed in the Preservation Phase of the proposed model.
• ESDFIM does not specify the requirement of sharing the results of investigations with other investigating bodies. Keeping in view the fast evolving nature of technologies, sharing of investigation results amongst investigation community can be of great benefit. Same has been covered in the Result Phase of the proposed model.
• ESDFIM does not specify the disposal of evidence after completion of the investigation process. Since some of the evidence can contain privileged information (related to privacy, proprietary or business secrets etc), its secure disposal is a critical issue with legal bindings. The same has been covered in the Review Phase of the proposed model.

6.2. Comparison with HEIM

HEIM generally has similar steps as that of the proposed model, but phases and sequence of steps are not consistent with the proposed model. The proposed model outperforms HEIM in the following.

• HEIM does not include numerous important steps of Preparation & Readiness Phases of the proposed model including initial assessment of expected crime scene, planning and strategy to carry out investigation, ensuring requisite capabilities with investigators to deal with booby traps and remote interference with potential evidence and awareness about investigation within organization.
• Similar to ESDFIM, HEIM does not explicitly mandate the creation of an acquisition plan after determining potential evidence sources at a crime scene. This aspect is addressed in the Survey & Recognition phase of the proposed model.
• Similar to ESDFIM, HEIM does not address how to manage privileged information likely to be present in potential sources, as outlined in the Acquisition and Preservation phases of the proposed model.
• HEIM neither spells out the requirement to ensure integrity of evidence nor asks for maintenance of Chain of Custody in any step, which are a mandatory requirement and mentioned in the proposed model.
• Obtaining and maintaining multiple copies of digital evidence are critical requirements in any forensic investigation process. HEIM does not include these steps. Same is covered in Preservation Phase of the proposed model.
• Examination and analysis are two distinct activities, former to be carried out at crime scene and latter to be done under laboratory environments. HEIM has combined these activities into examination step. Moreover, reconstruction of crime also falls part of Analysis but HEIM has included it in conclusion step.
• Sharing of forensic investigation activities with law enforcement agencies to obtain criminal profile of suspect mentioned in Information Sharing Phase of the proposed model, is missing on HEIM.
• Similar to ESDFIM, HEIM does not specify the disposal of evidence after the completion of the investigation process. The same has been covered in the Review Phase of the proposed model.

7. Conclusions

The evolution of digital forensics has followed an inconsistent path, closely tied to the development of computing technologies and their misuse trends. This paper analyzes prominent digital forensics models from the last two decades, identifying their shortcomings concerning the latest standards and regulatory/legal requirements. To address these gaps, the article proposes an all-inclusive digital forensics process model that aligns with international standards and the needs of the law enforcement community. However, despite the advancements in digital forensics, existing models, standards, and tools are not fully equipped to handle the latest developments in computing technologies, such as cloud computing, IoT, Cyber Physical System (CPS), blockchain, and cryptocurrency. Emerging dimensions like cloud forensics and IoT forensics require the development of relevant standards, tools, and techniques to effectively address the challenges posed by these technologies. Encryption and privacy have become critical challenges for digital forensics and remain major hurdles to overcome. The research community is actively working on developing appropriate digital forensics techniques and frameworks to address these challenges. In conclusion, digital forensics continues to evolve, driven by advancements in technology and the changing landscape of cybercrimes. Addressing the complexities brought about by new computing technologies, ensuring privacy, and handling encryption present ongoing research challenges for the digital forensics community.