=Paper=
{{Paper
|id=Vol-3016/paper9
|storemode=property
|title=Success factors and challenges in digital forensics for law enforcement in Sweden
|pdfUrl=https://ceur-ws.org/Vol-3016/paper9.pdf
|volume=Vol-3016
|authors=Milagros D. Cervantes Mori,Joakim Kävrestad,Marcus Nohlberg
|dblpUrl=https://dblp.org/rec/conf/stpis/MoriKN21
}}
==Success factors and challenges in digital forensics for law enforcement in Sweden==
https://ceur-ws.org/Vol-3016/paper9.pdf
Success Factors and Challenges in Digital Forensics for Law
Enforcement in Sweden
Milagros D. Cervantes Mori 1, Joakim Kävrestad 1, and Marcus Nohlberg 1
1
University of Skövde, Högskolevägen 1, 541 28, Skövde, Sweden
Abstract
The widespread use of communication and digital technology has affected the number of devices
requiring analysis in criminal investigations. Additionally, the increase in storage volume, the
diversity of digital devices, and the use of cloud environments introduce more complexities to the
digital forensic domain. This work aims to supply a taxonomy of the main challenges and success
factors faced in the digital forensic domain in law enforcement. The chosen method for this
research is a systematic literature review of studies with topics related to success factors and
challenges in digital forensics for law enforcement. The candidate studies were 1,428 peer-
reviewed scientific articles published between 2015 and 2021. A total of twenty-eight primary
studies were analyzed by applying thematic coding. Furthermore, a survey of digital forensic
practitioners from the Swedish Police was held to triangulate the results achieved with the
systematic literature review.
Keywords 1
Digital forensics, computer forensics, success factors, opportunities, challenges, issues, law
enforcement
1. Introduction
The digital forensics domain is new in comparison to traditional forensics. [1] defines digital forensics
as: “the application of science to the identification, collection, examination, and analysis of data while
preserving the integrity of the information and maintaining a strict custody for the data”. As the world
becomes more digitalized, digital evidence in criminal investigations increases. Digital evidence is data of
evidentiary value gathered from digital devices during forensic examinations. In modern criminal
investigations, digital evidence plays an essential role in many types of crimes ranging from true cyber
crimes such as computer intrusions to traditional crimes where the criminals benefit from opportunities
provided by the digitalized society [2]. This includes, for instance, drug trade, fraud, and child exploitation,
where digital platforms are used for marketing, communication, and payments [3], [4]. Furthermore, digital
evidence is a critical part of the fight against organized crime, where recovery of communication between
criminals or using geolocation to position digital devices can be crucial for investigators [5].
The act of securing digital evidence from digital devices is typically performed by forensic examiners
employed by law enforcement agencies. Being a relatively new discipline, digital forensics has been
overseen in an ad-hoc manner but has received more attention in recent years [6]. A forensic examiner is
required to apply great care to ensure that the evidence produced holds up to high legal standards [7]. In
essence, a forensic examiner is supposed to provide unbiased results using transparent and robust methods
that allow for external assessment. Further, the forensic examiner is expected to provide an investigation
with important data, often in a timely manner [2].
Digital forensics has experienced progress in formalizing, standardizing, and formulating digital
forensic processes and approaches. For instance, ISO/IEC 27037:2012 supplies guidelines for handling
7th International Workshop on Socio-Technical Perspective in IS development, October11-12, 2021 (STPIS'21)
EMAIL: mcervantesmori@hotmail.com (A. 1); Joakim.kavrestad@his.se (A. 2); marcus.nohlberg@his.se (A. 3)
©️ 2021 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
100
�digital evidence during specific activities such as identification, collection, acquisition, and preservation
[8]. On the other hand, the NIST provides practical guidance on how to perform computer and network
forensic activities from an IT perspective [1]. Moreover, the National Criminal Justice Reference Service
(NCJRS) shares guidelines and information about digital forensic procedures and processes specifically
applied to law enforcement [9], and the National Police Chiefs’ Council has identified three core challenges
that digital forensic science faces, and that need to be addressed [10]. Given the significant role that digital
evidence plays in modern crimes, the importance of effective forensic practices that adhere to strict legal
principles cannot be understated. For one, even individual users now often hold several digital devices,
each with an increasing room for data storage, making the amount of data in a typical forensic examination
challenging [11]. Further, data is often stored in different geographical locations, making many forensic
examinations subject to different jurisdictions with added legal overhead [7]. Third, the increasing use of
cloud applications means that forensic examinations must interact not only with different legal systems but
also with different cloud providers [7]. In that sense, NISTIR 8006 categorizes and discusses the forensics
challenges faced when responding to incidents in cloud-computing environment [12]. To support future
forensic practices, we argue that there is a need to further understand the emergent challenges facing
modern-day forensics. While digital forensics can easily be perceived as a technical practice, it is highly
dependent on the environment where it is performed. This study perceives digital forensics as socio-
technical and argues that its success depends not only on the examiners' ability to perform technically sound
examinations. Examiners or prosecutors request those examinations, and the forensic examiners need to
understand what the examination is expected to produce. Further, the forensic examiners will ultimately
report their findings back to the investigation and subsequently a court. The members of the investigation
and courtroom must be able to interpret the findings and assess their value correctly. As such,
interdisciplinary communication is central to digital forensics, making it technical and social in nature. In
fact, the forensic process often includes repeated communication between the forensic expert and the
investigator [2]. In summary, digital forensics originates a social-technical process that can only be fully
understood by looking at both technical and social aspects [13], [14].
This study seeks to identify challenges and success factors for digital forensics within law enforcement.
A systematic literature review (SLR) which includes recently published research in this domain was
applied. A survey was distributed among forensic examiners within the Swedish Police to validate and
extend the results of the SLR. This study highlights challenges and success factors within digital forensics
and can, as such, guide future research as an outline for important research directions. It can also serve as
a reference for decision-makers seeking to strengthen digital forensic practices.
2. Method
Qualitative research can include multiple data collection methods, such as document studies, surveys,
interviews, and observations [15]. This study combines two different techniques to explore the research
questions, an SLR, and a practitioners' survey. The purpose of using these two methods is to rely on data
from diverse sources to triangulate the findings [16]. It also allows us to compare findings from the research
community with opinions gathered from practitioners. Both methods, as well as the reasons for choosing
them, are explained in the following subsections.
2.1. Systematic Literature Review
An SLR is the most appropriate method to address the research questions because it allows us to:
Understand and explain the current situation of digital forensics in law enforcement.
Acknowledge the success factors and challenges faced in digital forensics in law enforcement.
Identify digital forensic challenges that deserve more attention.
The method followed in this SLR is based on the guidelines provided by [17] (3-phase method) and
[18] (9 steps), which are represented in Figure 1.
101
�Figure 1: SLR Methodology Applied in this Study (based on [17] and [18])
The process is described in the following sections.
2.1.1. Bibliographic Database
The choice of the bibliographic databases was based on the recommendations from previous work like
[19] who identify IEEE Xplore and Science Direct as relevant electronic sources, [17] recommend Scopus
due to its extensive database of abstracts and citations, and [18] who states that Web of Science is a
multidisciplinary database that indexes relevant journals across disciplines. Additionally, Taylor & Francis
was also included as one of the bibliographic sources, because the authors found a high number of relevant
publications related to digital forensics in law enforcement during an exploratory pilot search. The five
bibliographic databases chosen as sources for this SLR are summarized in Table 1.
Table 1
Nominated Databases
Source URL
IEEE Xplore https://www.ieeexplore.ieee.org
ScienceDirect https://www.sciencedirect.com
Web of Science https://www.webofknowledge.com
Scopus https://www.scopus.com
Taylor & Francis https://www.tandfonline.com
To define the scope of this work and focus on recent studies, one inclusion criterion is to include studies
published between the years 2015 to 2021. Other criteria are to include only peer-reviewed conference
102
�papers and journal articles in published English. The risk of getting duplicate studies is also considered and
addressed as part of the exclusion criteria. The inclusion and exclusion criteria defined for this work are
summarized in Table 2.
Table 2
Inclusion and Exclusion Criteria
Inclusion Criteria Type
Studies that discuss success factors or challenges of digital forensics Content
in law enforcement
Published from 2015 to 2021 Publication date
Conference papers and journal articles Research design
Peer-reviewed Content
English Publication language
Exclusion Criteria Type
Do not fulfill all the inclusion criteria Content, publication, design
Duplicates (appear in more than one database) Content
Cannot be accessed (require additional login) Publication access
2.1.2. Study Selection
A practical selection of studies based on the application of the inclusion and exclusion criteria and a
methodological selection to identify the most relevant studies was made following five steps:
1. Apply the search query to each one of the chosen bibliographic databases
2. Store and organize the candidate studies using a reference management software
3. Apply a first scanning to exclude studies based on titles and keywords
4. Apply another scanning to exclude duplicate studies
5. Apply a third scanning to exclude studies based on their content
To complement the selection of primary studies, backward searching suggested by [20] was also used.
The backward searching started with the compilation of references from the already selected primary
studies. The previously defined inclusion and exclusion criteria were applied to the candidate studies from
the backward searching. The final group of primary studies is composed of the studies found during the
study selection process and the studies found from backward searching.
2.2. Thematic Analysis
The primary studies are analyzed using thematic coding. According to [21], this is a flexible method to
evaluate qualitative data. The process starts with the repeated reading of the primary studies and continues
with looking for patterns related to success factors and challenges in digital forensics. During this stage, it
is necessary to take notes that can later be used for coding. Once a general knowledge about the content of
the data is achieved, the next step is to assign initial codes that are going to aid in the definition of themes.
The coding themes are classified into two groups, one for success factors and the other for challenges.
Depending on the preliminary results, subcategories can also be defined. Once the themes are defined, the
extracts corresponding to the themes must be revised to verify coherence, and if required, redefine the
themes and re-code as well. An assessment for each theme is conducted. To ease the understanding of the
analysis, the content of the themes needs to be described, and themes with similarities can be grouped.
Once the analysis from the primary studies is completed, the findings are to be used in the survey design.
The findings from the SLR and the survey are planned to be integrated to achieve confirmation and
completeness. For confirmation purposes, the findings from the SLR are going to be counterbalanced with
the ones from the survey. While for completeness purposes, the survey is going to add an in-depth
understanding of the topic.
103
�2.3. Qualitative Data Collection
In this case, a survey was used as qualitative data collection method and to extend the scope of the
research [14]. The survey was formulated based on the findings from the SLR, and targeting the digital
forensic practitioners belonging to the Swedish Police.
The survey allowed the authors to validate the outcome from the SLR by identifying challenges and
success factors that were perceived as most important by the community of practitioners. The data
collection was done by using a questionnaire with multiple-choice and open-ended questions. Some
questions gathered basic information about the respondents (role and years of experience in the domain),
while other questions were based on a predefined list of success factors constructed with the outcomes from
the SLR. In the multiple-choice question, the respondents had to select the three most relevant success
factors from a list. In the open-ended question, the respondents could point out other success factors that
they considered relevant but were not specified in the list. A similar approach was followed with the
questions that gathered information about the challenges in the domain.
To avoid potential problems concerning the reliability and validity of the responses, the
recommendation from [27] to use local languages in written and verbal communication was followed, and
the survey originality created in English was translated to Swedish. The questionnaire included brief
instructions to answer the questions and a description of the purpose of the survey. The survey was
delivered to the potential respondents in an electronic format via a Google Form link.
The aim of the survey was to gather information that could reinforce and improve the outcomes from
the SLR by supplying new insights based on the opinions of the practitioners. However, the authors
acknowledge the limited generalizability of the findings [14].
2.3.1. Target Group
The target group was composed of about two hundred digital forensic practitioners belonging to the
Swedish Police. The participation in the survey was voluntary and anonymous, and at the time of this
writing, sixteen respondents completed the questionary.
3. Results and Analysis
This section summarizes the results and analysis from both the SLR and the survey.
3.1. Systematic Literature Review
The SLR followed the steps and recommendations provided by [12] and [13]. The following subsections
describe in detail the process and generated results.
3.1.1. Search Process
The search process was based on the application of a search query into electronic databases. This process
was executed by applying an automated search to conferences proceedings and journal papers from 2015
to 2021. Since different electronic sources supply different functionalities, minor adjustments to the base
search query are needed. When possible, advanced searches are used.
The base search query, including Boolean operators and wildcards, is as follows:
(digital OR computer) AND forensic* AND law AND (success OR progress OR opportunit* OR
improvement*) AND (challenge* OR problem* OR issue* OR failure*)
104
�3.1.2. Study Selection Process
The automated search query was applied to all the selected databases on February 23rd, 2021 and
supplied a total of 1,428 candidate studies. After a first scanning based on titles and keywords, full copies
of 71 remaining studies were obtained and organized. After a second scanning based on the inclusion and
exclusion criteria, the number of selected candidate studies was narrowed to 60. After reading the content
from the 60 studies, 22 studies were chosen as primary ones. The details corresponding to this part of the
process are presented in Table 3.
Table 3
Selection of Studies using Automated Search
Source Candidate Selection Based on:
Studies Title/Keywords Incl./Excl. Criteria Content
IEEE Xplore 25 4 3 2
ScienceDirect 170 20 20 6
Web of Science 29 10 3 0
Scopus 44 10 7 4
Taylor 11,60 27 27 10
Total 1,428 71 60 22
The backward searching applied to the preliminary group of 22 primary studies supplied 1,137 more
candidate studies. After a first scanning based on titles and keywords, 30 studies were considered relevant
to the topic, and full copies were obtained. After a second scanning based on the inclusion and exclusion
criteria, 18 studies were chosen for the next step. After reading the contents of those studies, six studies
remained as primary ones. The results corresponding to steps 5 to 8 are summarized in Table 4.
Table 4
Selection of Studies using Backward Searching
Source Candidate Selection Based on:
Studies Title/Keywords Incl./Excl. Criteria Content
Backward searching 1,137 30 18 6
The primary studies were stored and organized using the reference management software Zotero. A
unique identifier (from A1 to A28) was assigned to each primary study to ease the analysis and discussion
of the results. The studies were organized in alphabetic order based on the authors' last names to distribute
these identifications. The type of studies is represented by 'J' for journal article and 'C' for conference paper.
The list of the twenty-eight primary studies is presented in Table 5.
Table 5
List of Primary Studies
Id Author(s) and Year Title Type
A1 Amann, P., & James, J. I. (2015) Designing robustness and resilience in digital J
investigation laboratories
A2 Arshad, H., Jantan, A. B., & Digital Forensics: Review of Issues in Scientific J
Abiodun, O. I. (2018) Validation of Digital Evidence
A3 Casey, E. (2019) The chequered past and risky future of digital J
forensics
A4 Christou, G. (2018) The challenges of cybercrime governance in the J
European Union
105
�Id Author(s) and Year Title Type
A5 Dlamini, S., & Mbambo, C. (2019) Understanding policing of cybe-rcrime [sic] in J
South Africa: The phenomena, challenges and
effective responses
A6 Du, X., Le-Khac, N.-A., & Scanlon, Evaluation of Digital Forensic Process Models C
M. (2017) with Respect to Digital Forensics as a Service
A7 Harichandran, V. S., Breitinger, F., A cyber forensics needs analysis survey: Revisiting J
Baggili, I., & Marrington, A. (2016) the domain's needs a decade later
A8 Harkin, D., Whelan, C., & Chang, The challenges facing specialist police cyber- J
L. (2018) crime units: An empirical analysis
A9 Henseler, H., & van Loenhout, S. Educating judges, prosecutors and lawyers in the J
(2018) use of digital forensic experts
A10 Jordaan, J., & Bradshaw, K. (2015) The current state of digital forensic practitioners C
in South Africa.
A11 Kanta, A., Coisel, I., & Scanlon, M. A survey exploring open source Intelligence for J
(2020) smarter password cracking
A12 Karie, N. M., & Venter, H. S. Taxonomy of Challenges for Digital Forensics J
(2015)
A13 Kebande, V. R., & Ray, I. (2016) A Generic Digital Forensic Investigation C
Framework for Internet of Things (IoT)
A14 Kebande, V. R., & Venter, H. S. On digital forensic readiness in the cloud using a J
(2018) distributed agent-based solution: Issues and
challenges
A15 Lanier, M. M., & Cooper, A. T. From papyrus to cyber: How technology has J
(2016) directed law enforcement policy and practice
A16 Lillis, D., Becker, B. A., O'Sullivan, CURRENT CHALLENGES AND FUTURE RESEARCH C
T., & Scanlon, M. (2016) AREAS FOR DIGITAL FORENSIC INVESTIGATION
A17 Luciano, L., Baggili, I., Topor, M., Digital Forensics in the Next Five Years C
Casey, P., & Breitinger, F. (2018)
A18 Montasari, R., & Hill, R. (2019) Next-Generation Digital Forensics: Challenges and C
Future Paradigms
A19 Morgan, R., & Benson, S. (2018) Australasian Forensic Science Summit 2016: J
Future technology and research towards 2030
A20 Morgan, R. M., & Levin, E. A. A crisis for the future of forensic science: Lessons J
(2019) from the UK of the importance of epistemology
for funding research and development
A21 Omeleze, S., & Venter, H. S. Digital forensic application requirements J
(2019) specification process
A22 Page, H., Horsman, G., Sarna, A., A review of quality procedures in the UK forensic J
& Foster, J. (2019) sciences: What can the field of digital forensics
learn?
A23 Rappert, B., Wheat, H., & Wilson- Rationing bytes: Managing demand for digital J
Kovacs, D. (2021) forensic examinations
A24 Reedy, P. (2020) Interpol review of digital evidence 2016—2019 J
A25 Sunde, N., & Dror, I. E. (2019) Cognitive and human factors in digital forensics: J
Problems, challenges, and the way forward
A26 van Beek, H. M. A., van den Bos, Digital forensics as a service: Stepping up the J
J., Boztas, A., van Eijk, E. J., game
Schramp, R., & Ugen, M. (2020)
A27 Vincze, E. A. (2016) Challenges in digital forensics J
106
� Id Author(s) and Year Title Type
A28 Waziri, I., & Sitarz, R. (2015) Cyber forensics: The need for an official C
governing body
3.2. Thematic Coding
The primary studies were subjected to a thematic analysis following the procedure presented by [21].
The studies were read several times, and information relevant to the aim of the study was found and
extracted. Those extracts were later classified based on the answers provided to the research questions.
Qualitative codes were assigned, and similar codes were grouped to form themes. This process was
followed to identify both the success factors and the challenges in separate stages.
Once the preliminary list of success factors was ready, the next step was to evaluate which codes should
be kept and which could be merged or regrouped. It is important to mention that the list of success factors
is not intended to be an exhaustive list, but a reflection of the success factors considered by the authors of
the primary studies. Moreover, since the list of success factors did not happen to be as extensive as the one
for challenges, it was not needed to consider categories to classify the success factors.
About the challenges, the content of the selected primary studies shows that the challenges in digital
forensics are a major concern in the research community, which is reflected not only in the greater number
of studies focused on challenges, but the extension of the discussion dedicated to them. Twenty studies out
of twenty-eight focused on challenges as their main topic and included a limited discussion about success
factors. Six studies out of twenty-eight discussed challenges alone, and two studies only presented success
factors.
Moreover, the extensive list of challenges compiled from the analysis required a classification into
categories. Only five studies (A11, A12, A14, A18, and A27) out of the twenty-six that focused on
challenges supplied some type of categorization. Those categorizations were used as a baseline to formulate
seven categories that are used to present the analysis of the challenges. These seven categories are not
intended to be exhaustive and could be extended or updated. Besides, due to the nature of certain challenges,
it can be possible to classify some of them into more than one category. In that case, and to avoid duplication
of information, such a challenge is placed only into one category that suits it better. Additionally, some
challenges that turned out not to be straightforward to categorize were located into the category 'other
challenges'.
The themes mapped into success factors and challenges in digital forensics for law enforcement are
presented in the following sections.
3.2.1. Finding 1: Success Factors in Digital Forensics for Law Enforcement
From the analysis of the primary studies, twelve success factors were identified. Some of the primary
studies discuss more than one success factor. The twelve success factors and some references to specific
studies are as follows:
1. 'Cooperation and knowledge exchange' is acknowledged as a success factor, particularly in the
form of active national workshops to "reassess the community's accomplishment towards
improving state of the art in the field" (A17, pp. 12). Another example was the educational
experience of university students from Norway and the USA who co-created and analyzed digital
forensic data (A24).
However, several studies also agree that more needs to be done in terms of cooperation.
2. 'Digital Forensic as a Service (DFaaS) supporting investigations' is considered beneficial due to the
possibility of saving costs and freeing up forensic and law enforcement personal to focus on their
caseload (A6).
3. 'Cloud systems dealing with a large volume of evidence' through distributed parallelization
represent a success factor in the field (A6, pp. 7).
4. 'Best practices applied to domain' is a key factor. Some examples to highlight are the Best Practice
Manual (BPM) prepared by the European Network of Forensic Science Institutes (ENFSI) in 2015
107
� and the active role of both the Scientific Working Group on Digital Evidence (SWGDE) and the
NIST (A9).
5. 'Novel solutions supporting the domain in storing, exchanging, and facilitating access to
information and tools are already assisting law enforcement agencies' (A11).
6. 'Digital information used as digital evidence' supports investigators in tracking transactions,
messages, and diverse digital media (A2).
7. 'Triage process saving time for practitioners' is also considered beneficial for the specialists who
attend crime scenes (A24).
8. 'Training opportunities for law enforcement officers' are supported by organizations like the
National White Collar Crime Center (NW3C) offering training at no cost, and the Consortium of
Digital Forensic Specialists dedicated to improving digital forensics as a profession (A27).
9. 'Professional satisfaction working in the domain' is highlighted from the results of research applied
in a case study in Australia (A8).
10. 'Criteria of competence for digital forensic practitioners' have been developed in both international
standard bodies and digital forensics standards bodies (A10).
11. 'IoT-connected devices as digital evidence' supply many benefits to digital forensics, however,
privacy challenges are acknowledged (A18).
12. 'Government initiatives to support the domain', like the one promoted by the United Kingdom's
Minister for Policing and Fire services appealing for a collaborative review of the quality and
sustainability of forensic science service provision (A24).
The success factors and the primary studies that cover them are summarized in Table 6. Minor
adjustments to the description of some success factors have been made to improve the visual presentation
of the results.
Table 6
Success Factors by Studies
Topic Studies
1 Cooperation and knowledge exchange A1, A3, A4, A9, A17, A19, A24, A25, A26
2 DFaaS supporting investigations A2, A6, A16, A18, A23, A26
3 Cloud systems dealing with large volume of A6, A11, A12, A14
evidence
4 Best practices applied to the domain A1, A6, A9, A16
5 Novel solutions supporting the domain A2, A6, A11, A15
6 Digital information used as digital evidence A2, A15
7 Triage process saving time from specialists A23, A24
8 Training opportunities for law enforcement officers A24, A27
9 Professional satisfaction working in the domain A8
10 Criteria of competence for practitioners A10
11 IoT devices as digital evidence A18
12 Government initiatives to support the domain A24
Total number of studies 22
Figure 2 illustrates the success factors and the corresponding primary studies in a linear dendrogram.
The size of the spheres standing for each success factor is proportional to the number of studies dedicated
to it.
108
�Figure 2: Representation of the Success Factors (authors' own)
3.2.2. Finding 2: Success Factors in Digital Forensics for Law Enforcement
From the analysis of the primary studies, seven categories of challenges were identified as follows:
A. Resource-related challenges: This category considers the assets the organizations require for their
normal operations, including the personnel as a key asset.
B. Technical challenges: This includes the challenges caused by new devices, software, tools,
protocols, or any technological solution. Technical challenges have a broad coverage due to the
growing number of seized devices, increasing data storage, and the complexity of environments
like cloud systems (A11, A14).
C. Organizational challenges: Those challenges are related to institutions, their internal structure, their
management, and their interaction with others.
D. Legal challenges: Related to issues that are originated in the legal system, court of law,
prosecutions, and the admissibility of digital evidence (A11).
E. Operational challenges: Challenges faced by the organizations while executing their duties,
especially in incident detection, response, and prevention (A12, A27).
F. Human-related challenges: Challenges specifically targeting the human factor. They include issues
related to unintentional outcomes like errors or biases introduced into the digital forensic process
due to human iteration (A22, A25).
G. Other challenges: This category holds challenges not included in previous categories.
The challenges classified into the seven categories and the primary studies that cover them are presented
in Table 7. Some primary studies discuss more than one challenge. Minor adjustments to the description of
some challenges have been made to improve the visual presentation of the results.
Table 7
Challenges by Studies
Topic Studies
A Resource-related challenges
109
� Topic Studies
1 Lack of formal training/continuous education A1, A7, A10, A11, A12, A17, A19, A22,
A23, A24, A25, A27
2 Insufficient qualified staff A1, A4, A7, A8, A10, A11, A12, A23, 27
3 Lack of funding A1, A7, A8, A15, A17, A20, A27
4 Inefficient knowledge management A1, A2, A3, A12, A19, A24
5 Absence of accreditation/regulation of the A10, A17, A22, A27, A28
profession
6 Limited access to latest technology A11, A12, A15, A23
7 Limited information sharing A4, A17
8 Unavailability of datasets for testing A17, A24
9 Talent drain A1
B Technical challenges
1 Complexity of cloud computing A2, A6, A7, A11, A12, A14, A16, A17, A18,
A24, A27
2 Heterogeneity of tools, methods, and data sources A2, A7, A10, A12, A16, A17, A18, A23,
A24, A27
3 Use of encryption A2, A7, A11, A12, A14, A17, A18, A27
4 Elevated use of IoT devices A2, A6, A11, A13, A16, A17, A18, A24
5 Complexity in volume and distribution of evidence A3, A6, A12, A16, A17, A18, A23, A27
6 Availability of anti-forensic techniques A2, A12, A16, A18, A24
7 Lack of validation of tools A17, A20, A21
8 Need for improvement of open-source tools A7, A27
9 Unrestrained use of drones A15, A24
10 Use of cryptocurrency A24
C Organizational challenges
1 Lack of standardization/best practices A1, A2, A12, A13, A14
2 Insufficient quality management A3, A10, A22, A23, A24
3 Inconsistent cooperation A4, A5
4 Lack of awareness in cyber-crimes A5, A15
5 Lack of collaboration A17, A18
6 Incongruences between organizations and policies A17
D Legal challenges
1 Different jurisdictions A1, A3, A4, A11, A12, A14, A16, A18, A24
2 Difficulties in attribution of crimes A1, A3, A4, A14, A18, A24, A27
3 Invasion of privacy A2, A3, A7, A17, A27, A28
4 Complexity of legal processes and systems A2, A12, A24, A28
5 Inadmissibility of digital evidence A11, A12
E Operational challenges
1 Demanding workload/backlog A8, A18, A23, A27
2 Inappropriate evidence management A1, A4, A12
3 Unsuitable chain of custody A1, A18, A23
4 Difficulties in data acquisition A12, A16, A27
5 Lack of scientific validation A2, A24
6 Insufficient timeframes for analysis A19, A24
7 Issues in seizure of digital evidence A23, A27
8 Irreproducibility of examinations A21, A24
9 Use of different terminology A24
F Human-related challenges
1 Human errors and biases A3, A22, A24, A25, A28
2 Interpretative errors A3, A24
110
� Topic Studies
3 Deficiencies in explicability A3
4 Issues understanding digital examinations A23
G Other challenges
1 Renewed trends in crime A1, A12, A15, A16, A23,
2 Lack of trust in the digital forensic process A2
1 Renewed trends in crime A1, A12, A15, A16, A23
Total number of studies 26
The challenges and their classification into categories are illustrated in a linear dendrogram in Figure 3.
Following each challenge, there is a number in parenthesis that corresponds to the number of primary
studies dedicated to that challenge. The size of the spheres representing the challenges is proportional to
the number of studies.
Figure 3: Representation of the Challenges (authors' own)
111
�3.3. Survey
The survey was designed based on the findings from the SLR. The questions used in the survey were
translated to Swedish and distributed to the population of digital forensic practitioners from the Swedish
Police (about two hundred potential respondents) via a Google Form link on May 17th 2021. Their
participation in the survey was voluntary and anonymous. Besides, there were no questions that could be
used to find out the identity of the respondents. Only sixteen respondents completed the survey. The number
of respondents was not representative, and the results from the survey cannot be generalized to the digital
forensic practitioners from the Swedish Police. However, these results are considered to be useful and
provide some insights from the respondents.
To report the results from the open questions, a pseudonym was assigned to the respondents based on
the order they completed the survey, from Respondent 1 to Respondent 16. The analysis of the results is as
follows:
i. Concerning success factors in digital forensics for law enforcement, a list of success factors
identified during the SLR was provided to the respondents. They were asked to choose the three
most relevant. The success factors chosen by the respondents are as follows:
- 'Novel solutions supporting the domain' chosen by 11 respondents
- 'Cooperation and knowledge exchange' chosen by 9 respondents.
- 'Professional satisfaction working in the domain' chosen by 9 respondents.
Each of the remaining success factors was chosen by one to seven respondents, which means that
the respondents neglected none of the success factors listed in the survey.
Moreover, some respondents supplied some success factors that they considered were not included
in the list, for example:
- Respondent 5: "Good dialog with investigators and prosecutors. Legal support to access the
cloud."
- Respondent 12: "Humility between digital forensic practitioners should be encouraged. One
should be able to ask any question."
- Respondent 16: "Legislation in Sweden and international cooperation."
ii. Concerning challenges in digital forensics for law enforcement, a list of challenges found during
the SLR was provided to the respondents. They were asked to choose the three most relevant. The
challenges chosen by the respondents are as follows:
- 'Legal barriers imposed on criminal investigations' chosen by 11 respondents.
- 'Limited access to the latest technology (software and hardware)' chosen by eight
respondents.
- 'Demanding workload/backload (too much to do)' chosen by seven respondents.
Four challenges that were not considered relevant for any of the respondents were: 'heterogeneity
of tools,' 'lack of standardization/best practices,' 'ethical issues,' and 'renewed trends in crime.'
When asked about challenges that were not necessarily in the list but were considered relevant, the
respondents' opinions were as follows:
- Respondent 2: "Political barriers, politicians get involved in things they do not understand."
- Respondent 3: "Psychological distress due to the exposure to sensitive material."
The opinion from Respondent 3 is supported by [24] in their research about techniques to reduce
the exposure of digital forensic investigators to child sexual abuse material.
- Respondent 5: "A big challenge is that there is not enough staff. Many investigations are affected
because of that."
This argument corresponds to the challenge identified as 'insufficient qualified staff,' considered in
the category resource-related challenges, and supported by nine primary studies: A1, A4, A7, A8,
A10, A11, A12, A23, and A27 (see Table 7).
- Respondent 16: "Financial resources to be able to employ the right qualified staff."
In general terms, the challenge identified by Respondent 16 is already considered in the challenge'
lack of funding', included in the category resource-related challenges; and discussed in seven
primary studies: A1, A7, A8, A15, A17, A20, and A27 (see Table 7).
iii. Concerning other comments about success factors and challenges, two respondents showed
concern about training and education as follows:
112
� - Respondent 5: "Training in legislation for digital forensic practitioners is missing. It would be
faster and better to investigate if we have a better knowledge about legislation..."
The opinion from Respondent 5 is reflected in the challenge identified as 'lack of formal
training/continuous education' included in the category resource-related challenges, and
supported by twelve primary studies (Table 7); especially A17 that emphasizes the lack of
multidisciplinary approaches in educational programs.
- Respondent 12: "The approach on how to get knowledge must be extended. There is so much
free [training] available that is not considered due to a conservative perspective…"
The opinion from Responder 12 is reinforced by the studies A24 and A27, which consider as
success factor the 'training opportunities for law enforcement officers' (Table 6).
4. Discussion
The rapid progress in technology has changed how people interact, communicate, work, and deal with
data; crime is not exempt from taking advantage of technological innovations. Criminals are early adopters
of technology and have managed to integrate it into their illegal activities. Additionally, criminals have
redesigned crime into cyber-aided and cybercrimes. On the other hand, digital sources' diversity, quantity,
and complexity make it difficult for digital forensic practitioners to find digital evidence relevant to
criminal investigations. Digital forensics is facing a wide variety of challenges. Researchers tend to focus
their attention on challenges tackled by specific digital forensic disciplines like IoT forensics, cloud
forensics, and multimedia forensics. Apart from the attention those disciplines deserve, a taxonomy of
challenges in the field can facilitate addressing solutions where it is more required and suitable and orient
future work aiming to improve the digital forensic domain.
This work aimed to identify success factors and challenges in digital forensic for law enforcement based
on available and published scientific literature. One criterion for the selection of primary studies was to
include publications from the last seven years. This timeframe is appropriate, considering the dynamic
technological environment that surrounds the field. The initial plan for this study was to do an SLR and
interviews with digital forensic practitioners from the Swedish Police. Interviews with practitioners could
certainly supply an in-depth perspective on the topic. However, due to time constraints and certain
limitations caused by the social distancing required to combat the pandemic, the interviews were replaced
by a survey distributed via the Internet.
Concerning the validity of the research methods, the SLR was done following guidelines and
recommendations from recognized academics, which are scientifically verified and widely applied by the
research community. The steps followed during the execution of the SLR have been explained and
documented with enough details to facilitate the reproducibility of the process. To minimize the potential
impact of search bias, a combination of search terms based on keywords from the research questions was
arranged and the search for primary studies was also complemented with a backward search. Additionally,
to avoid database bias, an extensive number of candidate studies was gathered from six different electronic
databases. On the other hand, the survey targeting the digital forensic practitioners from the Swedish Police
was used as a qualitative data collection method. Even though the number of respondents to the survey was
limited, the information gathered from the answers is a qualitative dataset that adds value to the research
by providing some insights from the point of view of the respondents who are experts in digital forensics
applied to law enforcement. Finally, there are no ethical issues that arise from conflicts of interest.
5. Conclusions
The thematic analysis applied to the primary studies has provided valuable information to identify the
success factors and challenges of digital forensics in law enforcement. Practitioners and researchers
acknowledge the success factors in the field. However, the main focus of the research community is
oriented to deal with the challenges in the domain with less emphasis on success factors or opportunities,
which is evident in both the number of studies and the extension of the discussion dedicated to challenges
in comparison to success factors.
About the aim of this work, and to the best of our knowledge, no similar studies are dedicated to
identifying success factors of digital forensics for law enforcement. However, some efforts to supply
113
�classifications of challenges in digital forensics have been made by [25], [26], and [27]. These studies are
valuable and were used as a baseline to elaborate the taxonomy of challenges in digital forensics for law
enforcement presented in this work. Moreover, the contribution of this work is to have addressed both
topics' success factors and challenges.
Regarding the results, the research community tends to focus mostly on two categories of challenges:
technical and resource-related, with less recurrence in legal, operational, organizational, and human-related
challenges (in that order). This situation puts in evidence the need for more research in organizational and
human-related challenges. Additionally, researchers and practitioners agree that laws and legal procedures
to combat crime do not evolve fast enough, and there is room for more research in this area as well. Two
technical areas that seem to capture recurrent attention from researchers are the cloud environment and the
IoT devices and the specific challenges that these technologies represent for the digital forensic domain.
Moreover, the results of this work also reveal that challenges identified almost twenty years ago by [28]
and related to education/training and certification, data acquisition, tools, the legal justice system, and lack
of funding are still prevalent in the digital forensic domain.
On the other hand, the opinions of the sixteen digital forensic practitioners from the Swedish Police who
answered the survey are considered valuable because they are based on their work experience in the
domain. Besides, the outcomes of the survey confirm the findings from the SLR and put in evidence gaps
between what the research community considers relevant to investigate and the needs perceived by digital
forensic practitioners. Moreover, both researchers and practitioners also agree on the need for
improvements in communication, collaboration, and best practices in the domain, among other issues.
Ethical, Societal, and Scientific Impacts
Concerning the SLR, this work does not cause any negative ethical impact in terms of privacy and
confidentiality because the analysis is based on publicly available studies that can be accessed by whoever
is interested in the topic of digital forensics in law enforcement. Moreover, no personal, sensitive, neither
confidential information about the authors of the primary studies is exposed. On the other hand, the survey
to digital forensic practitioners grants anonymity to the responders; and does not disclose any critical or
sensitive information that could be misused.
This work is expected to contribute with a positive societal impact in terms of providing reliable
knowledge about the state of the art of digital forensics for law enforcement, specifically related to the
success factor and challenges. Besides, within the framework of the agreement between the University of
Skövde and the Forensic Department of the Swedish Police from Västra Götaland to do research applied
to the forensic methodology, the results of this work are planned to be shared with representatives from the
Swedish Police, extending the target readers outside of the academic community.
This work relies on the scientific evidence from the primary studies that answered the research questions
proposed in this research. The review process was performed following a scientific method that ensures
transparency and reproducibility of the results. On the other hand, even though the sample reached with the
survey is not statistically representative, the answers reflect the point of view of sixteen digital forensic
practitioners. Finally, the scientific impact of this work relies on the possibility to guide future research by
pointing out the challenging areas that are more relevant for the practitioners (respondents to the survey).
Future Work
More work needs to be done in the identification of success factors and opportunities in the domain.
About the challenges, the outcomes from the survey reflect the need to consider the practitioners' opinions
when addressing research in the area.
An area that deserves more attention and investigation is human-related challenges. For instance, the
psychological distress digital forensics can experience after continuous exposure to illicit content (like child
sexual abuse) is a topic that has not captured enough attention from the researchers. This topic is
particularly important because it can be addressed from different perspectives, which may require
multidisciplinary approaches.
6. Acknowledgments
114
� The authors want to thank the regional cybercrime center in the police region west of the Swedish Police
for their cooperation with valuable discussions and assistance in forwarding the survey.
7. References
[1] National Institute of Standards and Technology (2006). Guide to integrating forensic techniques into
incident response (NIST SP 800-86; 0 ed., p. NIST SP 800-86). https://doi.org/10.6028/NIST.SP.800-
86.
[2] Kävrestad, J., Fundamentals of Digital Forensics: Theory, methods, and real-life applications, 2nd ed.,
Springer International Publishing, 2020. DOI:10.1007/978-3-030-38954-3.
[3] Duxbury, S. W., & Haynie, D. L., Building them up, breaking them down: Topology, vendor selection
patterns, and a digital drug market's robustness to disruption, Social Networks, 52 (2018), pp. 238-
250. DOI:10.1016/j.socnet.2017.09.002.
[4] Seigfried-Spellar, K. C., Assessing the psychological well-being and coping mechanisms of law
enforcement investigators vs. digital forensic examiners of child pornography investigations, Journal
of Police and Criminal Psychology, 33(3) (2018), pp. 215-226. DOI:10.1007/s11896-017-9248-7.
[5] Murray, D., Trouble on line for criminals using encrypted phones, Australasian Policing, 13(1) (2021),
pp. 10-11. ISSN: 1837-7009.
[6] Sunde, N., & Dror, I. E., Cognitive and human factors in digital forensics: Problems, challenges, and
the way forward, Digital investigation, 29 (2019), pp. 101-108. DOI:10.1016/j.diin.2019.03.011.
[7] Losavio, M. M., Pastukov, P., Polyakova, S., Zhang, X., Chow, K. P., Koltay, A., James, J., & Ortiz,
M. E., The juridical spheres for digital forensics and electronic evidence in the insecure electronic
world, Wiley Interdisciplinary Reviews Forensic Science, (2019), e1337. DOI:10.1002/wfs2.1337.
[8] International Organization for Standardization (2012). Information technology – Security techniques
– Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC
Standard No. 27037:2012). Retrieved January 6, 2021 from https://www.iso.org/standard/44381.html.
[9] National Criminal Justice Reference Service (NCJRS) (2021). About NCJRS. [Online]. Retrieved June
5, 2021 from https://www.ojp.gov/ncjrs.
[10] National Police Chiefs’ Council (2020). Digital Forensic Science Strategy. Retrieved September 26,
2021 from https://www.npcc.police.uk/Digital%20Forensic%20Science%20Strategy%202020.pdf.
[11] Caviglione, L., Wendzel, S., & Mazurczyk, W., The future of digital forensics: Challenges and the
road ahead, IEEE Security & Privacy, 15(6) (2017), pp. 12-17. DOI:10.1109/MSP.2017.4251117.
[12] National Institute of Standards and Technology (2020). NISTIR 8006 NIST Cloud Computing Forensic
Science Challenges. Retrieved September 26, 2021 from
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8006.pdf.
[13] Leitch, S., & Warren, M. J., ETHICS: The past, present and future of socio-technical systems design,
in: Proceedings of the IFIP International Conference on the History of Computing, Brisbane, Australia,
September 2010, pp. 189-197. Springer, Berlin, Heidelberg.
[14] Nouh, M., Nurse, J. R., Webb, H., & Goldsmith, M., Cybercrime investigators are users too!
Understanding the socio-technical challenges faced by law enforcement, in: Proceedings of the
Workshop on Usable Security (USEC), San Diego, CA, 24 February 2019, pp. 1-11.
DOI:10.14722/usec.2019.23032.
[15] Creswell, J., & Poth, C., Qualitative inquiry and research design: choosing among five approaches,
4th ed., Sage Publications, 2018. ISBN 978-1-5063-3020-4.
[16] Arksey, H. & Knight, P., Interviewing for social scientists, an introductory resource with examples,
Sage Publications, 1999. ISBN 0 76 1 9 5869.
[17] Kitchenham, B., & Charters, S., Guidelines for performing systematic literature reviews in software
engineering, EBSE Technical Report EBSE-2007-01 (2007).
http://cdn.elsevier.com/promis_misc/525444systematicreviewsguide.pdf.
[18] Fink, A., Conducting research literature reviews, from the Internet to paper, 5th ed., Sage Publications,
2019. ISBN 978-1-4833-0103-7.
[19] Brereton, P., Kitchenham, B. A., Budgen, D., Turner, M., & Khalil, M., Lessons from applying the
systematic literature review process within the software engineering domain, Journal of Systems and
Software, 80(4) (2007), pp. 571-583. DOI:10.1016/j.jss.2006.07.009.
115
�[20] Wohlin, C., Guidelines for snowballing in systematic literature studies and a replication in software
engineering, in: Proceedings of the 18th International Conference on Evaluation and Assessment in
Software Engineering - EASE '14, London, 13-14 May 2014, pp. 1-10.
DOI:10.1145/2601248.2601268.
[21] Braun, V. & Clarke, V., Using thematic analysis in psychology, Qualitative Research in
Psychology, 3:2 (2006), pp. 77-101. DOI:10.1191/1478088706qp063oa.
[22] Wohlin, C., Runeson, P., Höst, M., Ohlsson, M. C., Regnell, B., & Wesslén, A., Experimentation in
software engineering. Springer, 2012. ISBN 978-3-642-29044-2.
[23] Bujra J., Lost in Translation? The Use of Interpreters in the Fieldwork, in: Desai, V., & Potter, R.
B. (Eds.), Doing development research, Sage Publications, 2006. ISBN10 1 4129 02843.
[24] Sanchez, L., Grajeda, C., Baggili, I., & Hall, C., A Practitioner Survey Exploring the Value of Forensic
Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM),
Digital Investigation, 29 (2019), pp. 124-142. DOI:10.1016/j.diin.2019.04.005.
[25] Kanta, A., Coisel, I., & Scanlon, M., A survey exploring open source Intelligence for smarter password
cracking, Forensic Science International: Digital Investigation, 35 (2020), pp. 1-11.
DOI:10.1016/j.fsidi.2020.301075.
[26] Karie, N. M., & Venter, H. S., Taxonomy of Challenges for Digital Forensics, Journal of Forensic
Sciences, 60(4) (2015), pp. 885-893. DOI:10.1111/1556-4029.12809.
[27] Reedy, P., Interpol review of digital evidence 2016-2019, Forensic Science International: Synergy, 2
(2020), pp. 489-520. DOI:10.1016/j.fsisyn.2020.01.015.
[28] Rogers, M. K., & Seigfried, K., The future of computer forensics: A needs analysis survey, Computers
& Security, 23(1) (2004), pp. 12-16. DOI:10.1016/j.cose.2004.01.003.
116
�