<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>in the Investigation of Cybercrime⋆</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Vladyslav Bilous</string-name>
          <email>v.bilous@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Dmytro Bodnenko</string-name>
          <email>d.bodnenko@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oleksandra Lokaziuk</string-name>
          <email>o.lokaziuk@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Pavlo Skladannyi</string-name>
          <email>p.skladannyi@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Vadym Abramov</string-name>
          <email>v.abramov@kubg.edu.ua</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Borys Grinchenko Kyiv Metropolitan University</institution>
          ,
          <addr-line>18/2 Bulvarno-Kudriavska str., 04053 Kyiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Institute of Mathematics of NAS of Ukraine</institution>
          ,
          <addr-line>3 Tereshchenkivska str., 01024 Kyiv</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <fpage>26</fpage>
      <lpage>37</lpage>
      <abstract>
        <p>Digital forensics is the key element in the detection, preservation, and analysis of digital evidence, and helps in the investigation of complex cybercrimes such as identity theft and corporate espionage. The study emphasizes the importance of methods for analyzing physical data storage devices and arrays in crime investigations, in particular for identifying key individuals in criminal networks, which can lead to critical information. The paper also discusses the main difficulties of implementing digital forensic tools, including legal restrictions, technical problems, human factors, high cost, and complexity of integration. The comparative analysis of digital tools for investigating cybercrime, including data collection, data analysis, and data structure management tools, is made. Particular attention is paid to the author's software “Cyber Evidence”, which offers a wide range of functions for analyzing electronic evidence and integrating with full data sources. This software allows cyber units and forensic experts to work efficiently with data, check for malware, and obtain digital evidence of cybercrime, making it one of the tools in the field of digital forensics.</p>
      </abstract>
      <kwd-group>
        <kwd>cybercrime</kwd>
        <kwd>cyber forensic</kwd>
        <kwd>digital forensic tool</kwd>
        <kwd>data analytics</kwd>
        <kwd>data analysis</kwd>
        <kwd>software cyber evidence</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        In the digital era of growing cybercrime, the problem of the evolution of investigative techniques
arises, with digital forensics becoming a crucial component in the fight against online crime.
Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing,
analyzing, and reporting electronically stored data [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ].
      </p>
      <p>
        Digital forensics tools [
        <xref ref-type="bibr" rid="ref2 ref3">2, 3</xref>
        ] play an important role in identifying, preserving, and analyzing
digital evidence, helping law enforcement agencies and organizations solve complex cybercrimes
ranging from identity theft to corporate espionage. The effectiveness of these tools can be
measured by a variety of metrics, including their ability to recover deleted files, track digital traces,
and provide actionable intelligence that leads to successful prosecutions. However, the
implementation of digital forensics is not without its challenges; technical difficulties, such as the
rapid development of technology outpacing forensic capabilities, along with legal and ethical
concerns regarding privacy and admissibility of evidence, complicate the investigative
environment. In addition, limitations inherent in current digital forensics technologies, such as the
inability to effectively analyze encrypted data, underscore the ongoing need for innovation and
adaptation in this area. Establishing best practices for digital forensics investigations, including
systematic protocols for processing evidence and ensuring the reliability of digital evidence, is
crucial to maximizing the effectiveness of these tools. With the multitude of digital forensics tools
available, a comparative analysis of their characteristics and capabilities is essential for
investigators to select the best solutions. Solutions should be tailored to specific cases, including a
thorough evaluation of both open-source and commercial options. As technology evolves, future
trends such as the integration of artificial intelligence into digital forensics [
        <xref ref-type="bibr" rid="ref4 ref5">4, 5</xref>
        ] promise to
improve investigative techniques, but also present new challenges that may redefine the
parameters of digital crime investigations.
      </p>
      <p>The objectives of this study are:</p>
      <p>Analyze the problems that arise when implementing digital forensics tools.</p>
      <p>Compare the use of tools in the investigation of cybercrime.</p>
      <p>Describe the author’s software Cyber Evidence.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Research methodology</title>
      <p>The following methods were used in the study: analysis of scientific literature on digital forensics
tools; analysis of social networks; analysis of resources and methods for collecting digital evidence;
software development; testing of the author’s software to predict its further development;
visualization of the data obtained to present the results of the study.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Results and discussion</title>
      <sec id="sec-3-1">
        <title>3.1. Problems arising from the implementation of digital forensics tools</title>
        <p>
          Digital forensics tools are indispensable in the modern fight against cybercrime, as they offer
important capabilities for both detecting and prosecuting cybercriminals. These tools are specially
designed to track information related to system or network breaches, and the information obtained
can be important for identifying criminals and further prosecuting them in a forensic investigation
[
          <xref ref-type="bibr" rid="ref6">6</xref>
          ]. The development of cybercrime requires the improvement of digital forensics tools. At the
same time, there are obstacles to interagency cooperation that hinder the fight against cybercrime.
        </p>
        <p>
          When evaluating the effectiveness of digital forensics tools, social network analysis (SNA)
methods should be used [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. One of the main functions of SNA is to identify key individuals to
understand the dynamics of criminal networks and increase the effectiveness of investigations.
SNA methods provide insight into the density of communications in the network, which can
indicate the level of interaction and potential collusion between people, revealing the operational
structure of the network. At the same time, analyzing the strength of ties between individuals or
nodes makes it easier for investigators to optimize the investigation (relationships, priorities). The
integration of SNA methods into digital forensics contributes to the efficiency and validity of
investigations.
        </p>
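        <p>The SNA measures named above (network density, strength of ties, and identification of key individuals) computed on a small communication graph. This is an added example, not code from the paper or from Cyber Evidence; the contact records and the single-letter identities are constructed, and betweenness centrality is used here as one common way to rank key individuals.</p>
        <preformat>
```python
from collections import defaultdict, deque

# Constructed sample: (person_a, person_b, number_of_contacts), e.g. from call logs.
CONTACTS = [
    ("A", "B", 14), ("A", "C", 9), ("B", "C", 11),
    ("C", "D", 3),
    ("D", "E", 7), ("D", "F", 5), ("E", "F", 12),
    ("F", "G", 1),
]


def build_graph(contacts):
    """Undirected weighted graph: graph[u][v] = total contacts between u and v."""
    graph = defaultdict(dict)
    for a, b, n in contacts:
        graph[a][b] = graph[a].get(b, 0) + n
        graph[b][a] = graph[b].get(a, 0) + n
    return dict(graph)


def density(graph):
    """Share of possible ties that actually exist (0 = none, 1 = everyone linked)."""
    n = len(graph)
    edges = sum(len(nbrs) for nbrs in graph.values()) / 2
    return 0.0 if n in (0, 1) else 2 * edges / (n * (n - 1))


def strength(graph):
    """Total contact volume per person (sum of the weights of their ties)."""
    return {v: sum(nbrs.values()) for v, nbrs in graph.items()}


def strongest_ties(graph, k=3):
    """The k heaviest ties, each reported once as (u, v, weight)."""
    ties = {tuple(sorted((u, v))): w for u, nbrs in graph.items() for v, w in nbrs.items()}
    ranked = sorted(ties.items(), key=lambda item: -item[1])
    return [(u, v, w) for (u, v), w in ranked[:k]]


def betweenness(graph):
    """Brandes' algorithm on hop counts: shortest paths that pass through each person."""
    bc = dict.fromkeys(graph, 0.0)
    for s in graph:
        stack, preds = [], {v: [] for v in graph}
        sigma = dict.fromkeys(graph, 0)   # number of shortest paths from s
        dist = dict.fromkeys(graph, -1)   # hop distance from s, -1 = not reached
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] == -1:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(graph, 0.0)
        while stack:                      # accumulate dependencies, farthest first
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {v: b / 2 for v, b in bc.items()}  # each undirected pair was counted twice


def key_individuals(graph):
    """People ranked by brokerage (betweenness), contact volume as tie-breaker."""
    bc, st = betweenness(graph), strength(graph)
    return sorted(graph, key=lambda v: (-bc[v], -st[v]))


if __name__ == "__main__":
    g = build_graph(CONTACTS)
    print("density:", round(density(g), 3))
    print("strongest ties:", strongest_ties(g))
    print("contact volume:", strength(g))
    print("betweenness:", betweenness(g))
    print("ranking:", key_individuals(g))
```
        </preformat>
        <p>In this constructed network the person with the highest contact volume (B) sits on no shortest path between others, while D, with a lower volume, connects the two groups; volume and brokerage answer different investigative questions.</p>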
        <p>
          The introduction of digital forensics tools, such as the US Integrated Automated Fingerprint
Identification System (IAFIS) and the UK National DNA Database (NDNAD), demonstrates their
key role in modern crime-solving and intelligence gathering [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. These systems are an example of
how the use of advanced databases contributes to criminal investigations. While SNA helps in mapping
relationships and influence in networks, IAFIS and NDNAD provide the infrastructure for
identifying individuals using biometric data, helping to narrow down the range of suspects and
verify identities [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. The UK’s National Fingerprint Database (IDENT1) complements these systems
by providing additional layers of verification and cross-referencing that together optimize the
investigation process and increase the accuracy of criminal identification [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. Databases are being
improved and modernized. Ongoing cooperation between law enforcement agencies and
technology developers is crucial to ensure that tools are effective and adapt to new challenges in
solving crimes.
        </p>
        <p>
          The analysis of sources [
          <xref ref-type="bibr" rid="ref3 ref4 ref6">3, 4, 6</xref>
          ] and the experience of developing and implementing
OSINT-oriented software [
          <xref ref-type="bibr" rid="ref8">8</xref>
          ] gives grounds to highlight the most important problems that may arise when
implementing digital forensics tools.
        </p>
        <sec id="sec-3-1-1">
          <title>Legal restrictions</title>
          <p>One of the main problems is the gap between the technological capabilities of digital forensics
and the current legal framework. In many countries, legislation does not keep pace with rapid
changes in technology.</p>
          <p>
            International context. Collecting digital evidence often involves accessing data located outside
the jurisdiction of the country of investigation. For example, criminals may store their files on
servers located in countries with strict privacy laws or no international legal assistance
agreements. In 2020, the European Union faced a problem when data obtained through violation of
international cooperation procedures could not be used in court [
            <xref ref-type="bibr" rid="ref9">9</xref>
            ].
          </p>
          <p>
            Maintaining confidentiality. Investigations often involve the extraction of data that contains the
personal information of third parties. For example, analyzing a suspect’s phone may reveal
messages, photos, or other information belonging to third parties who are not parties to the case.
This creates a conflict between the needs of the investigation and personal data protection
legislation, such as the GDPR in the European Union [
            <xref ref-type="bibr" rid="ref10">10</xref>
            ].
          </p>
        </sec>
        <sec id="sec-3-1-2">
          <title>Technical challenges</title>
          <p>Adaptation to new technologies. The development of technology makes the work of digital
forensic scientists more complex. For example, cloud-based technologies such as Amazon Web
Services or Google Cloud allow criminals to quickly transfer data without having to physically
seize the storage media. Another example is encryption, which is becoming a standard in many
apps and services, such as Signal or WhatsApp. In such cases, access to data is often only possible
through sophisticated technical solutions or cooperation with developers.</p>
          <p>Data sets. The sheer volume of digital data is another challenge. For example, investigating a
cybercrime may involve analyzing terabytes of information from a company’s servers or cloud
storage. This requires high-performance systems and algorithms that can quickly process such
data. However, even with modern technology, such investigations can take days or weeks.</p>
        </sec>
        <sec id="sec-3-1-3">
          <title>Human factor</title>
          <p>
            Insufficient qualifications. The biggest challenge is staff training. For instance, the use of
sophisticated tools such as FTK [
            <xref ref-type="bibr" rid="ref11">11</xref>
            ] or EnCase [
            <xref ref-type="bibr" rid="ref12">12</xref>
            ] requires specialized knowledge. Inexperienced
professionals may make mistakes, for example, failing to record the chain of custody of evidence,
which will lead to its discredit in court [
            <xref ref-type="bibr" rid="ref13">13</xref>
            ].
          </p>
          <p>Errors in the process. Even minor mistakes during data extraction or analysis can have serious
consequences. For instance, if an investigator accidentally changes the metadata of a file, it can be
seen as tampering and cast doubt on the reliability of the evidence.</p>
        </sec>
        <sec id="sec-3-1-4">
          <title>High cost</title>
          <p>
            The cost of licenses and equipment. Many modern digital forensics tools are commercial and cost
tens of thousands of dollars. For instance, a license for EnCase [
            <xref ref-type="bibr" rid="ref12">12</xref>
            ] can cost from 20,000 dollars,
and specialized devices for analyzing mobile phones, such as Cellebrite UFED, have a similar price.
This becomes a serious barrier to the implementation of such tools in countries with limited
budgets.
          </p>
          <p>Additional costs. In addition to purchasing licenses, you need to consider the costs of staff
training, technical support, software, and infrastructure upgrades. This creates a significant
financial burden even for large organizations.</p>
        </sec>
        <sec id="sec-3-1-5">
          <title>Complexity of integration</title>
          <p>Inconsistencies in data formats. Digital forensics tools often use different data formats, which
makes it difficult to use them in an integrated manner. For example, one tool may generate reports
in XML format, while another only supports CSV. To combine such data, additional software or
manual work is required.</p>
          <p>Time spent on integration. It can take months to integrate a new tool into an existing system,
especially if the organization is using legacy systems. For example, institutions running on older
operating systems often have problems with compatibility with modern tools.</p>
        </sec>
        <sec id="sec-3-1-6">
          <title>The speed of development of cyber threats</title>
          <p>
            Increasing complexity of threats. Hackers are constantly improving their methods. For example,
ransomware has become more sophisticated, using double encryption and multi-level attacks. In
the case of the WannaCry attack in 2017 [
            <xref ref-type="bibr" rid="ref14">14</xref>
            ], thousands of organizations suffered losses due to a
lack of preparedness for such threats.
          </p>
          <p>
            Use of anonymization. Anonymization via Tor or VPN makes it much more difficult to
identify the perpetrators. Even after the device is removed, all activities can be hidden
through encryption systems, anonymous accounts, and dynamic IP addresses [
            <xref ref-type="bibr" rid="ref15 ref16 ref17">15–17</xref>
            ].
          </p>
        </sec>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. Examples of the use of OSINT to document war crimes in Ukraine</title>
        <p>
          A successful digital forensics investigation depends on several key steps to ensure both
thoroughness and accuracy. First and foremost, organizations must establish robust training
requirements for personnel involved in digital forensics investigations to ensure that they have the
necessary skills and knowledge to handle complex cases. This training should cover the
identification, handling, and storage of evidence, as these components are critical to maintaining
the integrity of evidence throughout the investigation process. In addition, assessing and
improving IT governance structures play a key role in supporting an effective digital forensics
strategy. They provide the necessary structure and policies to manage digital evidence and align
investigative practices with organizational goals. To increase preparedness, an organization should
adopt a proactive approach to digital forensics (ProDF) by implementing measures that strengthen
readiness for potential investigations or compliance tests. This includes defining clear goals, steps,
and deliverables for ProDF to ensure a structured and efficient investigation process [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ].
Comprehensive training facilitates successful investigations and enables organizations to respond
effectively to potential digital threats or incidents. The comprehensive approach includes the
implementation of standardized procedures for collecting, preserving, storing, and presenting digital
evidence, which is critical to maintaining its integrity throughout the investigation process [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ].
        </p>
        <p>
          When working with digital forensics tools, it is crucial to follow recommended protocols to
ensure the integrity and reliability of digital evidence. One of the main aspects of these protocols is
to follow best practices in forensic data processing [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ]. It is important to use:
        </p>
        <sec id="sec-3-2-1">
          <title>Standardized methods for collecting, storing, and analyzing digital evidence.</title>
          <p>For example, when collecting data from a mobile device, software tools such as Cellebrite or XRY
should be used to minimize the risk of data modification. In the case of analyzing a computer’s
hard disk, methods of creating copies of the disk using write-blocker devices are used to ensure the
preservation of original information.</p>
        </sec>
        <sec id="sec-3-2-2">
          <title>Integrity and chain of custody of digital evidence.</title>
          <p>For instance, when storing files from the suspect’s servers, it is necessary to use hash functions such as MD5 or SHA-256 to record the file’s
checksum. This allows you to confirm that the data has not been altered during the investigation.
Each step of evidence processing, including the transfer of evidence between experts, should be
documented in the form of a “storage log.”</p>
        </sec>
        <sec id="sec-3-2-3">
          <title>A clear and documented data processing trail.</title>
          <p>For example, when removing email from a server, all actions should be documented, including the tools used, their versions, and the
timestamps of each operation. The report should indicate which method was used, for example,
exporting mail via IMAP or taking a snapshot of the server.</p>
          <p>By implementing these practices, forensic investigators can effectively support court
proceedings and ensure justice.</p>
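          <p>The checksum recording, the “storage log,” and the documented processing trail described above, combined in one sketch. This is an added example, not code from the paper or from Cyber Evidence; the field names, the examiner and tool names, and the sample file are constructed, only SHA-256 is used, and linking each log entry to the previous one by hash is an addition that goes beyond what the text describes.</p>
          <preformat>
```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_digest(entry):
    """Hash of every field except entry_hash itself, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_entry(log, evidence_path, action, examiner, tool, tool_version):
    """Record one handling step: who, what, when, which tool, and the file checksum."""
    entry = {
        "seq": len(log),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "examiner": examiner,
        "tool": tool,
        "tool_version": tool_version,
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry


def verify(log, evidence_path):
    """Return a list of problems; an empty list means log and evidence agree."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: entry modified")
        if entry["sha256"] != log[0]["sha256"]:
            problems.append(f"entry {i}: checksum differs from acquisition")
        prev = entry["entry_hash"]
    if log and sha256_file(evidence_path) != log[0]["sha256"]:
        problems.append("evidence file differs from acquisition checksum")
    return problems


def demo():
    """Constructed scenario: acquire, hand over, then a changed file and an edited log."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "server_export.img")  # constructed stand-in file
        with open(path, "wb") as fh:
            fh.write(b"constructed evidence bytes\n" * 1000)
        log = []
        # "example-imager" 1.0 is a hypothetical tool name and version.
        append_entry(log, path, "acquired", "examiner-1", "example-imager", "1.0")
        append_entry(log, path, "transferred", "examiner-2", "example-imager", "1.0")
        clean = verify(log, path)
        with open(path, "r+b") as fh:          # overwrite a single byte
            fh.write(b"X")
        after_file_change = verify(log, path)
        log[1]["examiner"] = "someone-else"    # after-the-fact edit of the log
        after_log_edit = verify(log, path)
    return clean, after_file_change, after_log_edit


if __name__ == "__main__":
    for label, result in zip(("clean", "file changed", "log edited"), demo()):
        print(label, "->", result or "no problems")
```
          </preformat>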
          <p>
            Comparison of digital forensics tools. Through a comparison of digital forensics tools [
            <xref ref-type="bibr" rid="ref21 ref22 ref23 ref24 ref25 ref26 ref27 ref28 ref29 ref30 ref31 ref32 ref33 ref34 ref35 ref36">21–
36</xref>
            ], we emphasize the distinctive features and capabilities that distinguish open-source solutions
from their commercial counterparts. We have analyzed the functionality and capabilities of digital
forensics tools in specialized areas (Table 1).
          </p>
          <p>[Table 1: comparison of digital forensics tools by specialized area. Areas covered: Network Traffic Analysis Tools, Mobile Device Analysis Tools, Email Analysis Tools, Memory Analysis Tools, and Case Management Tools. Tools named include Magnet AXIOM, Volatility, Belkasoft RAM Capturer, CaseMap, Nuix, MailXaminer, and Aid4Mail.]</p>
          <p>
Open-source tools can corroborate evidence found with other products, which underscores their
value in the verification process [
            <xref ref-type="bibr" rid="ref8">8</xref>
            ]. Although open-source tools are a cost-effective option, they
require additional time and expertise, which requires targeted training interventions and capacity
building in digital forensic investigations.
          </p>
          <p>It is important to consider the tool’s search and indexing capabilities; cross-platform
capabilities; and the tool’s ability to quickly process large volumes of digital forensic data. These
criteria ensure that the selected tool meets the specific requirements of the investigation.</p>
          <p>In the field of digital forensics, the choice between open-source and commercial tools involves
weighing various factors such as cost, functionality, and support.</p>
        </sec>
      </sec>
      <sec id="sec-3-3">
        <title>3.3. The author’s software “Cyber Evidence”</title>
        <p>In the context of cybercrime investigations, we have created proprietary software that provides the
following functions: Tools for data capture; Tools for analyzing digital evidence (RAID, RAW, etc.);
Tools for data array recovery (Arsenal Image Mounter software is connected); Tools for analyzing
mobile device operating systems (sleuthkit-4.12.0 framework is connected); Tools for analyzing
registries (sleuthkit-4.12.0 framework is connected); Tools for analyzing various types of email
(analogous to PSTViewer Pro). It is worth noting that part of the software functionality includes
the OpenAI key API, which is used to obtain data on Verizon, Verifone API (mobile number
databases), and digital embedded analytics of multimedia files. Artificial intelligence capabilities are
built into Cyber Evidence and are used to analyze and provide analytics of multimedia files.</p>
        <p>The name of the author’s software is Cyber Evidence. This is a digital forensic tool that provides
an intuitive interface for analyzing images of mounted disks of various formats (*.iso, *.dd, *.E01,
etc.) and includes some functionalities that help forensic experts extract and view the contents of
various file and multimedia formats.</p>
        <p>Features of the software product:</p>
        <p>Mounting images: Mounts forensic disk images (Windows only).</p>
        <p>Tree viewer: Navigate through the disk image structure, including partitions and files.</p>
        <p>Detailed file analysis: View file contents in various formats such as HEX, text, and
application-specific formats.</p>
        <p>Extract EXIF data: Extract and display EXIF metadata from photos.</p>
        <p>View registry: View and explore Windows registry files.</p>
        <p>Basic file recovery: Recover deleted files from disk images.</p>
        <p>Integration with VirusTotal API: Scan files for malware using the VirusTotal API.</p>
        <p>Integration with Verizon API: Search for phone numbers in an international database for
identification purposes.</p>
        <p>
          Scanning and recovery: Thanks to the built-in AI of the Dan model package, it is possible to
recover deleted and damaged files [
          <xref ref-type="bibr" rid="ref33">33</xref>
          ].
        </p>
        <p>E01 Image Verification: Verifies the integrity of E01 disk images.</p>
        <p>Convert E01 to raw: Converts E01 disk images to a raw format.</p>
        <p>Message decoding: Decode messages from base64, binary, and other encodings.</p>
        <p>When testing the application, the following was done.</p>
        <p>Tested formats: The tool has been tested primarily with dd and E01 files. Although these
formats are well supported, additional testing with other formats such as Ex01, Lx01, s01,
and others is needed.</p>
        <p>Tested file systems: Currently, the tool is tested only on the NTFS file system. To ensure
wider compatibility, testing with other file systems such as FAT32, exFAT, HFS+, APFS,
EXT4, and others is required.</p>
        <p>Here are fragments of the program’s operation. The program allows you to open various types
of files inside it without harming your PC. An example of opening a mounted rosatom.iso image
containing files from the servers of this structure (Fig. 1). The system automatically scans for
vulnerabilities in the image, but manual scanning is also available and then allows you to view the
file structure and open various types of files without harming your PC. In the example above, you
can view a pdf file.</p>
        <p>Here is an example of a general overview of all files on the mounted image (Fig. 2). You can
determine the actual dates of creation and modification of files.</p>
        <p>An example of encryption and decryption code for collecting checksums is in Fig. 3.</p>
        <p>The following program snippet shows the connection of the artificial intelligence API to find
vulnerabilities using VirusTotal, a cloud-based scanner for rootkits, randomizers, trojans, etc. This
example shows the connection of both manual and automatic scanning in Fig. 4.</p>
        <p>Prospects for further research are seen in improving the software (and creating instructions for
using the software) to expand the following functionality:</p>
        <p>Live video/audio playback: Currently, the video and audio player temporarily stores files
before playing them, which can cause delays. The goal is to enable direct playback to speed
up the experience.</p>
        <p>Integrated file search and browsing: The file search function is not yet connected to the
View tab, which displays HEX, text, application-specific views, metadata, and other details.
This integration needs to be implemented.</p>
        <p>Cross-platform image mounting: Image mounting currently only works on Windows using
the Arsenal Image Mounter executable. The goal is to make this feature work on all
platforms without relying on external executables.</p>
        <p>File cutting and integration with viewers: The file-cutting functionality is not yet connected
to the “Viewer Tab” where users can view HEX, text, application-specific views, and
metadata. In addition, the current file cut process does not distinguish between deleted and
uninstalled files; it “cuts” all files of the selected file type from the disk image.</p>
        <p>Problems with color in dark mode: The program is currently experiencing some color display
issues on Linux and macOS systems when using dark mode. Certain interface elements may be
fuzzy or display incorrectly.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Conclusions</title>
      <p>The results of this study highlight the important role of methods of digital data analytics in
improving investigative outcomes by identifying key influencers in criminal networks, which can
lead to the disclosure of critical information that might otherwise remain hidden.</p>
      <p>Based on the analysis of the use of digital forensics tools, the authors identify the main difficulties
that may arise in their implementation, including legal restrictions (international context and
confidentiality), technical challenges (adaptation to new technologies and data sets), human factor
(lack of qualifications and errors in the process), high cost (cost of licenses and equipment,
additional costs), complexity of integration (inconsistencies in data formats and time spent on
integration), speed of cyber threats (increasing complexity of threats and the use of
anonymization).</p>
      <p>A comparative analysis and systematization of digital tools that can be used in the investigation
of cybercrime is carried out. A list of titles of digital forensics tools is provided by key
functionality, which includes Features, Advantages, Disadvantages, License Type, and Supported
Platforms. Each of the proposed tools was recommended for use among software products: Data
Acquisition Tools, Data Analysis Tools, Data Recovery Tools, Network Traffic Analysis Tools,
Mobile Device Analysis Tools, Memory Analysis Tools, Email Analysis Tools, and Case
Management Tools.</p>
      <p>
        This study proposes the author’s software “Cyber Evidence,” which is a digital forensics tool
that provides a wide range of functions for analyzing and processing data in the context of
cybercrime. The software includes tools for capturing data, analyzing electronic evidence,
recovering information from disks, and integrating with APIs to retrieve data from various sources.
The system allows users (e.g., cyber specialists and/or forensic experts) to work with disk images of
various formats, view file contents, obtain digital evidence of cybercrime, and check for malware
[
        <xref ref-type="bibr" rid="ref37">37</xref>
        ]. The work contains screenshots of fragments of software and software code snippets [
        <xref ref-type="bibr" rid="ref38 ref39">38, 39</xref>
        ].
      </p>
    </sec>
    <sec id="sec-5">
      <title>Acknowledgments</title>
      <p>The research was carried out within the framework of: the complex scientific theme of the Faculty
of Information Technologies and Mathematics “Mathematical methods and digital technologies in
education, science, technology,” DR No. 0121U111924; the scientific theme of the Department of
Information and Cyber Security named after Professor Volodymyr Buryachok of Borys Grinchenko
Kyiv Metropolitan University “Methods and models of ensuring cyber security of information
processing systems and functional security of software and technical complexes of critical
infrastructure management,” DR No. 0122U200483, and the research by a grant from the Simons
Foundation (1290607, O. L.).</p>
    </sec>
    <sec id="sec-6">
      <title>Declaration on Generative AI</title>
      <p>While preparing this work, the authors used the AI programs Grammarly Pro to correct text
grammar and Strike Plagiarism to search for possible plagiarism. After using these tools, the authors
reviewed and edited the content as needed and took full responsibility for the publication’s content.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1] Interpol.int, Digital forensics,
          <year>2024</year>. URL: https://www.interpol.int/How-we-work/Innovation/Digital-forensics
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name><given-names>K.</given-names> <surname>Sindhu</surname></string-name>,
          <string-name><given-names>B.</given-names> <surname>Meshram</surname></string-name>,
          <article-title>Digital forensics and cyber crime datamining</article-title>,
          <source>J. Inf. Secur.</source>
          <volume>03</volume>(<issue>03</issue>) (<year>2012</year>)
          <fpage>196</fpage>-<lpage>201</lpage>. doi:10.4236/jis.2012.33024.
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name><given-names>K.</given-names> <surname>Kaushik</surname></string-name>,
          <string-name><given-names>M.</given-names> <surname>Ouaissa</surname></string-name>,
          <string-name><given-names>A.</given-names> <surname>Chaudhary</surname></string-name>,
          <article-title>Advanced techniques and applications of cybersecurity and forensics</article-title>,
          <source>Chapman and Hall</source>,
          <year>2024</year>. URL: https://f.eruditor.link/file/4195730/
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name><given-names>M.</given-names> <surname>Omar</surname></string-name>,
          <article-title>Digital forensics in the age of AI</article-title>, IGI Global,
          <year>2025</year>. doi:10.4018/979-8-3373-0857-9.
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name><given-names>H.</given-names> <surname>Zangana</surname></string-name>,
          <string-name><given-names>M.</given-names> <surname>Omar</surname></string-name>,
          <article-title>Introduction to digital forensics and artificial intelligence</article-title>,
          <source>Advances in Digital Crime, Forensics, and Cyber Terrorism</source>
          (<year>2025</year>)
          <fpage>1</fpage>-<lpage>30</lpage>. doi:10.4018/979-8-3373-0857-9.ch001
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6] Enisa Europa,
          <article-title>Report on the State of cybersecurity in the union-condensed version</article-title>,
          <source>Publication</source>,
          <year>2024</year>. URL: https://www.enisa.europa.eu/publications/2024-report-on-the-state-ofthe-cybersecurity-in-the-union
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name><given-names>A.</given-names> <surname>Irons</surname></string-name>,
          <string-name><given-names>H.</given-names> <surname>Lallie</surname></string-name>,
          <article-title>Digital forensics to intelligent forensics</article-title>,
          <source>Future Internet</source>,
          <volume>6</volume> (<year>2014</year>)
          <fpage>584</fpage>-<lpage>596</lpage>. doi:10.3390/fi6030584
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>V.</given-names>
             
            <surname>Bilous</surname>
          </string-name>
          , et al.,
          <article-title>Open source intelligence for war crime documentation</article-title>
          ,
          <source>in: Cybersecurity Providing in Information and Telecommunication Systems</source>
          , vol.
          <volume>3654</volume>
          ,
          <year>2024</year>
          ,
          <fpage>368</fpage>
          -
          <lpage>375</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9] Hudoc Echr Coe, HUDOC, European court of human rights,
          <year>2024</year>. URL: https://hudoc.echr.coe.int/ukr#{%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22,%22DECGRANDCHAMBER%22]}
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10] Eur-Lex Europa,
          <article-title>Consolidated text: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)</article-title>,
          <year>2016</year>. URL: http://data.europa.eu/eli/reg/2016/679/2016-05-04
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Exterro</surname>
          </string-name>
          .Com, FTK forensic toolkit,
          <year>2025</year>
          . URL: https://www.exterro.com/digital-forensicssoftware/forensic-toolkit/
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>Cybermarket</surname>
          </string-name>
          .Com, EnCase forensic,
          <year>2022</year>
          . URL: https://cybermarket.com.ua/product/encaseforensic/
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name><given-names>Z. B.</given-names> <surname>Hu</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Buriachok</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Sokolov</surname></string-name>,
          <article-title>Implementation of social engineering attack at institution of higher education</article-title>,
          <source>in: 1st International Workshop on Cyber Hygiene &amp; Conflict Management in Global Information Networks (CybHyg)</source>, vol.
          <volume>2654</volume> (<year>2020</year>) pp.
          <fpage>155</fpage>-<lpage>164</lpage>.
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name><given-names>S.</given-names> <surname>Mohurle</surname></string-name>,
          <string-name><given-names>M.</given-names> <surname>Patil</surname></string-name>,
          <article-title>A brief study of wannacry threat: Ransomware attack 2017</article-title>,
          <source>Int. J. Adv. Res. Comput. Sci.</source>
          <volume>8</volume> (<year>2017</year>)
          <fpage>1938</fpage>-<lpage>1940</lpage>.
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>O.</given-names>
             
            <surname>Mykhaylova</surname>
          </string-name>
          , et al.,
          <article-title>Mobile application as a critical infrastructure cyberattack surface</article-title>
          ,
          <source>in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, CPITS-II</source>
          , vol.
          <volume>3550</volume>
          (
          <year>2023</year>
          )
          <fpage>29</fpage>
          -
          <lpage>43</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name><given-names>M.</given-names> <surname>TajDini</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Sokolov</surname></string-name>,
          <string-name><given-names>P.</given-names> <surname>Skladannyi</surname></string-name>,
          <article-title>Performing sniffing and spoofing attack against ADS-B and Mode S using Software Define Radio</article-title>,
          <source>in: IEEE International Conference on Information and Telecommunication Technologies and Radio Electronics</source>
          (<year>2021</year>)
          <fpage>7</fpage>-<lpage>11</lpage>. doi:10.1109/UkrMiCo52950.2021.9716665
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name><given-names>M.</given-names> <surname>TajDini</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Sokolov</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Buriachok</surname></string-name>,
          <article-title>Men-in-the-middle attack simulation on low energy wireless devices using software define radio</article-title>,
          <source>in: 8th International Conference on “Mathematics. Information Technologies. Education:” Modern Machine Learning Technologies and Data Science</source>, vol.
          <volume>2386</volume> (<year>2019</year>)
          <fpage>287</fpage>-<lpage>296</lpage>.
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name><given-names>C.</given-names> <surname>Grobler</surname></string-name>,
          <string-name><given-names>C.</given-names> <surname>Louwrens</surname></string-name>,
          <string-name><given-names>S.</given-names> <surname>von Solms</surname></string-name>,
          <article-title>A framework to guide the implementation of proactive digital forensics in organisations</article-title>,
          <source>in: 2010 International Conference on Availability, Reliability and Security</source>,
          <year>2010</year>,
          <fpage>677</fpage>-<lpage>682</lpage>. doi:10.1109/ARES.2010.62
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name><given-names>J.</given-names> <surname>Sachowski</surname></string-name>,
          <article-title>Implementing digital forensic readiness: From reactive to proactive process</article-title>, Boca Raton: CRC Press,
          <year>2021</year>.
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name><given-names>A.</given-names> <surname>Malik</surname></string-name>, et al.,
          <article-title>Cloud digital forensics: Beyond tools, techniques, and challenges</article-title>,
          <source>Sensors</source>
          <volume>24</volume> (<year>2024</year>). doi:10.3390/s24020433
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21] Exterro,
          <article-title>FTK imager 4.7.3.81</article-title>,
          <year>2025</year>. URL: https://www.exterro.com/ftk-product-downloads/ftkimager-4-7-3-81
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22] Cellebrite,
          <article-title>Cellebrite UFED, The industry standard for lawfully accessing and collecting digital data</article-title>,
          <year>2025</year>. URL: https://cellebrite.com/en/ufed/
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23] Guidancesoftware,
          <article-title>OpenText Forensic (EnCase)</article-title>,
          <year>2025</year>. URL: https://www.guidancesoftware.com/encase-forensic
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <surname>X-Ways</surname>
          </string-name>
          ,
          <article-title>X-Ways forensics: Integrated computer forensics software</article-title>
          ,
          <year>2025</year>
          . URL: https://xways.net/forensics/
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <surname>Ccleaner</surname>
          </string-name>
          ,
          <article-title>Recuva, recover your deleted files quickly and easily, 2025</article-title>
          . URL: https://www.ccleaner.com/recuva
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <surname>R-Studio</surname>
          </string-name>
          ,
          <article-title>Disk recovery software and hard drive recovery tool</article-title>
          ,
          <year>2025</year>
          . URL: https://www.rstudio.com/
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <article-title>Wireshark.org, The world's most popular network protocol analyzer</article-title>
          ,
          <year>2025</year>
          . URL: https://www.wireshark.org/
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28] NetworkMiner,
          <year>2025</year>. URL: https://www.netresec.com/?page=NetworkMiner
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <surname>Oxygenforensics</surname>
          </string-name>
          .Com, Oxygen Forensic Suite,
          <year>2025</year>
          . URL: https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30] Magnetforensics.Com,
          <article-title>Magnet AXIOM</article-title>,
          <year>2025</year>. URL: https://www.magnetforensics.com/products/magnet-axiom/
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <surname>Volatilityfoundation</surname>
          </string-name>
          , Volatility,
          <year>2025</year>
          . URL: https://www.volatilityfoundation.org/
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <surname>Belkasoft</surname>
          </string-name>
          ,
          <source>Belkasoft RAM Capturer</source>
          ,
          <year>2025</year>
          . URL: https://belkasoft.com/ram-capturer
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33] MailXaminer,
          <article-title>Know MailXaminer's Range &amp; Areas of Investigation</article-title>,
          <year>2025</year>. URL: https://www.mailxaminer.com/
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [34] Aid4Mail,
          <article-title>Software for email forensics, eDiscovery &amp; Conversion</article-title>,
          <year>2025</year>. URL: https://www.aid4mail.com/
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [35] Cloudnine,
          <article-title>Discovery document review software for law firms and enterprises</article-title>,
          <year>2025</year>. URL: https://cloudnine.com/ediscovery-software/cloudnine-review/
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          [36]
          <string-name>
            <surname>Nuix</surname>
          </string-name>
          .Com,
          <article-title>Helping to protect, govern and leverage enterprise data</article-title>
          ,
          <year>2025</year>
          . URL: https://www.nuix.com/
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          [37]
          <string-name><given-names>R.</given-names> <surname>Marusenko</surname></string-name>,
          <string-name><given-names>V.</given-names> <surname>Sokolov</surname></string-name>,
          <string-name><given-names>P.</given-names> <surname>Skladannyi</surname></string-name>,
          <article-title>Social engineering penetration testing in higher education institutions</article-title>,
          <source>Advances in Computer Science for Engineering and Education VI</source>, vol.
          <volume>181</volume> (<year>2023</year>)
          <fpage>1132</fpage>-<lpage>1147</lpage>.
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          [38]
          <string-name>
            <given-names>M.</given-names>
             
            <surname>Astafieva</surname>
          </string-name>
          , et al.,
          <article-title>Formation of high school students' resistance to destructive information influences</article-title>
          ,
          <source>in: Cybersecurity Providing in Information and Telecommunication Systems</source>
          , vol.
          <volume>3421</volume>
          (
          <year>2023</year>
          )
          <fpage>87</fpage>
          -
          <lpage>96</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          [39]
          <string-name><given-names>V.</given-names> <surname>Buriachok</surname></string-name>, et al.,
          <article-title>Implementation of active cybersecurity education in Ukrainian higher school</article-title>,
          <source>Information Technology for Education, Science, and Technics</source>, vol.
          <volume>178</volume> (<year>2023</year>)
          <fpage>533</fpage>-<lpage>551</lpage>. doi:10.1007/978-3-031-35467-0_32
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>