Digital_Forensics_Toolkit_Phase_2_Report_Final (2)


VISVESVARAYA TECHNOLOGICAL UNIVERSITY

“JNANA SANGAMA”, BELAGAVI - 590 018

PROJECT PHASE - II REPORT


on
“Digital Forensics Toolkit for Evidence Extraction
and Analysis”
Submitted by

Anupam Krishna V 4SF21CS021
Joseph Mathew 4SF21CS064
Mohammad Ashbar 4SF21CS085
Vamsi Krishna Praneeth Yeddula 4SF21CS182
In partial fulfillment of the requirements for the VII semester

BACHELOR OF ENGINEERING
in
COMPUTER SCIENCE & ENGINEERING
Under the Guidance of
Ms. Chaithra S
Assistant Professor, Department of CSE
at

SAHYADRI
College of Engineering & Management
An Autonomous Institution
MANGALURU
2024 - 25
SAHYADRI
College of Engineering & Management
Adyar, Mangaluru - 575 007

Department of Computer Science & Engineering

CERTIFICATE

This is to certify that the phase - II work of the project entitled “Digital Forensics Toolkit for Evidence Extraction and Analysis” has been carried out by Anupam Krishna V (4SF21CS021), Joseph Mathew (4SF21CS064), Mohammad Ashbar (4SF21CS085) and Vamsi Krishna Praneeth Yeddula (4SF21CS182), bonafide students of Sahyadri College of Engineering and Management, in partial fulfillment of the requirements for the VII semester of Bachelor of Engineering in Computer Science and Engineering of Visvesvaraya Technological University, Belagavi, during the year 2024 - 25. It is certified that all suggestions indicated for Internal Assessment have been incorporated in the report deposited in the departmental library. The project report has been approved as it satisfies the academic requirements in respect of project work prescribed for the said degree.

———————————– ——————————— ———————————-


Project Guide HOD Principal
Ms. Chaithra S Dr. Mustafa Basthikodi Dr. S S Injaganeri
Assistant Professor Professor & Head Principal
Dept. of CSE Dept. of CSE SCEM

External Viva-Voce
Examiner’s Name Signature with Date

1. ........................................ ......................................
2. ........................................ ......................................

DECLARATION

We hereby declare that the entire work embodied in this Project Phase - II Report
titled “Digital Forensics Toolkit for Evidence Extraction and Analysis” has been
carried out by us at Sahyadri College of Engineering and Management, Mangaluru under
the supervision of Ms. Chaithra S, in partial fulfillment of the requirements for the
VII semester of Bachelor of Engineering in Computer Science and Engineering.
This report has not been submitted to this or any other University for the award of any
other degree.

Anupam Krishna V (4SF21CS021)

Joseph Mathew (4SF21CS064)

Mohammad Ashbar (4SF21CS085)

Vamsi Krishna Praneeth Yeddula (4SF21CS182)

Dept. of CSE, SCEM, Mangaluru


Abstract

The rapid development of technology has left digital devices more exposed to attack and has increased the opportunity for digital crime, creating a need for accurate and reliable digital forensics tools. This project presents a digital forensics toolkit developed to help investigators extract, analyze, and store digital evidence. The toolkit integrates modules for file analysis, network analysis, file integrity checking, and metadata extraction. Its modular framework lets analysts add new features easily and supports analysis of file data together with real-time monitoring of network traffic. To preserve the integrity and admissibility of evidence, the toolkit follows established industry protocols and applies appropriate encryption. A user-friendly interface and logging functionality make it usable by investigators without deep technical expertise. Testing demonstrated high accuracy and efficiency in detecting and storing digital evidence, making it a valuable toolkit for digital forensics.

Acknowledgement

It is with great satisfaction and euphoria that we are submitting the Project Phase - II
Report on “Digital Forensics Toolkit for Evidence Extraction and Analysis”. We
have completed it as a part of the curriculum of Visvesvaraya Technological University,
Belagavi in partial fulfillment of the requirements for the VII semester of Bachelor of
Engineering in Computer Science and Engineering.

We are profoundly indebted to our guide, Ms. Chaithra S, Assistant Professor, De-
partment of Computer Science and Engineering for innumerable acts of timely advice,
encouragement and we sincerely express our gratitude.

We also thank Dr. Suhas A Bhyratae and Ms. Prapulla G, Project Coordinators,
Department of Computer Science and Engineering for their constant encouragement and
support extended throughout.

We express our sincere gratitude to Dr. Mustafa Basthikodi, Professor and Head, De-
partment of Computer Science and Engineering for his invaluable support and guidance.

We sincerely thank Dr. S. S. Injaganeri, Principal, Sahyadri College of Engineering
and Management, Sahyadri Educational Institutions, who has always been a great source
of inspiration.

Finally, yet importantly, we express our heartfelt thanks to our family and friends for
their wishes and encouragement throughout the work.

Anupam Krishna V (4SF21CS021)


Joseph Mathew (4SF21CS064)
Mohammad Ashbar (4SF21CS085)
Vamsi Krishna Praneeth Yeddula (4SF21CS182)

Table of Contents

Abstract i

Acknowledgement ii

Table of Contents v

List of Figures vi

List of Tables vii

1 Introduction 1
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.5 Definitions, Acronyms, and Abbreviations . . . . . . . . . . . . . . . . . 3
1.6 Structure of the Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Literature Survey 5
2.1 Related Works / Problem Background / Literature Survey Papers . . . . 5
2.1.1 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.1.2 Research Gaps Identified . . . . . . . . . . . . . . . . . . . . . . . 24

3 Problem Statement 25
3.1 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 Software Requirements Specification 27


4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.2 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3 User Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.4 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

4.4.1 Hardware Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.4.2 Software Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . 28

5 System Design 30
5.1 Architecture Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1.1 Proposed Methodology . . . . . . . . . . . . . . . . . . . . . . . . 30
5.1.2 Overall Description . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.2 Use-Case Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5.3 Data Flow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.4 Module Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.5 Functional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.6 Nonfunctional Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.7 GUI Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.8 Module-Wise Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

6 IMPLEMENTATION 40
6.1 Setting up an Execution Environment . . . . . . . . . . . . . . . . . . . . 40
6.1.1 Software Tools, Technology Description, and Installation . . . . . 40
6.1.2 Hardware Description, Installation and Usage . . . . . . . . . . . 41
6.1.3 Interface Description . . . . . . . . . . . . . . . . . . . . . . . . . 41

7 TESTING AND VALIDATION 42


7.1 Testing Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.1.1 Unit Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.1.2 Integration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.1.3 Functional Testing . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.2 Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7.3 Performance Benchmarks . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

8 Results and Discussion 44


8.1 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.1.1 Module Performance with Snapshots . . . . . . . . . . . . . . . . 44
8.2 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

9 Project Plan 49
9.1 Timeline of Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

10 Conclusion and Future Enhancements 52
10.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.2 Future Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

References 54

List of Figures

1.1 Structure of Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

5.1 System Architecture Design . . . . . . . . . . . . . . . . . . . . . . . . . 30


5.2 File Analysis Use Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.3 Network Monitoring Use Case . . . . . . . . . . . . . . . . . . . . . . . . 32
5.4 Data Work Flow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.5 File Analysis Work Flow Diagram . . . . . . . . . . . . . . . . . . . . . . 34
5.6 Malware Detection Work Flow Diagram . . . . . . . . . . . . . . . . . . 34
5.7 Email Forensics Work Flow Diagram . . . . . . . . . . . . . . . . . . . . 35
5.8 Network Monitoring Work Flow Diagram . . . . . . . . . . . . . . . . . . 35
5.9 GUI Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

8.1 File Analysis page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45


8.2 Network Monitor page . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
8.3 Protocol distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
8.4 Active Connection Dashboard . . . . . . . . . . . . . . . . . . . . . . . . 46
8.5 Port Analysis Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
8.6 Network Statistics and History . . . . . . . . . . . . . . . . . . . . . . . . 47
8.7 Malware Detection Dashboard . . . . . . . . . . . . . . . . . . . . . . . . 47
8.8 Email Forensics Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . 48

9.1 Timeline of Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

List of Tables

7.1 Module Wise Test Case . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43


7.2 Efficiency for each Module . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Chapter 1

Introduction

1.1 Overview
The Digital Forensics Toolkit is a software solution developed to help forensic investigators and cyber security professionals analyze digital evidence extracted from storage devices, system files, applications, and other relevant sources. Such toolkits span several domains, including file analysis, network monitoring, e-mail forensics and malware detection, but they share common functionality. This toolkit is built on React, Node.js and Material-UI, which makes it user-friendly and well suited to forensic work. It applies statistical methods (Shannon entropy for entropy-based file examination), complemented by rule-based pattern matching and heuristic approaches, to improve the precision and dependability of forensic analysis. The entropy calculation, for instance, can identify obfuscated or packed data embedded in files, because compressed or encrypted content has a near-uniform byte distribution and therefore an entropy close to the 8-bit maximum, while metadata extraction provides information about file provenance and characteristics.

1.2 Scope
The toolkit provides a range of features for digital investigation. Key features are:

• File Analysis: metadata extraction and entropy-based analysis to flag potentially malicious files.

• Network Monitoring: real-time packet inspection, anomaly detection, and recording of network activity.

Digital Forensics Toolkit for Evidence Extraction and Analysis Chapter 1

• Malware Detection: heuristic algorithms and signature comparison to identify malware.

• Email Forensics: analysis of email headers, attachments, and metadata to check authenticity and protect against phishing attempts.

The toolkit is intended for:

1. Forensic Analysts: investigators collecting, analyzing, and presenting digital evidence.
2. Cybersecurity Teams: experts detecting and analyzing threats in real time.
3. Organizations: businesses investigating security incidents and demonstrating compliance with cybersecurity regulations.

1.3 Motivation
The increase in cybercrimes such as data theft, ransomware, and phishing attacks has created a pressing need for forensic toolkits. Existing tools often lack the versatility and integration required to handle modern cyber attacks. This project was motivated by:
1. Advanced Cyber Threats: modern cybercrimes often involve many elements, such as corrupted files, malicious emails, and unauthorized network access. An integrated toolkit is needed to meet these challenges.
2. Real-Time Capabilities: many existing tools focus only on post-incident analysis. Real-time monitoring and prevention are important for mitigating threats before damage occurs.
3. Ease of Use: a forensic toolkit should be user-friendly, helping analysts conduct investigations efficiently without extensive training.

1.4 Purpose
The main purpose of the Digital Forensics Toolkit is to support forensic investigation by:
1. Providing a Web Application: multiple forensic tools are combined in one system, reducing the need to switch between separate software.
2. Enhancing Accuracy: advanced algorithms and statistical techniques ensure accurate analysis.

Department of Computer Science and Engineering, SCEM, Mangaluru Page 2



3. Efficiency: Automates repetitive processes, such as file scanning and metadata extrac-
tion, providing investigators to focus on important parts of the investigation.

1.5 Definitions, Acronyms, and Abbreviations

• Entropy: a measure of randomness in data, often used to detect hidden, compressed, or encrypted content.
• Metadata: data that describes other data.
• API (Application Programming Interface): a defined interface through which software applications communicate with each other.
• GUI (Graphical User Interface): the interface through which users interact with the toolkit.
• Packet Investigation: the process of analyzing data packets sent over a network to detect anomalies or malicious data.

1.6 Structure of the Report

1. Introduction: purpose, scope, and key features.
2. Literature Survey: reviews related work, identifies research gaps, and states the contributions of this project.
3. Problem Formulation: defines the problem, sets out the objectives, and describes the challenges faced.
4. System Design: architectural design, functional and non-functional requirements, and use cases.
5. Implementation: setup of the execution environment, the dataset, and the development of each part of the project.
6. Results and Discussion: experimental results, analysis, and insights from module testing.
7. Conclusion and Future Enhancements: a summary of the project's achievements and of the improvements still needed.
This structure gives the report a logical flow, making the project's objectives, methodology, and results easy to follow.




Figure 1.1: Structure of Report



Chapter 2

Literature Survey

2.1 Related Works / Problem Background / Literature Survey Papers
L. Klasen et al. [1] of the International Association of Forensic Sciences (IAFS 2023) presented work on the impact of digital forensics on crime resolution in the digital age. The research indicates that the swift progression of modern technologies such as AI, IoT, drones, and cryptocurrency has enabled new criminal operations, necessitating advances in digital forensics. The authors address the difficulties of obtaining digital evidence in criminal cases and stress that collaborative networks, ethical principles for crime prevention, and innovative tools are needed to counter new threats. They suggest employing ”good AI” as a counterweight to ”evil AI”, while balancing the increased power of forensic tools against individual privacy. The report also stresses that ”training, education and political advocacy must also address the rapid growth of digital technologies and its implications for forensic investigation.”
J. Najar et al. [2] presented their findings at the 2023 IEEE International Conference on Big Data (BigData). FVT is a new tool that applies advanced visual analytics to improve cyber threat hunting, the proactive and iterative search for attacks that bypass conventional security measures. According to the study, incorporating visualization into the analytical workflow is crucial for giving cybersecurity professionals valuable insights. FVT lets analysts identify, analyze, and react to cyber threats by examining complex data patterns, anomalies, and correlations. The authors demonstrate the toolkit on real-life scenarios and highlight its potential to enhance situational awareness and risk management. The article also explains how FVT has been continuously improved and integrated into EU-funded research projects, emphasizing its significant role in cybersecurity.
A. R. Hakim et al. [3], in a paper published by IEEE on April 26, 2023, highlight the mounting worldwide concern over data breaches. Their paper, ”An Innovative Digital Forensic Model for Data Breach Investigation”, proposes a new approach. The study observes that there is no specific protocol for investigating such incidents, especially one able to answer all 5WH questions (what, who, where, when, why, and how). The authors propose a new digital forensic investigation model that sorts evidence and presents artifacts in relation to the phases of a data breach. The framework seeks to expand the scope of 5WH analysis, supporting investigators in their systematic review of data breaches. To verify its effectiveness, the framework was applied to an enterprise-level data breach case study, in which it answered all 5WH questions. By offering complete answers to the 5WH questions, this research demonstrates its effectiveness in addressing security breaches and sets a reference point for emerging frameworks for data breach analysis.
Tina Wu et al. [4], in their 2020 study ”Digital Forensic Tools: Recent Advances and Enhancing the Status Quo”, reviewed almost 800 articles on digital forensic tools created since 2014. Across the different branches of digital forensics they identified 62 tools and highlight the need for ongoing technological advancement. To facilitate the collection and analysis of digital evidence, they emphasize the need for tool reliability and accessibility.
Precilla M. Dimpe et al. [5], in their 2017 paper ”Impact of Using Unreliable Digital Forensic Tools”, discuss the effect that unsuitable tools have on forensic investigations. In legal proceedings, consistent results can only be obtained if the tools used are reliable and trusted. The paper examines how unsuitable digital forensic tools lead to unreliable results, which significantly undermines the integrity of forensic investigations. It emphasizes the necessity of reliable tools for maintaining the credibility of forensic evidence and notes that inconsistencies in tool performance can compromise legal proceedings.
G. Maria Jones et al. [6], in their 2022 paper ”An Insight into Digital Forensics: History, Frameworks, Types, and Tools”, discuss the evolution and foundations of digital forensics, including its history, methodologies, and frameworks. The chapter explores the various types of digital forensics and the tools employed in evidence collection and analysis. It emphasizes the critical role of structured frameworks in ensuring the reliability and accuracy of forensic investigations. The authors also highlight the importance of advanced tools in addressing the challenges posed by rapidly evolving technologies and underscore the need for continuous innovation to keep forensic practice aligned with the dynamic nature of digital evidence.
Soumi Banerjee et al. [7], in their 2022 paper ”Digital Forensics as a Service: Analysis for Forensic Knowledge”, discuss the concept of Digital Forensics as a Service (DFaaS) and its application in forensic investigations. The chapter highlights how DFaaS enables efficient collection, processing, and analysis of digital evidence through cloud-based solutions. It emphasizes the importance of collaboration among stakeholders to enhance forensic knowledge and streamline investigations. The authors further explore the benefits of DFaaS, such as scalability, accessibility, and cost-effectiveness, while addressing challenges such as data security and privacy in adopting such solutions.
Anita Patil et al. [8], in their 2022 paper ”Roadmap of Digital Forensics Investigation Process with Discovery of Tools”, outline a comprehensive roadmap for conducting digital forensic investigations. The chapter emphasizes the importance of following structured processes to ensure the accuracy and reliability of findings. It explores various digital forensic tools and their applicability at different stages of the investigative process, highlighting the need for constant evaluation and upgrading of these tools to address emerging technological challenges. The authors also stress the importance of collaboration among forensic experts, law enforcement, and technology developers to improve investigative methodologies and ensure the integrity of digital evidence.
Adnan Ahmed et al. [9], in their 2022 paper ”Privacy of Web Browsers: A Challenge in Digital Forensics”, examine the privacy challenges that web browsers pose for digital forensic investigations. The chapter discusses how modern browsers incorporate features designed to protect user privacy, which can complicate evidence collection and analysis. The authors highlight the need for advanced forensic tools and techniques that address these challenges while maintaining the balance between user privacy and effective forensic practice. They also explore potential approaches for extracting digital evidence without crossing legal and ethical boundaries, emphasizing adherence to privacy laws and regulations during investigations.
Mohamed Chahine Ghanem et al. [10], in their 2023 paper ”D2WFP: A Novel Protocol for Forensically Identifying, Extracting, and Analysing Deep and Dark Web Browsing Activities”, introduce a protocol named D2WFP designed to help digital forensic investigators collect and analyze evidence from the deep and dark web. The protocol provides a structured approach for identifying and extracting relevant artifacts, enhancing the effectiveness of investigations involving these hidden parts of the internet. The paper also highlights the challenges posed by deep and dark web activity and suggests ways to ensure effective forensic analysis.
Fran Casino et al. [11], in their 2022 paper ”Research Trends, Challenges, and Emerging Topics in Digital Forensics”, provide an in-depth exploration of the current landscape of digital forensics, focusing on the latest research trends and the challenges faced by forensic experts. The paper identifies significant emerging topics such as cloud forensics, mobile device forensics, and the role of machine learning and artificial intelligence in forensic investigations. It also highlights the growing complexity of digital evidence due to advances in technologies such as encryption, virtualization, and the Internet of Things (IoT). The authors discuss how these developments pose new challenges for practitioners, including the need for specialized tools and techniques to handle increasingly complex data, and emphasize the importance of collaboration between researchers, law enforcement agencies, and industry professionals. The paper concludes by suggesting areas for future research, such as improving data recovery techniques, enhancing privacy protection in investigations, and developing standardized forensic methodologies to ensure the integrity of evidence.
Dipo Dunsin et al. [12], in their 2023 paper ”A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response”, examine the growing influence of artificial intelligence (AI) and machine learning (ML) in digital forensics and incident response. The paper explores how AI and ML techniques are being integrated into the stages of forensic investigation, from data collection and analysis to pattern recognition and threat detection. It highlights the potential of AI-driven tools to automate tedious tasks, improve the accuracy of evidence analysis, and help forensic experts identify emerging cyber threats. The authors also discuss the challenges of incorporating AI and ML into forensics, including the interpretability of algorithms, data bias, and the ethical implications of using automated systems in legal proceedings. The paper emphasizes the need for further research to refine AI-based forensic tools and to develop methods that ensure these technologies can be used reliably and ethically in criminal investigations.
Annas Wasim Malik et al. [13], in their 2022 paper ”Cloud Digital Forensics: Beyond Tools, Techniques, and Challenges”, explore the rapidly evolving field of cloud digital forensics. They analyze the challenges investigators face in cloud environments, including data storage, jurisdictional complexity, and the dynamic nature of cloud computing. The paper highlights the limitations of traditional digital forensic techniques in cloud environments and emphasizes the need for new tools and methodologies. It also discusses the unique characteristics of cloud-based evidence, such as the shared responsibility model, the need for cloud-specific forensic tools, and the difficulty of preserving the integrity of evidence. The authors conclude that as cloud technology evolves, digital forensics must adapt to ensure effective investigation and evidence collection in the cloud.
Krishna Sanjay Vaddi et al. [14], in their 2023 paper ”Enhancements in the World of Digital Forensics”, review recent advances in the field. The paper examines the integration of emerging technologies such as artificial intelligence, machine learning, and cloud computing, which are transforming forensic investigation. It discusses how these technologies have led to more efficient and accurate forensic tools, enabling investigators to process large volumes of data and detect complex digital evidence more effectively. The authors also highlight challenges related to privacy, data integrity, and the ethical implications of advanced forensic techniques, and conclude by emphasizing the need for continuous innovation in tools and methodologies to keep pace with technology and cyber threats.
Alec Noland et al. [15], in their 2022 paper ”Current Challenges of Digital Forensics”, provide an in-depth review of the major obstacles faced by digital forensic professionals in contemporary investigations. The paper focuses on the increasing complexity of digital evidence, including the challenges posed by cloud storage, mobile devices, and encrypted data. The authors also discuss the limitations of current forensic tools and methodologies, which struggle to keep up with the rapid evolution of technology, and address the issue of jurisdiction, since digital evidence often spans multiple legal boundaries. They suggest that interdisciplinary collaboration, improved tool development, and better education for practitioners are essential to overcoming these challenges.
Graeme Horsman [16], in his 2019 paper ”Tool Testing and Reliability Issues in the Field of Digital Forensics”, addresses the challenges of testing digital forensic tools and establishing their reliability. The paper highlights the critical importance of ensuring that the tools used in investigations are both effective and reliable, so that evidence is collected and analyzed without compromise. Horsman discusses the inherent difficulties of testing forensic tools, including replicating real-world conditions and the rapid evolution of technology that can quickly make tools outdated. He also explores the risks of using unreliable tools, such as inaccurate evidence or tool failure at critical stages of an investigation. The paper calls for standardized testing protocols, greater transparency about tool performance, and collaboration between developers, users, and researchers so that digital forensic tools maintain their credibility in legal proceedings.
Asheesh Tiwari et al. [17], In their 2022 paper, ”Developing Trends and Challenges
of Digital Forensics” The paper focuses on the growing importance of digital forensics
in addressing the increasing threats of data breaches and cybercrimes. Digital forensics
involves identifying, acquiring, analyzing, and reporting digital evidence, using specialized
techniques to discover traces of cybercrimes. With the rise of cyber threats, such as
data breaches and information hacks, the demand for digital forensics has surged. The
field is crucial in preserving and analyzing digital evidence in various forms, including
IoT forensics, cloud forensics, network forensics, and social media forensics. The paper
highlights recent trends in these areas and emphasizes the need for forensic investigators to
keep pace with an increasingly complex digital landscape. It also addresses the importance of
preserving digital evidence to ensure its integrity, so that evidence is not compromised and
can be presented in court without alteration. This research provides valuable insights
into the role of digital forensics in contemporary cyber investigations.
Sanjeev Shukla et al. [18], in their paper “Email Spoofing Detection Using Memory
Forensics,” presented at ICCNS ’20 (Proceedings of the 2020 10th International Conference
on Communication and Network Security), address the challenge of detecting email spoofing,
a common type of email attack
where the sender’s email address is manipulated to appear genuine. The paper builds
on previous research and proposes a novel approach using memory forensics to detect
spoofed emails. Instead of capturing the entire memory dump, the approach focuses on
extracting the browser’s live running processes and analyzing email headers. This method
reduces the size of the memory dump, speeding up the detection process. Additionally,
the authors introduce a detection algorithm that overcomes limitations of previous methods,
such as message ID-based detection failures, by using nslookup to fetch MX records
for more accurate identification of genuine emails. The paper emphasizes the advantage
of using memory forensics in email spoofing detection, as it ensures non-repudiation of
the user’s digital footprint in physical memory. Performance analysis shows that the task
can be completed in approximately one minute with high accuracy and minimal false
positives, all without disrupting the normal operation of the machine.
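To make the header-comparison step of this method concrete, the following Python script is an added illustration written for this report; it is not the code of Shukla et al. [18]. It assumes that the email headers have already been recovered (two constructed, non-real messages are embedded inline) and replaces the live nslookup MX query with an injected lookup table (FAKE_MX, an assumption) so that it runs offline. The Return-Path comparison is an extra heuristic of this example and is not part of the cited method.

```python
# Added example for this report (not the code of Shukla et al. [18]).
# Compares the originating host in the Received chain against the MX hosts of the
# From-address domain. The MX lookup is injected (FAKE_MX) so the check runs offline;
# in a live deployment it would be replaced by `nslookup -type=mx <domain>`.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail, not taken from the paper).
GENUINE = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Quarterly report
Message-ID: <20240101.1234@mail.example.org>
Received: from mx1.example.org (mx1.example.org [203.0.113.10])
    by mail.example.net with ESMTP id abc123
    for <bob@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Return-Path: <alice@example.org>

Report attached.
"""

SPOOFED = """\
From: Alice <alice@example.org>
To: bob@example.net
Subject: Urgent wire transfer
Message-ID: <20240101.9999@mail.example.org>
Received: from relay.attacker-host.test (relay.attacker-host.test [198.51.100.7])
    by mail.example.net with ESMTP id def456
    for <bob@example.net>; Mon, 1 Jan 2024 10:05:00 +0000
Return-Path: <bounce@attacker-host.test>

Please wire the funds today.
"""

# Constructed MX table standing in for the nslookup results (assumption, not real DNS).
FAKE_MX = {
    "example.org": ["mx1.example.org.", "mx2.example.org."],
    "attacker-host.test": ["relay.attacker-host.test."],
}

RECEIVED_FROM = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def lookup_mx(domain, resolver=FAKE_MX):
    """Return normalised MX host names for a domain (trailing dot and case removed)."""
    return [h.lower().rstrip(".") for h in resolver.get(domain.lower(), [])]


def address_domain(header_value):
    """Domain part of the first address in a From/Return-Path header, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the bottom-most Received header, i.e. the hop nearest the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = RECEIVED_FROM.search(str(received[-1]))
    return match.group(1).lower().rstrip(".") if match else ""


def analyse(raw_message, resolver=FAKE_MX):
    """Flag a message as spoofed when its originating host is not an MX host of the
    From domain (the cited idea) or when Return-Path disagrees with From (added heuristic)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = address_domain(msg.get("From"))
    host = originating_host(msg)
    mx_hosts = lookup_mx(from_domain, resolver)
    reasons = []
    if not host:
        reasons.append("no Received header available for verification")
    elif host not in mx_hosts and not host.endswith("." + from_domain):
        reasons.append(f"originating host {host} is not an MX host of {from_domain}")
    return_path_domain = address_domain(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    return {
        "from_domain": from_domain,
        "originating_host": host,
        "mx_hosts": mx_hosts,
        "spoofed": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, analyse(raw))
```

Replacing the FAKE_MX table with a real resolver turns this into the live check. Two caveats apply in practice: the bottom-most Received header is used because it records the hop nearest the sender, but every Received line below the one added by the investigator's own mail server can be forged by the sender, so the result should be corroborated with SPF and DKIM results where the headers carry them; and a legitimate sender whose outbound relay is not also its inbound MX will produce a false positive, which is why the check also accepts hosts inside the From domain.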
Maryam Hina [19], in her 2021 paper, “Email Classification and Forensics Analysis
using Machine Learning,” the author explores the challenges posed by the massive in-
crease in email data, which complicates the management and forensic analysis of emails.
While emails have traditionally been classified based on factors like sender, size, and
date, there is a growing need for content-based classification. The paper introduces a
multi-label email classification approach to organize emails, particularly for forensic in-
vestigations involving large datasets, such as disk images of email servers. A comparative
study of machine learning algorithms for email classification is presented, with Logistic
Regression being identified as the most accurate method, outperforming Naive Bayes,
Stochastic Gradient Descent, Random Forest, and Support Vector Machine. The experiments,
conducted on benchmark datasets, show that Logistic Regression achieves the highest
accuracy, 91.9%, when using bi-gram features. This method could
significantly aid investigators in solving email-related crimes by providing efficient and
accurate email classification for forensic analysis.
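As an added illustration of the bi-gram, multi-label classification pipeline described above (written for this report, not code from Hina [19]), the following Python builds bi-gram count features and trains one logistic-regression classifier per label (one-vs-rest) with plain stochastic gradient descent, so that it needs no external libraries. The eight-message corpus and its labels are constructed for the example; the figures it produces say nothing about the 91.9% benchmark result.

```python
# Added example for this report (not the code of Hina [19]): bi-gram features plus
# one-vs-rest logistic regression for multi-label email classification, in pure Python.
import math
import re
from collections import Counter

# Constructed toy corpus: (message text, set of labels). Not a real dataset.
CORPUS = [
    ("please find the invoice attached for payment due friday", {"finance"}),
    ("invoice attached payment overdue please remit", {"finance"}),
    ("wire transfer request urgent payment today", {"finance", "urgent"}),
    ("urgent reset your password now account locked", {"urgent", "credential"}),
    ("your password expires reset password today", {"credential"}),
    ("meeting moved to monday see agenda attached", {"meeting"}),
    ("agenda for monday meeting attached", {"meeting"}),
    ("urgent meeting today at noon", {"meeting", "urgent"}),
]


def bigrams(text):
    """Counter of adjacent word pairs in lower-cased text."""
    tokens = re.findall(r"[a-z0-9']+", text.lower())
    return Counter(zip(tokens, tokens[1:]))


def build_vocab(texts):
    """Map every bi-gram seen in the training texts to a feature index."""
    vocab = {}
    for text in texts:
        for gram in bigrams(text):
            vocab.setdefault(gram, len(vocab))
    return vocab


def featurize(text, vocab):
    """Sparse feature vector {index: count}; bi-grams unseen in training are dropped."""
    return {vocab[g]: n for g, n in bigrams(text).items() if g in vocab}


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_ovr(samples, vocab, epochs=300, lr=0.3):
    """One logistic-regression model per label (one-vs-rest), trained by SGD on log-loss."""
    feats = [featurize(text, vocab) for text, _ in samples]
    labels = sorted({label for _, label_set in samples for label in label_set})
    models = {}
    for label in labels:
        weights, bias = [0.0] * len(vocab), 0.0
        targets = [1.0 if label in label_set else 0.0 for _, label_set in samples]
        for _ in range(epochs):
            for x, y in zip(feats, targets):
                p = sigmoid(bias + sum(weights[i] * n for i, n in x.items()))
                grad = p - y                      # d(log-loss)/d(logit)
                bias -= lr * grad
                for i, n in x.items():
                    weights[i] -= lr * grad * n
        models[label] = (weights, bias)
    return models


def predict(text, vocab, models, threshold=0.5):
    """Return (set of labels with probability >= threshold, per-label probabilities)."""
    x = featurize(text, vocab)
    scores = {label: sigmoid(b + sum(w[i] * n for i, n in x.items()))
              for label, (w, b) in models.items()}
    return {label for label, s in scores.items() if s >= threshold}, scores


if __name__ == "__main__":
    vocab = build_vocab([text for text, _ in CORPUS])
    models = train_ovr(CORPUS, vocab)
    for text, labels in CORPUS:
        print(sorted(labels), "->", sorted(predict(text, vocab, models)[0]))
    print(predict("invoice attached please pay", vocab, models)[1])
```

The point the toy makes visible is the trade-off behind bi-gram features: they capture phrases such as "invoice attached" that single words miss, but any bi-gram absent from the training vocabulary contributes nothing, so a message made only of unseen pairs falls back to the per-label bias. On a real mailbox the vocabulary must therefore be built from a representative, time-ordered training split, and the threshold tuned per label rather than fixed at 0.5.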
Reza Montasari [20], in his 2021 paper, “Next-Generation Digital Forensics: Challenges
and Future Paradigms,” addresses the rapid advancements in Information and
Communications Technology (ICT), including the Internet of Things (IoT),
Cloud-Based Services (CBS), Cyber-Physical Systems (CPS), and mobile devices, which
have greatly benefited technologically advanced societies. However, these technologies
have also introduced new security threats, leading to an increased need for Digital Foren-
sic Investigations (DFIs) and a growing backlog of cases for law enforcement agencies
(LEAs) worldwide. The paper evaluates the current state of Digital Forensics (DF) and
highlights two key contributions. First, it identifies the most challenging technical ob-
stacles faced by LEAs and Digital Forensic Experts (DFEs). Second, it proposes specific
future research directions aimed at helping both LEAs and DFEs develop new approaches
to combat cyber-attacks. The study emphasizes the need for innovative research to ad-
dress the growing complexity of digital forensics in the face of emerging security threats.
Nina Sunde [21], in her 2019 paper, “Cognitive and Human Factors in Digital Forensics:
Problems, Challenges, and the Way Forward,” highlights the importance
of digital forensics as a growing field within forensic science. Previous research on miscar-
riages of justice and misleading evidence has identified human error, particularly cognitive
bias, as a significant issue in forensic disciplines. Despite this, digital forensics has not yet
fully addressed the impact of cognitive bias on its processes. The paper aims to contribute
to a more scientifically robust digital forensics domain by examining cognitive bias as a
potential source of error. The author presents an analysis of seven specific sources of
cognitive and human error in the digital forensics process and discusses potential coun-
termeasures. The paper concludes that while some cognitive biases are common across
forensic disciplines, others are unique to digital forensics due to its specific characteristics.
The study calls for new research directions that focus on understanding and mitigating
cognitive and human factors in digital forensics to enhance the reliability and accuracy
of forensic investigations.
Aaron Jarrett and Kim-Kwang Raymond Choo [22], in their 2021 paper, “The Impact
of Automation and Artificial Intelligence on Digital Forensics,” the authors explore the
integration of Artificial Intelligence (AI), including Machine Learning and Deep Learning,
and automation within the field of digital forensics. AI and automation are currently revo-
lutionizing various industries by enhancing efficiency, accuracy, and cost-effectiveness. In
digital forensics, AI-powered technologies are being employed to automate and streamline
forensic processes, reducing the need for manual labor and decreasing costs, which in-
creases the potential return on investment. The paper highlights how AI and automation
are being adopted by law enforcement agencies, particularly in the US, to improve the
accuracy and impact of digital forensic investigations. By incorporating these technolo-
gies, forensic teams can process and analyze digital evidence more effectively, ultimately
enabling the resolution of more cases. The authors emphasize that the ongoing advance-
ments in AI and automation are set to significantly enhance the field of digital forensics,
providing greater efficiency and more reliable results in investigating digital crimes.
Noora Al Mutawa et al. [23], in their 2019 paper, “Behavioural Digital Forensics
Model: Embedding Behavioural Evidence Analysis into the Investigation of Digital
Crimes,” address the limited adoption of Behavioural Evidence Analysis
(BEA) within the digital forensics investigation process, despite its recognized poten-
tial. The paper proposes the Behavioural Digital Forensics Model, a multidisciplinary
approach that incorporates BEA into the in-lab investigation of seized devices involved
in interpersonal digital crimes (i.e., crimes involving human interactions between offenders
and victims). The model was designed based on the application of traditional BEA
phases to 35 real cases and was evaluated using five digital crime cases from the Dubai
Police archive. The study reveals that the BEA-driven model offers several advantages
over traditional digital forensics methods. It enables a more focused investigation, helps
identify the location of additional relevant evidence, and provides deeper insights into
victim/offender behaviors, including the possible motivations and modus operandi of of-
fenders. The model also facilitates a better understanding of the dynamics of the crime
and, in some cases, allows for the identification of suspects’ collaborators—something
that traditional methods failed to uncover. The paper highlights the potential of BEA
to improve the effectiveness of digital forensics investigations by integrating behavioral
analysis into the process.
Mark Scanlon et al. [24], in their 2023 paper, “ChatGPT for Digital Forensic
Investigation: The Good, the Bad, and the Unknown,” explore the potential
applications and limitations of ChatGPT (GPT-3.5, GPT-4) within the field of digital
forensics. The paper assesses the impact of Large Language Models (LLMs) such as GPT-
4 on various digital forensic tasks, including artefact understanding, evidence searching,
code generation, anomaly detection, incident response, and education. Through a series
of experiments, the authors examine the strengths and risks of ChatGPT in these use
cases. They highlight that while there are some low-risk applications where ChatGPT
could be useful, such as assisting with certain analytical tasks, its broader use in digital
forensics is hindered by concerns related to uploading evidence, as well as the need for the
user to possess sufficient knowledge to detect inaccuracies and mistakes in the responses.
The paper concludes that ChatGPT could serve as a supporting tool in digital forensics,
but its reliability and utility are limited by current technology and user expertise.
Gulshan Kumar et al. [25], in their 2021 paper, “Internet-of-Forensic (IoF): A
Blockchain-Based Digital Forensics Framework for IoT Applications,” the authors propose
a new framework to address the challenges of digital forensics in the Internet-of-Things
(IoT) paradigm. The paper highlights issues such as the heterogeneity of devices, lack
of transparency in evidence processing, and cross-border legalities in cloud forensics. To
overcome these challenges, the authors introduce the Internet-of-Forensics (IoF) frame-
work, which utilizes blockchain technology to ensure decentralization, transparency, and
distributed computing in digital forensic investigations. IoF includes a blockchain-based
case chain for managing chain-of-custody and evidence chains, and it applies consensus
mechanisms to address cross-border legal concerns. The framework also incorporates
programmable lattice-based cryptographic primitives to reduce complexity and optimize
power usage, making it suitable for a wide range of IoT devices. Through experiments
and comparisons with existing frameworks, the paper demonstrates IoF’s efficiency in
terms of time consumption, memory and CPU utilization, gas consumption, and energy
analysis, establishing it as a promising solution for IoT digital forensics.
Jung Hyun Ryu et al. [26], in their 2019 paper, “A Blockchain-Based Decentralized
Efficient Investigation Framework for IoT Digital Forensics,” address the
challenges posed by the Internet of Things (IoT) in digital forensics. They highlight the
limitations of current forensic tools and frameworks, which fail to handle the heterogene-
ity and distribution inherent in IoT environments. To overcome these issues, the authors
propose a blockchain-based digital forensics framework specifically designed for IoT in-
frastructures. In this framework, all communications from IoT devices are recorded on
the blockchain as transactions, enhancing the chain of custody process and ensuring the
integrity and security of digital evidence. The decentralized nature of blockchain tech-
nology makes data preservation more reliable, while the public distributed ledger allows
transparent verification of the investigation process by all stakeholders, including device
users, manufacturers, investigators, and service providers. The authors support their pro-
posal with a proof-of-concept simulation, demonstrating the feasibility and effectiveness
of their model for IoT digital forensics.
Alisha Asquith et al. [27], in their 2019 paper, “Let the Robots Do It! – Taking a Look
at Robotic Process Automation and Its Potential Application in Digital Forensics,” the
authors explore the role of automation in addressing challenges faced by digital forensics,
particularly in handling increasing caseloads, large volumes of digital data, and tight
deadlines within the criminal justice system. The paper introduces Robotic Process
Automation (RPA) as a potential solution for improving the efficiency of digital forensic
examinations. It discusses the benefits of mechanizing parts of the forensic process and
highlights the challenges in developing reliable automation capabilities. The authors
provide two case studies to demonstrate possible areas where RPA could be applied
and offer an objective evaluation of the technology’s potential impact on improving the
efficiency and effectiveness of digital forensics. The paper ultimately debates whether
automation has a place in enhancing digital forensic workflows.
Sara Ferreira et al. [28], in their 2021 paper, “Exposing Manipulated Photos and
Videos in Digital Forensics Analysis,” discuss the growing challenge of detecting
tampered multimedia content, particularly in the context of cybercrimes such as
fake news, digital kidnapping, and ransomware. The paper presents a machine learning-
based method using Support Vector Machines (SVM) to differentiate between genuine
and manipulated photos and videos, including deepfake content. The method was im-
plemented in Python and integrated into the popular digital forensics tool, Autopsy. By
applying a Discrete Fourier Transform (DFT) to digital photos and video frames, the
method extracts simple features to identify tampered multimedia. The results of
5-fold cross-validation showed strong performance, with average F1-scores
of 99.53% for photos, 79.55% for videos, and 89.10% for a
combination of both types of content. While deep learning techniques like Convolutional
Neural Networks (CNN) outperformed the SVM-based method, the reduced processing
time and competitive results make the DFT-SVM approach suitable for integration into
Autopsy for automated digital forensic investigations.
Ezz El-Din Hemdan et al. [29], in their 2021 paper, “An Efficient Digital Forensic
Model for Cybercrimes Investigation in Cloud Computing,” the authors present a Cloud
Forensics Investigation Model (CFIM) designed to address the challenges of investigating
cybercrimes in cloud environments. As organizations increasingly adopt cloud computing
for its cost-effective services, the paper highlights the complexities of digital forensics in
the cloud due to issues such as virtualization, distribution, and the dynamic nature of
cloud systems. The proposed model introduces the concept of Forensic as a Service
(FaaS), which allows digital forensics to be conducted through a forensic server on the
cloud side. This approach is shown to provide a more efficient and timely solution for
investigating cybercrimes in the cloud, helping investigators navigate the intricate legal,
organizational, and technical challenges. The investigational results demonstrate that the
system can assist digital forensics professionals in conducting investigations in a proficient
manner.
Xiaolu Zhang et al. [30], in their 2020 paper, “IoT Botnet Forensics: A Comprehensive
Digital Forensic Case Study on Mirai Botnet Servers,” the authors present a comprehen-
sive digital forensic analysis of the Mirai botnet, a well-known IoT bot malware family.
While previous research has focused on the botnet architecture and the source code of
Mirai and its variants through traditional malware analysis, this study is the first to
fully and forensically analyze the infected devices and network devices associated with
the Mirai botnet. The authors set up a fully functioning Mirai botnet network architec-
ture and conduct an in-depth forensic investigation on various components, including the
attacker’s terminal, command and control (CNC) server, database server, scan receiver,
loader, and the network packets generated. The paper highlights the forensic artifacts left
on these devices, such as IP addresses of bot members, and explores methods for remote
artifact acquisition, without needing direct physical access to the botnet server. The
research offers tactical insights for forensic investigators, guiding them on which devices
to target for acquisition and investigation to obtain the most valuable evidence.
Mehran Pourvahab et al. [31] in their 2019 paper, ”Digital Forensics Architecture
for Evidence Collection and Provenance Preservation in IaaS Cloud Environment Using
SDN and Blockchain Technology,” present a novel digital forensics architecture aimed at
enhancing the reliability of evidence collection and preservation in cloud environments.
This architecture addresses the problem of centralized evidence collection, which
undermines the reliability of digital evidence, by using Software-Defined Networking (SDN)
and Blockchain technology in an Infrastructure-as-a-Service (IaaS) cloud. The proposed
system collects and preserves evidence in a distributed blockchain network, ensuring
decentralized storage and traceability. To prevent unauthorized access, a Secure Ring
Verification-based Authentication (SRVA) scheme is introduced, and Harmony Search
Optimization (HSO) is employed to optimally generate secret keys. Data is encrypted
based on its sensitivity using the Sensitivity Aware Deep Elliptic Curve Cryptogra-
phy (SA-DECC) algorithm, and the history of data is recorded as metadata within the
blockchain, with each block containing a Merkle hash tree built using the Secure Hashing
Algorithm-3 (SHA-3). The system also integrates Fuzzy-based Smart Contracts (FCS) to
allow users to trace their data. The forensic analysis is conducted by constructing a
Logical Graph of Evidence (LGoE) collected from the blockchain. Experimental results
demonstrate that the proposed architecture offers promising performance improvements
in response time, evidence insertion and verification time, communication overhead, key
generation time, and encryption and decryption efficiency. The system shows its potential
for improving cloud forensics by ensuring more secure and efficient evidence handling.
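The chain-of-custody ledgers proposed in [25] and [26] and the architecture of Pourvahab et al. [31] share one core mechanism: each block commits to a batch of evidence records through a Merkle tree and is linked to the previous block by hash, so that any later change to a record or a block is detectable. The following Python is an added illustration written for this report, not the code of any of these papers. It uses SHA3-256 from the standard library for both the Merkle tree and the block link, keeps the ledger in memory rather than on a distributed network, and omits the SDN, SRVA, HSO and SA-DECC components of [31]; the evidence records and their hashes are constructed.

```python
# Added example for this report (not code from [25], [26] or [31]): a minimal custody
# ledger whose blocks commit to evidence records through a SHA3-256 Merkle tree and link
# to the previous block by hash, with inclusion proofs so a single record can be traced.
import hashlib
import json


def sha3(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()


def record_hash(record: dict) -> str:
    """Canonical (sorted-key JSON) SHA3-256 of one custody record."""
    return sha3(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())


def _pair(left_hex: str, right_hex: str) -> str:
    return sha3(bytes.fromhex(left_hex) + bytes.fromhex(right_hex))


def merkle_root(leaves):
    """Root over leaf hashes; an odd-length level duplicates its last node."""
    if not leaves:
        return sha3(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [_pair(a, b) for a, b in zip(level[::2], level[1::2])]
    return level[0]


def merkle_proof(leaves, index):
    """Sibling path for leaf `index`: list of (sibling_hash, sibling_is_on_right)."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append((level[index ^ 1], index % 2 == 0))
        level = [_pair(a, b) for a, b in zip(level[::2], level[1::2])]
        index //= 2
    return proof


def verify_proof(leaf, proof, root):
    """Recompute the root from a leaf and its sibling path."""
    h = leaf
    for sibling, sibling_right in proof:
        h = _pair(h, sibling) if sibling_right else _pair(sibling, h)
    return h == root


def block_hash(block):
    """Hash over the header fields only; the records are covered by merkle_root."""
    header = {k: block[k] for k in ("index", "prev", "actor", "merkle_root")}
    return sha3(json.dumps(header, sort_keys=True, separators=(",", ":")).encode())


class CustodyChain:
    GENESIS_PREV = "0" * 64

    def __init__(self):
        self.blocks = []

    def append(self, records, actor):
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS_PREV
        block = {"index": len(self.blocks), "prev": prev, "actor": actor,
                 "merkle_root": merkle_root([record_hash(r) for r in records]),
                 "records": list(records)}
        block["hash"] = block_hash(block)
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Recompute every Merkle root, header hash and link; return (ok, reason)."""
        prev = self.GENESIS_PREV
        for i, block in enumerate(self.blocks):
            if block["index"] != i or block["prev"] != prev:
                return False, f"block {i}: broken link to previous block"
            if merkle_root([record_hash(r) for r in block["records"]]) != block["merkle_root"]:
                return False, f"block {i}: record tampered (Merkle root mismatch)"
            if block_hash(block) != block["hash"]:
                return False, f"block {i}: header tampered"
            prev = block["hash"]
        return True, "ok"


def demo_chain():
    """Build a chain from constructed custody events (not real case data)."""
    image_hash = hashlib.sha256(b"constructed disk image bytes").hexdigest()
    dump_hash = hashlib.sha256(b"constructed memory dump").hexdigest()
    chain = CustodyChain()
    chain.append([
        {"evidence_id": "E-001", "action": "acquired", "sha256": image_hash, "at": "2024-01-01T09:00Z"},
        {"evidence_id": "E-002", "action": "acquired", "sha256": dump_hash, "at": "2024-01-01T09:30Z"},
        {"evidence_id": "E-001", "action": "hash_verified", "sha256": image_hash, "at": "2024-01-01T10:00Z"},
    ], actor="examiner-1")
    chain.append([
        {"evidence_id": "E-001", "action": "transferred", "to": "lab-2", "at": "2024-01-02T08:00Z"},
    ], actor="custodian-1")
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print(chain.verify())
    chain.blocks[0]["records"][2]["action"] = "deleted"   # simulate tampering
    print(chain.verify())
```

Two design points carry over to the real systems: records are hashed in a canonical serialisation (sorted keys, no whitespace), because any two parties that serialise differently will disagree about the same record; and the header hash covers the Merkle root rather than the records themselves, so a party holding only the headers can still verify the chain and check an individual record against it with the inclusion proof. What the in-memory version cannot provide is the property the papers rely on the distributed ledger for: an attacker who controls the only copy can simply rewrite every block, so the headers must be replicated to parties the examiner does not control.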
Jian Du et al. [32] in their 2022 paper, ”Digital Forensics as Advanced Ransomware
Pre-Attack Detection Algorithm for Endpoint Data Protection,” address the increasing
threat of ransomware, which has caused significant harm to individuals, organizations,
and public services. With over three million users affected and ransom payments exceeding
25 billion in 2019, the paper proposes an intelligent solution for detecting ransomware
pre-attacks on endpoint systems using a combination of K-Nearest Neighbors (KNN) and
density-based machine learning algorithms. The paper emphasizes the importance of data
preprocessing and feature engineering techniques in enhancing the KNN
algorithm for ransomware detection. The proposed method offers a more effective way to
detect and prevent ransomware pre-attack execution, improving the security posture of
endpoint systems. The algorithm’s superior predictive capabilities make it a promising
tool for anti-malware and anti-ransomware solution providers to enhance their detection
solutions. The results indicate that the KNN and density-based algorithm outperforms
other machine learning approaches, offering higher accuracy for ransomware detection
and providing valuable support for cybersecurity professionals and vendors.
Dohyun Kim et al. [33], in their 2020 study, “A Study on the Digital Forensic
Investigation Method of Clever Malware in IoT Devices,” address the escalating threat
of sophisticated malware targeting IoT devices and interconnected systems. Such malware
exploits social engineering techniques to infiltrate networks, leveraging the constant
connectivity of IoT devices to mobile and computing systems. The study proposes a digi-
tal forensic framework for rapidly detecting and analyzing intelligent malware on devices
running Android and Linux operating systems. By classifying malware characteristics
and applying digital forensic techniques, the research enhances malware investigation ca-
pabilities. The proposed method was validated through two real-world malware cases,
demonstrating its effectiveness in identifying and analyzing malware intrusions. The
findings provide valuable insights and tools for improving IoT security and combating
increasingly advanced malware in IoT ecosystems.
Syed Shakir Hameed Shah et al. [34], in their 2022 work, “Memory Forensics-Based
Malware Detection Using Computer Vision and Machine Learning,” address the growing
threat posed by sophisticated malware, including Advanced Persistent Threats (APTs).
With the increasing accessibility of tools like malware constructors, email flooders, and
spoofers, creating malware variants has become easier even for non-technical users. Tra-
ditional malware detection techniques, such as static and dynamic analyses, are often in-
effective against new malware variants, especially those residing in a computer’s volatile
memory, and demand substantial expertise, training time, and memory. To overcome
these limitations, the authors propose a computer vision-based malware detection method
focused on memory forensics. Their technique extracts memory dump files from a vir-
tualized environment, transforms them into image formats, and applies contrast-limited
adaptive histogram equalization and wavelet transform to enhance contrast and reduce
entropy. Using machine learning classifiers such as support vector machine, random forest,
decision tree, and XGBoost, they train models on image datasets with dimensions
of 112 × 112 and 56 × 56. The method achieves an accuracy of 97.01%, with
a precision of 97.36%, recall of 95.65%, and F1-score of 96.36%.
The findings highlight the technique’s efficiency in feature preparation, leading
to superior performance in accuracy, speed, memory usage, and classification metrics,
surpassing many existing approaches.
Muhammad Ali et al. [35], in their 2019 work, “A Proactive Malicious Software
Identification Approach for Digital Forensic Examiners,” address the challenges faced by
investigators in differentiating between legitimate user actions and malware-driven activ-
ities, especially in cases where malware is responsible for criminal actions. Traditional
reliance on Anti-Virus (AV) tools has proven inadequate due to the rise of zero-day at-
tacks and errors in AV systems. To enhance investigative efficiency, the authors explore
malware behavior across various Windows operating systems (Windows 7, 8.1, and 10)
by analyzing interactions of 90 malware samples from three prevalent categories—Trojan,
Worm, and Bot—along with 90 benign samples through the Windows Registry. Their
study identifies significant patterns in how malware modifies key Registry areas, enabling
the development of predictive models for malware detection. Using classifiers such as
Neural Network, Random Forest, Decision Tree, Boosted Tree, and Logistic Regression,
the authors found that the Boosted Tree classifier provided over 72% accuracy in
classifying malware types. This proactive approach offers investigators a faster, indepen-
dent alternative to AV tools, allowing them to identify potential malware more effectively.
The integration of these findings into forensic tools holds promise for streamlining digital
investigations and improving accuracy in malware detection.
Francesco Zola et al. [36], in their 2023 work, “Temporal Analysis of Distribution
Shifts in Malware Classification for Digital Forensics,” investigate the challenges posed by
the evolving nature of malware on machine learning (ML)-based malware classification
models. While ML approaches demonstrate high accuracy in static scenarios, their perfor-
mance deteriorates over time due to malware’s rapid evolution, a phenomenon known as
concept drift, which exposes stakeholders to security risks when models become outdated.
The authors propose a three-step approach to explore forensic implications of model fail-
ures. First, they evaluate the impact of concept drift using a rolling window approach for
training dataset selection. Second, they assess model drift by analyzing varying amounts
of temporal information in the training dataset. Finally, they conduct misclassification
and feature analyses to identify drift causes and enhance result interpretation. Their find-
ings reveal that even models trained on larger datasets are susceptible to performance
drops over time, underscoring the need to train models on recent data and retrain them
periodically to mitigate concept drift and maintain classification performance, offering
valuable insights for improving malware detection in digital forensics.
David Okore Ukwen et al. [37], in their 2021 work, “Review of NLP-based Systems
in Digital Forensics and Cybersecurity,” examine the increasing adoption of Artificial
Intelligence (AI), particularly Natural Language Processing (NLP), by digital forensics
and cybersecurity professionals to address cybercrime. NLP and AI applications in these
fields encompass areas such as data mining, knowledge representation, pattern recog-
nition, and expert systems. The paper provides a comprehensive literature review on
the role, applications, challenges, and future directions of NLP-based systems in digital
forensics and cybersecurity. It serves as both a guide for researchers and practitioners to
understand the current state of the field and a roadmap for future advancements,
emphasizing the potential of AI and NLP to make strategies for combating cybercrime
more efficient and effective.
Amir Djenna et al. [38], in their 2023 work, “Artificial Intelligence-Based Malware
Detection, Analysis, and Mitigation,” address the increasing sophistication of malware
as a major cyber threat, emphasizing its ability to evade detection and hinder real-time
digital forensic investigations. The authors propose a novel approach combining dynamic
deep learning-based methods with heuristic strategies to detect and classify five modern
malware families: adware, Radware, rootkit, SMS malware, and ransomware. Their
research highlights the use of artificial intelligence and cybersecurity analytics to enhance
malware detection, analysis, and mitigation capabilities, contributing to the development
of resilient cyber systems. Validation using a dataset of recent malware demonstrates
the model’s effectiveness and efficiency, with experimental results showing that behavior-
based deep learning combined with heuristic approaches outperforms static deep learning
methods in malware detection and classification.
Davide Maiorca et al. [39], in their 2019 work, “Digital Investigation of PDF Files:
Unveiling Traces of Embedded Malware”, explore the increasing sophistication of mal-
ware, with a focus on PDF malware as a significant threat in the cybersecurity landscape.
The authors provide an overview of contemporary attack techniques employed to dissemi-
nate malicious PDFs and discuss the digital forensic analysis tools available to investigate
such threats. This work emphasizes the critical need for advanced methodologies to detect
and analyze traces of embedded malware within PDF files.
Jason Thomas et al. [40], in their 2019 work, “Enterprise Cybersecurity: Investigating
and Detecting Ransomware Infections Using Digital Forensic Techniques,”
examine the escalating problem of ransomware in an increasingly technology-driven world.
The paper highlights the severe consequences of ransomware, including encrypted storage
systems, halted productivity, and long-term damage. While many firms have integrated
security technologies like intrusion protection systems to address ransomware, smaller
organizations often lack access to or integration of these tools. The authors emphasize
that cybercriminals frequently target such unprotected environments. They argue that
even without advanced automated security capabilities, system administrators can lever-
age system utilities, applications, and digital forensic techniques to detect and combat
ransomware. The paper reviews the literature on ransomware, identifies challenges in
addressing ransomware infections, and offers recommendations for detection and investi-
gation.
Ilker Kara et al. [41], in their 2023 work, “Fileless Malware Threats: Recent Advances,
Analysis Approach Through Memory Forensics and Research Challenges,”
address the rising sophistication of fileless malware, which can evade traditional security
mechanisms. The authors underscore the limited studies on this threat, particularly con-
cerning classification and threat scale, which has hindered comprehensive analysis. Their
research explores recent advancements in fileless malware prevention and detection while
outlining future research challenges. They propose an analytical approach centered on
attack strategies and attributes, simplifying feature extraction and reducing processing
load without requiring decompression or unpacking for analysis. Applying this method
to a real case study revealed critical details about the Kovter malware, including its de-
tection, mechanisms, and attack methods. This approach demonstrates advantages as a
novel technique for detecting fileless malware and protecting systems from cyber threats.
The paper also provides insights into fileless malware threats and reviews current methods
and techniques used for their detection and analysis.
Xiaoyu Du et al. [42], in their 2020 work, “SoK: Exploring the State of the Art and
the Future Potential of Artificial Intelligence in Digital Forensic Investigation,”
address the pervasive issue of multi-year digital forensic backlogs faced by law enforce-
ment agencies globally. The growing volume of cases and data overwhelms digital forensic
investigators, necessitating innovative solutions. The authors highlight artificial intelli-
gence (AI) as a promising approach to tackle these challenges, particularly in automating
evidence processing. Their research summarizes existing AI-based tools and methodolo-
gies in digital forensics, emphasizing their potential to expedite analysis and significantly
enhance case-processing capacities. Moreover, the paper discusses current challenges
associated with these AI applications and explores their future impact on digital forensic
investigations.
Bishwajeet Pandey et al. [43], in their work in 2024 ”Efficient Usage of Web Foren-
sics, Disk Forensics, and Email Forensics in Successful Investigation of Cyber Crime”,
present a comprehensive survey of existing research and best practices in web forensics,
disk forensics, and email forensics. The authors observe that all forensic investigation
processes share five fundamental phases: evidence identification, collection, examination,
assessment, and reporting. However, each forensic domain employs specialized tools tai-
lored to its unique requirements. The paper emphasizes the importance of intelligent
tool selection, identifies current challenges in these forensic domains, and explores future
research trends aimed at addressing these issues. To enhance the study, the authors
include case studies demonstrating practical applications in each domain: investigating
price changes in an e-commerce shopping cart for web forensics, extracting system files
using FTK Imager for disk forensics, and analyzing the ”Show Original” feature in Gmail
for email forensics. These case studies illustrate the diverse applications and critical
importance of forensic tools in cybercrime investigations.
Leslie F. Sikos [44], in his 2020 paper ”Packet Analysis for Network Forensics: A
Comprehensive Survey”, presents an in-depth exploration of packet analysis techniques,
particularly deep packet inspection (DPI), in network forensics. The paper highlights
how packet analysis can trace network traffic to uncover malicious activities such as
data breaches, malware infections, and intrusion attempts, and reconstruct data like
images, documents, and email attachments. Sikos also discusses the role of AI-powered
methods in enhancing network traffic classification and pattern identification, improving
the detection of advanced cyber threats. Additionally, the paper examines the legal
implications of digital evidence, outlining which types are admissible in court, and reviews
the capabilities of hardware appliances and packet analyzer software in network forensics,
emphasizing their importance in effective forensic investigations.
Arafat Al-Dhaqm et al. [45], in their 2021 paper ”Digital Forensics Subdomains: The
State of the Art and Future Directions”, discuss the growing need for digital forensic
investigation techniques beyond traditional computer desktops and servers, as advances
in digital media and platforms have led to the emergence of new subdomains like mobile
devices, databases, networks, cloud platforms, and the Internet of Things (IoT). The
paper emphasizes the importance of applying scientifically proven techniques to ensure
that digital evidence is reliable and admissible in court. Al-Dhaqm highlights that many
existing investigative processes are domain-specific, leading to ambiguities and redundancies
in the literature. To address this, the paper presents a digital forensic model-oriented
Systematic Literature Review (SLR) that synthesizes the various practices and identi-
fies inconsistencies across subdomains. A key finding is the high degree of redundancy
and ambiguity in investigative processes. To resolve these issues, the study proposes
a high-level abstract metamodel that combines common investigation processes, activi-
ties, techniques, and tasks across digital forensics subdomains, offering a more organized
approach for forensic investigators.
Afnan Asasfeh et al. [46], in their 2023 paper ”Exploring Cyber Investigators: An
In-Depth Examination of the Field of Digital Forensics”, provide a comprehensive lit-
erature review of digital forensics, examining its historical development, methodologies,
tools, and the legal and ethical considerations involved. The paper underscores the im-
portance of digital forensics in the digital era, highlighting its growing relevance in both
cybersecurity and law enforcement. Asasfeh and colleagues emphasize the field’s role in
uncovering digital evidence, safeguarding privacy, and ensuring data integrity, all while
upholding justice. The review also addresses the evolving challenges and patterns within
the discipline, offering insights into the future directions of digital forensics and proposing
innovative solutions to the complexities it faces.
Marta Fuentes-García et al. [47], in their 2021 paper ”Present and Future of Net-
work Security Monitoring”, review the state-of-the-art in Network Security Monitoring
(NSM), focusing on its critical role in detecting security incidents and ensuring the se-
curity of modern networks amid the rising threat of cyberwarfare. The paper introduces
a new taxonomy for the functionalities and modules of an NSM system, providing a
valuable framework for both researchers and practitioners to assess current NSM tools
and deployments. Fuentes-García and colleagues organize popular NSM tools based on
this taxonomy and identify key challenges in implementing NSM in contemporary net-
work environments, such as Software Defined Networks (SDN) and the Internet of Things
(IoT).
Humaira Arshad et al. [48], in their 2019 paper ”Evidence Collection and Forensics on
Social Networks: Research Challenges and Directions”, explore the emerging field of social
media forensics, emphasizing the potential of social media evidence in criminal investi-
gations. The paper discusses the complexities of collecting and presenting social media
evidence in court, highlighting the challenges of ensuring the process is legally sound
while respecting individuals’ privacy rights. Arshad and colleagues point out the
difficulties faced by legal practitioners and investigators due to the dynamic and heterogeneous
nature of social media. They argue that with sophisticated tools, forensic investigators
can effectively manage the large and diverse content of social media to collect legally
admissible evidence. The paper also examines the current state of evidence acquisition,
admissibility, and jurisdiction in social media forensics, outlining the key challenges in
collecting, analyzing, presenting, and validating social media evidence in legal contexts.
Additionally, the authors identify research gaps and propose future research directions in
the field.
Christos Karagiannis et al. [49], in their 2021 paper ”Digital Evidence and Cloud
Forensics: Contemporary Legal Challenges and the Power of Disposal”, address the com-
plexities of handling digital evidence in criminal investigations, particularly when that
evidence is stored in cloud environments. The paper identifies three main legal challenges
posed by cloud-based technologies: territoriality (the loss of location), possession (cloud
content ownership), and confiscation procedures (issues related to user authentication
and data preservation). Karagiannis and colleagues thoroughly evaluate the existing le-
gal frameworks in the U.S., Europe, and internationally, exploring how these laws interact
with the challenges of cloud forensics. They propose the concept of the ”Power of Dis-
posal,” a new legal notion that combines technical, organizational, and legal perspectives
to address these challenges and offer a multidisciplinary solution with global implications
to mitigate the identified legal hurdles.
Michael Martin Losavio et al. [50], in their 2019 paper ”The Juridical Spheres for
Digital Forensics and Electronic Evidence in the Insecure Electronic World”, explore
the growing importance of digital forensics and electronic evidence in the context of
both traditional and cybercrimes. The paper highlights the challenges posed by the
vast amounts of data collected and stored across multiple jurisdictions, emphasizing the
complexities of using digital forensics and electronic evidence within the boundaries of
national laws. Losavio and colleagues discuss the intersection of legal frameworks in
transnational cases, noting the potential for harmonization or conflicts. They stress the
need for both juridical and technical coordination between nations to ensure effective
transnational law enforcement, as forensic technology must align with the legal rules of
the involved jurisdictions. The paper further examines the evolving legal landscape of
digital forensics and speculates on how regulations may develop in the future to address
the growing challenges in this field.


2.1.1 Limitations

The field of cyber forensics has evolved in the modern era, with multiple tools and
techniques developed to help investigators. However, many existing tools have
limitations, which are:

• Integration Aspects: Present tools are domain-specific, focusing on either file
analysis, network monitoring, or malware detection without providing a single
platform.

• Lacking Real-Time Capabilities: Many older tools perform only post-incident
analysis, lacking the ability to detect and respond to threats in real time.

• Inadequate Application: With increasing reliance on cloud storage, existing tools
fail to address the unique forensic challenges that cloud storage raises.

• High Cost: Many forensic tools are expensive, making them difficult to access for
smaller organizations or individual analysts.

• Complexity: Many tools require proper training, limiting their usability for ordinary
users.

2.1.2 Research Gaps Identified

1. Entropy-Based Analysis: Lack of utilization of statistical techniques like entropy
for detecting hidden or corrupted data.
2. Integration of Various Platforms: Lack of robust solutions for analyzing data from
various applications and recovering deleted data.
3. User-Friendly Interface: Lack of focus on creating simple GUIs for forensic tools.
4. Combinative Solutions: Lack of tools that integrate many forensic domains into a
single system.



Chapter 3

Problem Statement

Cyber forensic investigations have become important in identifying and mitigating
cybercrimes. These investigations demand accurate tools to analyze vast data such as
files, networks and emails. However, current forensic tools have significant limitations.
Present forensic tools are domain-specific, which requires analysts to switch between
multiple tools to handle different forensic operations. This leads to inefficiency, longer
processing time, and potential loss of evidence. Traditional tools are also unable to
provide advanced analyses: entropy-based file analysis, which is essential for detecting
hidden or encrypted data; real-time network anomaly detection, which is critical for
identifying active threats; and retrieval of deleted or corrupted files for evidence. In
addition, forensic tools are designed with complicated interfaces, making them difficult
for non-experts to adopt. These challenges motivate an advanced solution for these
limitations, providing investigators with the tools necessary for efficient, accurate, and
user-friendly cyber investigations.
The aim is to develop an integrated cyber forensic toolkit in which multiple forensic
domains, such as file analysis, network monitoring, malware detection and email
forensics, converge into a single platform. The toolkit will provide efficient and accurate
data analysis while enabling the modernisation of collected evidence.

3.1 Objectives
• Integrate many forensic capabilities into a single toolkit to make investigations
efficient and reduce dependency on multiple tools.

• Provide advanced methods such as:

1. Shannon’s Entropy for detecting hidden information.

2. Heuristic Algorithms for abnormality detection in network activity.

• Provide real-time network monitoring and anomaly detection to identify and re-
spond to cyberattacks properly.

• Include features for analyzing file integrity.

• Design a simple and attractive GUI using Material-UI that is understandable for
both experts and non-experts.

• Give the toolkit a modular design to allow future enhancements while maintaining
current security measures for handling confidential data.



Chapter 4

Software Requirements Specification

4.1 Introduction
The Digital Forensics Toolkit is a web-based application that provides cyber forensics
investigators and security analysts with tools for file analysis, network monitoring,
malware detection and email forensics. The system aims to enable efficient digital
investigation by providing a single platform for the various forensic analysis tasks.

4.2 Purpose
The purpose of this software is to provide a single platform for digital forensics analysis,
automate simple forensic analysis processes, provide secure analysis of digital evidence,
generate reports for further analysis, and provide real-time monitoring and detection of
suspicious network activity.

4.3 User Characteristics


The system is prepared for the following user types:
1. Digital Forensics Investigators
Technical experts in cyber forensics, with a proper understanding of file systems and
data analysis, a sense of network protocols, and experience with proper evidence-handling
procedures.
2. Security Analysts
Have knowledge of malware detection and network security, of threat detection rules,
and familiarity with many security analysis tools.
3. System Administrators
System administration professionals, with an understanding of user access management,
knowledge of security protocols and regulations, and experience in network monitoring.

4.4 Interfaces

4.4.1 Hardware Interfaces

• Computing Requirements

Minimum Server Requirements:

- Processor: Intel Xeon or AMD EPYC (8+ cores)

- RAM: 16GB minimum, 32GB recommended

- Storage: 1TB SSD for system and database

- Network: Gigabit Ethernet connection

Client Requirements:

- Processor: Intel i5/AMD Ryzen 5 or better

- RAM: 4GB minimum

- Storage: 50GB available space

- Network: Good internet connection

• Network Hardware

- Network Interface Cards (NICs) used for data packet capture

- Network switches that support port mirroring

- Hardware firewalls

4.4.2 Software Interfaces

• Operating System Compatibility

Server:

- Linux (Ubuntu 20.04 LTS or newer)

- Windows Server 2019 or newer


Client:

- Windows 10/11

- macOS 11 or newer

- Linux (major distributions)

• Development Tools

Frontend:

- Node.js 16.x or newer

- React 18.x

- Material-UI 5.x

- Vite build tools

Backend:

- Node.js runtime

- Express.js framework

- MongoDB drivers

• Integration Interfaces

- RESTful API endpoints

- WebSocket connections for real-time data

- Network capture interfaces



Chapter 5

System Design

5.1 Architecture Diagram

Figure 5.1: System Architecture Design

5.1.1 Proposed Methodology

The proposed methodology is designed to comprehensively process and analyze data from
diverse sources to ensure accurate and efficient detection of anomalies and threats. Data
input is gathered from multiple channels, including files stored locally, network traffic, and
email communications. During the preprocessing phase, different techniques are applied
depending on the data source. For file data, metadata and content are systematically
extracted to provide essential insights into the structure and details of the files. In the
case of network monitoring, the methodology involves capturing packets and analyzing
traffic patterns to identify unusual activities that may indicate potential security issues.
For email data, preprocessing focuses on parsing headers to trace the origin and path of
the email, while also examining attachments for potentially harmful content.
The analysis phase is tailored to address specific challenges posed by different data
types. An entropy-based approach is employed for detecting anomalies in files, leveraging
statistical measures to identify deviations from expected patterns. For network analysis
and malware detection, heuristic methods are utilized to assess behaviors and characteris-
tics that deviate from normal baselines, enabling the identification of previously unknown
threats. Additionally, signature-based scanning complements the heuristic approach by
comparing data against known threat signatures for efficient malware detection. The
methodology ensures that findings and insights are presented in a user-friendly inter-
face, facilitating clear communication and understanding of results for both technical
and non-technical users. This structured approach enhances the overall effectiveness and
accessibility of the analysis process.

5.1.2 Overall Description

The system operates as a single application that allows forensic analysts to switch be-
tween the different features of the toolkit easily. By combining functionalities, it eliminates
the inefficiencies of using multiple tools. Each module works independently and provides
visualization to give complete insights.

5.2 Use-Case Diagram


Use Case 1: File Forensics


Figure 5.2: File Analysis Use Case

Use Case 2: Network Monitoring

Figure 5.3: Network Monitoring Use Case


5.3 Data Flow Diagram

Figure 5.4: Data Work Flow Diagram

5.4 Module Diagram


• File Analysis:


Figure 5.5: File Analysis Work Flow Diagram

• Malware detection:

Figure 5.6: Malware Detection Work Flow Diagram

• Email Forensics:


Figure 5.7: Email Forensics Work Flow Diagram

• Network Monitoring:

Figure 5.8: Network Monitoring Work Flow Diagram

5.5 Functional Requirements


File Analysis: Upload and process many file types, with functions for metadata extrac-
tion, hash generation, and data analysis.
Network Monitor: Enables real-time monitoring of network activity, including packet
capture, protocol analysis, and bandwidth monitoring.
Email Forensics: Analyzes email headers, verifies SPF/DKIM records, and examines
attachments for malicious content. The module includes phishing detection, spam
analysis, and visualization of email transfer patterns.
Malware Detection: Provides analysis of files to detect malware using signature-based
detection and heuristic analysis. Users can also monitor API calls and network activity.
Audit and Logging: The system maintains records of user activities and suspicious
network activity.

5.6 Nonfunctional Requirements


Performance:
Ensure the toolkit can analyze large amounts of data in real time without any issues.
Optimize algorithms for fast entropy calculation and network analysis.
Security:
Use secure encryption for sensitive information. Restrict access by unauthorized users
with role-based authentication.
Usability:
Provide an attractive GUI that is simple and has a minimal learning curve. Include
tooltips and documentation for each feature.


5.7 GUI Design

Figure 5.9: GUI Design

The GUI is built using Material-UI for React, focusing on ease of understanding and
accessibility.
It has several features:
Main Dashboard:
Displays data and module information.
Provides quick access to each module.
File Analysis Page:
Users can upload files and receive the extracted metadata and entropy information.
Network Monitoring Page:
Monitors network traffic in real time using graphs and calculates bandwidth charts.
Highlights anomalies for easy understanding.
Email Forensics Page:
Provides tools for analyzing email header files.
Malware Detection Page:
Provides rule- and signature-based detection of malicious and hidden files.


5.8 Module-Wise Algorithm


1. File Analysis Module
The File Analysis module is designed to analyze files, extract metadata, detect anomalies,
and detect malicious content.
Algorithms Used:
Entropy Calculation (Shannon’s Information Theory):
Purpose: Reports each file’s entropy value, which may indicate compression or
encryption.
Steps:
Read the file content as a byte stream.
Calculate the frequency of each byte value (0–255) and compute the entropy from
those frequencies.
Metadata Extraction:
Purpose: Provides file information such as timestamps, file type, and hash generation.
Steps:
Parse file headers with file-type libraries.
Extract features like timestamps, file size, and file format.
Hash-Based Comparison:
Purpose: Helps verify file integrity and detect malicious files.
Steps:
Create a cryptographic hash (e.g., MD5, SHA-256) for the file.
Compare the hash against a database of file hashes (e.g., malware signatures).
Detect mismatches or known patterns.
2. Network Monitoring Module
The network monitoring module provides real-time network traffic analysis to detect
anomalies and active threats.
Algorithms Used:
Packet Sniffing:
Purpose: Capture and analyze live network packets.
Steps:
Use pcap to capture live traffic.
Extract packet details (source IP, destination IP, payload, protocol).
Anomaly Detection Algorithm:
Purpose: Detect abnormal traffic patterns.
Steps:
Create a baseline for local network activity (e.g., average packet size, traffic volume).
Monitor real-time traffic and compare it to the baseline.
Flag anomalies using statistical methods or heuristics.
3. Malware Detection Module
The malware detection module identifies malicious scripts hidden in files.
Algorithms Used:
Pattern Matching:
Purpose: Detect known malicious code in files.
Steps:
Load rules or signatures for known malware.
Scan files for matches.
Flag files containing matching data.
Heuristic Analysis:
Purpose: Detect malware based on behavioral patterns.
Steps:
Analyze the file.
Match it against predefined heuristics for suspicious activity.
Flag files showing malicious patterns.
4. Email Forensics Module
The email forensics module analyzes the data of an email to detect malicious
attachments.
Algorithms Used:
Header Analysis:
Purpose: Evaluate an email by analyzing its headers.
Steps:
Analyze headers such as From, To, Reply-To, and Received.
Check for anomalies in the sender address or abnormal IP addresses.
Verify DKIM, SPF, and DMARC records.
Attachment Analysis:
Purpose: Detect malicious attachments.
Steps:
Scan the email for malware signatures using pattern matching.
Perform entropy analysis on attachments.
Detect suspicious attachments.



Chapter 6

IMPLEMENTATION

The implementation involves setting up the execution environment, combining software
and hardware parts, preparing and testing the modules, and ensuring that all features
function without any problems.

6.1 Setting up an Execution Environment

6.1.1 Software Tools, Technology Description, and Installation

• Core Technologies

Node.js (v14.0 or higher)

Express.js for API development

MongoDB for database

Installation Steps

o Install Node.js dependencies

npm install express mongoose multer (crypto is a built-in Node.js module and needs no
npm package; the deprecated npm package of the same name should not be installed)

o Security libraries

npm install jsonwebtoken bcrypt

o File analysis libraries

npm install mime-types fs-extra

o Network monitoring libraries

npm install systeminformation pcap


• Development Tools

VS Code for development

Postman for API testing

MongoDB Compass for database management

6.1.2 Hardware Description, Installation and Usage

• Minimum Hardware Requirements


Processor: Intel Core i5 or equivalent
RAM: 8GB minimum
Storage: 256GB SSD
Network: Ethernet/Wi-Fi adapter
• Recommended Hardware
Processor: Intel Core i7 or equivalent
RAM: 16GB
Storage: 512GB SSD
Network: Gigabit Ethernet

6.1.3 Interface Description

• API Endpoints
-File Analysis
POST /api/file/analyze
GET /api/file/results/:id
-Malware Detection
POST /api/malware/scan
GET /api/malware/report/:id
-Network Monitoring
GET /api/network/stats
GET /api/network/security
-Email Forensics
POST /api/email/analyze
GET /api/email/report/:id



Chapter 7

TESTING AND VALIDATION

The Digital Forensics Toolkit goes through proper testing to ensure the reliability, accuracy,
and efficiency of each module. This section outlines the testing methodologies, test cases,
validation processes, and performance benchmarks for the toolkit.

7.1 Testing Methodology

7.1.1 Unit Testing

Each module is tested individually to validate each of its functionalities.

Example: Entropy calculation, hash generation, network packet capture.

7.1.2 Integration Testing

Tests the interactions between modules to ensure they communicate correctly.

Example: File analysis produces metadata and hashes that are used by malware detection.

7.1.3 Functional Testing

Evaluates that the toolkit performs all of its functionalities as intended.
Example: Upload a file and receive a proper forensic result.

7.2 Test Cases


Module | Objective | Input | Result
File Analysis | Calculate entropy, metadata extraction, and hash generation | Any type of file | Provides entropy values, metadata information, and hash generation
Network Monitoring | Detect network packets for any anomalies in real-time | Traffic logs with good internet connection and network transmission | Detects anomalies with packet details like protocols, ports, etc.
Malware Detection | Detect malware files using heuristic algorithm | Any type of file with known malware signature | Detects suspicious files with details
Email Forensics | Analysis of email headers and attachments for malicious content | Any type of email with malicious content | Detects malicious emails and phishing attempts

Table 7.1: Module Wise Test Case

7.3 Performance Benchmarks

Module | Metric | Results
File Analysis | Time taken for analysis of each file of various types and sizes | Can process a 1GB file in under 1 minute
Network Monitoring | Number of data packets analyzed per second | 10,000 packets without any issues
Malware Detection | Accurate detection of malware | 95% precision
Email Forensics | Phishing detection in emails | 92% with minimum false positives

Table 7.2: Efficiency for each Module



Chapter 8

Results and Discussion

This chapter summarizes the results obtained from the implementation and testing of the
Digital Forensics Toolkit, its strengths, the modules that need improvement and
enhancement, and its potential to help in digital forensic investigations.

8.1 Results
The results are based on the successful execution and implementation of all modules
of the toolkit and providing metrics like precision, performance benchmarks, and user
feedback.

8.1.1 Module Performance with Snapshots

File Analysis Module:


Total Files: 1000
Successful Analysis: 985
Failed Analysis: 15
Average Processing Time: 1.2 seconds
Accuracy: 98.5


Figure 8.1: File Analysis page

Network Monitoring Module:


Total Connections: 10000
Suspicious Connections: 150
Blocked Connections: 50
Average Bandwidth: 100 Mbps
Peak Bandwidth: 500 Mbps

Figure 8.2: Network Monitor page


Figure 8.3: Protocol distribution

Figure 8.4: Active Connection Dashboard

Figure 8.5: Port Analysis Dashboard


Figure 8.6: Network Statistics and History

Malware Detection Module:


Samples Analyzed: 500
Malware Detected: 125
Suspicious Files: 75
Clean Files: 300
Detection Rate: 96.8

Figure 8.7: Malware Detection Dashboard

Email Forensics Module:


Emails Analyzed: 2000
Phishing Detected: 150
Malicious Attachments: 75


Suspicious Links: 200


Average Processing Time: 0.8 seconds

Figure 8.8: Email Forensics Dashboard

8.2 Discussion
The Digital Forensics Toolkit project provides a combined solution for the analysis of
digital data, detecting malware, monitoring network traffic, email forensics, and
recovering corrupted files. The project combines multiple modules that work with each
other to make detecting and mitigating cyber threats more efficient for forensic analysts,
security inspectors, and investigators. It provides easy access: no external software is
required and no installation is needed for users, who simply open the web application
and can start investigating. Various modules are integrated into the project, and
development is ongoing for cloud security analysis, which will report on the integrity of
the cloud in case of a breach. Small businesses and individuals can do much more with
this than they could with expensive, large toolkits.



Chapter 9

Project Plan

9.1 Timeline of Project


The timeline of the project is displayed using a Gantt chart, which provides a visual
representation of the project’s tasks, progress achieved, and their respective timeframes.
Each task is represented by a horizontal bar, with the length of the bar corresponding to
the duration of the task.
The chart is organized as shown below:

Phase 1: Planning and Preparation


Literature Review (June)
• Conduct a proper literature review on present Forensic analysis.
• Identify the challenges and weaknesses of present methods.

Phase 2: Requirement Analysis


Requirement Analysis (June-July)
• Identify the required features.
• Track whether the requirements actually support the idea or not.

Phase 3: Problem Statement Finalization


Problem Statement Finalization (June-July)
• The problem statement should be formulated from the literature review data.

Phase 4: Design
Design of Software (July-August)
• Design the software on the basis of present requirements and constraints.


Phase 5: Implementation
Implementation of Software (August)
• Implement the developed software using required software tools and code.

Phase 6: Testing and Validation


Testing and Validation
• Conduct testing of the working software to ensure it meets the proposed requirements.
• Validate the efficiency of the software using test cases and real-world cases.

Phase 7: Refinement and Optimization


Refinement and Optimization (September)
• Optimize the code based on test results.
• Improve the software’s performance and effectiveness against threats.

Phase 8: Documentation
Documentation and Final Report (October)
• Prepare documentation of the whole project process, including installation, design,
implementation, and testing.
• The final report should detail the project results, findings, and enhancements.

Phase 9: Final Review and Adjustments


Final Review and Adjustments (November)
• Conduct a final review of the project.
• Improve the project based on feedback and findings from the final report.

Phase 10: Project Completion


Project Completion (November)
• Complete the project and ensure all objectives are met.
• Deploy and present the final project.


Figure 9.1: Timeline of Project



Chapter 10

Conclusion and Future Enhancements

10.1 Conclusion
The Digital Forensics Toolkit addresses the challenges faced in cybercrime investigations
by providing a single, scalable, and efficient platform for forensic analysis. By integrating
file analysis, network monitoring, malware detection, and email forensics, the toolkit
supports complex forensic processes, improves accuracy, and speeds up investigations.
It brings multiple forensic domains into a single toolkit, eliminating the problems caused
by switching between different tools. Methods such as entropy-based analysis, heuristic
malware detection, and metadata extraction give accurate results. Network monitoring
and anomaly detection run in real time, so suspicious activity is addressed quickly.
GUI and API integration make the toolkit easy to use for both experts and non-specialists.
The toolkit helps investigators detect cybercrimes, analyze digital evidence, and enhance
cybersecurity defenses. The Digital Forensics Toolkit represents a major step forward in
the modern era of digital investigations. It bridges significant gaps in existing forensic
tools by offering an integrated solution prepared specifically for the complexities of
today’s cybercrimes.

10.2 Future Enhancements


The toolkit works well, but there are many opportunities for enhancement and
improvement.


Machine Learning and AI Integration: Develop AI models for more complex anomaly
detection and malware detection. Natural language processing (NLP) can improve
phishing email detection and content analysis. Support is needed for additional cloud
storage platforms such as AWS, Google Drive, and Azure, along with advanced recovery
techniques for deleted files and integrity checks of cloud systems.
Modular and Scalable Design: Modules should function as individual components
that can be combined with larger systems, and the toolkit should scale to handle large
organizational networks and data volumes.
Cross-Platform Compatibility: Develop the toolkit so that it can run on mobile
devices and low-end hardware. Develop improved web-browser-based versions for easy
access and handling.
Enhanced Security Features: Built-in encryption and secure logging functions to
protect sensitive data. Add multi-factor authentication (MFA) so that only authorized
individuals can access the toolkit.
Automated Reporting and Visualization: Generate customizable reports summarizing
forensic findings, and use proper data visualization tools to represent analysis results.
Collaboration Tools: Add features for collaborative investigations, allowing multiple
investigators to work on a single case effectively. Version control for investigation logs
and evidence would also help.
