
https://www.nist.gov/news-events/news/2022/05/nist-publishes-review-digital-forensic-methods

NIST Publishes Review of Digital Forensic Methods

Report documents the scientific foundations of digital evidence examination and recommends ways to advance the field.


The National Institute of Standards and Technology (NIST) has published Digital Investigation Techniques: A NIST Scientific Foundation Review. This draft report, which will be open for public comment for 60 days, reviews the methods that digital forensic experts use to analyze evidence from computers, mobile phones and other electronic devices.

The purpose of NIST scientific foundation reviews is to document and evaluate the scientific basis for forensic methods. These reviews fill a need identified in a landmark 2009 study by the National Academy of Sciences, which found that many forensic disciplines lack a solid foundation in scientific research.

To conduct their review, the authors examined peer-reviewed literature, documentation from software developers, test results on forensic tools, standards and best practices documents and other sources of information. They found that “digital evidence examination rests on a firm foundation based in computer science,” and that “the application of these computer science techniques to digital investigations is sound.”

“Copying data, searching for text strings, finding timestamps on files, reading call logs on a phone. These are basic elements of a digital investigation,” said Barbara Guttman, leader of NIST’s digital forensics research program and an author of the study. “And they all rely on fundamental computer operations that are widely used and well understood.”

The report also discusses several challenges that digital forensic experts face, including the rapid pace of technological change. “Digital evidence techniques don’t work perfectly in all cases,” Guttman said. “If everyone starts using a new app, forensic tools won’t be able to read and understand the contents of that app until they are updated. This requires constant effort.”

To address this challenge, the report recommends better methods for information-sharing among experts and a more structured approach to testing forensic tools that would increase efficiency and reduce duplication of effort across labs.

The report also recommends increased sharing of high-quality forensic reference data that can be used for education, training, and developing and testing new forensic tools.

NIST’s Digital Forensics Research Program, which was launched in 1999, develops methods for testing digital forensics tools and provides access to high-quality reference datasets. NIST also maintains a vast archive of published software, the National Software Reference Library, that is a critical resource for investigating computer crimes.

NIST scientific foundation reviews help laboratories identify appropriate limitations on the use of forensic methods, identify priorities for future research, and suggest steps for moving the field forward. These reviews are conducted as part of NIST’s Forensic Science Program, which works to strengthen forensic practice through research and improved standards. In 2018 Congress directed NIST to conduct these scientific reviews and appropriated funding for them.

Readers can submit comments on the draft report through July 11, 2022. NIST will host a webinar about the draft report on June 1, 2022. Instructions for submitting comments and registration information for the webinar are available on the NIST website.

Sensors (Basel), PMC10819343


Cloud Digital Forensics: Beyond Tools, Techniques, and Challenges

Annas Wasim Malik, David Samuel Bhatti, Tae-Jin Park, Hafiz Usama Ishtiaq and Jae-Cheol Ryou

1 Faculty of Information Technology, University of Central Punjab, Lahore 54590, Pakistan; [email protected] (A.W.M.); [email protected] (H.U.I.)

2 Nuclear System Integrity Sensing & Diagnosis Division, Korea Atomic Energy Research Institute (KAERI), Daejeon 34057, Republic of Korea

3 Department of Computer Science and Engineering, Chungnam National University, Daejeon 34134, Republic of Korea

Associated Data

Not applicable.

Cloud computing technology is rapidly becoming ubiquitous and indispensable. However, its widespread adoption also exposes organizations and individuals to a broad spectrum of potential threats. Despite the multiple advantages the cloud offers, organizations remain cautious about migrating their data and applications to the cloud due to fears of data breaches and security compromises. In light of these concerns, this study has conducted an in-depth examination of a variety of articles to enhance the comprehension of the challenges related to safeguarding and fortifying data within the cloud environment. Furthermore, the research has scrutinized several well-documented data breaches, analyzing the financial consequences they inflicted. Additionally, it scrutinizes the distinctions between conventional digital forensics and the forensic procedures specific to cloud computing. As a result of this investigation, the study has concluded by proposing potential opportunities for further research in this critical domain. By doing so, it contributes to our collective understanding of the complex panorama of cloud data protection and security, while acknowledging the evolving nature of technology and the need for ongoing exploration and innovation in this field. This study also helps in understanding the compound annual growth rate (CAGR) of cloud digital forensics, which is found to be quite high at ≈16.53% from 2023 to 2031. Moreover, its market is expected to reach ≈USD 36.9 billion by the year 2031; presently, it is ≈USD 11.21 billion, which shows that there are great opportunities for investment in this area. This study also strategically addresses emerging challenges in cloud digital forensics, providing a comprehensive approach to navigating and overcoming the complexities associated with the evolving landscape of cloud computing.

1. Introduction

Cloud computing is a framework that permits pervasive, user-oriented, and on-demand access to a shared pool of configurable computing resources over the internet without direct active management by the user [ 1 ]. The primary benefits of cloud computing are not limited to reductions in time and cost; they also include agility and scalability. The idea of cloud computing was originally linked to the concepts of distributed parallel computing, utility computing, and autonomic computing. Cloud computing has different models based on deployment and on service delivery. Based on deployment, there are four models: public cloud, private cloud, hybrid cloud, and community cloud. Based on service delivery, models are categorized as SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service), as shown in Figure 1 [ 2 ]. Some leading corporations, including Amazon, Google, IBM, Microsoft, Dell Technologies, Hewlett Packard Enterprise, Cisco Systems, and Oracle, have invested in cloud computing and are offering individuals and businesses a range of cloud-based solutions. In the past few years, interest in adopting the cloud computing paradigm has increased not only in the IT industry but also in other sectors like banking, finance, education, health, utility, telecom, etc. According to a study in 2020, the presence of cloud-based applications or computing infrastructure in organizations had increased to 81% from 73% in 2018 [ 3 ]. It was forecasted that global end-user investments in public cloud services would grow in 2021 to USD 304.9 billion, up from USD 257.5 billion in 2020 [ 4 ]. The ability to use on-demand, adaptable cloud models for achieving cost-effectiveness and business continuity is motivating organizations to rapidly accelerate their digital business transformation plans. Cloud computing is envisioned as a potential future of computing, and there is no doubt that cloud tools and solutions are here to stay.
Cloud computing is arguably the most significant technological advancement of the 21st century. However, as cloud computing gains more recognition worldwide, concerns are also being raised about the data security and privacy issues introduced through the adoption of this modern computing paradigm. Data security and privacy have consistently been primary issues in Information Technology. The concerns regarding data security and privacy become particularly serious in the cloud computing environment because data are scattered across various locations on different machines and storage devices, including personal computers, servers, and various mobile devices. Handling data security and privacy in cloud computing is more complex than in conventional information systems. While cloud services are helping remote workers effectively collaborate as part of a team, they are also opening new opportunities for cyber-criminals to conduct cyber frauds. According to a recent study, 92% of the participating organizations still report a cloud security readiness gap, and they are not comfortable with the security consequences of moving their workloads to the cloud environment [ 5 ]. According to IBM’s data breach report, the global average total cost of a data breach in the year 2020 was USD 3.86 million with the healthcare sector alone incurring the highest industry cost of USD 7.13 million [ 6 ].

Figure 1. Models of cloud services.

In the rapidly evolving digital landscape, data breaches have become a significant concern for organizations across various industries. When a data breach occurs, highly sensitive and confidential information can be compromised, leading to severe repercussions for the affected organization [ 7 ]. The aftermath of such incidents can include financial losses, damage to the organization’s reputation, erosion of customer trust, and potential legal consequences. The increasing frequency of data breaches has raised pertinent questions about the security of data stored in cloud computing environments. While cloud computing offers numerous advantages, including flexibility, scalability, and cost-effectiveness, it also introduces inherent security risks [ 8 ]. The shared nature of cloud infrastructure and the remote storage of data necessitate a meticulous examination of cloud security practices. Addressing intricate challenges, cloud forensics emerges as a specialized subset of digital forensics, focusing on investigating and mitigating security incidents intrinsic to cloud environments [ 9 , 10 ]. This involves identifying vulnerabilities and attack vectors to facilitate proactive security measures, while also contributing to evidence preservation, incident response planning, regulatory compliance, and the refinement of security strategies. The iterative process sharpens security measures, reinforces employee training, and offers insights for legal remedies and third-party risk management, thus nurturing a resilient and secure digital landscape. Expertise in both digital forensics and cloud technologies is pivotal for this distinctive approach [ 11 ]. Proficient practitioners in cloud forensics meticulously gather and maintain evidence in accordance with forensic norms, preserving its integrity and authenticity for potential legal proceedings. 
The five key phases of digital forensics, which include identification, preservation, collection, analysis, and reporting [ 12 ], will be discussed in Section 5.1 .

The prevalence and impact of data breaches underscore the criticality of cloud security. While cloud security encompasses measures to protect data and systems from unauthorized access and breaches, it is essential to differentiate cloud forensics within the broader scope of digital forensics. Carrier’s work [ 13 ] on file system forensic analysis highlights the distinction between general data security practices and forensic investigations tailored for legal evidentiary standards. Cloud forensics, as a specialized domain within digital forensics, plays a pivotal role beyond data security. It involves investigating incidents, preserving evidence in a manner suitable for court admissibility, identifying vulnerabilities, and facilitating data recovery. Understanding this distinction is crucial, as expert cloud forensics practices are not solely focused on data protection but also on collecting evidence that meets legal criteria. These practices are vital for safeguarding sensitive data, upholding trust in the digital ecosystem, and mitigating the potential fallout of data breaches in cloud computing environments. Cloud forensics analyzes logs, access controls, and user activities to identify vulnerabilities in cloud infrastructure that lead to data breaches [ 14 ]. It helps organizations enhance security and recover compromised or deleted data in complex environments [ 15 ]. However, experts face technological and legal challenges in cross-border data governance, necessitating collaboration with cloud service providers. Cloud forensics is crucial in investigating incidents, preserving evidence, mitigating fallout, safeguarding sensitive data, and upholding trust in the digital ecosystem [ 14 , 15 ].
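The collection and preservation phases described above hinge on being able to show later that evidence has not changed. The following is an added example (not code from the paper): it hashes a constructed cloud audit-log object at collection time, records a custody entry, seals the manifest with an HMAC under a placeholder key, and verifies both the object and the manifest afterwards.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample: one line as it might be exported from a cloud audit log.
# This content is made up for the example and is not data from the paper.
SAMPLE_OBJECT = b"2023-11-05T08:12:44Z user=alice action=download key=finance/q3.xlsx\n"


def acquire(name: str, data: bytes, collector: str) -> dict:
    """Collection phase: hash the object exactly as received and open a custody record."""
    return {
        "object": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(record: dict, data: bytes) -> bool:
    """Preservation check: evidence counts as intact only if its hash still matches."""
    current = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(current, record["sha256"])


def seal_manifest(records: list, key: bytes) -> str:
    """Sign the custody manifest so that edits to the records themselves are detectable.
    The HMAC key is an assumption of this example (in practice kept by the custodian)."""
    body = json.dumps(records, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": records, "hmac_sha256": tag})


def check_manifest(sealed: str, key: bytes) -> bool:
    """Re-derive the HMAC over the stored manifest and compare it with the stored tag."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac_sha256"])


if __name__ == "__main__":
    key = b"placeholder-custody-key"
    rec = acquire("audit-log.txt", SAMPLE_OBJECT, "analyst")
    sealed = seal_manifest([rec], key)
    print("object intact:", verify(rec, SAMPLE_OBJECT))
    print("object after edit:", verify(rec, SAMPLE_OBJECT.replace(b"alice", b"bob")))
    print("manifest intact:", check_manifest(sealed, key))
    print("manifest after edit:", check_manifest(sealed.replace("analyst", "mallory"), key))
```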

Contributions

The contributions of this paper lie in its comprehensive exploration and analysis of the intricate realm of cloud digital forensics. The article presents an organized framework that delves into not only the fundamental concepts of cloud computing but also the crucial aspects of cloud security and its distinctive relationship with cloud forensics. By thoroughly examining the cloud digital forensic process model, the article highlights the essential stages of identification, preservation, collection, examination, analysis, and presentation, thereby providing a holistic understanding of the complexities involved in this domain. Furthermore, this paper meticulously investigates the challenges associated with cloud forensics, ranging from the identification phase to the presentation phase, shedding light on the intricacies and potential bottlenecks that forensic investigators might encounter. Additionally, the exploration of cloud legal and privacy concerns, along with the projection of the cloud digital forensics compound annual growth rate, further contributes to the comprehensive understanding of the dynamic landscape and its evolving trends. Finally, by identifying open problems and presenting future trends, this paper offers valuable insights into the potential advancements and emerging research directions in the field of cloud digital forensics.

This article is organized as follows: Section 1 presents the introduction; Section 2 focuses on related work; Section 3 explores cloud computing; Section 4 discusses cloud services and regulations; Section 5 explores cloud digital forensics; Section 6 explores cloud forensic challenges; Section 7 examines cloud legal and privacy concerns; Section 8 focuses on compound annual growth; Section 9 discusses open research problems; Section 10 focuses on handling emerging cloud digital forensic challenges; and Section 11 presents our conclusions and future work.

2. Related Surveys

Cloud computing has notably transformed every segment of our lives and the way of doing business. However, several data protection and security concerns are associated with cloud computing. Many studies have been conducted on data protection and security issues in cloud computing. These research works have emphasized the risks and vulnerabilities in cloud computing and also proposed some solutions, with cloud forensics being one of them. Cloud forensics not only helps in identifying vulnerabilities but also assists in recovering lost data. Ramachandra [ 16 ] discussed security implications based on deployment and delivery models in cloud computing. Moreover, he highlighted general vulnerabilities, attacks, and threats, and also proposed some countermeasures like end-to-end encryption and scanning for malicious activities. Mozumder [ 17 ] investigated and analyzed real-world cloud attacks and proposed prevention techniques against such malicious activities. M. Ahmed [ 18 ] presented a taxonomy of cloud threats. He also described six detailed case studies of cloud data breaches, which demonstrated some of the threats identified in the taxonomy. Furthermore, he applied recent cases of cloud data breaches to the taxonomy to establish whether the taxonomy holds true or not. Srijita Basu [ 19 ] covered essential cloud security loopholes in their study and emphasized the importance of understanding these security flaws to devise better countermeasures. The author also conducted a comparative analysis of various cloud security models. One of the many threats to data in the cloud environment is a data breach, which is either an intentional or unintentional disclosure of confidential information to a suspicious environment. Monjur et al. [ 20 ] presented a study on cloud data breaches in which they discussed that root factors for a data breach could be both technological and human factors, where most of the time technical factors could be predicted and not human factors as they are dynamic. Since cloud technology delivers on-demand services pertinent to software, platforms, or infrastructure, it is susceptible to numerous types of data breaches. Depending on the kind of data involved, a data breach can result in the destruction or corruption of databases, leakage of classified information, and theft of patents. To track down the potential origin of the data spill, determine what data were compromised, and estimate the total damage or loss caused by the data spill, cloud forensics are needed. Manral et al. [ 21 ] presented an extensive survey on cloud forensics classified based on a five-step forensic investigation procedure, discussing in-depth both challenges faced by investigators during cloud forensic investigation and existing cloud forensic solutions. Lei Chen et al. [ 22 ] examined novel cloud forensic approaches and tools with the intent to assist cloud forensic experts in forensic investigation procedures in the cloud environment as new threats arise. Khanafseh et al. [ 10 ] presented a detailed study on various architectures and solutions in all classes of digital forensics, with a particular focus on cloud forensics. Moreover, they discussed the limitations and drawbacks of existing forensic solutions, providing future research directions. Khan and Varma [ 23 ] focused their research on evidence collection and cloud forensic architecture, also implementing a machine learning-based forensic method for the SaaS and PaaS delivery architecture. A fundamental issue often faced by forensic investigators in an investigation is how to carefully and efficaciously collect, preserve, and analyze digital evidence. Fei Ye et al. [ 24 ] identified an important challenge that had not been adequately addressed so far in the published literature, that is, the credibility of cloud evidence in a multi-tenant cloud environment. Hence, they proposed a forensics tamper-proof framework (TamForen) for cloud forensics, which could be used in an unreliable cloud environment. The framework depends entirely on the cloud forensics system, independent of the daily cloud activities, implemented on a multi-layer compressed counting bloom filter (MCCBF). Intrusion detection is one of the major concerns in cloud forensics. Sebastian et al. [ 25 ] studied the challenges of cybercrimes in rapidly growing cloud computing. Traditional digital forensic methods were insufficient for investigating evidence in cloud platforms. They defined evaluation criteria for digital forensic techniques in IaaS, PaaS, and SaaS models, identifying gaps that require further research. Tummalapalli and Chakravarthy [ 26 ] proposed an intrusion detection framework for cloud forensics based on a two-level gravitational group search-based support vector neural network classifier with clustering and a low false-positive rate. Purnaye and Kulkarni [ 27 ] proposed a more generic level taxonomy of cloud forensics solutions and strategies that would help researchers gain more knowledge in this field of study. A comprehensive examination was conducted by Alenezi et al. [ 28 ] to identify and analyze the prominent challenges encountered in the domains of digital and cloud forensics. The review encompasses a wide spectrum of issues, including data acquisition, analysis, preservation, privacy concerns, and legal complexities. Emphasizing the critical nature of these challenges, this study underscores the imperative to address them effectively, thus ensuring the optimal utilization of digital and cloud forensics in investigative processes.

Table 1 underscores the significant impact of cloud computing on various aspects of life and business while acknowledging the emergence of numerous data protection and security concerns. The studies discussed in this review shed light on the vulnerabilities and risks in cloud computing, prompting the need for specialized cloud forensics and data provenance solutions to address these challenges. Through comprehensive analyses, these research works focused on security issues, cyber-attacks, and countermeasures, particularly within distinct cloud service models. Furthermore, the review highlighted high-profile data breach cases, revealing the urgency to strengthen cloud forensics practices and security measures to combat financial losses and compromised data. It emphasizes the continuous requirement for further research and innovative advancements in the field of cloud forensics to ensure the secure and efficient utilization of cloud computing while mitigating inherent security risks.

Table 1. Related studies on cloud forensics. An X marks a topic covered by the study (topic columns: Breaches, Tools, Challenges, Security Aspects, Legal and Privacy Concerns, CAGR).

| Sr. No | Authors | Breaches / Tools / Challenges / Security Aspects / Legal and Privacy Concerns / CAGR |
| --- | --- | --- |
| 1 | Ramachandra [ ] | XX |
| 2 | Mozumder [ ] | XXXX |
| 3 | M. Ahmed [ ] | XXXX |
| 4 | Srijita Basu [ ] | XXX |
| 5 | Monjur et al. [ ] | XXXX |
| 6 | Manral et al. [ ] | X |
| 7 | Lei Chen et al. [ ] | X |
| 8 | M Khanafseh et al. [ ] | XX |
| 9 | Y Khan and S Varma [ ] | XX |
| 10 | Fei Ye et al. [ ] | X |
| 11 | Sebastian et al. [ ] | X |
| 12 | Tummalapalli and Chakravarthy [ ] | XXX |
| 13 | Purnaye and Kulkarni [ ] | XXX |
| 14 | Alenezi et al. [ ] | X |
| 15 | | |

3. Cloud Computing

Cloud computing is a revolutionary approach in information technology that leverages the internet to provide on-demand computing resources, transforming how data is stored, accessed, and processed [ 29 ]. This paradigm shift eliminates the reliance on local servers, allowing seamless access to applications, storage, and computing power from remote data centers. The three main service models within cloud computing are infrastructure as a service (IaaS), offering high control over infrastructure; platform as a service (PaaS), abstracting control for application development; and software as a service (SaaS), providing minimal control as users access hosted software applications [ 30 ]. The control levels of customers vary across different cloud service models, as shown in Figure 2 a. Cloud computing, depicted in Figure 2 b, empowers organizations and individuals by offering unparalleled scalability, flexibility, and cost-effectiveness. It continues to drive innovation, collaboration, and success in today’s fast-paced, data-driven world while opening up new possibilities for digital transformation, artificial intelligence, and advanced data analytics.

Figure 2. Architecture of cloud computing. (a) The variability of customer control levels across various cloud service models. (b) Cloud computing architecture.

3.1. Various Aspects of Data Security and Protection in the Cloud

Cloud security is crucial for businesses relying on cloud computing for essential services like data storage and processing. A robust approach includes strong access controls, encryption techniques, and continuous network traffic monitoring. Proactive patch management, security audits, and vulnerability assessments are essential for maintaining system integrity [ 31 ]. As cyber threats evolve, proactive countermeasures like intrusion detection systems and SIEM tools become essential [ 32 ]. A well-established cloud security strategy fosters user trust and ensures data protection [ 33 ]. Adherence to legal requirements and sector-specific standards, such as HIPAA in healthcare or GDPR in Europe, is also essential for maintaining client confidence in cloud systems [ 34 ]. These security aspects are discussed and summarized in Table 2 for quick reference.

Table 2. Summary of various aspects of data security and protection in the cloud.

| Sr. No. | Aspect | Description |
| --- | --- | --- |
| 1 | Confidentiality | Data access restricted to authorized users. |
| 2 | Integrity | Data remains uncorrupted and in its original form. |
| 3 | Availability | Reliable access to data for authorized users. |
| 4 | Privacy | Protection of private data from unauthorized access. |
| 5 | Data encryption | Use of encryption for confidentiality and privacy. |
| 6 | Identity and access management (IAM) | Secure access to cloud resources, including authentication and access rights management. |
| 7 | Information protection | Classification and protection of sensitive data. |
| 8 | Shared responsibility model | Distribution of security responsibilities between CSP and organizations. |
| 9 | Malicious insiders | Mitigation of insider data risks. |
| 10 | Intentional data remanence | Secure removal of data from storage. |
| 11 | Business continuity plan | Data backup and recovery strategies. |
| 12 | Data segregation/multi-tenant services | Multiple copies of data in different storage locations. |
| 13 | Data loss prevention (DLP) | Protection against data loss and theft. |
| 14 | Data protection compliance recommendations | Policies for regulatory compliance. |

  • Security objectives: In cloud computing, data are stored in remote locations, the physical locations of which are unknown and managed by the service provider. The risk factor here is that data may become compromised. Confidentiality is one of the hottest topics these days. Confidentiality means data can only be accessed by authorized users. Preservation of confidentiality increases the trust level of customers in the cloud service providers (CSPs) [ 35 ]. Integrity states that there should be no corruption or modification to the data placed in a remote location. Only authorized users and the data owner can recognize that data are in their original form and, after authorized modification, the latest version should be available. This ensures that the data are trustworthy and consistent [ 36 ]. Availability ensures that at the time of access, reliable access to the entire data is available for authorized users [ 37 ]. Data privacy refers to the extent of information a user wants to share publicly, and private data should remain inaccessible to anyone on the internet [ 38 ].
  • Methods to achieve security objectives: Data confidentiality is safeguarded through encryption, where a private key transforms the data into an incomprehensible format during transmission. The security of this process hinges on the complexity of the key, affecting decryption time [ 39 ]. In cloud computing, identity-based encryption (IBE) verifies the identities of receivers during decryption for varied data access [ 40 ]. Alternatively, attribute-based encryption (ABE) links decryption to specific user attributes, allowing access only if attributes match, thereby enhancing data security [ 40 ].
  • Identity and access management (IAM): Identity and access management (IAM) is a security feature in cloud computing that ensures secure access to cloud resources while maintaining the CIA (confidentiality, integrity, and availability) triad. It verifies user identity through federated directory services or directory as a service (DaaS) using SSO (single sign-on), authenticates login using modern authentication features, and grants access based on access rights defined through the CSP (cloud service provider) management console [ 41 ]. IAM also includes role-based access control (RBAC) and privileged access management (PAM), allowing users to access resources based on their roles and administrative control [ 42 ].

Figure 3. Microsoft Azure information protection.

Figure 4. Cloud-shared responsibility model.

  • Malicious insiders: Insider risk is one of the major data risks nowadays. Competitors may hire such employees, or some employees might, for personal benefit, provide data or their passwords to outside users to access data on their behalf. To mitigate this, security policies like Azure information protection, multi-factor authentication, data classification, etc., are deployed to secure data within organizational boundaries [ 45 ].
  • Intentional data remanence: This occurs when data removed from the data servers or cloud data repository still reside somewhere in internal memory or cache, from which they can be recovered by competitors. CSPs provide a feature that automatically runs a removal cycle after a specific period to clear such data from memory [ 46 ].
  • Recovery point objective (RPO): A policy is defined to store a copy of the critical data in a remote location with minimum RTO (recovery time objective). In cases of ransomware or cyber-attacks, when data services go down and data become unavailable, CSPs provide disaster recovery plans, and customization options are also available. Data recovery depends on cost, RPO, latency, and geographic separation. Organizational IT representatives, along with other stakeholders, work to reduce these dependencies to achieve maximum RPO with minimum RTO. In case of any incident, a proper incident plan should be followed, and a report must be generated [ 47 ].
  • Data segregation/multi-tenant services: The CSP provides a multi-tenancy feature in which multiple copies of data are created and stored at different storage locations. If a cyber-attack takes one storage location down, the data remain available to the authorized user from another storage location [ 48 ].
  • Data loss prevention: Data loss prevention (DLP) protects sensitive data at rest, in transit, and on endpoints to mitigate the risk of data loss, data theft, and cyber-attacks. The two most significant features are data classification and CASB (cloud access security broker). In data classification, rules are defined based on keywords; when any listed keyword is found in a file, the CSP processes that file according to predefined rules. CASB acts like a proxy server that monitors all activities and enforces the security policies defined by the CSP. With the emergence of BYOD and the rising aspect of shadow IT, tools like CASB must be implemented to add a security layer for data protection [ 49 , 50 ].
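The keyword-driven data classification step of DLP described in the last bullet, as an added example that is not code from the paper or from any CSP product: a small rule set maps keywords (and, going one step beyond the text, a regular-expression pattern) to a sensitivity label and the predefined action the policy applies, with the highest-priority matching rule winning. The rule set, sample files and action names are all constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    label: str        # sensitivity label assigned when the rule fires
    priority: int     # higher wins when several rules match one file
    action: str       # predefined handling applied by the policy
    keywords: tuple   # case-insensitive substrings
    patterns: tuple = ()  # optional regular expressions


# Constructed rule set for the example; a real policy would be organization-specific.
RULES = (
    Rule("restricted", 3, "block_share",
         ("merger", "acquisition", "source code"),
         (r"\b\d{3}-\d{2}-\d{4}\b",)),          # constructed SSN-like pattern
    Rule("confidential", 2, "encrypt", ("salary", "patient", "contract")),
    Rule("internal", 1, "log_only", ("internal use only", "draft")),
)


def classify(text: str, rules=RULES) -> dict:
    """Return the label, action and matched terms for one file's content.

    Every rule is evaluated so the report lists all hits; the action comes from
    the highest-priority rule, and files with no hits are treated as public.
    """
    lowered = text.lower()
    hits = []
    for rule in rules:
        matched = [k for k in rule.keywords if k in lowered]
        matched += [p for p in rule.patterns if re.search(p, text)]
        if matched:
            hits.append((rule, matched))
    if not hits:
        return {"label": "public", "action": "allow", "matched": []}
    best, matched = max(hits, key=lambda h: h[0].priority)
    return {"label": best.label, "action": best.action, "matched": matched}


def scan_files(files: dict) -> dict:
    """Classify a mapping of file name to content, as a DLP scan over a share would."""
    return {name: classify(body) for name, body in files.items()}


# Constructed sample files (made up for the example).
SAMPLE_FILES = {
    "memo.txt": "Internal use only: draft agenda for Monday.",
    "hr.csv": "name,salary\nalice,90000\n",
    "deal.docx": "Proposed acquisition terms, counterparty SSN 123-45-6789",
    "readme.md": "Project overview, nothing sensitive here.",
}


if __name__ == "__main__":
    for name, result in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {result['label']} -> {result['action']} (matched {result['matched']})")
```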

3.2. Data Protection Compliance Recommendations

To ensure compliance with data protection authority regulations, organizations should implement the following recommendations or policies [ 51 ]: an IAM policy, a disaster recovery plan, a data loss prevention policy, a data encryption policy, an incident response and risk management plan, vulnerability and penetration testing, a data resiliency plan, regular audits, email security, a network defense policy, controlled use of administrative rights, and regular security awareness sessions.

3.3. Attacks and Solutions

Data breaches, which can reveal sensitive information to unauthorized parties, have seen a significant increase from 2020 to 2022, with 1108 reported breaches in 2020 and 1862 in 2021. In 2022, there were 1802 breaches, indicating a slight decrease [ 52 ], as shown in Figure 5 . The 2023 Data Breach Report revealed a significant surge in publicly reported data compromises, with 951 incidents reported in the most recent quarter, a 114% increase from the previous quarter. These statistics highlight the evolving nature of data security challenges in the cloud, requiring increased vigilance and proactive measures to protect sensitive information. Some high-profile data breach cases in the cloud are listed in Table 3 [ 53 , 54 ]:

Figure 5. Incidents of data breaches in the cloud environment.

Table 3. High-profile data breach cases in the cloud.

| Year | Organization | Vulnerability | Data Loss | Financial Loss |
|---|---|---|---|---|
| 2010 | Microsoft | A configuration issue within its Business Productivity Online Suite (BPOS) | Employee contact data for a small number of users were stolen | Around USD 1 million |
| 2012 | Dropbox | End users and their security settings | 68 million user accounts were compromised | Unknown |
| 2014 | Home Depot | An attack exploited Home Depot's point-of-sale terminals | Information from 56 million credit cards was stolen | Over USD 100 million |
| 2016 | National Electoral Institute of Mexico | Unsecured database published online | 93 million voter registration records were compromised | Unknown |
| 2016 | Uber | Credentials exposed in a code repository were used to access cloud storage | 57 million users' data and about 600,000 drivers' license numbers were exposed | USD 148 million |
| 2017 | Yahoo | Session hijack | 3 billion user accounts compromised | USD 4.5 million |
| 2021 | LinkedIn | Data scraping | 700 million user records posted for sale on the dark web | USD 5 million |
| 2021 | Microsoft | Misconfigured default permissions in Microsoft Power Apps portals left data exposed without proper access controls | Over 38 million records from organizations using Power Apps portals were exposed, including email addresses, account IDs, and support case details | Unknown |
| 2022 | TBC Corporation | Misconfigured AWS S3 bucket | Approximately 17,000 customer records, including personally identifiable information (PII) such as names, addresses, and phone numbers | Est. USD 1.5 million |
| 2022 | Volkswagen Group of America | Exposed Elasticsearch cluster | Over 3.3 million records, including employee names, email addresses, and some customer data, were exposed | Est. USD 5 million |
| 2023 | Microsoft Cloud | Forged authentication tokens | Espionage, data theft, and credential access, primarily targeting government agencies in Western Europe | Unknown |
| 2023 | LastPass | Targeted attack on a DevOps engineer's home computer using a vulnerability in the Plex media server package | Password vaults with encrypted and plaintext data of 25 million users were obtained; exposed seed phrases used for cryptocurrency investments led to significant theft | USD 35 million worth of cryptocurrency |

Financial losses from high-profile cloud data breaches are shown in Figure 6 to understand their global impact on world-class organizations.

Figure 6. Financial losses from high-profile cloud data breaches.

To counteract data breaches and security vulnerabilities in a cloud environment, as shown in Table 3 , the following solutions are recommended:

  • Data encryption and privacy preservation: Utilize advanced encryption techniques to secure data during transmission and while at rest, rendering sensitive information unreadable and unusable in case of unauthorized access [ 68 ]. However, it is vital to acknowledge the limitations of encryption in isolation. The LastPass password manager data breach [ 67 , 69 ] serves as a significant case, demonstrating that encryption, while fundamental, might not guarantee absolute protection. This breach underscores the importance of complementing encryption with robust additional security measures, such as multi-factor authentication, stringent access controls, routine security assessments, and proactive breach response strategies. By integrating encryption within a comprehensive security framework, organizations can enhance their resilience against potential vulnerabilities and address evolving threats more effectively.
  • Access control and identity management: Implement strict access controls based on the principle of least privilege, limiting user access to necessary data and services. Enforce multi-factor authentication (MFA) to add an extra layer of security to user accounts [ 70 , 71 ].
  • Proactive security audits and vulnerability assessment: Conduct regular security audits and vulnerability assessments to identify potential weaknesses promptly. Penetration testing should be employed to simulate real-world attacks and uncover hidden vulnerabilities [ 72 ].
  • Timely patch management: Keep software and applications updated with the latest security patches to prevent the exploitation of known vulnerabilities by malicious actors.
  • Real-time security monitoring and incident response: Employ robust monitoring tools and intrusion detection systems to detect abnormal activities early. Establish a comprehensive incident response plan that outlines communication protocols, containment strategies, and recovery techniques.
  • Employee education and training: Continuously educate and train employees in security awareness, familiarizing them with potential threats, phishing attacks, and best practices in data protection.
  • Vendor assessment and compliance: Rigorously assess third-party cloud providers to ensure that their security practices, certifications, and compliance align with the organization's own security framework and the shared-responsibility boundary agreed with the provider [ 73 ].

3.4. Incident Response in the Cloud

Cloud forensics is crucial in incident response strategies; it draws on real-time monitoring and detection across cloud services. It helps organizations identify potential threats, assess the extent of breaches, and gather digital evidence for analysis. Immediate action is essential to contain the incident, minimize damage, and preserve digital evidence. Key steps to be taken during a cloud security breach include:

  • Isolate affected resources: Swiftly isolate compromised resources within the cloud environment to prevent the breach from spreading further.
  • Alert relevant teams: Notify the incident response team, IT personnel, and pertinent stakeholders to ensure a coordinated response.
  • Collect evidence: Initiate the collection of digital evidence related to the breach, which may involve capturing logs, system snapshots, and network traffic data.
  • Preserve evidence: Maintain the integrity and chain of custody of digital evidence by adhering to best practices in forensic data handling.
  • Forensic analysis: Engage cloud forensic experts to conduct a comprehensive analysis of the collected evidence. This analysis aims to delineate the breach’s scope, pinpoint vulnerabilities, and elucidate the methods and motivations of the attacker.
  • Containment and remediation: Formulate and implement a strategy to contain the breach, remove malicious elements, and remediate vulnerabilities to prevent future incidents.
  • Legal and regulatory compliance: Comply with relevant legal and regulatory obligations, including breach notification requirements that may vary based on jurisdiction and industry.
  • Communication: Maintain open and transparent communication with stakeholders, including customers, partners, and regulatory authorities, providing updates on the incident, its repercussions, and the steps being taken to address it.

3.5. Cloud Security vs. Cloud Forensics: Understanding the Distinction

Cloud security and cloud forensics are two distinct domains in cloud computing; see [ 74 ] and Alenezi et al. [ 75 ]. Cloud security focuses on proactive measures to protect data and resources, including network security, data encryption, and access control, and aims to prevent unauthorized access, data breaches, and potential threats [ 76 ]. Cloud forensics, on the other hand, is a reactive approach that investigates and analyzes incidents, breaches, or unauthorized activities, helping organizations learn from breaches and improve their security posture; incorporating it into a comprehensive security strategy is essential to address threats such as data breaches, DDoS attacks, and insider misconduct. Cloud security and digital forensics share many techniques, but digital forensics strictly adheres to legal guidelines so that its results are admissible in court, and privacy law shapes what may be examined, for instance when a judge authorizes scrutiny of specific data. Digital investigation [ 77 ] shares its methods with digital forensics but does not necessarily meet the same legal prerequisites for court admissibility: it covers broader inquiries into digital systems, data analysis, and potential security breaches without the legal mandate required of forensic evidence. Although it may not require the same authorization, digital investigation remains pivotal for uncovering insights, understanding incidents, and strengthening organizational security. The distinction lies in the legal context: digital forensics must ensure compliance and admissibility within legal frameworks, whereas digital investigation focuses on thorough exploration and analysis of digital systems without those requisites. Table 4 provides a concise summary comparing cloud security and cloud forensics.

Table 4. Comparison between cloud security and cloud forensics.

| Aspect | Cloud Security | Cloud Forensics |
|---|---|---|
| Focus | Proactive measures and strategies to safeguard data and resources stored in the cloud | Reactive approach, investigating and analyzing incidents, breaches, or unauthorized activities within the cloud after they have occurred |
| Key objective | Prevent unauthorized access, data breaches, and potential threats | Investigate incidents, understand their nature and extent, and enhance overall security readiness |
| Key components | Network security measures such as firewalls, robust data encryption protocols, and access control mechanisms that protect data at rest and in transit | Specialized tools for digital evidence collection and analysis, including data acquisition and data interpretation software, used to reconstruct the sequence of events in a security incident |
| Role in incident response | Establishes a robust defense to prevent security incidents and breaches; focuses on proactive measures that minimize the likelihood of incidents occurring in the first place | Identifies the root causes of security incidents, supports holding responsible parties accountable, and informs preventive measures; collects and analyzes digital evidence post-incident |
| Typical activities | Implementing security layers, including network security and data encryption | Collecting and analyzing digital evidence; post-incident analysis |
| Expertise required | Security professionals, network administrators | Digital forensic analysts, incident responders |
| Time frame | Ongoing process to maintain security | Typically initiated after a security incident occurs |

4. Cloud Services and Regulatory Landscape

Organizations from all sectors are increasingly turning to cloud service providers (CSPs) to address their needs for IT infrastructure, data storage, and software, in an era defined by digital transformation. The use of cloud services has reached previously unheard-of levels due to the appeals of cost reductions, scalability, and flexibility. But these changes are also accompanied by a complicated regulatory environment that demands a thorough knowledge of both technology and compliance. In this investigation, we examine how laws and cloud services interact, concentrating on the regulatory bodies in charge of this complex area. Several regulatory bodies around the world play crucial roles in overseeing and shaping the cloud services landscape:

  • European Union Agency for Cybersecurity (ENISA): ENISA is entrusted with enhancing the overall cybersecurity of the European Union. It produces guidelines, recommendations, and best practices to address cybersecurity and regulatory challenges related to cloud services within the EU [ 78 ].
  • General Data Protection Regulation (GDPR): While not a regulatory body itself, GDPR is a landmark data protection regulation established by the EU [ 79 ]. It has significant implications for cloud services by setting stringent standards for the processing and protection of personal data, even when they are stored or processed in the cloud.
  • National Institute of Standards and Technology (NIST): NIST [ 80 ], under the U.S. Department of Commerce, provides a comprehensive framework for cloud computing that covers security, privacy, and interoperability. Their guidelines assist organizations in managing cloud-related risks effectively.
  • International Organization for Standardization (ISO): ISO has developed various standards addressing cloud services, such as ISO/IEC 27017 [ 81 ] for security controls and ISO/IEC 27018 [ 82 ] for protecting personal data in the cloud. These standards offer a global benchmark for cloud-related best practices.
  • Cloud Security Alliance (CSA): Although not a regulatory body, CSA [ 83 ] is an industry association that produces research, tools, and best practices to help organizations address cloud security challenges. Their guidance aids both cloud service providers and users in navigating security concerns.
  • Federal Risk and Authorization Management Program (FedRAMP): Operated by the U.S. government, FedRAMP standardizes the security assessment and authorization process for cloud services used by federal agencies [ 84 ]. It ensures that cloud services meet stringent security requirements.
  • Monetary Authority of Singapore (MAS): Although a financial regulator, MAS has issued guidelines on the adoption of cloud services by financial institutions [ 85 ] that are consulted well beyond finance. These guidelines offer insights into managing risk and maintaining regulatory compliance while adopting cloud technology.

A comparison of these regulatory bodies is presented in Table 5 .

Table 5. Comparative analysis of cloud regulatory bodies.

| Regulatory Body | Geographical Focus | Key Regulations | Compliance Requirements | Certification Programs | Enforcement |
|---|---|---|---|---|---|
| GDPR | European Union | Data protection, privacy rights | Consent management, data breach notification | GDPR certification | Fines up to 4% of global turnover |
| HIPAA | United States | Healthcare data privacy, security standards | Protected health information (PHI) safeguards | HIPAA compliance certification | Fines up to USD 1.5 million per violation |
| ISO/IEC 27001 | International | Information security management | Risk assessment, security controls | ISO/IEC 27001 certification | Audits and certifications |
| FedRAMP | United States | Cloud service providers (CSPs) for federal agencies | Security controls, continuous monitoring | FedRAMP authorization | Ongoing assessments, authorization reviews |
| CSA STAR | International | Cloud security, risk management | Security controls, transparency | CSA STAR certification | Self-assessment and third-party audit |
| ENISA | European Union | Cybersecurity guidelines, best practices | Compliance frameworks, regulatory challenges | - | Guideline adherence |
| NIST | United States | Cloud framework (security, privacy, interoperability) | Risk management, compliance measures | - | Guideline adherence |
| MAS | Singapore | Cloud guidelines for financial institutions | Risk management, regulatory compliance | - | Financial compliance |

5. Cloud Digital Forensics

Cloud digital forensics is a specialized field that tackles cybercrime investigations in cloud environments, navigating multi-jurisdictional scenarios and evidence preservation protocols [ 88 ]. Its complexity is further exacerbated by the concept of multi-tenancy, and the evolving techniques and methodologies employed by cloud forensic experts [ 89 , 90 ].

5.1. The Cloud Digital Forensic Process Model

The National Institute of Standards and Technology (NIST) defines digital forensics as a meticulous process that encompasses the recovery, preservation, and analysis of digital data with meaningful applications in criminal investigations and prosecutions [ 91 ]. This process is equally applicable to cloud digital forensics, which involves addressing the unique challenges posed by cloud environments. The investigation journey in cloud forensics can be distilled into four pivotal stages [ 92 ], each contributing to the comprehensive understanding of a digital incident, as outlined below and depicted in Figure 7 . The forensic process consists of the following steps:

  • Identification: Cloud forensics involves identifying and locating relevant cloud-based systems and applications, examining the service provider, services, and data types. Detecting crimes in the cloud is more challenging than traditional forensics, often starting with unauthorized resource usage complaints. New methods are needed to efficiently use existing tools and isolate cloud evidence.
  • Preservation: The preservation stage is crucial for safeguarding digital evidence’s integrity, ensuring its legal use. It involves systematic data capture, secure storage, and documentation, acting as a digital custodian.
  • Examination and analysis: The analysis phase in cloud forensics involves using tools and methodologies to examine digital evidence, uncovering insights through log files, network activity patterns, metadata decoding, and data recovery. This phase requires technical prowess and a discerning eye.
  • Presentation: Cloud forensics aims to present investigative findings in a clear, concise manner, leveraging information as credible evidence in legal proceedings. This involves creating comprehensive reports, using visual aids, and offering expert testimony.

Figure 7. The cloud digital forensics process.

Cloud forensic procedures must adapt to diverse service delivery and deployment models, ensuring the integrity of collected evidence [ 93 ]. Rapid evolution of cloud environments necessitates timely capture and retention of evidence to prevent gaps in the evidential trail. Validation of cloud-based evidence in legal proceedings is essential, and techniques like hash codes, digital signatures, and encryption enhance confidence in the veracity of evidence. The robustness of evidence credibility is based on its secure preservation [ 94 ].
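The "collect evidence" and "preserve evidence" steps of Section 3.4, and the hash-and-signature validation of evidence described above, as an added example that is not code from the paper: a chain-of-custody manifest that streams each collected artifact through SHA-256, records who collected it and when, and protects the whole manifest with an HMAC so that a later change to any hash, timestamp or case field is detectable. The artifacts, case identifier, collector name and key are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id: str, collector: str, signing_key: bytes) -> dict:
    """Hash each artifact, record who collected it and when, and MAC the result.

    The HMAC binds hashes, timestamps and case metadata together: anyone who
    holds the key can prove the manifest is the one written at collection time.
    """
    body = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }
    serialized = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(signing_key, serialized.encode(), hashlib.sha256).hexdigest()
    return {"body": serialized, "hmac_sha256": tag}


def verify_manifest(manifest: dict, signing_key: bytes) -> bool:
    """True only if the manifest body is byte-for-byte what was authenticated."""
    expected = hmac.new(signing_key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac_sha256"])


def check_artifacts(manifest: dict) -> list[str]:
    """Re-hash every artifact and return the paths whose contents changed."""
    body = json.loads(manifest["body"])
    return [a["path"] for a in body["artifacts"] if sha256_file(a["path"]) != a["sha256"]]


def demo() -> dict:
    """Collection, verification and tamper detection on constructed artifacts."""
    key = b"per-case-secret-held-by-the-evidence-custodian"  # assumption: kept out of band
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "cloudtrail-2024-03-05.json")
        snap = os.path.join(d, "vm-snapshot.raw")
        with open(log, "w") as f:
            f.write('{"eventName":"StopLogging"}\n')        # constructed artifact
        with open(snap, "wb") as f:
            f.write(bytes(range(256)) * 64)                  # constructed artifact
        manifest = build_manifest([log, snap], "CASE-0001", "analyst@example.org", key)
        intact = verify_manifest(manifest, key) and check_artifacts(manifest) == []
        with open(log, "a") as f:                            # someone edits the log later
            f.write('{"eventName":"StartLogging"}\n')
        changed = check_artifacts(manifest)
        forged = dict(manifest, body=manifest["body"].replace("CASE-0001", "CASE-0002"))
        return {
            "intact_before_tamper": intact,
            "changed_after_tamper": [os.path.basename(p) for p in changed],
            "forged_manifest_verifies": verify_manifest(forged, key),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An HMAC proves integrity only to parties who share the key; for evidence that must convince a court, the manifest is signed with the collector's asymmetric key and, ideally, countersigned by an independent timestamping service, but the hashing and verification steps are the same.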

5.2. Cloud Digital Forensics Tools and Technologies

In the realm of cloud digital forensics, the availability of specialized tools plays a pivotal role in facilitating investigations within cloud computing environments. This section offers a comprehensive exploration of prominent cloud digital forensics tools, also listed in Table 6 , delineating their key functionalities and significance in uncovering digital evidence.

Table 6. Summary of digital forensic tools and their features.

| Category | Tools | Features |
|---|---|---|
| Cloud digital forensic tools | Magnet AXIOM Cloud | Comprehensive cloud data collection and analysis |
| | Cellebrite UFED Cloud Analyzer | Acquisition and analysis of data from cloud accounts |
| | Mandiant CloudLens | Visibility into cloud environments for security |
| | Volatility Framework | Memory forensics framework for virtual machines |
| | AccessData Cloud Extractor | Collection and preservation of digital evidence |
| | Oxygen Forensic Cloud Extractor | Supports over 20 cloud services for forensics |
| | Autopsy | Open-source digital forensics platform |
| | BlackBag BlackLight | Analysis of data from devices and cloud services |
| | X-Ways Forensics | Examination of evidence from cloud storage, email, etc. |
| | Azure Security Center | Threat protection in Azure and hybrid environments |
| | AWS CloudTrail | API call logs in AWS accounts for forensic analysis |
| Offline digital forensic tools | EnCase Forensic | Comprehensive forensic software for evidence |
| | AccessData Forensic Toolkit (FTK) | Tool for collecting, analyzing, and examining data |
| | Forensic Falcon | Hardware-based solution for offline and live forensics |
| | Paladin Forensic Suite | Live forensic system bootable from a USB drive |
| | Digital Evidence and Forensics Toolkit (DEFT) | Linux distribution for digital forensics |
| | Bulk Extractor | Command-line tool for scanning disk images |
| | Digital Forensics Framework (DFF) | Open-source, modular and extensible framework for conducting forensic investigations |

  • Magnet AXIOM cloud: This tool offers comprehensive cloud data collection and analysis capabilities [ 95 ]. It supports various cloud services like AWS, Azure, and Google Cloud, allowing users to recover, examine, and preserve cloud-based evidence.
  • Cellebrite UFED cloud analyzer: The UFED cloud analyzer enables the acquisition and analysis of data from cloud accounts, including social media, email, and storage services [ 96 ]. It supports a wide range of cloud providers and helps in uncovering digital evidence.
  • Mandiant CloudLens: This tool by Mandiant, a FireEye company, provides visibility into cloud environments for security purposes [ 97 ]. It helps in detecting and investigating threats by monitoring cloud activities and analyzing logs.
  • Volatility framework: Although not exclusively for the cloud, Volatility is a popular open-source memory forensics framework [ 98 ]. It is used to analyze memory dumps of virtual machines, including those in cloud environments, to identify signs of compromise.
  • AccessData cloud extractor: This tool facilitates the collection and preservation of digital evidence from cloud storage services, social media platforms, and webmail providers [ 99 ]. It assists in building a comprehensive picture of a user’s online activities.
  • Oxygen forensic cloud extractor: Oxygen forensic cloud extractor [ 100 ] supports over 20 cloud services, enabling investigators to gather data from cloud storage, social media, and email accounts for digital forensics purposes.
  • Autopsy: While not exclusively designed for cloud forensics [ 101 ], Autopsy is an open-source digital forensics platform that allows examiners to analyze evidence from various sources, including cloud storage services.
  • BlackBag BlackLight: BlackLight [ 102 ] is a digital forensics solution that supports the analysis of data from both traditional devices and cloud services. It aids in extracting and interpreting data from cloud accounts.
  • X-Ways Forensics: X-Ways Forensics is a versatile digital forensics tool that supports the examination of evidence from cloud storage services, email accounts, and other sources [ 103 ].
  • Azure Security Center: Microsoft's Azure Security Center [ 104 ], now sold as Microsoft Defender for Cloud, provides a cloud-native solution for threat protection across Azure and hybrid environments. It helps in detecting and responding to threats in cloud infrastructure.
  • AWS CloudTrail: Amazon Web Services CloudTrail [ 105 ] records the API calls made in an AWS account, supporting detailed forensic analysis and audit trail creation. Management (control-plane) events are recorded by default, whereas data events such as S3 object-level operations must be enabled explicitly, and delivery to storage is not immediate; a trail therefore has to be configured and protected before an incident for its records to be available afterwards.
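Triage of a CloudTrail log file during an investigation, as an added example that is not from the paper or from AWS. The records follow the CloudTrail JSON schema (eventTime, eventName, eventSource, userIdentity, sourceIPAddress, responseElements, requestParameters) but every value, account number, IP address and user name is constructed; the failure threshold is an assumption. Three rules are applied: tampering with CloudTrail itself, any successful root-account activity, and a burst of failed console logins from one address.

```python
import json
from collections import Counter

# Event names that disable or weaken CloudTrail itself.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
FAILURE_THRESHOLD = 5   # assumption for the example: 5 failed logins from one IP


def _login(ts, ip, outcome, identity):
    """Build a ConsoleLogin record in the CloudTrail schema (constructed sample data)."""
    return {"eventTime": ts, "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
            "userIdentity": identity, "sourceIPAddress": ip, "awsRegion": "us-east-1",
            "responseElements": {"ConsoleLogin": outcome}}


SAMPLE_RECORDS = [
    _login(f"2024-03-05T13:01:{s:02d}Z", "198.51.100.7", "Failure",
           {"type": "IAMUser", "userName": "alice"})
    for s in (2, 9, 15, 22, 31)
] + [
    _login("2024-03-05T13:04:10Z", "198.51.100.7", "Success", {"type": "Root"}),
    {"eventTime": "2024-03-05T13:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "Root"},
     "sourceIPAddress": "198.51.100.7", "awsRegion": "us-east-1",
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-03-05T13:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/bob"},
     "sourceIPAddress": "10.0.0.5", "awsRegion": "eu-west-1"},
]
# CloudTrail delivers records as {"Records": [...]} JSON files; mimic that on-disk form.
SAMPLE_TRAIL_FILE = json.dumps({"Records": SAMPLE_RECORDS})


def triage(trail_json: str) -> list[tuple[str, str, str]]:
    """Return (severity, rule, detail) alerts for one CloudTrail log file."""
    # Files are not guaranteed to be in order; sort by the ISO 8601 timestamp.
    records = sorted(json.loads(trail_json)["Records"], key=lambda r: r["eventTime"])
    failures = Counter()
    alerts = []
    for r in records:
        name, ip, ts = r.get("eventName"), r.get("sourceIPAddress"), r.get("eventTime")
        if name in LOGGING_TAMPER:
            trail = r.get("requestParameters", {}).get("name", "?")
            alerts.append(("high", "cloudtrail_tampering",
                           f"{name} on trail {trail} from {ip} at {ts}"))
        # Root should never be used day to day; any successful call is worth a look.
        if r.get("userIdentity", {}).get("type") == "Root" and not r.get("errorCode"):
            alerts.append(("high", "root_account_activity", f"{name} from {ip} at {ts}"))
        if name == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[ip] += 1
            if failures[ip] == FAILURE_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("medium", "console_login_bruteforce",
                               f"{failures[ip]} failed logins from {ip} by {ts}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_TRAIL_FILE):
        print(f"[{severity}] {rule}: {detail}")
```

The same loop runs unchanged over real trail files downloaded from the S3 bucket a trail writes to; the investigative value of the StopLogging rule is exactly that the attacker's own attempt to blind the trail is the last thing it records.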

Some other offline digital forensic tools are [ 106 ]:

  • EnCase Forensic: EnCase is a widely used forensic software that provides comprehensive capabilities for acquiring, analyzing, and reporting digital evidence from various devices and file systems.
  • AccessData forensic toolkit (FTK): FTK is a powerful forensic tool that allows investigators to collect, analyze, and examine data from computers and mobile devices. It includes advanced searching and analysis features.
  • Forensic Falcon: This hardware-based solution offers both offline and live forensic capabilities, allowing investigators to analyze and image digital media in the field.
  • Paladin Forensic Suite: Paladin is a live forensic system that can be booted from a USB drive. It includes a variety of open-source forensic tools and utilities for evidence collection and analysis.
  • DEFT (Digital Evidence and Forensics Toolkit): DEFT is a Linux distribution specifically designed for digital forensics and incident response. It includes a collection of pre-installed forensic tools and utilities.
  • Bulk Extractor: Bulk Extractor is a command-line tool designed to quickly and efficiently scan disk images for specific types of information, such as email addresses, credit card numbers, and URLs.
  • Digital Forensics Framework (DFF): DFF is an open-source digital forensics platform that provides a modular and extensible framework for conducting forensic investigations.

6. Cloud Forensic Challenges

In this section, we provide an overview of the cloud forensics issues observed during the assessment of the relevant domain. Furthermore, we take it a step further and categorize the associated difficulties according to the cloud forensics procedure phases described. It must be noted that the majority of the issues discussed are primarily applicable to public clouds, with only a few exceptions applicable to private cloud designs. These challenges are discussed below, and their summarized view is provided in Table 7 for quick review.

Summary of challenges and recommendations for cloud digital forensics in different phases.

PhasesChallengesRecommendations
Identification
Preservation
Examination and Analysis
Presentation

6.1. Identification Phase

  • Retrieval of information from log files: Log files are crucial for investigations, but gathering them from cloud environments is complex because of the opacity of the cloud and its multi-tenant abstraction: clients interact only through an application programming interface (API), so they cannot monitor the underlying hosts directly [ 107 ]. In the IaaS model, logs are essential for understanding virtual machine (VM) behavior, but their usefulness may be limited by restrictions that cloud providers impose on storage, access, or sharing among multiple tenants [ 108 , 109 ]. Cloud service providers often neglect or conceal log collection services, which leaves investigators with logs that are decentralized, fluctuating, poorly preserved, inaccessible, non-existent, or missing important data, and with incompatible log formats [ 110 ].
  • Transient data: Cloud forensic challenges involve navigating the diverse behaviors of virtual machines (VMs) in IaaS service structures, such as Azure, Digital Ocean, and AWS, to preserve data during shutdown or restart phases. Understanding these nuances is crucial for forensic professionals to identify and preserve volatile data instances [ 111 , 112 , 113 , 114 ].
  • Lack of physical accessibility: Locating data in the cloud is complex because the hardware is deployed globally. Traditional digital forensics assumes direct access to hardware, whereas in cloud forensics the information sits on physical devices and in fixed configurations that the investigator cannot reach [ 112 ]. Data-containing hardware cannot simply be seized, since the systems are dispersed across separate jurisdictions. This issue does not arise for private clouds whose resources are housed on the organization's own premises, even when the organization itself is geographically spread [ 115 ].
  • Identification at the client side: Evidence can be found on both the provider and client sides of the interface, particularly in SaaS and PaaS contexts. Investigators must quickly capture uncontaminated data for forensic analysis before the perpetrator can destroy it. Client-side data identification is crucial in investigations but is often difficult because multiple jurisdictions are involved [ 111 , 116 ].
  • Vendor dependency-trust: The research emphasizes the importance of cloud service providers (CSPs) in the forensic process, but challenges arise when they hesitate to release information, especially in multi-tenant systems [ 117 ]. Dependence on CSPs in SaaS and PaaS models for evidence discovery raises authenticity concerns and reliance on non-expert personnel, potentially impacting the validity of forensic findings [ 107 , 118 ].
  • Service level agreement (SLA): Service level agreements may not include details about forensic investigations, and when they do not, the cloud service provider has no contractual obligation to support one [ 119 ]. This is often due to a lack of customer understanding, lack of transparency, limits on trust, and foreign legislation. CSPs may also lack the necessary knowledge or appropriate procedures to conduct forensic investigations in cloud systems [ 120 ].

6.2. Preservation and Collection Phase

  • Integrity and stability in multi-tenancy and privacy: The quality and durability of proof are critical in cloud inquiries for IaaS, PaaS, and SaaS. Data retention, essential for evidence in multi-jurisdictional situations, poses challenges in compliance with laws. The reliability of evidence can be compromised, potentially rendering it inadmissible in court [ 108 ]. Authenticity issues further complicate cloud forensics, requiring increased trust from investigators in third parties for data authentication [ 118 ]. Ensuring data consistency in the dynamic cloud environment is also challenging [ 121 ].
  • In-house staffing: This challenge spans all service types and stages, necessitating collaboration among technical researchers, legal consultants, and external experts with expertise in new technologies [ 120 ].
  • Crime scene reconstruction in criminal investigations: In cloud forensics, reconstructing the crime scene is challenging, and recreating the entire sequence may be impossible if the responsible virtual machine terminates after malicious activity.
  • Chain of custody: Maintaining the chain of custody is crucial for presenting evidence in court. Challenges arise from multi-jurisdictional legislation and CSP engagement, with the initial potential failure point often identified as the cloud service provider [ 119 ].
  • Data imaging: In IaaS, creating a forensic image of a system or instance means capturing a disk image of the virtual machine (VM) in a defined file format such as EWF. Restarting or shutting down the VM does not destroy the evidence on its persistent disk, but the contents of volatile memory are lost, and if the instance or its storage is destroyed, the evidence is lost with it. In PaaS environments, investigators must rely on the cloud service provider (CSP) for data collection, which presents challenges, especially when the data are managed by a third-party subcontractor [ 115 ].
  • Bandwidth constraints: Data volumes are rapidly expanding, and the volume of evidence grows with them. In the preceding item, we discussed VM imaging within the IaaS model. Investigators need to obtain a forensic copy of the VM instances to collect information, and while acquiring such large images they must account for the available bandwidth, given the substantial volume of data involved.

6.3. Examination and Analysis Phase

  • Insufficient forensic toolset: Forensic tools are central to cloud investigations, and a range of tools designed for cloud-based digital forensics is in active use. A significant challenge, however, is that several commercial tools designed for remote investigations have not been comprehensively vetted for accuracy and error rates [ 115 ]. Initiatives like the Computer Forensics Tool Testing (CFTT) program, supported by the Department of Homeland Security (DHS), the National Institute of Justice, and the National Institute of Standards and Technology (NIST), aim to close this gap by providing measurable assurance of the accuracy of the computer forensics tools used in cloud investigations [ 122 ]. The CFTT program develops specifications and test methods and evaluates specific tools against them, improving the reliability and credibility of forensic tools. These efforts are essential for ensuring that forensic tools meet stringent accuracy benchmarks, so that investigators and the legal community can rely on them in cloud forensic investigations [ 115 ].
  • Large data volumes: The data held in CSP storage facilities are enormous and grow daily. Finding meaningful digital evidence within petabytes of information is difficult [ 123 ], and this directly affects the processing needed to identify evidence relevant to the inquiry. Quick and Choo [ 124 ] discuss this further, noting that research gaps in data reduction, data mining, intelligence evaluation, and the use of open- and closed-source information still exist. Appropriate collection and filtering procedures must be designed and implemented to cope with the quantity of data in cloud infrastructures [ 112 ].
  • Encryption: Cloud tenants encrypt their data to protect it from unauthorized access, and many CSPs encrypt data at rest and in transit as well [ 125 , 126 ]. Investigating encrypted material requires expertise in obtaining keys and analyzing the decrypted content. Access to the encryption keys is therefore crucial, and the evidential value of data may be undermined if only the data owner can supply the key.
  • Log format standardization: Analyzing data obtained from the different service models is costly, particularly when many different log types have to be identified and parsed. Even when a large number of resources can be accessed, merging their heterogeneous log formats into one consistent view is a complex process [ 120 ].
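
The normalization problem in the last item, as an added example that is not from the paper: three constructed records in different formats (a simplified CloudTrail-style JSON event, an RFC 3164 syslog line from a Linux VM, and an nginx access-log line) are mapped to one schema with UTC timestamps and merged into a single timeline. The field names follow the real formats; the values, host names and addresses are made up for the example.

```python
"""Normalising heterogeneous cloud logs into one timeline.

Added example, not code from the paper. The three records are constructed
for this example: a simplified CloudTrail-style JSON event, an RFC 3164
syslog line from a Linux VM, and an nginx access-log line. Field names
follow those formats, but the values are made up.
"""
import json
import re
from datetime import datetime, timezone

SAMPLES = [
    '{"eventTime": "2024-01-15T10:22:31Z", "eventName": "ConsoleLogin", '
    '"sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}, '
    '"responseElements": {"ConsoleLogin": "Failure"}}',
    "Jan 15 10:22:40 web01 sshd[1042]: Failed password for alice from 203.0.113.7 port 51514 ssh2",
    '203.0.113.7 - alice [15/Jan/2024:11:22:45 +0100] "GET /admin HTTP/1.1" 403 120',
]

SYSLOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
NGINX = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_cloudtrail(line):
    ev = json.loads(line)
    ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    outcome = (ev.get("responseElements") or {}).get(ev["eventName"], "Unknown")
    return {"ts": ts, "source": "cloudtrail", "actor": ev.get("userIdentity", {}).get("userName"),
            "src_ip": ev.get("sourceIPAddress"), "action": ev["eventName"],
            "outcome": outcome, "raw": line}


def parse_syslog(line, year, tz=timezone.utc):
    """RFC 3164 timestamps carry neither year nor zone: both must be supplied
    from context (the VM's clock settings), which is itself a finding to record."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=tz).astimezone(timezone.utc)
    actor = src_ip = None
    action, outcome = m["proc"], "Unknown"
    f = SSH_FAIL.search(m["msg"])
    if f:
        actor, src_ip, action, outcome = f["user"], f["ip"], "ssh-login", "Failure"
    return {"ts": ts, "source": f"syslog:{m['host']}", "actor": actor, "src_ip": src_ip,
            "action": action, "outcome": outcome, "raw": line}


def parse_nginx(line):
    m = NGINX.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    status = int(m["status"])
    return {"ts": ts, "source": "nginx", "actor": None if m["user"] == "-" else m["user"],
            "src_ip": m["ip"], "action": f"{m['method']} {m['path']}",
            "outcome": "Success" if status < 400 else "Failure", "raw": line}


def normalize(line, syslog_year):
    s = line.strip()
    if s.startswith("{"):
        return parse_cloudtrail(s)
    if SYSLOG.match(s):
        return parse_syslog(s, syslog_year)
    return parse_nginx(s)


def timeline(lines, syslog_year):
    """Parse every line it can, drop the rest, and order by UTC timestamp."""
    records = [r for r in (normalize(line, syslog_year) for line in lines) if r]
    return sorted(records, key=lambda r: r["ts"])


if __name__ == "__main__":
    for r in timeline(SAMPLES, syslog_year=2024):
        print(r["ts"].isoformat(), r["source"], r["src_ip"], r["actor"], r["action"], r["outcome"])
```

The syslog parser takes the year and time zone from outside because the format carries neither; getting that context wrong silently shifts those events relative to the other sources, so how it was established belongs in the examiner's notes. The nginx line is deliberately stamped in a +01:00 zone to show the conversion that makes the three sources comparable.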

6.4. Presentation Phase

  • Password or key retrieval: Cloud forensic investigations face particular difficulty in accessing encrypted data without the cooperation of the parties involved. Tools such as John the Ripper and Hashcat [ 127 ] support password recovery through dictionary, rule-based, and brute-force attacks against captured password hashes. In addition, memory dumps can be analyzed to recover encryption keys from a running or recently running system, which gives investigators another route past encryption in cloud forensic examinations.
  • Testimonial complexity: Technical detail may be hard for a court to follow, especially since juries typically consist of people with little understanding of computer systems. Investigators must therefore disclose their methods and procedures transparently [ 115 ]. They must be prepared to give a clear and easily understood explanation of the cloud, of digital forensics, and of how the two work together, and to show how the evidence obtained during the inquiry was preserved and recorded. Cloud computing is one of the more complex computing environments, and it can stump even a technically savvy jury. Every piece of evidence must therefore be presented with care, and expert testimony must be comprehensible to the members of the jury [ 128 ].
  • Documentation and record keeping: A further issue is convincing the jury that the evidence obtained during the investigation was properly documented and that it was not modified in earlier phases. Investigators must ensure that everyone who took part in the investigation followed the applicable methodologies and standards so that the chain of custody of the evidence is preserved, and the documentation, kept electronically, must cover every stage.
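
The memory-dump route mentioned under password or key retrieval, as an added example that is not from the paper: it implements the key-schedule search that cold-boot key-recovery tools use (the technique published by Halderman et al. in 2008, named here as the method, not something the paper describes), scanning a constructed 64 KiB dump for the 176-byte expanded form of an AES-128 key. The S-box is computed from its definition rather than typed in, and the FIPS-197 sample key is what gets planted at a known offset.

```python
"""Finding AES-128 keys in a memory dump by their key schedule.

Added example, not code from the paper. It implements the key-schedule search
used by cold-boot key-recovery tools (Halderman et al., 2008): an in-use AES
key is normally kept in memory as its 176-byte expanded schedule, and a
16-byte window whose expansion equals the 160 bytes after it is, with
overwhelming probability, a key. The "memory dump" is constructed here:
filler bytes with one expanded key planted at a known offset.
"""
import hashlib


def _build_sbox():
    """AES S-box computed from its definition rather than typed in."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                    # powers of the generator 3 in GF(2^8)
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x = x * 3
    sbox = []
    for v in range(256):
        b = 0 if v == 0 else exp[(255 - log[v]) % 255]  # multiplicative inverse
        s = b
        for k in range(1, 5):                           # affine transform
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))


def find_aes128_keys(image):
    """Return [(offset, key)] for every complete AES-128 schedule in image."""
    hits = []
    for off in range(len(image) - 175):
        w0, w3, w4 = image[off:off + 4], image[off + 12:off + 16], image[off + 16:off + 20]
        # Cheap filter first: w4 == w0 ^ SubWord(RotWord(w3)) ^ Rcon[1].
        t = [SBOX[w3[1]] ^ 0x01, SBOX[w3[2]], SBOX[w3[3]], SBOX[w3[0]]]
        if bytes(a ^ b for a, b in zip(w0, t)) != w4:
            continue
        key = image[off:off + 16]
        if expand_key(key) == image[off:off + 176]:   # full confirmation
            hits.append((off, key))
    return hits


def build_dump(key, size=65536, offset=20000):
    """Constructed dump: reproducible filler with one schedule planted in it."""
    buf = bytearray()
    i = 0
    while len(buf) < size:
        buf += hashlib.sha256(b"constructed-dump" + i.to_bytes(4, "big")).digest()
        i += 1
    buf = buf[:size]
    buf[offset:offset + 176] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    planted = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key
    for off, key in find_aes128_keys(build_dump(planted)):
        print(f"AES-128 key at offset {off:#x}: {key.hex()}")
```

The cheap check on the first expanded word rejects almost every offset before a full expansion is attempted, which is what makes a linear scan of a real dump practical. A schedule that has been partially overwritten, as in a genuine cold-boot capture, needs the error-tolerant variant of the search, which this example does not implement; the same approach extends to AES-192 and AES-256 with their schedule lengths and round-constant positions.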

7. Cloud Legal and Privacy Concerns

Cloud digital forensics is a vital field; it focuses on the investigation and analysis of digital data stored in cloud computing environments, such as those operated by major service providers like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. This discipline plays a crucial role in uncovering digital evidence, particularly in cases involving cybercrimes, data breaches, or other malicious activities within the cloud [ 129 , 130 ]. One of the primary aspects integral to cloud digital forensics is a clear understanding of the legal and privacy considerations that come into play when dealing with data hosted in cloud infrastructures. When individuals and organizations opt to utilize cloud services for data storage and processing, they effectively entrust their sensitive information to third-party service providers. This scenario prompts important questions concerning data access, its methods, and the specific circumstances under which such access is granted. To delve further into these considerations [ 28 , 131 ]:

  • Data ownership and control: When data are uploaded to the cloud, it is essential to understand that ownership and control can become somewhat blurred. Users technically own their data, but they delegate control over its storage and management to the cloud service provider. This delegation can complicate the process of accessing and analyzing data during a forensic investigation.
  • Access rights: Investigating digital incidents in the cloud requires considering who has access to the data. Cloud service providers typically have physical and administrative access to the servers, and users access their data via web interfaces or APIs. Forensic experts must understand how these access mechanisms work and who has the authority to grant or revoke access.
  • Data encryption and privacy: Many cloud service providers implement robust encryption measures to protect user data. This encryption ensures that even if unauthorized parties gain access to the physical servers, the data remain encrypted and unreadable. While encryption enhances privacy and security, it can pose challenges for forensic investigations, as gaining access to decryption keys may be difficult.
  • Compliance and regulations: Various regions have distinct data protection and privacy regulations. For example, the General Data Protection Regulation (GDPR) [ 132 ] in the European Union establishes rigorous requirements for data management and privacy. While conducting investigations in cloud environments, forensic investigators must be mindful of and comply with these regulations. However, it is important to note that when authorized by a court to conduct digital forensics, investigators might operate under legal mandates that supersede certain privacy laws, prioritizing compliance with the court’s directives while maintaining confidentiality and following due legal processes.
  • Cloud service provider policies: Cloud service providers often have their own terms of service and policies regarding data access and disclosure. These policies can impact the process of acquiring data for forensic analysis. Investigators need to be familiar with these policies and work within their constraints.

Incorporating legal considerations into cloud digital forensics involves navigating a wide range of laws and regulations that can vary across different regions. Forensic investigators must prioritize compliance with privacy laws, data protection regulations, and contractual agreements between cloud service providers and users. However, when authorized by a court to conduct digital forensics, practitioners may have different obligations that supersede certain privacy laws, as their actions are mandated by legal authorization and aimed at fulfilling court requirements while ensuring confidentiality and adherence to the legal process.

8. Economy Factor: Compound Annual Growth Rate (CAGR)

In cloud digital forensics, the compound annual growth rate (CAGR) is used to quantify the sector's annual expansion. As in other industries, it measures the average yearly growth of the global cloud digital forensics market while accounting for compounding, so that each year's growth builds on the previous one across a multi-year span: CAGR is the constant rate r for which V_2023 × (1 + r)^8 = V_2031. Market research [ 133 , 134 ] suggests significant growth potential. With a CAGR of 15.9% from 2023 to 2031, the market is expected to expand robustly: its size in 2023 was projected at around USD 11.21 billion and is expected to reach USD 36.53 billion by 2031 (11.21 × 1.159^8 ≈ 36.5, consistent with the quoted figures). The data point to an upward trend and an escalating demand for cloud digital forensics solutions over the forecast period. Figure 8 shows the projected growth trajectory of the cloud digital forensics market from 2023 to 2031, with the anticipated market size for each year.

Figure 8. Forecasted growth of cloud digital forensics market (2023–2031).

This growth is largely a response to the rising incidence of cyber-criminal activity worldwide [ 135 ], including cyber-attacks, industrial espionage, information security breaches, identity fraud, and financial fraud. Addressing these threats depends on skilled digital forensics investigators who preserve the digital trail of evidence. The market values for 2023 to 2031 [ 133 , 134 , 135 ] give industry stakeholders, investors, researchers, and consultants a picture of the growth trajectory of the cloud digital forensics market; together with historical data from 2018 to 2022, they serve as a reference for current participants and prospective entrants. Moreover, the market shares held by the largest cloud service providers have reached unprecedented levels [ 136 ]. Projections indicate that Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform will retain their dominance, collectively holding a majority share of the global cloud services market by 2030. Figure 9 shows the market shares of the leading cloud infrastructure service providers. As demand for scalable and secure cloud solutions continues to grow, the positions of these providers are expected to shape the market, driving innovation and molding the future of cloud computing services.

Figure 9. The cloud service provider market share.

9. Open Problems and Future Trends in Cloud Forensics

Cloud-based digital forensics presents a dynamic landscape with numerous emerging challenges and open issues in data investigation [ 137 , 138 ]. As businesses increasingly adopt cloud services for data storage and processing, safeguarding the security and credibility of digital evidence within complex cloud infrastructures remains a critical focus. Challenges include navigating multi-tenant environments, addressing data privacy and sovereignty concerns, and overcoming the obstacles posed by virtualized storage systems and shared resources. The adoption of cryptographic techniques like homomorphic encryption [ 139 ] and multiparty computation [ 140 ], together with evolving technologies such as federated learning [ 141 ], introduces new hurdles for evidence collection and analysis. The assimilation of blockchain-based cloud systems [ 142 ] brings complexities associated with decentralized data management and the validation of digital transactions. Ensuring the secure transmission and retention of data across diverse cloud environments while maintaining data consistency and integrity also remains an open challenge [ 27 ]. As the cloud landscape evolves, the effective preservation and retrieval of digital evidence, the assurance of a secure chain of custody, and the intricacies of cloud-based data recovery remain open problems that require continued research and development in cloud-based digital forensics.

Future Trends

  • The landscape of cloud digital forensics is continually evolving, and researchers are actively exploring future directions to enhance forensic practices in the cloud. As cloud computing technologies advance, there is a growing need to adapt forensic methodologies to address emerging trends.
  • One key area of exploration is the impact of emerging cloud technologies, such as containerization, microservices, and serverless computing [ 143 ], on digital forensics. These technologies introduce new challenges, particularly in the analysis of ephemeral and highly distributed computing environments. Researchers will need to develop techniques to effectively extract and preserve digital evidence in these dynamic settings.
  • Technological advancements, including serverless computing, edge computing, and artificial intelligence (AI), are reshaping forensic practices in the cloud [ 144 ]. Serverless computing brings challenges related to event-driven architectures and the reconstruction of execution flows, which researchers will need to address. Edge computing, with its decentralized data processing, requires investigators to adapt to distributed environments. AI, on the other hand, has the potential to automate the detection of security incidents and anomalies, streamlining forensic processes.
  • Privacy-preserving techniques such as federated learning, multi-party computation (MPC), and homomorphic encryption are also influencing cloud and digital forensics [ 145 ]. Federated learning trains a model without exposing raw data, raising questions about how model updates can be accessed and analyzed while data privacy is preserved. MPC lets several parties jointly compute a function over their private inputs without revealing those inputs to one another, and homomorphic encryption allows computation on encrypted data without decrypting it. These techniques bring both challenges and opportunities for forensic investigators, particularly where data privacy is paramount.
  • Blockchain and distributed ledger technologies (DLTs) [ 146 ] are gaining prominence in various industries and hold promise for digital forensics. Researchers are exploring how blockchain can be used to create tamper-evident logs and audit trails, strengthening the integrity and traceability of digital evidence. The decentralized nature of DLTs may also influence evidence collection and preservation, supporting reliability and authenticity.
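
The tamper-evident audit trail in the last item, as an added example that is not from the paper: a hash-chained custody log, which is the primitive a blockchain-based evidence ledger is built on. The custody events, case and evidence identifiers are constructed for the example.

```python
"""Tamper-evident evidence-handling log built as a hash chain.

Added example, not code from the paper. This is the primitive that
blockchain-style evidence ledgers build on: every entry commits to the hash
of the entry before it, so changing, reordering or deleting any entry
invalidates every hash after it. Entries, case and evidence identifiers are
constructed for the example.
"""
import hashlib
import json

GENESIS = "0" * 64


def _link_hash(prev_hash, entry):
    # Canonical JSON so that the same entry always hashes the same way.
    payload = json.dumps({"prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLog:
    def __init__(self):
        self.blocks = []

    def append(self, entry):
        """Add a custody event; returns its hash (the new head of the chain)."""
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev": prev,
                 "entry": entry, "hash": _link_hash(prev, entry)}
        self.blocks.append(block)
        return block["hash"]

    def head(self):
        """The value to publish or sign elsewhere, so that whoever keeps the
        log cannot silently rebuild it from scratch or truncate it."""
        return self.blocks[-1]["hash"] if self.blocks else GENESIS

    def verify(self, expected_head=None):
        """Recompute every link from genesis. Returns (ok, first_bad_index)."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev or _link_hash(prev, b["entry"]) != b["hash"]:
                return False, i
            prev = b["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.blocks)
        return True, None


def sample_log():
    """Three constructed custody events for one evidence item."""
    log = CustodyLog()
    log.append({"action": "acquire", "evidence": "E-0001", "by": "examiner-1",
                "sha256": "ab" * 32, "when": "2024-01-15T10:00:00Z"})
    log.append({"action": "transfer", "evidence": "E-0001", "from": "examiner-1",
                "to": "lab-vault", "when": "2024-01-15T12:00:00Z"})
    log.append({"action": "analyze", "evidence": "E-0001", "by": "analyst-2",
                "when": "2024-01-16T09:00:00Z"})
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify())
    log.blocks[1]["entry"]["to"] = "someone-else"   # alter a past entry
    print("after edit:", log.verify())
```

The chain detects edits, reordering and deletions in the middle of the log, but on its own it cannot detect truncation at the end or wholesale replacement by the party that keeps it. That is why verify accepts an expected head hash, and why in practice the head is published, signed, or written to a ledger the examiner does not control; the decentralised storage that DLTs offer is one way of providing that external anchor.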

10. Strategizing for Emerging Challenges in Cloud Digital Forensics

The landscape of digital forensics is evolving rapidly with technologies such as the Internet of Things (IoT), cloud-based services (CBSs), cyber-physical systems (CPSs), blockchain, multiparty computation, federated learning, and the ubiquitous use of mobile devices [ 147 ]. Each brings its own challenges. IoT solutions introduce a plethora of interconnected devices, amplifying the complexity of data acquisition and analysis. CBSs and CPSs blur traditional boundaries, complicating the identification and preservation of digital evidence spread across diverse platforms. Blockchain technologies make tracing and authenticating transactions harder because of their decentralized and immutable nature. Multiparty computation and federated learning raise data privacy and security concerns, since sensitive information is accessed and used across multiple entities. Mobile devices, an integral part of everyday life, add another layer of complexity through their mobility, diverse operating systems, and evolving storage methods. Addressing these challenges requires proactive strategies that combine technological innovation with robust forensic methodologies, so that investigations in the cloud-based, IoT-driven digital landscape can be conducted and resolved effectively.

Navigating the technical challenges of cloud digital forensics therefore requires a versatile toolkit and adaptable strategies. When encrypted files hold crucial evidence, the first and simplest approach is to request the password from the suspect. Where cooperation cannot be obtained, tools such as Hashcat and John the Ripper offer a route to the data through password cracking. Combining these methods underscores the importance of drawing on a spectrum of techniques in the evolving cloud-driven forensic arena. Frameworks such as a cloud forensic framework, a digital forensic framework, and the application of machine learning to forensic methods also emerge as essential components. These frameworks address data collection, analysis, architecture, and investigation efficiency within cloud environments, and target challenges specific to the different cloud service models. Such a comprehensive approach matches the dynamic nature of cloud-based digital forensics and lets experts navigate diverse challenges while upholding ethical and legal standards [ 23 , 148 ].
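
The password-cracking route mentioned above, as an added example that is not from the paper and is not code from Hashcat or John the Ripper: a small dictionary attack with mangling rules against a stored PBKDF2-SHA256 hash, showing the mechanics those tools automate and why the hash's iteration count sets the attacker's per-guess cost. The password, salt and word list are constructed, and the record layout (pbkdf2_sha256$iterations$salt$base64) is the one several web frameworks use, assumed here for illustration.

```python
"""Dictionary attack with mangling rules against a stored PBKDF2 hash.

Added example; not code from the paper and not Hashcat or John the Ripper,
but the mechanics those tools automate. The stored record follows the common
"pbkdf2_sha256$<iterations>$<salt>$<base64 hash>" layout; password, salt
and word list are constructed for this example.
"""
import base64
import hashlib
import hmac
import time


def make_record(password, salt, iterations=600_000):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def parse_record(record):
    algo, iterations, salt, b64 = record.split("$", 3)
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash type {algo!r}")
    return int(iterations), salt, base64.b64decode(b64)


def check(candidate, iterations, salt, target):
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(dk, target)


def mangle(word):
    """Hashcat-style rules: case variants, leet substitutions, common suffixes."""
    variants = [word, word.capitalize(), word.upper(),
                word.replace("a", "@").replace("o", "0").replace("e", "3")]
    seen = set()
    for v in variants:
        for cand in (v, *(v + s for s in ("1", "123", "!", "2023", "2024", "1!"))):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(record, wordlist, rules=mangle):
    """Returns (password or None, guesses tried, seconds). The per-guess cost is
    the KDF's iteration count, which is exactly what the defender tunes."""
    iterations, salt, target = parse_record(record)
    tried, start = 0, time.perf_counter()
    for word in wordlist:
        for cand in rules(word):
            tried += 1
            if check(cand, iterations, salt, target):
                return cand, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


if __name__ == "__main__":
    record = make_record("Cloud2024", "s4ltv4lu3", iterations=100_000)
    found, tried, secs = crack(record, ["password", "forensic", "cloud"])
    print(f"recovered={found!r} after {tried} guesses in {secs:.2f}s "
          f"({tried / secs:.1f} guesses/s at 100k iterations)")
```

Raising the iteration count multiplies the work per guess by the same factor for attacker and defender alike, which is the trade-off a KDF is designed around; real word lists and rule sets are far larger than this one, but the loop does not change. A candidate that matches is confirmed by recomputing the KDF, so the result carries the same evidential weight as a password the suspect supplies.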

11. Conclusions

Cloud digital forensics plays an indispensable role in today's evolving digital landscape. As cloud computing rapidly transforms information technology (IT), it is crucial to understand its impact on digital forensics, which affects stakeholders from forensic investigators and equipment vendors to law enforcement agencies and corporate compliance and audit departments. With the increasingly cross-national nature of cloud services, complexities arising from jurisdictional discrepancies and diverse data protection laws demand a refined approach from digital forensic specialists. Navigating this regulatory landscape successfully is essential both for legal compliance and for safeguarding individuals' privacy. The integration of artificial intelligence (AI), edge computing, and advanced cryptography into cloud environments presents opportunities and challenges. AI can help automate certain forensic tasks and detect anomalies, but it also introduces new vulnerabilities that forensic experts must address. Similarly, blockchain and distributed ledger systems can strengthen the integrity of digital evidence by providing tamper-evident storage and verifiable chains of custody, a robust basis for preserving and presenting digital evidence in court. Collaborative research among stakeholders is needed to develop new techniques, tools, and best practices for cloud forensics, a growing field. The investment prospects of the global cloud forensics industry are evident in its projected market size of ≈USD 11.21 billion in 2023, expected to reach ≈USD 36.53 billion in 2031, a CAGR of about 15.9%.

Acknowledgments

We acknowledge Hassan Raza from the University of Central Punjab (Department of Computer Science) for improving the quality of images and graphics used in this manuscript.

Funding Statement

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korean government Ministry of Science and ICT (MSIT) (No. RS-2022-00144000 and RS-2022-00165225) and the Institute for Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korean government MSIT (No. 2022-0-01200, convergence security core talent training business (Chungnam National University)).

Author Contributions

Conceptualization, A.W.M. and D.S.B.; methodology, D.S.B. and T.-J.P.; validation, H.U.I.; formal analysis, J.-C.R.; resources, J.-C.R. and K.-I.K.; data curation, D.S.B. and A.W.M.; writing—original draft preparation, D.S.B. and A.W.M.; writing—review and editing, D.S.B. and H.U.I.; visualization, K.-I.K.; supervision, D.S.B.; project administration, D.S.B. and K.-I.K.; funding acquisition, K.-I.K. and J.-C.R. All authors have read and agreed to the published version of the manuscript.

Institutional Review Board Statement

Informed consent statement, data availability statement, conflicts of interest.

The authors declare no conflicts of interest.

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Research and Review on Computer Forensics

Conference paper

  • Hong Guo
  • Bo Jin
  • Daoli Huang

Part of the book series: Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering ((LNICST,volume 56))

Included in the following conference series:

  • International Conference on Forensics in Telecommunications, Information, and Multimedia

With the development of Internet and information technology, the digital crimes are also on the rise. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in courts. This paper provides foundational concept of computer forensics, outlines various principles of computer forensics, discusses the model of computer forensics and presents a proposed model.

This paper is supported by the Special Basic Research, Ministry of Science and Technology of the People’s Republic of China, project number: 2008FY240200.

Author information

Authors and affiliations.

Key Laboratory of Information Network Security, Ministry of Public Security, People’s Republic of China (The 3rd Research Institute of Ministry of Public Security), Room 304, BiSheng Road 339, Shanghai, 201204, China

Hong Guo, Bo Jin & Daoli Huang

Editor information

Editors and affiliations.

Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dong Chuan Road, 200240, Shanghai, P.R. China

Xuejia Lai & Dawu Gu

The 3rd Research Institute of Ministry of Public Security, 339 bi Shen Road, A 303, Zhang Jiang, Pu Dong, 210031, Shanghai, P.R. China

East China University of Political Science and Law, No. 555, Longyuan Road, Songjiang District, 201620, Shanghai, China

Yongquan Wang

Xidian University, P.O. Box 101, 710071, Xian, Shaanxi, P.R. China

Rights and permissions

Reprints and permissions

Copyright information

© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper.

Guo, H., Jin, B., Huang, D. (2011). Research and Review on Computer Forensics. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_21

DOI : https://doi.org/10.1007/978-3-642-23602-0_21

Publisher Name : Springer, Berlin, Heidelberg

Print ISBN : 978-3-642-23601-3

Online ISBN : 978-3-642-23602-0

Published: 16 February 2024 Contributors: Annie Badman, Amber Forrest

Digital forensics is the process of collecting and analyzing digital evidence in a way that maintains its integrity and admissibility in court.

Digital forensics is a field of forensic science. It is used to investigate cybercrimes but can also help with criminal and civil investigations. For instance, cybersecurity teams may use digital forensics to identify the cybercriminals behind a  malware  attack, while law enforcement agencies may use it to analyze data from the devices of a murder suspect.

Digital forensics has broad applications because it treats digital evidence like any other form of evidence. Just as officials use specific processes to gather physical evidence from a crime scene, digital forensics investigators follow a strict forensic process when handling digital evidence and document every transfer and action in a chain of custody, so that tampering can be ruled out.

Digital forensics and  computer forensics  are often referred to interchangeably. However, digital forensics technically involves gathering evidence from  any  digital device, whereas computer forensics involves gathering evidence specifically from computing devices, such as computers, tablets, mobile phones and devices with a CPU.

Digital forensics and incident response (DFIR)  is an emerging cybersecurity discipline that integrates computer forensics and incident response activities to accelerate the remediation of cyber threats while ensuring that any related digital evidence is not compromised.

Digital forensics, or digital forensic science, first surfaced in the early 1980s with the rise of personal computers and gained prominence in the 1990s.

However, it wasn’t until the early 21st century that countries like the United States formalized their digital forensics policies. The shift toward standardization resulted from the rise of computer crimes in the 2000s and the nationwide decentralization of law enforcement agencies. With more crimes involving digital devices—and more individuals involved in prosecuting those crimes—officials needed procedures to ensure criminal investigations dealt with digital evidence in a way that was admissible in a court of law.

Today, digital forensics is only becoming more relevant. To understand why, consider the overwhelming amount of digital data available on practically everyone and everything. As society continues to rely more on computer systems and cloud computing technologies, individuals continue to conduct more of their lives online across an ever-increasing number of devices, including mobile phones, tablets, IoT devices, connected devices, and more.

The result is more data—from more sources in more formats than ever before—that investigators can use as digital evidence to analyze and understand a growing range of criminal activity, including cyberattacks, data breaches, and criminal and civil investigations. Additionally, like all evidence, physical or digital, investigators and law enforcement agencies must collect, handle, analyze and store it correctly. Otherwise, data may be lost, tampered with or rendered inadmissible in court.

Forensics experts are responsible for performing digital forensics investigations, and as demand for the field grows, so do the job opportunities. The Bureau of Labor Statistics estimates computer forensics job openings will increase 31 percent through 2029 (link resides outside ibm.com).

The  National Institute of Standards and Technology (NIST)  (link resides outside ibm.com) outlines four steps in the digital forensic analysis process.

Those steps include:

Identify the digital devices or storage media containing data, metadata or other digital information relevant to the digital forensics investigation. For criminal cases, law enforcement agencies will seize the evidence from a potential crime scene to ensure a strict chain of custody.

To preserve evidence integrity, forensics teams make a forensic duplicate of the data using a hard drive duplicator or forensic imaging tool. Following the duplication process, they secure the original data and conduct the rest of the investigation on the copies to avoid tampering.

Investigators comb through data and metadata for signs of cybercriminal activity. Forensic examiners can recover digital data from a variety of sources, including web browser histories, chat logs, remote storage devices, unallocated (deleted) space, accessible disk space, operating system caches and virtually any other part of a computerized system.

Forensic analysts use different methodologies and digital forensic tools to extract data and insights from digital evidence.

For instance, to uncover "hidden" data or metadata, they might use specialized forensic techniques, like  live analysis , which evaluates still-running systems for volatile data, or  reverse steganography , which exposes data hidden using steganography (a method for concealing sensitive information within ordinary-looking messages). Investigators may also reference proprietary and open-source tools to link findings to specific threat actors.
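
The reverse-steganography technique mentioned above, as an added example that is not IBM's code: hiding a message in the least-significant bits of a constructed RGB pixel buffer and then recovering it. The embedding routine is there only to produce a realistic carrier; extract_lsb is the forensic step, and the payload layout it assumes (a 32-bit big-endian length, then the message, one bit per colour sample) is an assumption, since real tools differ and an examiner must first establish which one was used.

```python
"""Recovering data hidden by least-significant-bit (LSB) steganography.

Added example, not IBM's code. The carrier is a constructed 8-bit RGB pixel
buffer (no image library needed). The embedding routine is included only to
produce a realistic carrier; extract_lsb is the forensic step. The payload
layout assumed here (32-bit big-endian length, then the bytes, one bit per
colour sample) is one of many: an examiner first has to establish the tool
and layout that were used, which is why the extractor rejects a length field
that cannot fit the carrier.
"""
import hashlib


def make_carrier(width=64, height=64):
    """Constructed 'photo': a smooth gradient with reproducible low-level noise."""
    noise = b"".join(hashlib.sha256(b"carrier" + i.to_bytes(4, "big")).digest()
                     for i in range(width * height * 3 // 32 + 1))
    out = bytearray()
    k = 0
    for y in range(height):
        for x in range(width):
            for base in (x * 4, y * 4, (x + y) * 2):      # R, G, B
                out.append((base + (noise[k] & 0x0F)) & 0xFF)
                k += 1
    return bytes(out)


def embed_lsb(pixels, message):
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # each sample changes by at most 1
    return bytes(out)


def _read_bytes(pixels, start_bit, count):
    out = bytearray()
    for j in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (pixels[start_bit + j * 8 + k] & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(pixels):
    """Recover the hidden message, or raise if the carrier does not carry
    this layout (length prefix larger than the carrier could hold)."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    capacity = (len(pixels) - 32) // 8
    if length > capacity:
        raise ValueError(f"length {length} exceeds capacity {capacity}: not this layout")
    return _read_bytes(pixels, 32, length)


def lsb_ones_ratio(pixels, start_bit, count):
    """Share of 1-bits in a run of LSBs; ASCII payloads (top bit always 0)
    pull this below the roughly even split that sensor noise produces."""
    return sum(pixels[i] & 1 for i in range(start_bit, start_bit + count)) / count


if __name__ == "__main__":
    carrier = make_carrier()
    secret = b"meet at the old warehouse, 02:00"   # constructed message
    stego = embed_lsb(carrier, secret)
    print("recovered:", extract_lsb(stego))
    print("LSB 1-ratio, message region vs. rest: %.2f vs. %.2f" % (
        lsb_ones_ratio(stego, 32, 8 * len(secret)),
        lsb_ones_ratio(stego, 32 + 8 * len(secret), 4096)))
```

An LSB change alters each colour sample by at most one, so the stego buffer is visually identical to the carrier; lsb_ones_ratio is the simplest statistical tell, and a length field that cannot fit the carrier is the usual first sign that the file does not carry this layout at all. Real tools may spread the bits across channels, use a password-seeded pixel order, or compress and encrypt the payload first, so the extraction step normally follows identification of the tool from other artifacts.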

Once the investigation is over, forensic experts create a formal report that outlines their analysis, including what happened and who may be responsible. 

Reports vary by case. For cyber crimes, they might have recommendations for fixing vulnerabilities to prevent future cyberattacks. Reports are also frequently used to present digital evidence in a court of law and shared with law enforcement agencies, insurers, regulators and other authorities. 

When digital forensics emerged in the early 1980s, there were few formal digital forensics tools. Most forensics teams relied on live analysis, a notoriously tricky practice that posed a significant risk of tampering.

By the late 1990s, the increased demand for digital evidence prompted the development of more sophisticated tools like EnCase and FTK, which allowed forensic analysts to examine copies of digital media without resorting to live forensics.

Today, forensic experts employ a wide range of digital forensics tools. These tools can be hardware or software-based and analyze data sources without tampering with the data. Common examples include file analysis tools, which extract and analyze individual files, and registry tools, which gather information from Windows-based computing systems that catalog user activity in registries.

Certain providers also offer dedicated open-source tools for specific forensic purposes—with commercial platforms, like EnCase and CAINE, offering comprehensive functions and reporting capabilities. CAINE, specifically, boasts an entire Linux distribution tailored to the needs of forensic teams.

Digital forensics contains discrete branches based on the different sources of forensic data.

Some of the most popular branches of digital forensics include:

  • Computer forensics (or cyber forensics): Combining computer science and legal forensics to gather digital evidence from computing devices.
  • Mobile device forensics: Investigating and evaluating digital evidence on smartphones, tablets, and other mobile devices.
  • Database forensics: Examining and analyzing databases and their related metadata to uncover evidence of cybercrimes or data breaches.
  • Network forensics: Monitoring and analyzing data found in computer network traffic, including web browsing and communications between devices.
  • File system forensics: Examining data found in files and folders stored on endpoint devices like desktops, laptops, mobile phones, and servers.
  • Memory forensics: Analyzing digital data found in a device's random access memory (RAM).

When computer forensics and incident response—the detection and mitigation of cyberattacks in progress—are conducted independently, they can interfere with each other and negatively impact an organization.

Incident response teams can alter or destroy digital evidence while removing a threat from the network. Forensic investigators can delay threat resolution while they hunt down and capture evidence.

Digital forensics and incident response, or DFIR, combines computer forensics and incident response into an integrated workflow that can help information security teams stop cyber threats faster while also preserving digital evidence that might be lost in the urgency of threat mitigation.

Two major benefits of DFIR include:

  • Forensic data collection happening alongside threat mitigation. Incident responders use computer forensic techniques to collect and preserve data while they’re containing and eradicating the threat, ensuring the proper chain of custody is followed and that valuable evidence isn’t altered or destroyed.
  • Post-incident review including examination of digital evidence. In addition to preserving evidence for legal action, DFIR teams use it to reconstruct cybersecurity incidents from start to finish to learn what happened, how it happened, the extent of the damage and how similar attacks can be avoided.

DFIR can lead to faster threat mitigation, more robust threat recovery, and improved evidence for investigating criminal cases, cybercrimes, insurance claims and other security incidents.




Digital Evidence and Forensics

Computers are used for committing crime, and, thanks to the burgeoning science of digital evidence forensics, law enforcement now uses computers to fight crime.

Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive or a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' e-mail or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationship with other suspects. In 2005, for example, a floppy disk led investigators to the BTK serial killer who had eluded police capture since 1974 and claimed the lives of at least 10 victims.

In an effort to fight e-crime and to collect relevant digital evidence for all crimes, law enforcement agencies are incorporating the collection and analysis of digital evidence, also known as computer forensics, into their infrastructure. Law enforcement agencies are challenged by the need to train officers to collect digital evidence and keep up with rapidly evolving technologies such as computer operating systems.



Research on Computer Forensics Technology Based on Data Recovery

Ruibo Duan 1 and Xiong Zhang 2

Published under licence by IOP Publishing Ltd Journal of Physics: Conference Series , Volume 1648 , Information technology Citation Ruibo Duan and Xiong Zhang 2020 J. Phys.: Conf. Ser. 1648 032025 DOI 10.1088/1742-6596/1648/3/032025


Author affiliations

1 Yunnan College of Foreign Affairs & Foreign Language, China, 651700

2 Songming County Public Security Bureau, China, 651700


With the rapid development of information technology, fundamental changes have taken place in the way people work. However, computer crime has also become a main type of case in the Internet era. Computer forensics technology has therefore become an important research topic for the collection of computer crime evidence. This paper first analyzes the relationship between computer forensics and data recovery, then analyzes the steps of computer forensics, and finally analyzes the application of anti-forensics technology and computer forensics technology.


Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence . Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.


Science News

Scientists are fixing flawed forensics that can lead to wrongful convictions.

Police lineups, fingerprinting and trace DNA techniques all need reform


Forensic science can help solve crimes, but some techniques and methods of analysis need improvement.


By Amber Dance

June 6, 2024 at 9:00 am

Charles Don Flores has been facing death for 25 years.

Flores has been on death row in Texas since a murder conviction in 1999. But John Wixted, a psychologist at the University of California, San Diego, says the latest memory science suggests Flores is innocent.

The murder Flores was convicted of happened during a botched attempt to locate drug money. An eyewitness, a woman who looked out her window while getting her kids ready for school, told the police that two white males with long hair got out of a Volkswagen Beetle and went into the house where the killing took place. The police quickly picked up the owner of the car, a long-haired white guy.

The police also suspected Flores, who had a history of drug dealing. He was also a known associate of the car owner, but there was a glaring mismatch with the witness description: Flores is Hispanic, with very short hair.

A side-by-side of a photograph of a Latino man with short dark hair next to a crime scene illustration of a white man with long hair

Still, the police put a “very conspicuous” photo of him in a lineup, says Gretchen Sween, Flores’ lawyer. “His [photo] is front and center, and he’s the only one wearing this bright-colored shirt, screaming ‘pick me!’”

But the eyewitness did not pick him. It was only after some time passed, during which the witness saw Flores’ picture on the news, that she came to think he was the one who entered the house. Thirteen months after she described two white men with long hair, she testified in court that it was Flores she saw.

Memory scientists have long been mistrustful of eyewitness reports because memory is malleable. But in recent years, Wixted says, research has shown that the initial lineup — the very first memory test — can be reliable. He argues that the witness’s initial rejection of Flores’ photo is evidence of innocence.

In 2013, Texas became the first state to introduce a “junk science” law allowing the courts to reexamine cases when new science warranted it. Sween has submitted hundreds of pages of arguments to get a judge to consider this new slant on memory science. So far, the Texas authorities have remained unconvinced.

“Our criminal justice system is generally slow to respond to any kind of science-based innovation,” laments Tom Albright, a neuroscientist at the Salk Institute for Biological Studies in La Jolla, Calif.

But researchers are pushing ahead to improve the science that enters the courtroom. The fundamental question for all forms of evidence is simple, Albright says. “How do you know what is right?” Science can’t provide 100 percent certainty that, say, a witness’s memory is correct or one fingerprint matches another. But it can help improve the likelihood that evidence is tested fairly or evaluate the likelihood that it’s correct.


Some progress has been made. Several once-popular forms of forensics have been scientifically debunked, says Linda Starr, a clinical professor of law at Santa Clara University in California and cofounder of the Northern California Innocence Project, a nonprofit that challenges wrongful convictions. One infamous example is bite marks. Since the 1970s, a few dentists have contended that a mold of a suspect’s teeth can be matched to bite marks in skin, though this has never been proved scientifically. A 2009 report from the National Academy of Sciences noted how bite marks may be distorted by time and healing and that different experts often produce different findings.

More than two dozen convictions based on bite mark evidence have since been overturned, many due to new DNA evidence.

Now researchers are taking on even well-accepted forms of evidence, like fingerprints and DNA, that can be misinterpreted or misleading.

“There are a lot of cases where the prosecution contends they have forensic ‘science,’ ” Starr says. “A lot of what they’re claiming to be forensic science isn’t science at all; it is mythology.”

Do the eyes have it?

Though research has been clear about the shortcomings of eyewitness memory for decades, law enforcement has been slow to adopt best practices to reduce the risk of memory contamination, as appears likely to have happened in Flores’ case.

The justice system largely caught on to the problem of memory in the 1990s, when the introduction of DNA evidence overturned many convictions. In more than 3,500 exonerations tracked since 1989, there was some version of false identification in 27 percent of cases, according to the National Registry of Exonerations. What’s become clear is that an eyewitness’s memory can be contaminated, as surely as if someone spit into a tube full of DNA.

Over the last decade, expert groups, including the National Academy of Sciences and the American Psychological Association, have recommended that police investigators treat a lineup — usually done with photographs these days — like a controlled experiment. For example, the officer conducting the lineup should be “blind” as to which of the people is the suspect and which are “fillers” with no known link to the crime. That way, the officer cannot subconsciously influence the results.

Those best-practice recommendations are catching on, but slowly, says Gary Wells, a psychologist at Iowa State University in Ames who coauthored the American Psychological Association recommendations. “We continue to have cases popping up, sort of right and left, in which they’re doing it wrong.”

Exonerating circumstances

Of over 3,500 exonerations in the United States tracked since 1989, problems with forensic evidence and eyewitness testimony each played a role in about a quarter of the cases (exonerations can have multiple contributing factors, so the bars total more than 100 percent).

Factors contributing to exonerations since 1989

A bar chart on factors contributing to exonerations since 1989. On the y-axis is "Percentage of exonerations." From highest bar to lowest is, "Perjury or false accusation" with approximately 65%, "Official misconduct" with approximately 60%, "False or misleading forensic evidence" with approximately 30%, "Mistaken witness ID" with approximately 30% and "False confession" with approximately 15%.

One problem arises when the filler photos don’t match the witness’s description of a suspect, or the suspect stands out in some way — as Sween contends happened with Flores. Fillers should all have the same features as the eyewitness described, and not be too similar or too different from the suspect. For now, it’s on police officers to engineer the perfect lineup, with no external check on how appropriate the fillers are.

As a solution, Albright and colleagues are working on a computer system to select the best possible filler photographs. The catch is that computer algorithms tend to focus on different facial features than humans do. So the researchers asked human subjects to rank similarity between different artificially generated faces and then used machine learning to train the computer to judge facial similarity the way people do. Using that information, the system can generate lineups — from real or AI-generated faces — in which all the fillers are more or less similar to the suspect. Next up, the scientists plan to figure out just how similar the filler faces should be to the suspect for the best possible lineup results.

Proper filler selection would help, but it doesn’t solve a key problem Wixted sees in the criminal justice system: He wants police and courts to appreciate a newer, twofold understanding of eyewitness testing. First, eyewitnesses who are confident in their identification tend to be more accurate, according to an analysis Wixted and Wells penned in 2017. For example, the pair analyzed 15 studies in which witnesses who viewed mock crimes were asked to report their confidence on a 100-point scale. Across those studies, the higher witnesses rated their own confidence, the more likely they were to identify the proper suspect. Accurate eyewitnesses also tend to make decisions quickly, because facial memory happens fast: “seconds, not minutes,” Wixted says.

Conversely, low confidence indicates the identification isn’t too reliable. In trial transcripts from 92 cases later overturned by DNA evidence, most witnesses who thought back to the first lineup recalled low confidence or outright rejection of all options, according to research by Brandon Garrett, a law professor at Duke University.

The confidence correlation is appropriate only when the lineup is conducted according to all best practices, which remains a rare occurrence, warns Elizabeth Loftus, a psychologist at the University of California, Irvine. But Wixted argues it’s still relevant, if less so, even in imperfect lineups.

The second recent realization is that the very first lineup a witness sees, assuming police follow best practices to avoid biasing the witness, has the lowest chance of contamination. So a witness’s memory should be tested just once. “There’s no do-overs,” Wixted says.

Together, these factors suggest that a confident witness on the first, proper lineup can be credible, but that low confidence or subsequent lineups should be discounted.

Those recommendations come mainly from lab experiments. How does witness confidence play out in the real world? Wells tested this in a 2023 study with his graduate student Adele Quigley-McBride, an experimental psychologist now on the faculty at Simon Fraser University in Burnaby, Canada. They obtained 75 audio recordings of witness statements during real, properly conducted lineups. While the researchers couldn’t be sure that the suspects were truly the criminals, they knew that any filler identification must be incorrect because those people were not connected to the crime in any way.

Face-to-face

During a photo lineup, an eyewitness is shown a suspect’s photo and filler photos, either simultaneously or sequentially, and asked to ID the suspect. An alternative approach doesn’t ask a witness to make an identification. Instead, the witness views pairs of photos, some of which include the suspect and some of which don’t. For each pair, the witness judges which person looks more like the potential perp. The procedure ranks each lineup face to see if the suspect was overall judged as most similar to who the witness saw.

3 different styles of a photo lineup. On the far left is a "simultaneous lineup" where 6 individuals are shown together and all at once, in the middle is a "sequential lineup" which is the same 6 individuals shown one at a time in succession. The last is the "paired comparisons" where two of the six individuals are shown at a time side-by-side. The groupings of individuals are different each time and shown six times.

Volunteers listened to those lineup recordings and rated witness confidence. Witnesses who quickly and confidently picked a face — within about half a minute or less — were more likely to pick the suspect than a filler image. In one experiment, for example, the identifications that ended on a suspect had been rated, on average, as 69 percent confident, as opposed to about 56 percent for those that ended up on a filler. Quigley-McBride proposes that timing witness decisions and recording confidence assessments could be valuable information for investigators.

Witnesses also bring their own biases. They may assume that since the police have generated a lineup, the criminal must be in it. “It’s very difficult to recognize the absence of the perpetrator,” Wells says.

In a 2020 study, Albright used the science of memory and perception to design an approach that might sidestep witness bias, by not asking witnesses to pick out a suspect from a lineup at all. Instead, the eyewitness views pairs of faces one at a time. Some pairs contain the suspect and a filler; some contain two fillers. For each pair, the witness judges which person looks more like the remembered perpetrator. Based on those pairwise “votes,” the procedure can rank each lineup face and determine if the suspect comes out as most similar. “It’s just as good as existing methods and less susceptible to bias,” Albright says.

Wixted says the approach is “a great idea, but too far ahead of its time.” Defense attorneys would likely attack any evidence that lacks a direct witness identification.

Putting fingerprints to the test

Fingerprints have been police tools for a long time, more than a century. They were considered infallible for much of that history.

Limitations to fingerprint analysis came to light in spectacular fashion in 2004, with the bombing of four commuter trains in Madrid. Spanish police found a blue plastic bag full of detonators and traces of explosives. Forensic experts used a standard technique to raise prints off the bag: fumigating it with vaporized superglue, which stuck to the finger marks, and staining the bag with fluorescent dye to reveal a blurry fingerprint.

Running that print against the FBI’s fingerprint database highlighted a possible match to Brandon Mayfield, an Oregon lawyer. One FBI expert, then another, then another confirmed Mayfield’s print matched the one from the bag.

Mayfield was arrested. But he hadn’t been anywhere near Madrid during the bombing. He didn’t even possess a current passport. Spanish authorities later arrested someone else, and the FBI apologized to Mayfield and let him go.

The case highlights an unfortunate “paradox” resulting from fingerprint databases, in that “the larger the databases get … the larger the probability that you find a spurious match,” says Alicia Carriquiry. She directs the Center for Statistics and Applications in Forensic Evidence, or CSAFE, at Iowa State University.

In fingerprint analyses, the question at hand is whether two prints, one from a crime scene and one from a suspect or a fingerprint database, came from the same digit (SN: 8/26/15). The problem is that prints lifted from a crime scene are often partial, distorted, overlapping or otherwise hard to make out. The expert’s challenge is to identify features called minutiae, such as the place a ridge ends or splits in two, and then decide if they correspond between two prints.

Studies since the Madrid bombing illustrate the potential for mistakes. In a 2011 report, FBI researchers tested 169 experienced print examiners on 744 fingerprint pairs, of which 520 pairs contained true matches. Eighty-five percent of the examiners missed at least one of the true matches in a subset of 100 or so pairs each examined. Examiners can also be inconsistent: In a subsequent study, the researchers brought back 72 of those examiners seven months later and gave them 25 of the same fingerprint pairs they saw before. The examiners changed their conclusions on about 10 percent of the pairings.

Forensic examiners can also be biased when they think they see a very rare feature in a fingerprint and mentally assign that feature a higher significance than others, Quigley-McBride says. No one has checked exactly how rare individual features are, but she is part of a CSAFE team quantifying these features in a database of more than 2,000 fingerprints.

Computer software can assist fingerprint experts with a “sanity check,” says forensic scientist Glenn Langenburg, owner of the consulting firm Elite Forensic Services in St. Paul, Minn. One option is a program known rather informally as Xena (yes, for the television warrior princess) developed by Langenburg’s former colleagues at the University of Lausanne in Switzerland.

Xena’s goal is to calculate a likelihood ratio, a number that compares the probability of a fingerprint looking like it does if it came from the suspect (the numerator) versus the probability of the fingerprint looking as it does if it’s from some random, unidentified individual (the denominator). The same type of statistic is used to support DNA evidence.

To compute the numerator probability, the program starts with the suspect’s pristine print and simulates various ways it might be distorted, creating 700 possible “pseudomarks.” Then Xena asks, if the suspect is the person behind the print from the crime scene, what’s the probability any of those 700 could be a good match?

To calculate the denominator probability, the program compares the crime scene print to 1 million fingerprints from random people and asks, what are the chances that this crime scene print would be a good match for any of these?

If the likelihood ratio is high, that suggests the similarities between the two prints are more likely if the suspect is indeed the source of the crime scene print than if not. If it’s low, then the statistics suggest it’s quite possible the print didn’t come from the suspect. Xena wasn’t available at the time of the Mayfield case, but when researchers ran those prints later, it returned a very low score for Mayfield, Langenburg says.
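To make the two probabilities in that ratio concrete, here is an added toy simulation written for this page; it is not code from Xena, FRStat or the University of Lausanne. It models a print as a set of minutiae points, a crime-scene mark as a partial, smeared copy of a print, and similarity as the number of minutiae that can be paired within a tolerance. The numerator is estimated from 700 simulated pseudomarks of the suspect's own print, the denominator from a constructed population of random prints, and a last function gives the "database paradox" Carriquiry describes: the chance that a search of N non-source prints returns at least one spurious match. Every minutiae count, tolerance and population size is an arbitrary constant chosen for the example.

```python
"""Monte Carlo likelihood ratio for a fingerprint comparison, plus the
database-size effect. Added toy example for this page; NOT Xena or FRStat.

Assumptions (all constructed for the example): a print is a list of
minutiae as (x, y) points on a 100x100 grid; a crime-scene mark is a
partial, smeared copy of a print; similarity is the number of mark
minutiae that can be paired with distinct print minutiae within TOLERANCE.
"""
import math
import random

N_MINUTIAE = 40        # minutiae per pristine print (assumption)
TOLERANCE = 3.0        # max distance for two minutiae to count as a pair
MATCH_THRESHOLD = 12   # pairs needed to call a comparison a "good match"


def make_print(rng):
    """A pristine print: N_MINUTIAE random minutiae positions."""
    return [(rng.uniform(0, 100), rng.uniform(0, 100)) for _ in range(N_MINUTIAE)]


def distort(print_, rng, keep=0.5, jitter=1.5):
    """Simulate a mark left at a scene: only some minutiae survive (keep)
    and each surviving position is smeared by Gaussian noise (jitter)."""
    return [(x + rng.gauss(0, jitter), y + rng.gauss(0, jitter))
            for (x, y) in print_ if rng.random() < keep]


def similarity(mark, print_):
    """Greedy count of mark minutiae pairable with unused print minutiae."""
    used = set()
    pairs = 0
    for mx, my in mark:
        for i, (px, py) in enumerate(print_):
            if i not in used and math.hypot(mx - px, my - py) <= TOLERANCE:
                used.add(i)
                pairs += 1
                break
    return pairs


def likelihood_ratio(mark, suspect, population_scores, rng, n_pseudomarks=700):
    """LR = P(score >= observed | suspect is source) /
            P(score >= observed | some unknown person is source).

    Numerator: distort the suspect's pristine print n_pseudomarks times and
    count how often a pseudomark scores at least as well against it as the
    real mark did.  Denominator: how often the real mark scores at least
    that well against prints of unrelated people (population_scores).
    Add-one smoothing keeps a zero count from producing an infinite LR."""
    s_obs = similarity(mark, suspect)
    hits_p = sum(similarity(distort(suspect, rng), suspect) >= s_obs
                 for _ in range(n_pseudomarks))
    hits_d = sum(s >= s_obs for s in population_scores)
    p_hp = (hits_p + 1) / (n_pseudomarks + 1)
    p_hd = (hits_d + 1) / (len(population_scores) + 1)
    return p_hp / p_hd


def p_spurious_match(false_match_rate, db_size):
    """Probability that searching db_size prints from people who did NOT
    leave the mark returns at least one 'match' (the database paradox)."""
    return 1.0 - (1.0 - false_match_rate) ** db_size


def run_demo(seed=7, population_size=3000):
    rng = random.Random(seed)
    population = [make_print(rng) for _ in range(population_size)]
    source = make_print(rng)     # the person who really left the mark
    innocent = make_print(rng)   # an unrelated suspect
    mark = distort(source, rng)
    pop_scores = [similarity(mark, p) for p in population]   # shared denominator
    fmr = sum(s >= MATCH_THRESHOLD for s in pop_scores) / len(pop_scores)
    return {
        "lr_source": likelihood_ratio(mark, source, pop_scores, rng),
        "lr_innocent": likelihood_ratio(mark, innocent, pop_scores, rng),
        "empirical_false_match_rate": fmr,
        # a one-in-a-million false match rate still yields a near-certain
        # spurious hit somewhere in a database of tens of millions of prints
        "p_spurious_1k": p_spurious_match(1e-6, 1_000),
        "p_spurious_50m": p_spurious_match(1e-6, 50_000_000),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.4g}")
```

The true source gets a large ratio because no unrelated print comes close to the mark's score, while the unrelated suspect gets a ratio near 1 because many random prints score as well as he does. The last two values show why a hit returned by a nationwide search needs independent corroboration: the per-comparison error rate is multiplied by the size of the database it is run against.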

Another option, called FRStat, was developed by the U.S. Army Criminal Investigation Laboratory. It crunches the numbers a bit differently to calculate the degree of similarity between fingerprints after an expert has marked five to 15 minutiae.

While U.S. Army courts have admitted FRStat numbers, and some Swiss agencies have adopted Xena, few fingerprint examiners in the United States have taken up either. But Carriquiry thinks U.S. civilian courts will begin to use FRStat soon.

Trace DNA makes for thin evidence

When DNA evidence was first introduced in the late 20th century, courts debated its merits in what came to be known as the “DNA wars.” The molecules won, and DNA’s current top status in forensic evidence is well-deserved — at least when it’s used in the most traditional sense (SN: 5/23/18).

Forensic scientists traditionally isolate DNA from a sample chock-full of DNA, like bloodstains or semen from a rape kit, and then focus in on about 20 specific places in the genomic sequence. These are spots where the genetic letters repeat like a stutter, such as GATA GATA GATA. People can have different numbers of repeats in each spot. If the profiles are the same between the suspect and the crime scene evidence, that doesn’t confirm the two people are one and the same. But because scientists have examined the stutter spots in enough human genomes, they can calculate a likelihood ratio and testify based on that.

So far, so good. That procedure can help juries answer the question, “Whose DNA is this?” says Jarrah Kennedy, a forensic DNA scientist at the Kansas City Police Crime Laboratory.

But in recent years, the technology has gotten so sensitive that DNA can now be recovered from even scant amounts of biological material. Forensic scientists can pluck a DNA fingerprint out of just a handful of skin cells found on, say, the handle of a gun. Much of Kennedy’s workload is now examining this kind of trace DNA, she says.

The analysis can be tricky because DNA profiles from trace evidence are less robust. Some stutter numbers might be missing; contamination by other DNA could make extra ones appear. It’s even more complicated if the sample contains more than one person’s DNA. This is where the examiner’s expertise, and opinions, come into their assessments.
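The product-rule calculation behind that likelihood ratio, and why it weakens when loci are missing, as an added example that is not code from any crime laboratory. Profiles are repeat counts at four hypothetical loci; the allele frequencies are constructed for the illustration, not real population data, and the subpopulation and minimum-allele-frequency corrections used in casework are reduced to a single frequency floor. Within-locus dropout (one allele of a heterozygote missing) and mixtures are left to probabilistic genotyping software and are not modelled here.

```python
"""Product-rule random match probability for an STR profile, and how
allele dropout on a trace sample shrinks the likelihood ratio.
Added example for this page; not any laboratory's software.

A profile maps a locus name to the pair of repeat counts observed there.
The allele frequency table is CONSTRUCTED for the illustration."""

# Constructed allele frequencies per hypothetical locus (not real data).
FREQ = {
    "LOC1": {8: 0.10, 9: 0.20, 10: 0.40, 11: 0.30},
    "LOC2": {12: 0.50, 13: 0.30, 14: 0.20},
    "LOC3": {7: 0.25, 8: 0.25, 9: 0.25, 10: 0.25},
    "LOC4": {15: 0.60, 16: 0.40},
}

# Floor for an allele absent from the reference table (assumption; casework
# derives a minimum allele frequency from the size of the reference sample).
MIN_FREQ = 0.01


def genotype_frequency(locus_freqs, genotype):
    """Hardy-Weinberg genotype frequency: p^2 for a homozygote, 2pq for a
    heterozygote.  Casework adds a subpopulation (theta) correction, omitted
    here to keep the arithmetic visible."""
    a, b = genotype
    p = locus_freqs.get(a, MIN_FREQ)
    q = locus_freqs.get(b, MIN_FREQ)
    return p * p if a == b else 2.0 * p * q


def random_match_probability(profile, freq_table=FREQ):
    """Product rule: the chance an unrelated person shares every genotype
    in the profile, multiplying the per-locus frequencies."""
    rmp = 1.0
    for locus, genotype in profile.items():
        rmp *= genotype_frequency(freq_table[locus], genotype)
    return rmp


def likelihood_ratio(evidence, suspect, freq_table=FREQ):
    """LR for 'the suspect is the source' vs 'an unrelated person is'.

    Only loci typed in BOTH profiles carry information.  A mismatch at any
    shared locus is an exclusion (LR = 0).  Otherwise LR = 1 / RMP over the
    shared loci, so whole-locus dropout in a trace sample pulls the LR
    toward 1, i.e. toward 'no information'."""
    shared = [locus for locus in evidence if locus in suspect]
    for locus in shared:
        if sorted(evidence[locus]) != sorted(suspect[locus]):
            return 0.0
    partial = {locus: suspect[locus] for locus in shared}
    return 1.0 / random_match_probability(partial, freq_table)


# Constructed profiles for the demonstration.
SUSPECT = {"LOC1": (9, 10), "LOC2": (12, 12), "LOC3": (7, 9), "LOC4": (15, 16)}
FULL_EVIDENCE = dict(SUSPECT)                        # rich sample, all loci typed
TRACE_EVIDENCE = {"LOC1": (9, 10), "LOC3": (9, 7)}    # LOC2 and LOC4 dropped out
EXCLUDING_EVIDENCE = {"LOC1": (9, 11), "LOC3": (7, 9)}  # one allele differs

if __name__ == "__main__":
    print("RMP, full profile:", random_match_probability(SUSPECT))
    print("LR, full sample:  ", likelihood_ratio(FULL_EVIDENCE, SUSPECT))
    print("LR, trace sample: ", likelihood_ratio(TRACE_EVIDENCE, SUSPECT))
    print("LR, mismatch:     ", likelihood_ratio(EXCLUDING_EVIDENCE, SUSPECT))
```

With these made-up frequencies the full four-locus profile gives a likelihood ratio of about 417; losing two loci to dropout cuts it to 50, and a single mismatched allele excludes the suspect outright. Real casework uses around 20 loci and far rarer genotypes, which is why a complete profile can reach ratios in the trillions while a degraded one may not.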

“Human people do this work, and human people make mistakes and errors,” says Tiffany Roy, a forensic DNA expert and owner of the consulting firm ForensicAid in West Palm Beach, Fla.

And even if Roy or Kennedy can find a DNA profile on trace evidence, such small amounts of DNA mean they haven’t necessarily identified the profile of the culprit of a crime. Did the suspect’s DNA land on the gun because they pulled the trigger? Or because they handled the weapon weeks before it ever went off?

“It’s not about the ‘who?’ anymore,” Kennedy says. “It’s about ‘how?’ or ‘when?’ ”

Such DNA traces complicated the case of Amanda Knox, the American exchange student in Italy who was convicted in 2009, with two others, of sexually assaulting and killing her roommate. DNA profiles from Knox and her boyfriend were found on the victim’s bra clasp and a knife handle. But experts later deemed the DNA evidence weak: There was a high risk the bra clasp had been contaminated over the weeks it sat at the crime scene, and the signal from the knife was so low, it may have been incorrect. The pair were acquitted, upon appeal, in 2015.

Here, again, statistical software can help forensic scientists decide how many DNA profiles contributed to a mixture or to calculate likelihood ratios. But Roy estimates that only about half of U.S. labs use the most up-to-date tools. “It keeps me awake at night.”

And Roy suspects the courts may at some point have to consider whether science can inform how a person’s DNA got on an item. Thus, she says, “I think there’s a new DNA war coming.” She doesn’t think the science can go that far.

When science saves the day

Change happens slowly, Wixted says. And Flores and others remain incarcerated despite efforts by Sween and others questioning faulty evidence.

One reason U.S. courts often lag behind the science is that it’s up to the judge to decide whether any specific bit of evidence is included in a trial. The federal standard on expert testimony, known as Rule 702 and first set out in 1975, is generally interpreted to mean that judges must assess whether the science in question is performed according to set standards, has a potential or known error rate, and has been through the wringer of scientific peer review. But in practice, many judges don’t do much in the way of gatekeeping. Last December, Rule 702 was updated to reemphasize the role of judges in blocking inappropriate science or experts.

In Texas, Sween says she’s not done fighting for Flores, who’s still living in a six-by-nine-foot cell on death row but has graduated from a faith-based rehabilitation program and started a book club with the help of someone on the outside. “He’s a pretty remarkable guy,” Sween says.

But in another case Wixted was involved with, the new memory science led to a happier ending.

Miguel Solorio was arrested in 1998, suspected of a drive-by shooting in Whittier, Calif. His girlfriend — now wife — provided an alibi. Four eyewitnesses, the first time they saw a lineup, didn’t identify him. But the police kept offering additional lineups, with Solorio in every one. Eventually, two witnesses identified him in court. He was convicted and sentenced to life in prison without parole.

When the Northern California Innocence Project and the Los Angeles County District Attorney’s Office took a fresh look at the case, they realized that the eyewitnesses’ memories had been contaminated by the repeated lineups. The initial tests were “powerful evidence of Mr. Solorio’s innocence,” the district attorney wrote in an official concession letter.

Last November, Solorio walked out of prison, a free man.

Investigating crime science

Some forensic techniques that seem scientific have been criticized as subjective and had their certainty questioned. That doesn’t necessarily mean they are never brought into court or that they’re meritless. For some techniques, researchers are studying how to make them more accurate.

Hair analysis

Experts judge traits such as color, texture and microscopic features to see if it’s possible a hair came from a suspect, but not to make a direct match. Analysis of DNA from hair has largely supplanted physical examination. But if no root is present, authorities won’t be able to extract a complete DNA profile. Scientists at the National Institute of Standards and Technology are analyzing whether certain hair proteins , which vary from person to person, can be correlated with a suspect’s own hair protein or DNA profile.

Fire scene investigation

Fire investigators once thought certain features, such as burn “pour patterns,” indicated an arsonist used fuel to spur a fast-spreading fire. In fact, these and other signs once linked to arson can appear in accidental fires, too, for example due to high temperatures or water from a firefighter’s hose. A 2017 report from the American Association for the Advancement of Science said identifying a fire’s origin and cause “can be very challenging and is based on subjective judgments and interpretations.”

Firearms analysis

A gun’s internal parts leave “toolmarks” on the bullet. Examiners study these microscopic marks to decide whether two bullets probably came from the same gun. A 2016 President’s Council of Advisors on Science and Technology report said the practice “falls short of the scientific criteria for foundational validity.” In 2023, a judge ruled for the first time that this kind of evidence was inadmissible. Researchers at NIST and the Center for Statistics and Applications in Forensic Evidence, or CSAFE, are developing automated, quantifiable methods to improve objectivity.

Bloodstain pattern analysis

Experts examine blood pooled or spattered at a crime scene to determine the cause, such as stabbing, and the point of origin, such as the height the blood came from. While some of this is scientifically valid, the analysis can be complex, with overlapping blood patterns. In 2009, the National Academy of Sciences warned that “some experts extrapolate far beyond what can be supported.” CSAFE has compiled a blood spatter database and is working on more objective approaches.

Volume 2 | Issue 2 | December 2023

Vijayakumar Thangavel

Department of ECE, M.P.Nachimuthu M.Jaganathan Engineering College, Chennimalai, India

DOI: 10.36548/rrrj.2023.2.013

18 December 2023

A subfield of digital forensic science called computer forensics deals with evidence discovered on computers and digital storage devices. Computer forensics aims to detect, preserve, retrieve, analyse and communicate facts and views regarding the digital information by performing a forensically sound examination of digital media. The purpose of this study is to provide a brief discussion of computer forensics and related methods. Steganography is one of the most widely utilised of these approaches, and it will also be briefly discussed below.

Publisher: Inventive Research Organization

CS50: Introduction to Computer Science

An introduction to the intellectual enterprises of computer science and the art of programming.

CS50x

Associated Schools

Harvard School of Engineering and Applied Sciences

What you'll learn.

A broad and robust understanding of computer science and programming

How to think algorithmically and solve programming problems efficiently

Concepts like abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development

Familiarity with a number of languages, including C, Python, SQL, and JavaScript plus CSS and HTML

How to engage with a vibrant community of like-minded learners from all levels of experience

How to develop and present a final programming project to your peers

Course description

This is CS50x , Harvard University's introduction to the intellectual enterprises of computer science and the art of programming for majors and non-majors alike, with or without prior programming experience. An entry-level course taught by David J. Malan, CS50x teaches students how to think algorithmically and solve problems efficiently. Topics include abstraction, algorithms, data structures, encapsulation, resource management, security, software engineering, and web development. Languages include C, Python, SQL, and JavaScript plus CSS and HTML. Problem sets inspired by real-world domains of biology, cryptography, finance, forensics, and gaming. The on-campus version of CS50x , CS50, is Harvard's largest course. 

Students who earn a satisfactory score on 9 problem sets (i.e., programming assignments) and a final project are eligible for a certificate. This is a self-paced course–you may take CS50x on your own schedule.

Instructors

David J. Malan

Doug Lloyd

nature.com | 31 May 2024

What is science? Tech heavyweights brawl over definition

  • Fred Schwaller

X owner Elon Musk (left) and artificial-intelligence pioneer Yann LeCun sparred on the social-media platform about scientific publications. Credit: Slaven Vlasic/Getty for The New York Times, Benjamin Girette/Bloomberg via Getty

If you do research and don’t publish it, is it science? That’s the question at the heart of an ongoing debate on X between entrepreneur Elon Musk and pioneering computer scientist Yann LeCun. Over the past few days, the conversation sprawled into a brawl about the definition of science, attracting thousands of commentators including researchers of all stripes.

The discussion started on 27 May, after Musk posted on the social-media platform X (formerly Twitter): “Join xAI if you believe in our mission of understanding the universe, which requires maximally rigorous pursuit of the truth, without regard to popularity or political correctness.” (Musk founded the company xAI to build artificial intelligence (AI) capable of enhanced reasoning. Its first product is a generative-AI chatbot called Grok.)

LeCun, chief AI scientist at tech giant Meta, is known for his foundational work in deep learning and neural networks. He called out the post, saying that Musk “claims to want a ‘maximally rigorous pursuit of the truth’ but spews crazy-ass conspiracy theories on his own social platform”. It escalated quickly, with Musk questioning what science LeCun had done in the past five years. LeCun, who also holds an academic post in AI at New York University in New York City, replied: “Over 80 technical papers published since January 2022. What about you?”

LeCun then posted saying “if you do research and don’t publish, it’s not Science”. He argued that research is only ‘science’ when it is collected as a body of knowledge, tested for correctness and reproducibility and then published. “Technological marvels don’t just pop out of the vacuum. They are built on years (sometimes decades) of scientific research,” he said. Without sharing that scientific information, “technological progress would slow to a crawl”.

LeCun’s definition of science sparked a backlash. Some people criticized him for not mentioning that science is not just a collection of facts, but is often considered a systematic method. Another tech entrepreneur — Palmer Luckey, who developed the virtual-reality headset Oculus — condemned the idea that “people who don’t publish their research for peer review will die bitter and forgotten”. Still others argued that scientific experiments done at companies are often kept private; even outside the private sector, 40% of data from academic and government scientists goes unpublished, according to some estimates.

“LeCun still misses the very essence of how science works. Saying ‘science is only science if it is published’ gatekeeps the idea that science is a method of understanding that people can use in their daily lives,” says Peter Coveney, a computer scientist at University College London.

The importance of feedback

LeCun later clarified his definition, posting: “science progresses through the collision of ideas, verification, analysis, reproduction, and improvements. If you don’t publish your research *in some way* your research will likely have no impact.”

He also hinted in his posts that there is need for more openness in AI research, in particular the source code underlying neural networks. Coveney and philosopher of science Janet Stemwedel at San José State University in California agree with LeCun on this point, especially amid criticisms that AI algorithms — such as those underlying the chatbot ChatGPT and text-to-video tool Sora, made by OpenAI in San Francisco, California, and AlphaFold3, the protein-structure-prediction tool created by Google DeepMind in London — are being developed and launched without the publication of their code.

“The big issue is that you need to expose your knowledge claims to rigorous examination, and you need to be responsive to the feedback that emerges from that,” says Stemwedel. She added that philosophers of science now see responsiveness to feedback as a cornerstone of modern definitions of science, alongside principles such as the utility of science for making predictions and providing explanations.

Coveney pointed to the development of generalist AI tools, which aim to interpret data and produce advanced reasoning abilities without being specifically trained for individual tasks. “At the heart of it is a large language model like ChatGPT, but they implement what’s called foundation models to solve problems.” He says that it’s questionable how scientific their methods are, even when their processes can be scrutinized by scientists.

xAI, for instance, is making the AI tools that it develops open source. “Musk argues that we can provide scientific explanations by using explainable AI like xAI, thereby replacing conventional ways of doing science,” says Coveney. “The problem is that a machine ingesting scientific literature and then creating statistical inferences does not confer understanding to the machine. It’s not an objective and rational way of creating scientific theories.”

Debated definition

The definition of science will always be contentious, says Stemwedel, who has studied how scientists use Twitter and X. Before Musk took over, Twitter had a beneficial role in overall discussions about science, and people showed that science could be responsive to feedback. “Early discussions showed objectivity is not a property of individual scientists, but rather of the collective efforts of a knowledge-building community. In the Musk era, I’m afraid things have gotten less responsive to reason.”

Amid the debate, Coveney says that it’s crucial to maintain the fundamental ideas of science that stem from the Enlightenment.

“The central element is, if you can’t have an objective discussion, then you’re not doing science, because you’re just articulating your opinions,” he says. The irony, adds Coveney, is that this is exactly what was happening during the debate on X.

doi: https://doi.org/10.1038/d41586-024-01626-z

DNA from fork leads to arrest of Florida man 15 years after uncle killed in NYC

By Kerry Breen

Updated on: May 31, 2024 / 4:11 PM EDT / CBS News

A man in Florida has been indicted on a second-degree murder charge in the 2009 killing of his uncle in New York City after authorities say DNA collected from a discarded fork linked him to the crime.

Rosario Prestigiacomo, 64, was stabbed to death at his Queens home on Feb. 10, 2009, according to a news release from the Queens County District Attorney's Office. A neighbor heard a disturbance and called police, who found Prestigiacomo face down in a pool of blood. The investigation found that he had been stabbed 16 times in the face, neck, torso and extremities, and that he had blunt-force injuries as well. 

Blood swabs were collected from the location, according to the district attorney, and the city's medical examiner used the material on them to create DNA profiles for the victim and an "additional unknown male." The second profile was entered into databases, but did not match any profiles currently in the system. 

The case remained cold until March 2022. That's when the district attorney's office and the NYPD cold case squad joined forces with Othram, a private laboratory, and the U.S. Department of Homeland Security to use forensic genetic genealogy to try to learn more about the second person. Forensic genetic genealogy uses genetic research and DNA analysis to try to identify DNA profiles. 

Othram was able to use advanced DNA testing to create a "comprehensive genealogical profile" from blood left at the murder scene, the district attorney said. Meanwhile, the NYPD's Forensic Investigations Division used databases and public records to build a family tree of the victim to try and determine possible suspects.

That family tree helped lead investigators to Anthony Scalici, Prestigiacomo's nephew. Scalici, now 41, lived in Boynton Beach, Florida. 

Detectives from the NYPD and the Boynton Beach Police Department surveilled Scalici in Florida, working to obtain a DNA sample. On Feb. 17, 2024 — almost exactly 15 years after his uncle was murdered — police were able to retrieve a discarded fork that Scalici had used.

That fork was analyzed and a DNA profile matched the unknown DNA found at the murder scene, the district attorney said. Matching DNA was also recovered from under Prestigiacomo's fingernail. 

United States Marshals, the Boynton Beach Police Department and the NYPD's Regional Fugitive Task Force arrested Scalici on May 14. He was extradited to New York City on Wednesday. 

The New York Times reported that Scalici's lawyer, David Cohen, said his client had pleaded not guilty. He is being held at Rikers Island, the Times reported, and will next appear in court on July 8. 

Scalici faces up to 25 years to life in prison if convicted.

Investigators say that at this time the motive is unclear, CBS New York reported.

The district attorney's office said this is the first time forensic genetic genealogy has been used to identify and arrest a homicide suspect in New York City. 

"I formed a Cold Case Unit to bring closure to grieving families and seek justice on behalf of victims," said district attorney Melinda Katz in the news release. "This case is an example of the perseverance and determination of the investigators on this, and every cold case, and highlights the successful partnership formed between my office and the NYPD Cold Case Squad. Defendants should not be able to evade justice no matter how much time has passed."

Kerry Breen is a news editor at CBSNews.com. A graduate of New York University's Arthur L. Carter School of Journalism, she previously worked at NBC News' TODAY Digital. She covers current events, breaking news and issues including substance use.



Tech computer science professor wins Kinslow Engineering Research Award

  • Published Monday Jun 3, 2024

Assistant professor of computer science receives the Kinslow Engineering Research Award.

Assistant Professor of Computer Science Maanak Gupta has won Tennessee Tech’s prestigious Kinslow Engineering Research Award for his paper: “From ChatGPT to ThreatGPT: Impact of Generative AI in Cybersecurity and Privacy.”

The College of Engineering presents the award each year to a faculty member for the best paper published in a professional journal. Gupta’s paper, of which he is principal and first author, was published Aug. 1, 2023, in IEEE Access journal.

“I am humbled and excited for this recognition,” Gupta said. “The award is a testament of the impactful research we are doing in our Applied and Basic Cybersecurity (ABCyS) lab at the intersection of generative AI and cybersecurity. This award is also a recognition to my students, who are relentlessly working on cutting edge research.” 

Since its publication, Gupta’s paper has been cited 200 times and downloaded more than 50,000 times.

Allen MacKenzie, Ph.D., associate dean of research for the College of Engineering, said during the award ceremony: “In this work, Gupta and his team provide critical understanding of the cybersecurity consequences of the evolution of generative AI models such as ChatGPT and Google Bard. They present the vulnerabilities of AI and how it can be exploited by malicious users to exfiltrate information by bypassing the AI’s ethical rules. It is critical work amid a new era of AI-aided attacks, unleashing known and unknown transformations in cyberattacks to help us understand the risk and develop an effective defense, as well as provide a future direction for enhancing cybersecurity.”

Gupta, who has more than 95 published research articles to his credit, received his Ph.D. in computer science from the University of Texas at San Antonio. His research interests include secure cyber physical systems, Internet of Things, cloud computing, malware analysis, and security solutions assisted by artificial intelligence and machine learning. His research has been funded by the National Science Foundation, NASA, Department of Defense and National Security Agency.

He has received two Tennessee Tech Wings Up 100 awards, which are presented to top faculty who bring in $100,000 or more in external funding for research, and he is invited regularly as a keynote speaker at conferences worldwide. He has worked as a postdoctoral research fellow at the Institute for Cyber Security, was recognized as the 2016 RSA Security Scholar and received the 2019 Computer Science Outstanding Doctoral Dissertation research award from UT San Antonio.

The Kinslow Engineering Research Award commemorates Professor Emeritus Ray Kinslow, whose career at Tennessee Tech spanned 32 years. He led the Department of Engineering Science and Mechanics for 25 of those years and was a prolific researcher, especially in hypervelocity impact.


COMMENTS

  1. 14047 PDFs

    Explore the latest full-text research PDFs, articles, conference papers, preprints and more on COMPUTER FORENSICS. Find methods information, sources, references or conduct a literature review on ...

  2. NIST Publishes Review of Digital Forensic Methods

    NIST's Digital Forensics Research Program, which was launched in 1999, develops methods for testing digital forensics tools and provides access to high-quality reference datasets. NIST also maintains a vast archive of published software, the National Software Reference Library, that is a critical resource for investigating computer crimes.

  3. A Comprehensive Survey on Computer Forensics: State-of-the-Art, Tools

    With the alarmingly increasing rate of cybercrimes worldwide, there is a dire need to combat cybercrimes timely and effectively. Cyberattacks on computing machines leave certain artifacts on target device storage that can reveal the identity and behavior of cyber-criminals if processed and analyzed intelligently. Forensic agencies and law enforcement departments use several digital forensic ...

  4. Research Trends, Challenges, and Emerging Topics in Digital Forensics

    Due to its critical role in cybersecurity, digital forensics has received significant attention from researchers and practitioners alike. The ever increasing sophistication of modern cyberattacks is directly related to the complexity of evidence acquisition, which often requires the use of several technologies. To date, researchers have presented many surveys and reviews on the field. However ...

  5. Digital forensic tools: Recent advances and enhancing the status quo

    For this article, we reviewed 799 research publications where 62 (7%) included tools according to our definition. Almost 25% of all reviewed articles came from the Digital Forensics Research Workshops (US & EU) where 27 out of the 199 included tools; followed by Digital Investigation 4 (journal) where 20 out of

  6. What is Computer Forensics?

    What is computer forensics? Computer forensics, also known as digital forensics, computer forensic science or cyber forensics, combines computer science and legal forensics to gather digital evidence in a way that is admissible in a court of law. In the same way that law enforcement officials comb crime scenes for clues, computer forensics ...

  7. Cloud Digital Forensics: Beyond Tools, Techniques, and Challenges

    One key area of exploration is the impact of emerging cloud technologies, such as containerization, microservices, and serverless computing [143], on digital forensics. These technologies introduce new challenges, particularly in the analysis of ephemeral and highly distributed computing environments.

  8. Digital forensics and strong AI: A structured literature review

    Forensics is an established field of research. Digital forensics started 44 years ago with the Florida Computer Crimes Act (1978) including legislation against the unauthorized modification of data on a computer system. Since then, the field has flourished in different subdomains.

  9. Research and Review on Computer Forensics

    Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in courts. This paper provides foundational concept of computer forensics, outlines various principles of computer forensics, discusses the ...

  10. What is digital forensics?

    Digital forensics is the process of collecting and analyzing digital evidence in a way that maintains its integrity and admissibility in court. Digital forensics is a field of forensic science. It is used to investigate cybercrimes but can also help with criminal and civil investigations. For instance, cybersecurity teams may use digital ...

  11. PDF computer forensics10 updated

    Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means "to bring to the court.") Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence ...

  12. What Is Computer Forensics? Types, Techniques, and Careers

    Computer forensics is also known as digital or cyber forensics. It is a branch of digital forensic science. Using technology and investigative techniques, computer forensics helps identify, collect, and store evidence from an electronic device. Computer forensics can be used by law enforcement agencies in a court of law or by businesses and ...

  13. A bibliometric analysis of cyber security and cyber forensics research

    3.3. Publication source. This subsection focuses on the top sources publishing cybersecurity and forensic research and indexed in WoS. Fig. 4 depicts these sources as well as the number of articles published in them. As per source-wise distribution analysis, the journal 'IEEE Access and LNCS' published the most articles (736), accounting for 6.39 percent of all published content in the ...

  14. Computer forensics

    The author presents an overview of the processes and problems related to computer forensics. New tools and techniques have increased the reliability and speed with which investigators can conduct examinations, but new technologies will continue to challenge computer forensic specialists and researchers.

  15. Digital Evidence and Forensics

    Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to ...

  16. Research on Computer Forensics Technology Based on Data Recovery

    Therefore, computer forensics technology has become an important research content of computer crime evidence collection. Firstly, this paper analyzes the relationship between computer forensics and data recovery. Then, this paper analyzes the steps of computer forensics. Finally, this paper analyzes the application of anti-forensics technology ...

  17. Digital Forensics News and Articles

    Digital Forensics News. Digital Forensics is an emerging area of Information Security; discover best practice for topics such as data breach incident management, fraud detection, IT forensics for the enterprise and SIEM. Scroll down for all the latest digital forensics news and articles.

  18. What Is Computer Forensics? Types, Techniques, and Careers

    Computer forensics always involves gathering and analysing evidence from digital sources. Some common types include: Database forensics: Retrieval and analysis of data or metadata found in databases. Email forensics: Retrieval and analysis of messages, contacts, calendars, and other information on an email platform.

  19. Scientists are fixing flawed forensics that can lead to wrongful

    Computer software can assist fingerprint experts with a "sanity check," says forensic scientist Glenn Langenburg, owner of the consulting firm Elite Forensic Services in St. Paul, Minn.

  20. IRO Journals

    The purpose of this study is to provide a brief discussion of computer forensics and related methods. Steganography is one of the most widely utilised of these approaches, and it will also be briefly discussed below. Keywords: Computer Forensics; Steganography; Types of Forensics; Applications of Steganography.

  21. CS50: Introduction to Computer Science

    An introduction to the intellectual enterprises of computer science ... SQL, and JavaScript plus CSS and HTML. Problem sets inspired by real-world domains of biology, cryptography, finance, forensics, and gaming. ... Take your introductory knowledge of Python programming to the next level and learn how to use Python 3 for your research. Price ...

  22. What is science? Tech heavyweights brawl over definition

    If you do research and don't publish it, is it science? That's the question at the heart of an ongoing debate on X between entrepreneur Elon Musk and pioneering computer scientist Yann LeCun ...

  23. FBI Takes Down Huge Global Army of Zombie Computer Devices

    The FBI said it has dismantled what is likely the world's largest botnet — an army of 19 million infected computers — that was leased to hackers for cybercrimes.

  24. DNA from fork leads to arrest of Florida man 15 years after uncle

    A man in Florida has been indicted on a second-degree murder charge in the 2009 killing of his uncle in New York City after authorities say DNA collected from a discarded fork linked him to the ...

  25. Best Colleges for Forensic Science Programs for 2024

    With a forensic science degree, you can earn a competitive salary. The average annual wage for forensic science technicians is around $71,540 according to the BLS. Those in the top 10% of the field can make over $107,490 per year. Forensic science colleges prepare you for high-paying roles, especially in government sectors.
