International cybercrime has now become so extensive, underground suppliers are cropping up on the dark web offering easy access to the tools, programming frameworks, and services required to carry out cyberattacks.

“A notable example is Tox, a ransomware construction kit discovered by McAfee Labs on the dark web in May 2015. Briefly, the Tox framework can be customized and used to spread and coordinate infections in return for 20 percent of every ransom paid,” say the authors of “The Future of Digital Forensics: Challenges and the Road Ahead” in IEEE Security & Privacy magazine.

The researchers say today’s international cyberinfrastructures and data volumes are growing at unprecedented rates, creating a quandary for security experts and law enforcement agencies investigating cybercrimes.

Cybercriminals wreak havoc in a multitude of ways—identity theft, cyberbullying, data leakage, distributed denials of service, and malware attacks on medical devices and smart vehicles. They stand ready to bring businesses and governments to their knees.

“Cyberattacks can have a significant socioeconomic impact on both global enterprises and individuals. Therefore, cybercriminals should be promptly identified, and high-quality evidences of the attacks should be made available in the courtroom,” write researchers Luca Caviglione of National Research Council of Italy, Steffen Wendzel of Worms University of Applied Sciences, and Wojciech Mazurczyk of Warsaw University of Technology.

What can be done to stem the tide?

As cloud computing and the Internet of Things grow more sophisticated, so must the field of modern forensics.

Modern forensics methods cover three main areas: stored data and filesystem analysis, network forensics, and reverse engineering, which involves inspecting malware samples, traces, network traffic, and log files.

Challenges for digital forensics

The authors present six challenges that must be addressed if digital forensics efforts are to be effective in combatting cybercrime.

High speed and volumes

Properties of Internet of Things and cyber-physical systems devices

Properties of Internet of Things and cyber-physical systems devices and their effect on modern digital forensics.

Issues related to acquiring, storing, and processing large amounts of data for forensic purposes have been causing problems for at least a decade, and are now exacerbated by the availability and widespread marketing of digital information.

“The availability of gigabit class links and multimedia-rich contents accounts for an explosion in the volume of data to be stored and processed for collecting clues or detecting incidents. This is of particular relevance in the case of live network analysis, as the investigator might not be able to capture and store all the necessary traffic,” the authors say.

Explosion of complexity

Evidence is no longer confined within a single host but, rather, is scattered among different physical or virtual locations, such as online social networks, cloud resources, and personal network–attached storage units. For this reason, more expertise, tools, and time are needed to completely and correctly reconstruct evidence. Partially automating some tasks has been highly criticized by the digital investigation community, because it could quickly deteriorate the quality of the investigation.

“The technological advances in and proliferation of novel services account for a dramatic increase in the complexity that forensics professionals must manage,” say the authors.

Development of standards

“Despite technological advances, files are still the most popular digital artifacts to be collected, categorized, and analyzed. Thus, the research community has tried to agree on standard formats, schema, and ontologies—but without much success,” the authors say.

They add that investigations of cutting-edge cybercrimes might require processing information in a collaborative manner or using outsourced storage and computation. Therefore, a core step for the digital forensics community will be the development of proper standard formats and abstractions.

Privacy-preserving investigations

Nowadays, people bring into cyberspace many aspects of their lives, primarily through online social networks or social media sites. Unfortunately, collecting information to reconstruct and locate an attack can severely violate users’ privacy and is linked to other hurdles when cloud computing is involved.


Modern infrastructures are becoming complex and virtualized, often shifting their complexity at the border (such as in fog computing) or delegating some duties to third parties (such as in platform-as-a-service frameworks).

Thus, say the authors, “an important challenge for modern digital forensics will be executing investigations legally, for instance, without violating laws in borderless scenarios.”

Rise of antiforensics techniques

Defensive measures encompass encryption, obfuscation, and cloaking techniques, including information hiding.

Cooperation among international jurisdictions notwithstanding, investigating cybercrime and collecting evidence is essential in building airtight cases for law enforcement. For that, security experts need the best tools to investigate.

“Digital forensics is fundamental to investigations performed in a reality that’s often tightly coupled with its cyberextension. Modern digital societies are subject to cybercriminal activities and fraud leading to economic losses or hazards for individuals. Therefore, the new wave of forensics tools should be engineered to support heterogeneous investigations, preserve privacy, and offer scalability,” say the authors.


Related research on digital forensics and cyber crime in the Computer Society Digital Library: