Digital Forensics Subdomains: The State of the Art and Future Directions

For reliable digital evidence to be admitted in a court of law, it is important to apply scientifically proven digital forensic investigation techniques to corroborate a suspected security incident. Mainly, traditional digital forensics techniques focus on computer desktops and servers. However, recent advances in digital media and platforms have seen an increased need for the application of digital forensic investigation techniques to other subdomains. This includes mobile devices, databases, networks, cloud-based platforms, and the Internet of Things (IoT) at large. To assist forensic investigators to conduct investigations within these subdomains, academic researchers have attempted to develop several investigative processes. However, many of these processes are domain-specific or describe domain-specific investigative tools. Hence, in this paper, we hypothesize that the literature is saturated with ambiguities. To further synthesize this hypothesis, a digital forensic model-orientated Systematic Literature Review (SLR) within the digital forensic subdomains has been undertaken. The purpose of this SLR is to identify the different and heterogeneous practices that have emerged within the specific digital forensics subdomains. A key finding from this review is that there are process redundancies and a high degree of ambiguity among investigative processes in the various subdomains. As a way forward, this study proposes a high-level abstract metamodel, which combines the common investigation processes, activities, techniques, and tasks for digital forensics subdomains. Using the proposed solution, an investigator can effectively organize the knowledge process for digital investigation.


I. INTRODUCTION
The implementation of cybersecurity systems and processes is often seen to be inadequate in ensuring that the Confidentiality, Integrity, Availability, and Authenticity (CIAA) of information is achieved. As a result, digital forensic processes and techniques are often required to investigate potential security incidents and digital crimes if the CIAA is violated. This, if carefully reconstructed, may help in developing a security strategy that can be used in hardening systems. That notwithstanding, digital forensics as coined by a group of researchers in 2001 was presented as ''the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal or helping to anticipate unauthorized actions shown to be disruptive to planned operations'' [1]. Since this definition was proposed, various investigative frameworks and process models have also been developed that have a focus on digital forensics. Previously, many of these models were designed to facilitate the investigation of traditional computer systems, such as desktops and servers. However, digital forensics and investigations have transcended the classical desktop-server potential evidence retriever process [2]. The emergence of security incidents across these digital components including databases, computer networks, mobile devices, and the Internet of Things (IoT), the cloud, and across the network design edges has necessitated the need to develop digital forensic models, processes, and techniques suitable for their respective environments.
The associate editor coordinating the review of this manuscript and approving it for publication was Lo'ai A Tawalbeh.
As a result of the above-mentioned changes, the digital forensic community is gradually experiencing exponential growth of research outputs that are dedicated to the development of tools and processes to recover different types of evidence and artifacts from these subdomains. Given that most of these tools and process models are contextual and issue-specific, there exists a propensity for a high-level domain problem, which is often associated with standardization. At its core, the lack of standardization for any given domain presents grounds for ambiguity, unregularized processes, and context-dependent analysis. Taken together, these consequential elements are a primary source of evidence dismissal during litigation. The lack of a uniform approach to corroborate any fact during a digital investigation can therefore lead to evidence inadmissibility. Furthermore, a lack of standardization could also introduce an investigative dilemma on the selection of appropriate processes and techniques for a given investigative procedure, in a specific subdomain.
This study sought to provide substantial insights into the lack of standardization by reviewing existing literature to identify the extent to which tools and techniques have been proposed by the various subdomain communities. More specifically, this study aims to highlight the different and heterogeneous practices that have emerged within the subdomains of mobile device forensics, network forensics, database forensics, and IoT forensics. A depiction of the various subdomains of digital forensics is further summarized in Figure 1.
Eight interconnected subdomains are identified in Figure 1. Whilst subdomains such as network forensics, multimedia forensics, and small device forensics can be defined as compound subdomains, other subdomains can be defined as simple subdomains. As further highlighted in Figure 1, the scope of digital forensics has attempted to integrate forensic readiness as a component within the core components of digital forensics. Forensic readiness, also referred to as proactive forensics, is a business-continuity concept (largely influenced by the requirements of different stakeholders) that is gaining wider adoption in each subdomain. The integration of forensic readiness into these subdomains has been defined as a potential avenue for the development of relevant digital forensic models and frameworks. However, as with any forensic discipline, the respective stakeholders are also required to work within a scientifically verifiable spectrum to aid evidence admissibility in any judicial proceedings. Moreover, these processes are often required to follow generally acceptable pre-defined or stipulated guidelines, as substantiated in the Daubert and Frye judicial proceedings that pertain to forensic evidence admissibility.
As a step in this direction, this study attempts to clarify the various methodologies and stipulated guidelines in the subdomains of digital forensics, and to articulate the convergent and divergent practices (where applicable), towards a unified, generally acceptable guideline. Two supportive, yet distinctive subdomains, proactive forensics and behavioral biometrics, are further considered in this study, as shown in Figure 1. Studies on proactive forensics approaches have mainly explored forensic readiness within the context of the ISO/IEC 27043:2015 standard [3]-[9]. Proactive approaches propose that measures be implemented within a system under consideration in such a way that relevant and potentially useful pieces of digital evidence can be collected in a forensically sound manner before the occurrence of a digital incident. This approach can therefore provide a complementary source of digital artifacts for volatile environments or instances where potentially useful digital artifacts would otherwise be unavailable [10], [11].
Moreover, behavioral biometrics provides a complementary approach to generate behavioral attributes of digital artifacts in a manner that can be forensically preserved for digital investigation. Behavioral biometrics is the process of identifying, extracting, and presenting soft attributes of the user of a digital object(s), in such a way that an action or a series of actions can be attributed to a user with minimal ambiguity. This approach is gradually gaining wider adoption within the digital forensic subdomains, as highlighted in recent studies [12]- [17]. Given that behavioral biometrics is an integrated component within any subdomain, the potential of harnessing such a component for digital forensics further makes it a potentially useful component in the DF domain. Components of behavioral biometrics within the network domain include user-initiated network packet requests, network traffic usage patterns, as well as network burstiness characteristics [18]. Similarly, the behavioral composition of usage patterns can be extracted for computer forensics, mobile phone forensics, database forensics, software forensics (especially in identifying unique coding sequence and fingerprint of a software developer), as well as multimedia forensics.
To the best of the author's knowledge at the time of writing this paper, this is seen as the first study to provide such a comprehensive review of the subdomains within the DF domain while considering the other complementary components. Furthermore, the methodology utilized in this study presents an alternative approach to conducting a systematic literature review. This proposition is particularly relevant in the development of a domain-based knowledge base platform for digital forensics subdomains. A DF Knowledge Base (DF-KB) has been asserted as a potential approach towards a common DF lexicon and domain management [19]. The next section details the methodology used to develop the review process.
The remainder of this paper is structured as follows: In Section II, the research methodology is discussed, followed by a discussion of database forensics in Section III. Mobile forensics, network forensics, and IoT forensics are discussed in Sections IV, V, and VI respectively. A potential future direction is then given in Section VII, followed by a conclusion and a mention of future work in Section VIII.

II. RESEARCH METHODOLOGY
The purpose of this research is to highlight the different and heterogeneous practices that have emerged within the digital forensics subdomains. A Systematic Literature Review (SLR) has been conducted as per the guidelines described by [20], as shown in Figure 2. The adopted approach follows a waterfall methodology, with the following steps: 1) specification of the research questions; 2) development of the review protocol; 3) conducting the review using this protocol to identify relevant research; 4) selection of appropriate repositories; 5) synthesizing the results; and 6) writing the review findings. To further clarify the content and direction of the review, the following research questions were used as a guide to the SLR process.
1. What approaches have been proposed in the literature that can guide digital forensic investigation of databases, small devices and systems, computer networks, the internet of things, device memory, and multimedia components?
2. What challenges (if any) are associated with conducting digital forensic investigations of the above-mentioned subdomains?
To identify relevant literature, searches were undertaken using Web of Science, SpringerLink, IEEE Xplore, Scopus, and ACM Digital Library, using the keywords shown in Table 1. The search employed in this study was confined to the period between 2000 and 05/2021. Additionally, the papers included in the search consisted of journal articles, conference papers, dissertations, books, and book chapters. All other papers were excluded from the search process, as they were deemed inappropriate as academic resources. Furthermore, if a paper was found to be related to the study, its references were examined to identify further papers of interest; Google Scholar was used to locate these further papers. The results from these searches were then analyzed to remove duplicated publications. This resulted in a dataset of 11,993 publications. These publications were then reviewed by reading the abstract, introduction, and conclusion sections to categorize the papers as ''related'' or ''non-related'' to the forensic investigation of one of the subdomains. This resulted in a second data set of 240 publications. Finally, the papers were examined and included in the study if they satisfied one of the following inclusion criteria:
• the publication was related to the forensic study of one of the subdomains,
• the publication focused on investigating individual aspects of a subdomain, or
• the publication focused on investigating underlying technologies that make up a subdomain.
The outcome of this final filtering resulted in a data set of 240 publications. These publications were then studied to identify the activities, processes, procedures, and challenges related to conducting forensic investigations of the four subdomains.

III. DATABASE FORENSICS
Database forensics is a significant field used to reveal database crimes. Numerous forensic investigation models, frameworks, processes, and tools have been proposed in the literature for database forensics, as illustrated in Figure 3. However, these models are specific because of the complexity and multidimensionality of Database Management Systems (DBMSs). This branch is still in need of more research into all types of database systems. This assertion is further echoed in several recent findings [21], [22], where the logic of a harmonized database forensic model is conceptualized.
In [23]-[27], the authors assert that database forensics models might fail when applied to the investigation of database systems. This failure can be attributed to the diversity of database management systems (DBMS) and the multidimensionality of database systems. Besides, database forensics also focuses on one dimension (the file system), which is primarily hinged on identifying, gathering, handling, storing, responding to incidents, and training [23]. However, in some cases, it may be difficult to trace database incidents without a proportionate degree of cooperation amongst digital investigators regarding the analysis of the database [23]. Furthermore, database forensics practices do not cover transactional database features. The challenges of multidimensionality and diversity of DBMSs have made it difficult to develop a standardized approach for database forensics. Thus, the currently used digital forensics models fail to cover the entire spectrum of database system concepts [28]. In general, database forensics research uncovered in the literature tends to focus on retrieving database contents along with metadata, which suggests the accomplishment of various tasks regarding documentary evidence of database incidents [29], [30]. A summary of the reviewed literature is presented in Table 2.
To elaborate on some instances, it should be noted that the authors of [31] introduced an investigation process model that performs certain tasks to find relevant information on operations conducted on Oracle Database concepts. The study suggests four processes: canceling the database operation, collecting data, reconstructing the database, and fixing the integrity of the database. In addition, [21] developed the Log Miner tool for the Oracle database to reconstruct actions when the auditing features are turned off.
Several forensic investigation models have been proposed that focus on Oracle Database. For example, the first model showed how an examiner can utilize an Oracle log file to reveal attacker events [37]. The model describes the binary format of the redo logs, indicating where the evidence is located and how it was examined. This examination also determined how evidence can be integrated into an event timeline.
In addition, the study found out the way an attacker attempts to cover their tracks based on a failed attack and the way to spot it.
The second investigation of the forensic model suggests the way to recover evidence (in the case of Oracle objects) that have been deleted [38]. It helps investigators indirectly recover evidence from the data files of the server that has been compromised. Moreover, an entity with malicious intent can also drop the objects. However, using the Oracle DB Views and Tables, an investigator can locate the dropped objects such as OBJ$, IDL_UB1$, SOURCE$, IDL_CHAR$, and RECYCLEBIN$ tables.
A forensic model designed to capture evidence of attacks against the authentication mechanism, which leverages the Listener's log file and the audit trail, is presented in [82]. This log file contains details of the connections to the database server, such as the Service Identifier (SID), the Internet Protocol (IP) address, and the instance name. On the other hand, the audit trail typically contains successful and unsuccessful login and logoff attempts. As a result, examiners can collect evidence of attacks against the authentication mechanism from the Listener's log file and the audit trail. This is predicated on the assumption that the audit trail is enabled in the respective DB.
The fourth investigation forensic model was introduced by [83]. This model concerns the disconnection of database servers from the network to capture volatile data. The Evidence Collection process and the Identification process are the two investigation processes that have been offered to retrieve fragile data from the database server. In the Identification process, the database server is disconnected from the network and a forensic environment and forensic techniques are provided to move the data already captured.
On the other hand, in the Evidence Collection process, volatile data are gathered from compromised database servers. Forensic research is necessary to recover and carefully store the volatile data to be used in later analyses. It allows forensic inspectors to gather non-volatile data in a ''human-readable'' form, which can be observed more easily than its stored binary version.
The fifth model, termed the detection investigation forensic model, was designed in [35]. This model addressed the ways an examiner can find evidence of data theft when there is no auditing. Their model shows how an Incident Responder/DBA might determine whether such a breach of an Oracle Database server has occurred in a case in which no audit trail exists, under the assumption that an attacker has obtained unauthorized select access to data.
The researchers in [42] suggested the SQL Server forensic analysis method in 2008. The method they proposed could be used to gather and analyze evidence from the MSSQL Server database. Four phases were involved in the method: preparing the investigation, verifying the incident, collecting artifacts, and analyzing the collected artifacts. This was completely focused on the SQL Server database.
Moreover, in [49], the authors designed another database server detection and investigation process model. The main objective was the detection of database servers and the collection of required data. The model comprised three phases: detecting the server, gathering the data, and examining the data. However, this model is not able to work on volatile artifacts.
In [46], the detection inconsistencies database model was formed with the aim of identifying and naming the bytes and interpreting them for the MySQL database system. Using that knowledge, users are able to detect the discrepancies that appear within a database. Nevertheless, according to Khanuja and Adane [29], no knowledge has been found for multiple log files and caches for further analyses. The model made use of the MySQL database server log artifacts.
In addition, in [55], the researchers designed a reconstruction model to reconstruct the basic SQL statements from redo logs, restoring the already-deleted or updated values. However, their proposed model centered on DML statements, and basic DDL statements were overlooked.
The authors in [65] proposed a practical forensic approach to reconstruct the basic SQL DDL statements, aiming to improve on the previous approach.
In another study [29], a framework was introduced that can be used for the identification, collection, analysis, validation, and documentation of digital evidence in such a way as to find out malicious tampering. The framework contained the following phases: gathering and analyzing non-volatile data; gathering, analyzing, and reconstructing the volatile data; and comparing the obtained results.
Apart from the different database forensic domain knowledge projected for DBMSs, several forensic tamper detection models and analysis algorithms for database systems have also been introduced by different scholars in the literature. For instance, in [36] a discovery methodology and scenario were proposed for the detection of covert database systems, to help investigators in the process of discovering and detecting covert database systems.
The researchers in [84] designed a model to efficiently collect digital evidence. It was able to gather evidence from a database business environment against authorized and unauthorized events. Their model made use of database features like triggers, replication, and log file backup.
In a scientific project [33], the authors designed a forensic tamper detection model capable of detecting a compromised database audit log by utilizing a strong one-way hash function. Nevertheless, it also suffered from a drawback as it was not able to analyze intruder activities and it failed to decide the time tampering occurs and which data were changed; it also was not efficient in identifying the adversary.
A model was introduced mainly for the investigation of a compromised database management system. Two examination processes were involved in the model, namely identification and collection. The former prepares database forensic layers, methods, and the forensic environment, whereas the latter allows the user to collect suspect database management system data and transfer them to a secure place for further forensic examination.
In [67], the scholars proposed a model for collecting, preserving, and analyzing the database metadata against database attacks. Their proposed model contained four investigation processes: collecting and preserving, analyzing the anti-forensic attacks, analyzing the database attack, and preserving the evidence report.
In another study [69], a novel model was introduced aiming for reconstructing the database events in a way to effectively discover intruder actions. Two investigation processes involved were collecting and reconstructing the evidence. In the former, evidence is gathered through replicating sources, while in the latter the activities of the user are rebuilt, and malicious activities are detected.
Additionally, several forensic algorithms and tools have been proposed in the literature for database forensics. For example, tampering with the database audit log can be detected by using a strong one-way hash function [33]; any compromise of the database audit log can therefore be detected. However, this algorithm cannot analyze intruder activities or decide when the tampering occurred, what data were altered, and ultimately, who the adversary is. Therefore, several forensic analysis algorithms have been developed for this purpose, such as the Monochromatic, Red Green Blue (RGB), Red Green Blue Yellow (RGBY), Tiled-Bitmap, and a3D algorithms. These forensic algorithms have different capabilities to analyse collected data in terms of time and cost; for example, the Monochromatic algorithm can detect one corruption event, whereas RGB can detect two corruption events, and RGBY may detect more corruption events but with false alarms. The limitations of these algorithms include a lack of generalization and an inadequate characterization of the instance-space [58].
On the other hand, a few forensic tools have been proposed in the literature for the database forensic field, which include SQL Profiler (MS SQL Server) [85], ProfilerEventHandler (MySQL) [29], and Log Miner (Oracle DB) [32]. SQL Profiler is a graphical tool that allows system administrators to monitor events in an instance of MS SQL Server. It can gather and store complete information about each operation/event to a file or SQL Server table for subsequent analysis. The ProfilerEventHandler is a tool in MySQL that can be used to conduct profiling and trace events [29]. The Log Miner tool, developed by Wright [32], allows a DBA or forensic analyst to reconstruct actions that took place on a database.
This paper also covers existing forensic work focused on NoSQL database systems. For example, the study in [28] proposed a forensic investigation framework for document stores in NoSQL DBMSs based on their unique features. It consists of five phases: preparation, acquisition and preservation, distributed evidence identification, examination and analysis, and reporting and presentation. However, the proposed framework does not include an evaluation of the database schema or of database forensic characteristics, for example, gathering logs for operation assessment.
A forensic tool was proposed by [86] to investigate the internal structure and data file format of one of the most widely used NoSQL DBMSs, MongoDB, and researched a method to recover deleted data. However, this tool does not support WiredTiger, the default storage engine in MongoDB 3.2 and higher.
Apart from the existing works proposed for the database forensic field, there are also a few review/survey papers in the literature. For example, [87] presented a review of database forensic investigation processes, offering a broad literature review of the database forensic field that helps domain researchers understand database forensics from different views, and discussed the issues and drawbacks and suggested some solutions for the issues revealed. Reference [88] conducted a review of the database forensic field from 2009 to 2015. Only 282 articles were discovered from 8 search engines. However, the authors focused on a conventional review; they did not mention the limitations, challenges, issues, directions, or any proposed solution for the database forensic field. A study in [80] conducted a systematic literature review of the database forensic field for the period 2015 to 2017. Two search engines were used to collect data: ScienceDirect and IEEE Xplore. The authors proposed a forensic analysis model for the database forensic field, which they describe as consisting of five stages: defining, identifying, preparing, comparing, recovering, distributing, acquiring, carving, collecting, restoring, audit log, determining event, examining, and presenting, documenting, reporting. Compared with the existing review/survey papers, the current review paper covers wider areas of the database forensic field, as shown in Table 3.
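As an added illustration of the one-way-hash audit-log check described above (example code written for this review, not the algorithm of [33] or the Monochromatic/RGB algorithms of [58]), the following constructed Python example hash-chains an audit log held inside the DBMS, notarizes the chain head out of band at intervals, and on validation localizes the first corruption to the interval between two notarizations; the entry format and the trusted notary store are assumptions.

```python
import hashlib

GENESIS = "GENESIS"  # constant seed for the first link of the chain


def chain_hash(seq: int, text: str, prev: str) -> str:
    """One-way hash linking an audit entry to the hash of its predecessor."""
    return hashlib.sha256(f"{seq}|{text}|{prev}".encode()).hexdigest()


class AuditLog:
    """Append-only audit log stored inside the DBMS (attacker-modifiable).

    `entries` is the in-database log: (seq, text, chain_hash).
    `notary` is an assumed out-of-band, trusted store mapping
    entry count -> chain head hash at the time of notarization.
    """

    def __init__(self) -> None:
        self.entries: list[tuple[int, str, str]] = []
        self.notary: dict[int, str] = {}

    def append(self, text: str) -> None:
        prev = self.entries[-1][2] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append((seq, text, chain_hash(seq, text, prev)))

    def notarize(self) -> None:
        """Record the current head hash with the trusted notary."""
        head = self.entries[-1][2] if self.entries else GENESIS
        self.notary[len(self.entries)] = head

    def tamper(self, seq: int, new_text: str) -> None:
        """Simulate an intruder altering entry `seq` and re-hashing the tail,
        so the in-database chain still looks internally consistent."""
        prev = self.entries[seq - 1][2] if seq else GENESIS
        self.entries[seq] = (seq, new_text, "")
        for i in range(seq, len(self.entries)):
            s, t, _ = self.entries[i]
            prev = chain_hash(s, t, prev)
            self.entries[i] = (s, t, prev)


def validate(log: AuditLog):
    """Recompute the chain from the stored entries and compare it with the
    notarized checkpoints only (stored per-entry hashes are untrusted).

    Returns (True, None) if every checkpoint matches, otherwise
    (False, (lo, hi)): the first corruption lies among entries lo..hi-1.
    Like the Monochromatic scheme, this localizes only the first corruption
    event and says nothing about who performed it.
    """
    recomputed = {0: GENESIS}
    prev = GENESIS
    for seq, text, _ in log.entries:
        prev = chain_hash(seq, text, prev)
        recomputed[seq + 1] = prev
    last_good = 0
    for count in sorted(log.notary):
        if recomputed.get(count) != log.notary[count]:
            return False, (last_good, count)
        last_good = count
    return True, None


def build_demo_log(n_entries: int = 6, interval: int = 2) -> AuditLog:
    """Constructed sample log: notarize the head after every `interval` entries."""
    log = AuditLog()
    for i in range(n_entries):
        log.append(f"UPDATE accounts SET balance = balance - {i} WHERE id = {i}")
        if (i + 1) % interval == 0:
            log.notarize()
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("untouched:", validate(demo))
    demo.tamper(3, "UPDATE accounts SET balance = balance + 1000 WHERE id = 3")
    print("after tampering entry 3:", validate(demo))
```

Note that the attacker's re-hashing of the tail keeps the in-database chain self-consistent, which is why the check compares against the out-of-band notarized hashes rather than the stored per-entry hashes.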
Clearly, this paper covers several aspects of the database forensics field relative to existing review papers. It covers most of the database forensic tools, algorithms, and processes for both RDBMS and NoSQL database systems. The review presented in [87] focused on the database forensics field from an investigation process perspective only. Furthermore, that study reviewed 40 investigation process models of RDBMS and did not cover the existing database forensic tools or algorithms, nor the forensic perspective of NoSQL database systems. Similarly, the review presented in [88] was a conventional review that did not mention the limitations, challenges, issues, or directions, nor was any proposed solution for the database forensic field provided. In a similar review, relational DBMSs were considered [80]; that study proposed a forensic analysis process model for RDBMS but did not cover other aspects of the database forensic field. Based on the existing literature, the database forensic domain suffers from numerous issues, as shown in Figure 4:
1. Lack of a Common Database Forensic Tool: Each database system has a specific forensic tool; for example, Oracle database forensics has Log Miner and SQL queries, and MSSQL Server has its own SQL tools. A common/generic database forensic tool is highly required.
2. Redundant Terminologies and Processes: Each database system has its own investigation process and terminology, which has produced numerous investigation terminologies and processes that leave the database forensic field unstructured and unorganized amongst domain forensic practitioners.
3. Different Infrastructures and Multidimensional Nature of Database Systems: One of the major limitations facing database forensic researchers and the forensic communities is the differing database system infrastructures and the multidimensional nature of these systems. Each database system has a different logical and physical architecture, as well as three dimensions (internal dimension, logical dimension, and external dimension).
4. Various Forensic Investigation Artifacts: The variety of database system architectures produces various and different forensic artifacts with similar names and different meanings, which causes confusion among database forensic investigators. For example, the log files in Oracle database forensics have equivalents in five log files in MySQL database forensics (error log, general query log, binary log, slow query log, and the relay log), four log files in Microsoft SQL Server (Windows event log, SQL Server agent log, SQL Server error log, and the transaction log), two log files in PostgreSQL (transaction log and the server log), three log files in Oracle database forensics (redo logs, the archived redo logs, and the alert logs), two log files in DB2 (database recovery log and the diagnostic information log), and two log files in the Sybase database (the transaction log and the message log).
VOLUME 9, 2021

IV. MOBILE FORENSICS
Mobile forensics involves the recovery of digital evidence from mobile devices through the use of scientific investigation techniques [89], [90]. Mobile forensics has become a significant subdomain since, on the one hand, services based on mobile phones are increasingly growing and more users are getting attracted to them. On the other hand, mobile commerce and mobile computing are gaining wide adoption. With such relatively high adoption tendencies, coupled with the potential for misuse, this subdomain presents a major forensic and security consideration. This section introduces a brief review of mobile forensics literature as shown in Table 4. It further discusses the limitation and drawbacks associated with this subdomain. For example, the study in [91] tested wireless devices manufactured by BlackBerry from a forensic point of view. In another project [92], an innovative tool, called PDD, was introduced for memory imaging and forensic analyses of devices that run the Palm OSs for PDAs. The researchers in [93] and [94] suggested several processes, tools, and guidelines for PDAs, GSM, and Cellular mobile phones. In [95], a novel method was introduced for the extraction of evidence from internal memory and SIM cards in the case of GPSs, mobile phones, and PDAs. The researchers in [96] suggested a SIMbrush tool capable of extracting a full file system for Linux, mobile phones, and Windows platforms. In another study [97], an on-phone forensic tool was proposed for the extraction of pieces of evidence from active files on mobile phones. From the research in [98], the authors introduced a tool with the capacity of extracting pieces of evidence from internal flash memory CDMA mobile phones for Korea CDMA mobile phones.
The researchers in [99] worked on flasher devices of mobile phones. In [100], a database-driven approach was suggested for the evaluation of mobile phone acquisition tools. In another scientific project [101], a guideline was suggested for cell phones and a full discussion was provided concerning all of the acquisition types. In Breeuwsma et al [102], a recovery approach was offered for extracting both videos and images from memories of mobile phones flash. In another research [103], a recovery method was introduced for the extraction of evidence (both file and videos) already  removed from NAND flash memories. The authors in [104] proposed two approaches: an identity module programming for SIM cards and phone manager protocol filtering. In [105], a physical acquisition method was suggested for iPhone. The researchers in [106] provided a comprehensive discussion about the evaluation of mobile internal acquisition tools and logical acquisition. The authors in [107] introduced the hashing techniques applicable to mobile forensics. In [108], problems with Symbian forensics and all of the methods proposed in the literature for the acquisition purpose are discussed. In another project [109], from a forensics viewpoint, the Windows Mobile and Symbian ones were compared to each other. In [110], a certain process model was designed to analyze the Symbian smartphones from a forensic perspective (it included five phases). The researchers in [111] presented a discussion about all of the acquisition methods proposed for iPhone. In [112] an innovative method was introduced for Symbian devices on the basis of data reverse-engineering.
In a study conducted by [113], a model was designed for the extraction of messages, call records, contacts, documents, and schedules, together with all acquisition methods, in a way that applies effectively to Windows Mobile. In addition, the scholars in [114] made an effort to develop a model for the extraction of evidence from the wireless connections of Windows Mobile devices.
In [115], an inclusive discussion was presented of logical acquisition for BlackBerry devices. The authors in [116] designed a novel method and a device to acquire data from memory cards, including mini SD, SD, and MMC memories, for both Windows and Symbian mobile devices. The authors in [117] carried out the first studies into Android forensics and presented all of the methods adaptable for acquiring data from devices running Android.
In [118], a discussion was presented of physical data acquisition methods that can be used only on non-password-protected devices, utilizing pseudo-physical acquisition for Windows Mobile. In another study [119], commonly adopted methods for the extraction of evidence from mobile GPS units were discussed. The study in [120] tested physical and logical techniques for acquiring data from the Sony Xperia X10i. The researchers in [121] attempted to develop an innovative framework for forensic acquisition and analysis applicable to Android devices. In [122], three methods for extracting data such as photos and messages from mobile phones were discussed. The authors in [123] presented all of the acquisition methods in the literature, centered on how to recover data already deleted from smartphone devices, and then introduced innovative methods for analyzing fragmented flash memories. In [140], a novel method and a set of tools were proposed to physically acquire evidence from volatile Android memory. The researchers in [145] suggested a way to analyze WhatsApp on Android smartphones from a forensic perspective. In [142], a logical data acquisition process was introduced for BlackBerry devices. The authors in [178] offered techniques that can be effectively adopted to extract evidence from encrypted Android smartphones. In [155], several support systems were introduced to efficiently preserve evidence on Android phones. In another work [179], the authors compared the forensic acquisition methods proposed in the literature for Android devices. In [180], the researchers developed techniques for interpreting the contents of raw NAND flash memory images.
In [159], a full discussion was presented of the analysis of WhatsApp chats on Android smartphones in order to recover already-deleted messages. The authors in [162] introduced an adversary model to facilitate forensic investigation of mobile devices running different systems such as iOS, Android, and Windows. The model was designed to be readily adaptable to state-of-the-art mobile phone technologies. In [181], the authors offered a combination of suspicious pattern detection and criminal profiling methodology for two criminal activities with moderate-to-heavy involvement of mobile devices, namely low-level drug dealing and cyberbullying. In [182], a novel approach was suggested for validating mobile forensics tools and the data stored on the devices.
From this survey, it can be said that most of the current research has not focused on fundamental and essential guidelines for establishing a baseline for the mobile forensic field. Rather, the focus has been on specific procedures and principles for solving specific technical problems. Thus, the mobile forensic field suffers from issues such as: 1) Lack of a unified mobile forensic model: due to the variety of operating systems and infrastructures of mobile devices, numerous MF models have been offered in the literature. Each MF model has a unique investigation/examination model with different investigation processes and

A further comparison of the current review with other existing reviews is given in Table 5. Given the diverse coverage areas of mobile forensics, existing reviews attempt to provide insight from only a few coverage scopes. The current review provides a comprehensive treatment that includes forensic readiness and standardization. These notions have been largely ignored by existing reviews, yet they represent a growing body of research on mobile forensics. The potential of a unified forensic framework has largely been overlooked in these previous reviews.

V. NETWORK FORENSICS
As defined in [186], network forensics, whether on-the-fly or post-mortem, is the branch of digital forensics that addresses network-related investigation. This includes the identification, extraction, interpretation, event reconstruction, analysis, and documentation of network-related events in a way that ensures the evidential value and integrity of the collected data. Such evidential data are then used to corroborate and/or correlate informed hypotheses and assertions about a networking event. Therefore, network forensics primarily aims to explore network-based attacks through the identification and extraction of critical network-based indicators, which can potentially be used to complement the network security posture, develop network readiness processes, and enhance the probative evidential weight of potential network artifacts [187]-[189].
The growing trend of network-related threats and the increasing sophistication of network-based attacks have further necessitated the delineation of this subdomain. An offshoot of this subdomain can be further classified as cyber forensics, as most network-based attacks are depicted as cyberattacks. Today, numerous cyberattacks and cybercrimes occur across the world. Network forensics has been shown to provide an investigative capability that can deter and, where possible, prevent some complex cyber incidents. This field of study comprises numerous models applicable to investigation processes. For instance, in [190], the authors introduced a distributed network logging model capable of supporting cyber forensics over the Internet. In addition, in [191], a network forensics model was developed that relies on distributed techniques. Such techniques provide a single platform to gather forensic evidence automatically, store the collected data effectively, and support easy integration of well-known attribution methods. In another study [192], a dynamic network forensic model was designed based on an immune agent, aiming to capture and store digital evidence that has leaked through the network. Their model comprises distributed data agents and a forensic center.
In [193], the researchers introduced a generic network forensic process model by extracting the most important characteristics from currently used digital forensic process models and incorporating them into their model. In [194], a common model for network forensics in Infrastructure-as-a-Service (IaaS) was developed, and an architecture for ''Forensics-as-a-Service'' in a cloud management infrastructure was defined. This architecture offers an environment that authorized subjects can use to remotely control the forensics process at the cloud provider; both data acquisition and data analysis can be handled directly at the cloud provider. A reference model of a distributed cooperative network forensics system was proposed by [195]. It can speed up the investigation and enhance emergency response capability. The proposed model places misbehaving activities/traffic at the root of an adaptive location filter, which establishes rules for discarding traffic in advance or in real time, evaluates the supporting database to determine possible misbehavior, and restates the misbehavior for forensic investigation. The network forensics model is built on distributed methods, thus offering a unified model for automatic forensic evidence gathering and effective data storage, supporting informal combination of recognized attribution approaches and active collaboration, and providing an attack attribution visualization method to demonstrate hacking steps. Furthermore, a theoretical and formal information model for forensic automation on online community networks was proposed by [100]. It contains an event-based knowledge model that offers theoretical concepts to support the construction and explanation of the actions associated with the event under examination. The proposed model is implemented through an ontology to offer a semantically rich and formal representation of the concepts.
A novel network forensic framework, named the ''Particle Deep Framework'', built on optimization and deep learning, was provided by [101]. Particle Swarm Optimization (PSO) was used to select the hyperparameters of the Deep Neural Network (DNN).
Through this review and analysis, numerous network forensic models, frameworks, and processes have been offered as solutions for network crimes; however, they did not consider all stages of the investigation. Most of them depend on a general record scheme, where analytical and interaction data are distributed among various parties, such as the police and insurance corporations. The advantage of such a scheme is that during an examination all related data are easily accessible to forensic specialists, while their reliability is secured via digital signatures. Nevertheless, most of the network forensic frameworks and models concentrate on data collection rather than on the whole forensic investigation process, as shown in Table 6. These frameworks and models introduce drawbacks such as breaches of confidentiality, since a user's information is shared among the participants, and the additional complexity they require. Moreover, the existing frameworks and models concentrate on the preservation and collection stages of the investigation. Additionally, data analysis issues, including the variety of data sources, data granularity, data integrity, data as legal evidence, and privacy, are the major drawbacks of network forensics. These drawbacks can be put in three general groups: technical, legal, and resource.
Through this survey, it is clear that network forensics as a subdomain suffers from the lack of a comprehensive model/framework that integrates the array of redundant and overlapping network forensic concepts, processes, tasks, and activities. Table 7 shows a comparison between the current review paper and existing network forensic review papers.
Like the reviews on mobile forensics, existing reviews on network forensics have largely ignored the growing research on forensics readiness and attempts towards standardization. The current review, therefore, provides a holistic review of existing literature in the network forensics subdomain.

VI. IoT FORENSICS
Internet of Things (IoT) forensics is a process of identifying, acquiring, organizing, investigating, and presenting evidence in order to explain an attack with all required details [222]. Digital forensics techniques have not completely adopted IoT forensics, since the currently used digital forensics tools and processes cannot accommodate the distributed nature and heterogeneity of IoT infrastructures. Scholars working in digital forensics have proposed several conceptual process models capable of guiding forensic investigations, including IoT forensics. The different attempts made to develop this branch of study are still at their initial steps, and the studies carried out in this context emphasize developing theoretical process models based on hypothetical case studies. IoT forensics is generally conducted at three levels, namely network-level forensics, cloud-level forensics, and device-level forensics.
To the best of our knowledge, digital forensics techniques have not yet been fully applied to Internet of Things forensics, because the currently used digital forensics tools and processes cannot accommodate the distributed nature and heterogeneity of IoT infrastructures [6], [223], [224]. Therefore, the collection, examination, and analysis of potential evidence from IoT environments, in a form acceptable to a court of law, pose a major challenge to digital forensics investigators and Law Enforcement Agencies (LEAs) [225]. Several models have been designed to guide forensic investigations, including IoT investigations, as shown in Table 8. Such efforts are still in their infancy, and they are focused mainly on developing theoretical process models based on hypothetical case studies.
For instance, the Next Best Thing (NBT) triage model was developed in response to challenges that may arise during the forensic identification stage. It aimed to help investigators determine potential evidence sources [255]. NBT recognizes that devices, together with any original evidence stored on them, might become inaccessible or compromised because of incidents such as destruction, theft, or tampering. As a result, investigators should be capable of recognizing the other elements of the IoT ecosystem that pertain to the original device in question, since such elements may hold items of evidentiary value.
In the same way, combining the techniques and resources from all of the digital forensic areas involved in an IoT investigation can shape a conceptual construct of IoT forensics [256]. Such a construct can be employed as a basis for the Forensic Aware IoT (FAIoT) model. The model proposed in that study makes use of a centralized and secure evidence logging, provenance, and preservation service to address the lack of standardization in the IoT ecosystem. On the other hand, the study did not discuss the practical context of the proposed model, because it has not been tested in practice. Moreover, it encompasses only partial artifact acquisition. In [247], the authors introduced a model for performing the forensic investigation and tracing the source, using network forensics to detect the harmful packets within the infected device. In [227], an innovative IoT forensic model termed PRoFIT was designed, which ensured compliance with the ISO/IEC 29100:2011 privacy standard during the forensic investigation. The researchers in [228] introduced an IoT real-time model comprising two investigation phases: the pre-investigation phase and the real-time investigation phase. This model ensures the collection of the required data and evidence and the preservation of the collected data and evidence during the investigation. In another work [6], a novel IoT forensic readiness model termed Digital Forensic Readiness (DFR) was designed. In this model, an architecture was configured with the forensic capacity to incorporate DFR into the IoT domain; the main objective was appropriate planning and preparation for security incidents that may potentially take place within an IoT environment. The model comprises three different phases: the proactive, IoT communication mechanism, and reactive process phases.
The authors in [230] introduced a digital forensic investigation framework for IoT termed DFSF-IoT. Their framework is mainly centered on establishing digital forensic readiness and increasing the admissibility of the evidence extracted from a device through process concurrency. The framework contains three processes: proactive, IoT forensics, and reactive processes.
The authors in [229] developed an application-specific digital forensics investigative model for the Internet of Things. Their model contains three independent mechanisms: application-specific forensics, digital forensics, and the forensic process. Information flows among these components depending on the type of application investigated. The notion of functional requirements and a process model were introduced by the researchers in [114], using the DFR process as a security component within an IoT-based environment. Their model introduces aspects that serve as essential building blocks in the implementation of DFR technologies, which can guarantee security within IoT-based environments.
In [243], a novel framework was designed and applied to the identification of IoT devices using their Genes, which results in the formation of the DNA structure of devices. In another work, Scheidt and Adda [244] proposed an innovative approach to the processes of forensic investigation and data sharing in a forensic environment. They also introduced models for computing the confidence values of an investigation, so as to ensure a highly valuable process for both retrieving and presenting the collected evidence.
In [252], a blockchain-assisted shared audit framework (BSAF) was designed for the analysis of digital forensic data in an IoT platform. BSAF was found capable of detecting the source and/or cause of data scavenging attacks within virtualized resources (VR). To gain access to log and control management, this framework made use of blockchain technology. A forensic model was proposed in [245], which also discussed the best way to set up an IoT testbed/lab for training inexperienced forensic investigators and aiding them in examining the devices of interest and potential evidential sources. The authors validated the performance of their proposed model by applying it to several case studies.
The researchers in [246] concentrated on how to extract and analyze forensic artifacts from the Google Home and Google Assistant apps installed on an Android smartphone and how to use them to control a Google Nest device (Google Home Mini smart speaker). They contributed to the body of knowledge in this field by exploring and analyzing the client-centric and cloud-native forensic artifacts. In [257], IoT forensics was comprehensively reviewed. The authors first systematically discussed the issues related to IoT security. After that, they reviewed several significant issues in this field, including IoT forensics (emphasizing the necessity of applying Artificial Intelligence (AI) to IoT forensics), state-of-the-art research, opportunities, and the most important factors for success in the IoT forensics process. They also discussed the current challenges in IoT forensics and suggested effective solutions to them. The paper ended by discussing some open research directions worth considering in this field. In [258], the authors suggested an IoT forensics taxonomy and discussed the challenges and limitations associated with IoT forensics. After that, a comparison was made between conventional digital forensics and IoT forensics, and two models introduced for IoT forensics investigation were reviewed. Note that despite the many opportunities provided by IoT, it is also associated with grave concerns in terms of privacy and protection, and investigators face important challenges when examining crime scenes in IoT-based applications. Based on the two models discussed, the authors concluded that the models proposed for IoT forensics investigation work differently and suffer from different problems and deficiencies. As a result, there is no specific standardized method or model applicable to IoT forensics investigations.
The researchers in [248] presented a conceptual methodology for carrying out IoT forensics investigations using a conventional model as the reference. It was mainly aimed at collecting the common features of all IoT devices and systems into a conceptual proposal covering the entire investigation process, such that it could be relied upon as a general guideline and also applied to developing effective processes for specific IoT contexts. The key goal of the authors in [249] was to examine the significance of digital forensics readiness for companies, particularly from the perspective of IoT forensics. They identified and discussed the most important factors that affect IoT forensics investigations. Finally, a readiness framework was proposed and validated in their study. In [250], a comprehensive preventive cyber forensic process model was derived with honeypots for the digital IoT investigation process. The model was designed to help a court of law define the extent to which the investigative processes were reliable. After reviewing the literature, Internet of Things forensics suffers from numerous issues, as shown in Figure 5:

1. The Difficulty of Supporting Newer IoT Devices: The current digital forensic tools and techniques do not support the newer IoT devices, which creates challenges for forensic practitioners in acquiring data from these devices.
2. Lack of Strict Security Procedures: Due to the absence of high-security procedures and policies, this technology has been revealed to have several weaknesses, which may cause cyber-incidents through the devices.
3. Difficulties in Applying the Investigation Process: IoT forensics has six main investigation processes. The challenge is how to utilize these investigation processes in tandem with IoT actions. IoT devices generate an enormous amount of data containing possible evidence, which affects the investigation process. Therefore, it is hard to detect which device was implicated in the crime, and it takes more time to discover which devices introduced the crimes.
4. Variety of Devices, OS, and Infrastructures: The diversity of IoT devices, their different operating systems, and their different infrastructures make the IoT more complicated and complex. This condition may lead to various forms of corruption or exploitation by attackers. Thus, the various devices, operating systems, and communication channels may influence the investigation process.
5. Lack of Log Standardization: Investigation resources such as network logs, process logs, and application logs from various sources may assist investigators in gaining clear knowledge of the complete activity on the device. Nonetheless, there is no standard for log sources across the various systems.
6. Volatility of Evidence: The problems of evidence volatility in the IoT setting are much more difficult than on traditional computing platforms, given that the sensor devices are low-memory devices.
Existing review literature on IoT forensics has largely ignored some of the content presented in this manuscript. For example, a comparative analysis is given in Table 8.
From the analysis presented in Table 9, the existing review literature did not consider the implication of forensic readiness and process standardization. The exclusion of these two coverage areas of IoT forensics presents a major oversight and limitation in the extant review literature. Therefore, the current review presents a holistic review. Furthermore, the current study proposed a harmonized model.

VII. POTENTIAL FUTURE DIRECTIONS
Through this empirical process, it is evident that the DF field is a heterogeneous, complex, and unstructured domain, yet a rich one for research. The study revealed and highlighted the different challenges and issues of the subdomains of mobile device forensics, network forensics, database forensics, and IoT forensics, as shown in Figure 6. Thus, this section suggests potential solutions to address the identified research gaps, as shown in Figure 6. These include:
1) Subdomain-based metamodeling language: This can include attempts to develop a formal language for the digital forensic domains using the metamodeling approach. It would, however, require initial metamodeling of the various subdomains that constitute the digital forensic domain.
2) Domain-based ontology: Like the metamodeling approach, the use of ontology and semantics has been explored as an approach to developing a standardized baseline for the domain. Furthermore, the use of ontology for domain modeling towards a domain language has also gained prominence [267]-[269]. This approach can be used to reveal the degree of interdependence among the various subdomains.
3) Integrated framework for subdomains: Studies have explored the potential of integrating diverse subdomain frameworks into a unified integrated framework. This logic can be adapted for the digital forensic domain. Investigation frameworks that can provide a reliable guide for developing a standard forensic process for the forensic domain remain a viable approach to addressing some of the challenges identified in Figure 6.
4) Harmonized integration process: Approaches that attempt to merge or harmonize processes from different subdomains present a potential to address the growing diversity of process models among the various subdomains. This can be further leveraged to develop a mechanism for a context-independent data collection process. This approach can further integrate semantic logic. In essence, the process of developing a harmonized approach can rely on the semantics associated with the respective subdomain to prevent redundancies.
5) Structured representation of subdomain data: This is a major challenge within the digital forensic subdomains. Approaches that attempt to formalize data representation and structured query of potential digital artifacts (in a context-independent manner) are a potential solution to data heterogeneity and the lack of a unified data format. Furthermore, the development of a structured representation is a required step towards forensic automation. Forensic automation has been considered a futuristic approach for digital forensics, which has the potential to reduce dependence on error-prone human steps and, consequently, to reduce investigation biases, enhance evidence reliability, and reduce investigation time. Automation in this regard refers to the use of machines to carry out some forensic processes with minimal or no human oversight. For instance, Singh et al. [270] alluded to this assertion as a requirement for ransomware investigation.

TABLE 9. Comparative analysis of current review paper and existing review papers for IoT forensic field.
As a step towards developing a subdomain metamodel, for example, this study further proposes a metamodeling approach as a complementary process towards a generic digital forensic domain modeling based on the following steps.

A. DEVELOP METAMODEL FOR DF SUBDOMAINS (SEMANTIC METAMODELING LANGUAGE)
Whilst several studies have attempted to develop a unified, one-stop reference for these proliferating subdomains within digital forensics, there appears to be a lack of comprehensive reference sources that specifically consider the respective state of the art in the digital forensics subdomains. Such a reference model provides a baseline for exploring the distinctions and similarities among the various subdomains. Knowledge of such semantic and syntactic relationships is essential in any knowledge system [16], [115], [116]. Due to the heterogeneity and complexity of the DF subdomains, this study further suggests developing a metamodel to organize, structure, unify, share, manage, reuse, and facilitate the investigation task among domain forensic practitioners. The suggested metamodel is hereinafter referred to as the DF Metamodel (DFM). It can integrate the common forensic processes, concepts, activities, procedures, tasks, attributes, and operations of the DF subdomains. The methodology used to develop the DFM, adapted from [117], consists of the following steps:
1) Detect and nominate DF subdomain models: In this stage, the construction and validation models are detected and nominated. Numerous DF models were reviewed and investigated in the literature review. The models chosen for this research are selected based on the coverage features recognized in the earlier study [117]. Wide coverage of broadly applicable DF subdomains is required to fulfill the aim of developing the DFM. A coverage metric can quickly indicate the applicability of a source model: a model has a high coverage value if it covers most of the DF subdomain processes highlighted in the literature (i.e., a general model), and a reduced coverage value if it describes only part of the DF subdomains.
2) Extract DF subdomain investigation processes: In this step, the DF subdomain investigation processes are extracted from the selected DF models. During the extraction, certain criteria are adhered to in order to identify relevant and proper investigation processes. The criteria used to identify the DF processes were adapted from [118] and are applied to avoid missing or random process selection: titles, abstracts, related work, and conclusions are excluded, so each investigation process is extracted from either the diagram or the main textual model; the investigation process must have a definition, activity, or task that makes its purpose and meaning recognizable; irrelevant investigation processes not related to conducting DF subdomain investigations are excluded; and both explicit and implicit investigation processes from the models are included.
3) Merge and group the extracted DF subdomain investigation processes: The extracted DF subdomain processes are merged and grouped based on similarity of semantic meaning or functional meaning. All investigation processes having similar semantic or functional meaning are organized, merged, and grouped into separate groups.
4) Propose common DF subdomain investigation processes: This step proposes a common investigation process for every investigation group identified in Step 3. The investigation process with the higher frequency is proposed as the common investigation process.
5) Develop the DFM: The proposed common DF subdomain investigation processes are used to develop the DFM, and the relationships among these processes are then identified. The initial results of the DFM are developed in this step.
6) Validate and demonstrate the DFM: This step validates the completeness, logicalness, and usefulness of the proposed DFM through two validation techniques, namely comparison against other models and face validity. Comparison against other models verifies the completeness of the first version of the DFM against existing domain models; the output of this validation is the second version of the DFM. The face validity technique is then used to validate the completeness and logicalness of the second version of the DFM, and consequently a third version is generated. This process typically involves a confirmatory analysis in which knowledge experts in the discipline are identified and asked to verify the suitability, appropriateness, completeness, logical sequence of events, and overall contextual applicability of a given model.
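Steps 1 to 4 above (coverage scoring, process extraction, grouping by functional meaning, and frequency-based selection of a common process name) can be carried out mechanically once the grouping decisions have been recorded. The following Python is an added example written for this review, not the authors' tooling: the model names, process lists, and synonym groups are constructed for illustration, and the coverage metric is taken to be the fraction of functional groups a model touches, which is this example's assumption since the paper does not define the metric numerically.

```python
"""Frequency-based harmonization of investigation-process names across
digital forensic (DF) subdomain models.

Added example, not the paper's code. SAMPLE_MODELS and SYNONYM_GROUPS are
constructed for illustration; the coverage metric is an assumption."""
from collections import Counter, defaultdict

# Constructed sample: each source model lists the processes it describes.
# Names are deliberately varied so the merge/group step has work to do.
SAMPLE_MODELS = {
    "mobile_model_a": ["Identification", "Acquisition", "Examination", "Reporting"],
    "mobile_model_b": ["Seizure", "Acquisition", "Analysis", "Presentation"],
    "network_model_a": ["Detection", "Collection", "Preservation", "Analysis", "Presentation"],
    "iot_model_a": ["Identification", "Collection", "Analysis", "Reporting"],
    "db_model_a": ["Identification", "Collection", "Preservation", "Analysis",
                   "Reconstruction", "Reporting"],
}

# Step 3 input: synonym groups keyed by functional meaning (constructed; in
# the paper this grouping is an analyst decision, not an automatic one).
SYNONYM_GROUPS = {
    "Identification": ["Identification", "Detection", "Seizure"],
    "Collection": ["Collection", "Acquisition"],
    "Preservation": ["Preservation"],
    "Analysis": ["Analysis", "Examination", "Reconstruction"],
    "Presentation": ["Presentation", "Reporting"],
}


def group_of(process, groups=SYNONYM_GROUPS):
    """Map a raw process name to its functional group (None if not grouped)."""
    for group, names in groups.items():
        if process in names:
            return group
    return None


def coverage(model_processes, groups=SYNONYM_GROUPS):
    """Step 1 coverage metric (assumed): fraction of functional groups a model touches."""
    covered = {group_of(p, groups) for p in model_processes} - {None}
    return len(covered) / len(groups)


def rank_models_by_coverage(models, groups=SYNONYM_GROUPS):
    """Order candidate models from most general (high coverage) to most partial."""
    scored = [(name, coverage(procs, groups)) for name, procs in models.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def extract_and_group(models, groups=SYNONYM_GROUPS):
    """Steps 2-3: collect every raw process name, counted within its functional group.
    Processes that fall outside every group are dropped (the 'irrelevant' criterion)."""
    grouped = defaultdict(Counter)
    for processes in models.values():
        for process in processes:
            group = group_of(process, groups)
            if group is not None:
                grouped[group][process] += 1
    return grouped


def propose_common_processes(models, groups=SYNONYM_GROUPS):
    """Step 4: for each group, propose the most frequent raw name as the common
    process. Returns {group: (proposed_name, frequency)}; ties keep first-seen order."""
    proposal = {}
    for group, counter in extract_and_group(models, groups).items():
        name, freq = counter.most_common(1)[0]
        proposal[group] = (name, freq)
    return proposal


if __name__ == "__main__":
    for name, score in rank_models_by_coverage(SAMPLE_MODELS):
        print(f"{name:16s} coverage={score:.2f}")
    for group, (name, freq) in propose_common_processes(SAMPLE_MODELS).items():
        print(f"{group:15s} -> common process {name!r} (seen {freq} times)")
```

The ranking makes Step 1 reproducible: a model touching every group scores 1.0 and is a natural candidate for the "general model" the text describes, while the frequency table records why a given name was chosen over its synonyms, which is the evidence a reviewer would want when checking the harmonized process set.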

B. INITIAL VERSION OF THE DF METAMODEL
The initial version of the DFM, as illustrated in Figure 7, consists of three levels: the M2-Level (Metamodel), the M1-Level (User Models), and the M0-Level (User Data Models). The M2-Level contains meta-classes (with their meta-operations and meta-attributes), which govern the behavior of the M1-Level. The M1-Level consists of meta-objects (metadata) that govern the behavior of the M0-Level. The M0-Level consists of the real data representing the real scenarios of the DF subdomains. For example, the database forensic models in the M1-Level are instances of the DFM, and the data models in the M0-Level are instances of the M1-Level models. Thus, the DFM allows domain forensic practitioners to instantiate/derive solution models for the problems under investigation.
To demonstrate the capability of the DFM, a scenario of a compromised database server stated by [38] is used: "A DBA believes that one of his development servers has been compromised. No auditing was enabled. Is there any evidence to support a compromise that occurred? The requirement is to develop a specific verification model to check the availability of any evidence to support that a compromise happened in several development servers when the auditing feature was absent."
The main activity of this scenario is checking the availability of evidence, which entails several activities (e.g., Isolated Database Server(), Search Evidence(), and Identify Investigation Source()). Therefore, an M1-Verification Model is required to verify the availability of evidence against a compromised development server when the auditing feature was absent.
The M1-Verification Model illustrated in Figure 8 consists of activities instantiated from the DFM. These activities were derived from activities shared across different DFM processes and concepts, and they carry enough information to guide domain forensic practitioners in verifying the availability of evidence against a compromised development server. The guidelines that have been offered
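As an added illustration (not an artefact of the paper), the M2/M1/M0 instantiation chain described above can be mirrored directly by Python's own metaclass, class and instance levels, so that a non-conforming M1 model is rejected at the point where it is derived from the metamodel. The activity catalogue, the server names and the evidence-source names are assumptions, and the activity bodies are placeholders for the real forensic work.

```python
"""Added example, not from the paper: the DFM's three levels mapped onto
Python's own instantiation chain (metaclass -> class -> instance)."""

# M2-Level: the metamodel. Every M1 model class derived from it must declare
# the DFM activities it instantiates, and each must exist in the catalogue
# (assumed catalogue holding the three activity names the paper lists).
class DFMMeta(type):
    ACTIVITIES = {"Isolated Database Server", "Search Evidence",
                  "Identify Investigation Source"}

    def __new__(mcls, name, bases, ns):
        unknown = [a for a in ns.get("activities", ()) if a not in mcls.ACTIVITIES]
        if unknown:
            raise TypeError(f"{name} uses activities outside the DFM: {unknown}")
        return super().__new__(mcls, name, bases, ns)

def build_model(name, activities):
    """Derive an M1 model class from the M2 metamodel (TypeError if non-conforming)."""
    return DFMMeta(name, (), {"activities": tuple(activities)})

def conforms(model_cls):
    """An M1 model conforms to the DFM iff it is an instance of DFMMeta."""
    return isinstance(model_cls, DFMMeta)

# M1-Level: the verification model is an instance of the DFM; its fields
# describe one M0 scenario (a development server with auditing absent).
class VerificationModel(metaclass=DFMMeta):
    activities = ("Isolated Database Server", "Identify Investigation Source",
                  "Search Evidence")

    def __init__(self, server, auditing, sources):
        self.server = server            # development server under review
        self.auditing = auditing        # False in the paper's scenario
        self.sources = dict(sources)    # candidate evidence source -> present?
        self.isolated = False

    def run(self):
        """Walk the activities in order and return the verification finding."""
        self.isolated = True                                        # Isolated Database Server
        found = sorted(s for s, ok in self.sources.items() if ok)   # Identify Investigation Source
        return {"server": self.server, "auditing": self.auditing,   # Search Evidence
                "sources": found, "evidence": bool(found)}

# M0-Level: constructed user data, one M1 instance per development server.
SAMPLE = {  # constructed sample; source names are placeholders, not from the paper
    "dev-db-01": {"transaction_log": True, "os_event_log": False},
    "dev-db-02": {"transaction_log": False, "os_event_log": False},
}

def verify_servers(servers):
    return {host: VerificationModel(host, False, src).run() for host, src in servers.items()}
```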

VIII. CONCLUSION AND FUTURE WORK
This paper presented the results of a systematic literature review that examines approaches for investigating four digital forensic subdomains, namely database forensics, mobile forensics, network forensics, and IoT forensics. One of our observations is the lack of standardization across the four subdomains. For example, the study identified several different investigative models and processes proposed by the research communities for these subdomains, and many of these models and processes were designed to address a specific scenario or problem within a specific subdomain. As a result, very few, if any, models from one subdomain could be translated to an investigation involving a different subdomain or spanning several subdomains. Several potential future research directions were further identified, both for each subdomain and for the digital forensic domain in general. In addition, a metamodeling approach was proposed to address one aspect of the identified problems. In future work, a systematic approach will be employed to validate the proposed metamodeling approach, to address the heterogeneity and complexity challenges in the digital forensics subdomains.
SHUKOR ABD RAZAK (Senior Member, IEEE) is currently a Professor with Universiti Teknologi Malaysia. He is the author or coauthor for many journals and conference proceedings at national and international levels. His research interests include security issues for mobile ad-hoc networks, mobile IPv6, vehicular ad-hoc networks, and network security. He also actively conducts several types of research in digital forensic investigation, wireless sensor networks, and cloud computing.
GEORGE GRISPOS received the B.Sc. degree (Hons.) in computer networks from Middlesex University, England, and the M.Sc. degree in computer forensics and e-discovery, and the Ph.D. degree in computing science from the University of Glasgow, Scotland. He is currently an Assistant Professor of cybersecurity with the School of Interdisciplinary Informatics, College of Information Science and Technology, University of Nebraska at Omaha (UNO). His doctoral research focused on evaluating and enhancing the quality of data used by security incident response teams, with the aim of developing better lessons learned from security investigations. Prior to joining UNO, he worked with Lero-The Irish Software Centre in Limerick, Ireland, as a Postdoctoral Researcher. At Lero, his research focused on engineering forensic-ready software systems. His current research interests include the domains of digital forensics and security processes, and he has experience in conducting research with several Fortune 500 organizations in the financial services and manufacturing sectors, and with law enforcement agencies.

BANDER ALI SALEH AL-RIMY received the B.Sc. degree in computer engineering from the Faculty of Engineering, Sana'a University, Yemen, in 2003, the M.Sc. degree in information technology from OUM, Malaysia, in 2013, and the Ph.D. degree in computer science from the Faculty of Engineering, Universiti Teknologi Malaysia (UTM), Johor Bahru, Malaysia, in 2019, with a focus on information security. He is currently a Senior Lecturer with UTM. His research interests include, but are not limited to, malware, IDS, network security, and routing technologies. He was a recipient of several academic awards and recognitions, including, but not limited to, the UTM Alumni Award, the UTM Best Postgraduate Student Award, the UTM Merit Award, the UTM Excellence Award, the OUM Distinction Award, and the Best Research Paper Award.