A Comprehensive Survey on Computer Forensics: State-of-the-art, Tools, Techniques, Challenges, and Future Directions

With the alarmingly increasing rate of cybercrimes worldwide, there is a dire need to combat cybercrimes timely and effectively. Cyberattacks on computing machines leave certain artifacts on target device storage that can reveal the identity and behavior of cyber-criminals if processed and analyzed intelligently. Forensic agencies and law enforcement departments use several digital forensic toolkits, both commercial and open-source, to examine digital evidence. The proposed research survey focuses on identifying the current state-of-the-art digital forensics concepts in existing research, sheds light on research gaps, and presents a detailed introduction of different computer forensic domains and forensic toolkits used for computer forensics in the current era. The proposed survey also presents a comparative analysis based on the tools' characteristics to facilitate investigators in tool selection during the forensics process. Finally, the proposed survey identifies and derives current challenges and future research directions in computer forensics.


I. INTRODUCTION
In this age, where everything is being digitalized, criminals are using modern technologies to attack governments, businesses, and individuals [1], [2], [3], [4]. The most recent example is the cyberattack on Baltimore in the US, where attackers stole a National Security tool and caused thousands of systems to freeze. The attack lasted for three weeks, disrupting emails, real estate sales, water bills, health alerts, and several other services. The annual cost of cybercrime is increasing rapidly; in fact, experts have projected it to rise to $6 trillion by 2021 [5], [6], [7]. Computer forensics techniques are used in civil, administrative, and criminal cases; however, an intelligent selection of tools is vital in criminal investigations. Computer forensics has a close link with human behavior: forensics can reveal psychological conditions and traits of human behavior, and Behavioural Evidence Analysis (BEA) within computer forensics helps to understand the psychology and behavior involved in a particular case [8]. Investigators use several tools to perform forensic procedures and obtain conclusive evidence against criminals so that they can be held responsible in a court of law. This paper discusses computer forensic domains and available open-source and proprietary analysis tools, and presents their feature-based comparison.
Computer forensic information can be extracted from applications such as software, databases, the web, and emails [9]. Since computers communicate and share information over networks, investigations that recover network information can also help [10]. Also, emerging technologies like virtualized systems, distributed computing, and cloud computing have posed challenges in the field of forensics [11], [12]. In this era of technology, evidence is extracted from various hardware devices such as memory cards, smart cards, dongles, cameras, biometric scanners, routers, pagers, printers, answering machines, and GPS systems. We present an analysis of critical characteristics for the forensic examination of acquired evidence. Forensic readiness planning, evidence acquisition methods, protocols, protection of evidence integrity, and the legal aspects of forensic investigations are beyond this study's scope.
From a technical perspective, the decision of choosing digital forensic tools for evidence examination is made by the investigator according to the unique nature and requirements of the case [13], [14]. However, a forensic tool would be a good choice if it has the versatility to work across multiple platforms and multiple operating systems, the ability to analyze more than one file system, the extensibility to apply scripting languages to automate repetitive functions and tasks, automation of significant features, and good product support. In general, a forensic toolkit providing more features in one product/suite and multi-platform support would be more helpful. Careful and in-depth study of each tool's features can help investigators pick the most appropriate tool for an investigation, thus saving investigation time and effort. Investigators can then focus on other investigation activities such as case preparation, evidence collection, maintaining the chain of custody, and report generation. This paper performs an in-depth study of tools and their features. The surveys reported in the past are of limited help to forensic investigators in picking a suitable forensic tool. Some previous research works such as [15], [16], [17], [18], [19] focused more on providing an overview of digital forensics methodologies, finding errors in toolkits, and research directions, but did not provide any guideline to investigators for the intelligent selection of an appropriate toolkit for evidence analysis. Table 1 presents the comparison of the existing research papers.
TABLE 1. Comparison of existing survey papers.

Ref. | Focus | Limitation
[15] | Overview of digital forensics | Limited overview
[16] | Overview of abstraction layer for errors in toolkits | Focused on errors in toolkits
[17] | Overview of digital forensics toolkits | Limited features and toolkits
[18] | Overview of digital forensics toolkits | Brief overview of features and toolkits
[19] | Comparative study between forensics application tools | Limited features, limited toolkits, no challenges and future directions
[20] | Overall forensics investigation | Limited description of digital forensics toolkits

A. RESEARCH CONTRIBUTION
Several researchers presented surveys on computer forensics [20], [21], [22], [23], cloud forensics [24], [25], [26], [27], and mobile forensics [28], [29], [30], [31], but this is the first survey that provides the current state of the art on computer forensics, techniques, and their comparison. The main contributions of this paper are as follows:
• The proposed research survey identifies the current state-of-the-art digital forensics concepts in existing research and sheds light on research gaps.
• It presents a detailed introduction of different computer forensic domains and forensic toolkits used for computer forensics in the current era.
• It provides a comparative analysis based on the tools' characteristics to facilitate forensics investigators during the digital forensics process.
• It also identifies challenges and provides insights and future research directions in computer forensics.

B. SURVEY STRUCTURE
The rest of the paper is organized as follows: section I-C provides the background of the proposed research work; section II reviews the computer forensic domains, including operating system, file system, live memory, web, email, network, and multimedia forensics; section III includes details about powerful computer forensic toolkits such as Autopsy, Redline, Belkasoft, OSForensics, ProDiscover, X-Ways, Encase, and FTK; section V presents a detailed discussion of toolkits based on features in each domain; section V-A presents future research directions regarding the proposed research work; and section VI summarizes the survey and presents future research directions.

C. RESEARCH BACKGROUND
The focus of digital forensics is on the objects situated on different types of digital devices such as mobile phones, digital cameras, computer systems, and other digital devices.

II. COMPUTER FORENSIC ANALYSIS
Digital data exists in several formats and types. Therefore, several types of analysis, with examples of common digital analysis types, are defined by the Digital Forensics Research Workshop (DFRWS) [65]. The authors in [17] have explained the process and the flow of a digital forensic investigation.

TABLE 2. Summary of related work.

Ref. | Domain | Description
[…] | Log forensics | The author designed and developed GrAALF, a novel graphical system for efficient log displaying, storing, querying, processing, and loading.
[55] | Computer forensics | The author analyzed the relationship between data recovery and computer forensics, and analyzed computer forensics and anti-forensics application technology.
[56] | Computer forensics | The author discussed computer forensics methods, including rules for data extraction, evidence management, and chain of custody.
[57] | Computer forensics | The author discussed the computer forensics investigation process with a view to the admissibility of evidence and to overcoming legal issues related to digital evidence in court.
[58] | IoT forensics | The author proposed the digital witness technique to protect users' privacy and secure data sharing, and also applied the PRoFIT technique to IoT forensics.
[59] | IoT forensics | The author surveyed current research by analyzing the strengths and weaknesses of IoT forensics, and classified the literature by forensic processes, forensic data processing, layers, models, tools, and phases.
[60] | Computer forensics | The author presented a detailed survey on the mitigation of privacy issues in the cloud for computer forensics, along with future recommendations regarding privacy issues in cloud computing.
[61] | IoT forensics | The author studied the readiness and complexity of smart-application devices for assisting investigations, and presented a forensics methodology and tools related to smart applications.
[62] | Computer forensics | The paper provides researchers and readers with valuable information about forensics, the current status of forensics, and anti-forensics techniques.
[63] | Computer forensics | The author proposed a novel technique for investigators to correlate evidence and the analysis process with the help of numerous forensics tools.
[64] | Memory forensics | The author investigates limitations of memory forensics, including data change issues, data incompleteness, and executable file and process inconsistencies.
[32] | Memory forensics | The author presented a survey on computer memory forensics, including future research directions, how technological changes such as those in operating systems influence memory forensics, and a critical analysis of the techniques used in current-generation forensics.
Proposed survey | Computer and mobile forensics | In this survey, we perform a comparative analysis of forensics toolkits based on their characteristics, discuss computer and mobile forensics domains, and cover diverse forensic toolkits used for computer and mobile forensics investigations. We also discuss forensic challenges and future research directions.
The process of investigation starts right after an incident is reported or a crime is detected [66]. After that, the investigator follows the steps shown in Figure 1. First, the investigation starts by identifying the suspect machine or object used in the crime or violation. After the crime is detected, the investigator starts collecting evidence from the objects identified as involved in the crime. Next, the investigator examines the objects and generates a report on the findings. Finally, the last step is to report the findings and catch the suspect [67]. Figure 2 represents the breakdown of the computer forensic domains. In later sections, we focus on the details of each computer forensic domain.

A. OPERATING SYSTEM FORENSICS
Operating System Forensics is the process of retrieving useful information from the operating system of the computer or mobile device in question [15]. The aim of collecting this information is to acquire empirical evidence against the perpetrator. An operating system (OS) is the first application to execute when a computer system starts [68]. Examining the configuration files and output data of the OS helps determine which events might have occurred. [69], [70], [71] are some of the existing research surveys in the operating system forensics domain. OSForensics allows its users to identify suspicious files and activity with hash matching, drive signature comparisons, emails, memory, and binary data [72]. It lets users extract forensic evidence from computers quickly with advanced file searching and indexing, and enables this data to be managed effectively. It supports Windows Vista, Windows 7, Windows 8, Windows 10, and Windows Server 2000, 2003, 2008 (for 32-bit and 64-bit platforms). OSForensics is available as a trial as well as a paid version. This tool's prominent features are misnamed file searching, drive signature comparison, and hidden disk area inspection.
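Two of the checks just named, misnamed file searching and hash matching, come down to comparing what a file claims to be with what its bytes and digest say. The following Python script is an added example written for this survey's discussion; it is not code from the paper or from OSForensics. The signature table, the sample file contents and the known-bad hash set are all constructed here; a real tool would use a much larger signature database and a vetted hash set.

```python
import hashlib

# Leading-byte signatures ("magic numbers") and the extensions that legitimately carry them.
# Constructed for this example; production tools ship far larger signature databases.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys", "scr"},
}


def content_extensions(data: bytes):
    """Return the extensions consistent with the file's leading bytes, or None if unrecognised."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None


def is_misnamed(name: str, data: bytes) -> bool:
    """True when the extension in the file name contradicts the content signature."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    exts = content_extensions(data)
    # Unknown content cannot be judged; only a recognised signature can contradict the name.
    return exts is not None and ext not in exts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_files(files: dict, known_bad: set) -> dict:
    """Map each flagged file name to the list of reasons it was flagged."""
    findings = {}
    for name, data in files.items():
        reasons = []
        if sha256_hex(data) in known_bad:
            reasons.append("hash matches known-bad set")
        if is_misnamed(name, data):
            reasons.append("extension does not match content signature")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample "drive": a genuine JPEG, an executable renamed to look like a PDF,
# an executable whose hash an analyst has previously catalogued, and a plain text note.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "updater.exe": b"MZ\x90\x00" + b"SAMPLE-BINARY-A" * 4,
    "notes.txt": b"meeting moved to Thursday\n",
}
# Constructed known-bad hash set; in practice this comes from a vetted hash database.
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLE_FILES["updater.exe"])}


def run_demo() -> dict:
    return scan_files(SAMPLE_FILES, KNOWN_BAD_SHA256)


if __name__ == "__main__":
    for name, reasons in run_demo().items():
        print(name, "->", "; ".join(reasons))
```

Note that a file whose leading bytes match no signature is deliberately not reported as misnamed: an unrecognised format is a gap in the signature table, not evidence of renaming, and reporting it would bury the real findings in noise.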

B. FILE SYSTEM FORENSICS
The file system is highly valued in computing because, without it, files would be in disarray: there would be no clue where data is placed, where a specific piece of data starts, and where it ends. Each file system instance has a unique size, but its underlying structure allows any computer that supports that type of file system to process it [68]. There are different types of file systems. Each one has a different structure and logic, speed, flexibility, security, size, etc. Some file systems are designed to be used for a specific application. For example, the ISO 9660 file system is designed specifically for optical discs [16]. Different storage devices, such as SSDs, use different media that support different file systems. Another example of a file system is Random Access Memory (RAM) used as a temporary file system for short-term use. Some other file systems provide file access via a network protocol such as NFS and SMB [73]. The key features of file systems are filenames, directories, metadata, and space management. The analysis of a file system depends on the data that exists inside a partition or disk. This typically involves processing data to extract the contents of a file or to recover the contents of a deleted file. File system analysis examines data in a volume (i.e., a partition or disk). The file system process includes listing the files in a directory, recovering deleted content, and viewing a sector's contents [74]. [75], [76], [77] are some of the existing research surveys in the file system forensics domain. Table 3 presents the available operating systems with their supported file types.

C. LIVE MEMORY FORENSICS
[78]. RAM allows accessing data in such a way as to produce transparent information, which would not be possible otherwise [79], [80]. This can help to reveal hidden processes, malware trying to hide information, and toolkits. [81], [82] are some of the existing research surveys in the live memory forensics domain.

D. WEB FORENSICS
Web activities are performed in a web browser, which provides an interface between the user and the Internet [83], [84]. Forensic information can be retrieved from web storage, recorded sessions, searches, and the history, where the user's complete activity is recorded [85], [86]. Every OS and browser has its own way of keeping these records, which can be analyzed to trace a crime [87]. [76], [88], [82] are some of the existing research surveys in the web forensics domain.

E. EMAIL FORENSICS
Email is the mainstream form of communication over the Internet. Email forensics is the process of collecting evidence from emails, since an email is an electronic communication over the Internet that carries messages to deliver files, documents, and other transaction elements [89], [90], [91]. An email, when transmitted, contains the source, content, actual sender and receiver information, date/time, protocols, and server information. The email service used could be either webmail or a local mailbox [92]. [30], [20], [89] are some of the existing research surveys in the email forensics domain.
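The header fields listed above (sender, receiver, date/time, and the server information in the Received chain) are what an examiner reads first. The following Python script is an added example for this survey, not code from the paper; it uses only the standard library's email parser. The raw message is constructed for the example and uses reserved example host names; the two points it shows are reconstructing the relay path in transit order and comparing the header From address with the envelope Return-Path, a mismatch worth a closer look.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed raw message (RFC 5322 headers, single-line Received fields) standing in for
# an .eml file exported from a mailbox. Hosts and addresses are reserved example names.
RAW_MESSAGE = b"""Return-Path: <bounce@bulk-sender.test>
Received: from relay.example.test (relay.example.test [203.0.113.7]) by mx.corp.test with ESMTP id 4Gx1; Tue, 1 Jun 2021 10:00:05 +0000
Received: from smtp.bulk-sender.test (unknown [198.51.100.23]) by relay.example.test with ESMTP id 9Qz2; Tue, 1 Jun 2021 10:00:01 +0000
From: "Accounts Payable" <ap@corp.test>
To: cfo@corp.test
Subject: Updated invoice
Date: Tue, 1 Jun 2021 09:59:58 +0000
Message-ID: <20210601095958.1234@smtp.bulk-sender.test>
MIME-Version: 1.0
Content-Type: text/plain

Please see the attached invoice.
"""


def _hop_host(received: str) -> str:
    """Extract the host named after 'from' in one Received header."""
    m = re.match(r"from\s+([^\s(]+)", received.strip())
    return m.group(1) if m else "?"


def analyze_headers(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # Each relay prepends its Received line, so the list reads last hop first;
    # reverse it to obtain the path in transit order (originating host first).
    hops = [_hop_host(h) for h in reversed(received)]
    sent = parsedate_to_datetime(msg["Date"])
    # The topmost Received line carries the delivery time at the final server.
    delivered = parsedate_to_datetime(received[0].rsplit(";", 1)[1].strip()) if received else sent
    msg_id = msg.get("Message-ID", "").strip("<>")
    return {
        "from": from_addr,
        "return_path": return_path,
        # Header sender and envelope sender in different domains is a common sign of spoofing
        # or bulk mailing; it is a lead, not proof.
        "envelope_mismatch": from_addr.split("@")[-1] != return_path.split("@")[-1],
        "hops": hops,
        "message_id_domain": msg_id.rsplit("@", 1)[-1],
        "sent_utc": sent.isoformat(),
        "transit_seconds": (delivered - sent).total_seconds(),
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Received headers are written by each relay and only the final, trusted hop is guaranteed genuine; an examiner reads the chain from the top (the receiving server) downwards and treats earlier lines with increasing suspicion.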

F. NETWORK FORENSICS
Network packets can be examined using the Open Systems Interconnection (OSI) model to interpret the raw data into an application-level stream. Network forensic analysis focuses on monitoring network traffic and investigating the attack source. The objective of this analysis is to put plans in place before a security breach occurs [76], [1], [93]. The methods used for this objective are 'Catch it if you can' and 'Stop, look and listen,' which together cover an outline that includes identifying threats, collecting evidence, examining data, analyzing and concluding from the data, presenting the analysis, and responding to attacks. [24], [94], [77] are some of the existing research surveys in the network forensics domain. Figure 3 defines the OSI model layers in detail.
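Interpreting raw bytes into an application-level stream means peeling the layers in order: Ethernet (layer 2), IPv4 (layer 3), TCP (layer 4), and finally the payload. The following Python script is an added example for this section and is not code from the paper or from any tool it names. It parses one raw frame with the standard library's struct module, verifies the IPv4 header checksum as an integrity check, and decodes the TCP flags; the sample frame is constructed in the script from documentation addresses and carries an HTTP request line.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 upwards


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Walk one raw Ethernet frame from layer 2 up to the application payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"ethernet": {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return layers                      # only IPv4 is decoded in this example
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4             # header length in bytes (options included)
    layers["ipv4"] = {
        "src": _ipv4(src_ip), "dst": _ipv4(dst_ip), "ttl": ttl, "protocol": proto,
        # A header whose stored checksum is correct sums to zero under the same algorithm.
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:
        return layers                      # only TCP is decoded in this example
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    layers["tcp"] = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
    }
    payload = tcp[data_off:]
    layers["application"] = {
        "bytes": payload,
        "first_line": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }
    return layers


def build_sample_frame() -> bytes:
    """Constructed sample: an HTTP GET from 192.0.2.10 to 198.51.100.5 (documentation addresses)."""
    payload = b"GET /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51515, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH+ACK
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                            0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for layer, fields in parse_frame(build_sample_frame()).items():
        print(layer, fields)
```

Reassembling a full application stream from a capture additionally requires ordering TCP segments by sequence number across many frames; this example stops at the single-frame decode that the OSI walk describes.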

G. MULTIMEDIA FORENSICS
Today users enjoy smartphones, high-bandwidth connections, rich media, and cheap storage. People share massive amounts of multimedia content on social sites in the form of images, audio, video, etc. [96]. Digital image analysis is the latest digital forensics trend because it validates the history of an image by exploring, analyzing, and retrieving information about the image [97]. Moreover, two more essential areas in the image forensic domain are identifying the imaging device that captured the image and detecting traces of forgery. Digital visual media is nowadays one of the principal means of communication. Digital images are the target of many digital investigations because some are contraband [98], [99]. This type of analysis looks for information about where the picture was taken and who is in the picture. Image analysis also includes examining images for evidence of steganography. Video analysis can automatically analyze video to detect and determine temporal and spatial events, while forensic video analysis compares and evaluates video in legal matters [100], [101]. Digital video is used in security cameras, personal video cameras, and webcams. Investigations of online predators can sometimes involve the examination of digital video from webcams [102]. This type of analysis examines the video for the identity of objects and the location where it was shot. Forensic video analysis and audio analysis have been used in various high-profile cases, international disagreements, and conflict zones [103]. [103], [22], [104] are some of the existing research surveys in the multimedia forensics domain.

H. OTHERS
Instant messenger forensics examines pieces of evidence collected through instant messenger applications, chats, and shared data. Media/USB/memory card forensics helps analyze removable media, and malware forensics helps identify malware objects and their behavior [105], [46], [106], [107]. Some other computer forensics domains, such as cloud forensics, are used to examine crimes committed using cloud platforms, and database forensics helps investigate data storage and privacy-related crimes [24], [108].

III. STATE-OF-THE-ART COMPUTER FORENSIC TOOLS
Whenever a crime is related to the virtual world, it is called cybercrime [109], [110], and it falls in the area of digital forensics. With time, and in the era of intelligent devices and technologies, the nature of cybercrimes has diversified. Identity theft and espionage [55], [111], [112], [113], intellectual property theft, information leakage, harassment, phishing, denial of service (DoS), and cyber defamation are some of the most common attacks nowadays [114].
Generally, digital forensics involves preservation, extraction, identification, and analysis of data, and generating a report [17]. Several digital investigation tools are available nowadays to ease the job of a forensic investigator. These tools are limited to their tasks. For example, some tools are appropriate for tasks such as:
• Attribution: metadata and logs are used to attribute actions to an individual. For example, personal documents on a computer drive might identify its owner.
• Alibis and statements: those provided by the people involved can be cross-checked with digital evidence.
• Intent: helps find objective evidence of a crime and can also be used to prove intent.
• Evaluation of source: file artifacts and metadata are used to identify the origin of a particular piece of data; for example, older versions of Microsoft Word embedded a Globally Unique Identifier into files that identifies the computer the file was created on, showing whether a file was produced on the digital device being examined or obtained from elsewhere (e.g., the Internet).
• Document authentication: related to evaluation of source; metadata associated with digital documents can be easily modified (e.g., by changing the computer's clock, one can affect the creation date of a file), and this analysis helps detect and identify falsification or evidence manipulation.
• Malware identification: identifies malware's dynamic behavior by observing changes in system and network logs.

A. AUTOPSY SLEUTHKIT
The Sleuth Kit provides disk image analysis and file recovery features. It allows an investigator to analyze volume and file system data. It is widely used by law enforcement agencies, the military, and corporate examiners. Its plug-in framework allows incorporating additional modules to analyze file contents and build automated systems [115]. In addition, the library can be incorporated into more comprehensive digital forensics tools, and the command-line tools can be used directly to find evidence. Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools [115]. The Sleuth Kit and Autopsy are free tools and support Windows, Linux, OS X, and other Unix platforms. This kit's prominent features are collaboration, web artifacts, registry analysis, email analysis, and Android support.

B. REDLINE
Redline is another toolkit that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and to develop a threat assessment profile [116]. Redline can perform an audit and collect all running processes and drivers from memory, file system metadata, registry data, event logs, network information, services, tasks, and web history. Supported operating systems are Windows XP, Windows Vista, Windows 7, Windows 8 (32-bit and 64-bit), and Windows 10.

C. BELKASOFT EVIDENCE CENTER
Belkasoft Evidence Center (BEC) is a commercial forensic tool available with a trial version. It makes it easy for an investigator to acquire, search, analyze, store, and share digital evidence found inside computers, mobile devices, RAM, and the cloud. This toolkit can quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, cloud data, memory dumps, iOS, BlackBerry and Android backups, GrayKey, UFED, OFB, Elcomsoft and TWRP images, JTAG, and chip-off dumps. Evidence Center automatically analyzes the data source and lays out the most forensically important artifacts for the investigator to review, examine more closely, or add to the report [51]. It supports all Windows platforms, macOS, and Unix-based systems (such as Linux and FreeBSD). Some critical features provided by Belkasoft are data carving, live memory analysis, enhanced live RAM analysis, a kernel-mode RAM capturer, and JumpList analysis.

D. PRODISCOVER BASIC
ProDiscover is designed to be a single application allowing forensic examiners to collect, analyze, manage, and report on computer disk evidence. It simplifies computer forensics case management. When required, investigators can collect time zone, web browsing activity, and device information through a report. ProDiscover is a paid toolkit with its basic version available for free. It allows investigators to perform live analysis. It also uses patent-pending technology and a process called Connect Collect Protect, which helps the user connect to a device, gather data, and analyze the situation during any security issue or data breach. This tool's other prominent features are inspection and search of hardware-protected areas, Boolean search, malware discovery hash sets, and automatic reports.

E. XWAYS FORENSICS
X-Ways Forensics is an advanced working environment for computer forensic examiners. It is proprietary and available online. X-Ways Forensics runs much faster, finds deleted files and search hits that competitors will miss, does not have any special hardware requirements, and does not depend on setting up a complex database. X-Ways Forensics is an integrated computer forensic software based on the WinHex hex editor and disk imager [117]. It is part of an efficient workflow model in which computer forensic examiners share data and collaborate with X-Ways Investigator users. Some key features of X-Ways are complete access to disks, RAIDs, and images, carving, PhotoDNA hashing, disk imaging, and password recovery.

F. ENCASE
Encase is one of the most widely used forensic tools in the world. Reportedly, 90% of investigators utilize this tool. 93% of the banks, 100% of the government offices, 75% of the power wholesalers, and 80% of the universities in the U.S. use Encase. The examination life cycle is nearly the same as that portrayed in [17]: beginning with an examination, then gathering information, investigating it, and producing a report. This toolkit's key features are large-scale reports, carving, memory acquisition, disk imaging, and password recovery.

G. FTK
AccessData Group is the creator of FTK. They provide training and certification for forensic tools [18]. More than 130,000 administering bodies and law offices use FTK. It can investigate PCs, networks, and mobiles, and its searching is faster than other tools. Some key features of FTK are network data, data transfer, detection, an internal viewer, disk imaging, and password recovery.

H. MAGNET AXIOM
Magnet Axiom (https://www.magnetforensics.com/products/magnet-axiom/) provides the functionality to recover digital evidence from the most sources and to use robust and intuitive analytics tools to efficiently analyze data in one case file. Furthermore, Magnet Axiom can recover data from smartphones, computers, and the cloud. Magnet Axiom also provides the functionality to examine evidence across all the sources in one case file. Finally, it surfaces and shares insights with powerful analytics and reporting tools.

I. OTHERS
In each computer forensic domain, some tools are specifically designed for that particular domain. Some of the well-known tools for data recovery are Blade, Recuva, and Recover My Files; CrowdStrike and CrowdResponse are used to deal with cyber incidents, such as identifying the attacker and eradicating them; the Volatility framework provides live memory analysis; ExifTool detects image file formats; Free Hex Editor Neo is used for binary file editing; and Bulk Extractor ignores the file system entirely so that any file can be processed by it. DSi USB Write Blocker prevents writes to USB media, HxD helps edit hex files, COFEE extracts evidence from a Windows computer, and EPRB provides encryption/decryption functionality. The increasing sophistication of cybercrime has made it necessary to develop innovative computer forensic tools that investigate intelligently. New tools are being developed, and existing tools are being improved to address forthcoming issues. Table 4 presents a detailed summary of the above-mentioned forensic tools.

IV. COMPARATIVE ANALYSIS
This section provides a high-level taxonomy of computer forensic toolkits to help investigators find the best toolkit. We present a review of significant characteristics of computer forensic toolkits comprising (a) license, (b) platform, (c) supported image formats, (d) domains, and (e) tool interaction, as illustrated in Figure 4.
Forensic toolkits are initially compared based on available features and then domain-specific features. The toolkits discussed in the previous section are analyzed and compared generally and then concerning the domain.

A. GENERAL ANALYSIS
Firstly, we present the analysis of computer forensic domains based on available features such as licensing status, supported operating system, and image format.

1) Licensing Status
While selecting a toolkit for forensic analysis, an important aspect is to know what kind of license it possesses. Open-source forensic tools are available and can be modified as per the investigation requirements. Freeware tools are available, but the proprietor alone defines their set of features. Commercial tools have monthly, yearly, or contracted subscription periods. Some commercial tools provide trial versions with limited functionality for a short duration.

2) Supported Operating System
A toolkit that supports multiple operating systems (with multiple file systems) can help investigators. Some tools are operating-system-specific and cannot be used on other platforms. Table 5 shows a general comparison of the toolkits discussed in Section 5 based on their licensing status, supported OS, and supported image file formats. Autopsy, ProDiscover Basic, and FTK are toolkits with an open license that support raw and Encase image formats. These toolkits also support almost all versions of the Windows operating system, and ProDiscover Basic supports Linux. Belkasoft Evidence Center (BEC) and OSForensics support diverse image formats and can be used where multiple evidence images of different storage devices are available in diverse formats. BEC can perform quick extraction from sources such as hard drives, memory dumps, UFED, JTAG, and chip-off dumps.

B. DOMAIN WISE ANALYSIS
Forensic investigations are performed for different purposes. The nature of the investigation required is determined by the nature of the committed crime. For one case, evidence found in an Instant Messenger (IM) application may be of more value, and for another, audio files may be more worth observing. This section presents a detailed analysis of the computer forensic domains in which an investigator can be interested. We identified significant features provided by forensic tools in each domain and compared the tools with one another. We have picked domain-specific tools and analyzed their features for comparison. For example, we have observed NetworkMiner, Volatility, and some other tools.

1) Operating System Forensics
Operating systems produce many valuable artifacts that can be further used as pieces of digital evidence [118]. In the case of Windows, the most common sources of such artifacts are the Recycle Bin, Windows event logs, LNK files, and prefetch files, as shown in Table 6.
• LNK files: LNK files are Windows shortcut files that contain metadata. They usually provide timelines, target size, serial number, network volume share name, and file attributes.
• Prefetch files: These files are designed to speed up the application startup process. They contain valuable information about the applications used, including their run count, last run date and time, executable name, and size.
• Event Log: A logging system that maintains application, system, security, and server-based logs. These logs are stored in pre-defined formats to record all necessary information regarding an event. Event Log records contain a "magic number" or unique identifier [119].
• Recycle Bin: Covers the functionality to recover deleted files. If a user simply deletes a file, a copy is retained in the Recycle Bin and can be restored if required; this is known as a soft delete.
• Services Analysis: Covers the analysis of Windows service components from the acquired image.
• Registry: A registry viewer displays the content of registry hive files, shows value names and data, and can export registry keys and their subkeys to a text file.
• Installed Programs: Scanning for programs installed on the operating system.
• User Activity: The User Activity module scans the system for evidence of user activity, such as accessed websites, USB drives, wireless networks, and recent downloads. This is especially useful for identifying the user's trends and patterns and any material accessed recently.
• Passwords: Retrieval of passwords and product keys stored by various applications and web browsers on the system.
• AmCache: A registry file called Amcache.hve stores information associated with programs run on the Windows operating system. Several important artifacts stored in Amcache.hve relate to different actions performed by the user, such as running portable applications, installing applications, or running host-based applications from an attached external portable device.
• Timeline: For each unallocated and existing metadata structure, timeline analysis takes the metadata values from the file system and arranges them chronologically, from the most recent to the earliest, so that the forensic analyst can interpret and view them for investigation purposes.
• Telemetry: Telemetry is an automated communication process; its data is used to improve application health and customer experience and to monitor security, quality, and process performance.
• SRUM: Forensic analysts use data collected by SRUM to correlate user activities and even paint a picture of user activity with processes, data transfers, network-related events, and more.

We performed a study on Autopsy, Redline, BEC, OSForensics, ProDiscover Basic, XWays, Encase, and FTK analyzer and identified which of the features mentioned above are provided by these toolkits. Table 6 summarizes our findings, where it can be seen that Belkasoft Evidence Center and OSForensics are promising tools in this domain. FTK also provides most of the features except for the analysis of Windows services.
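As an added illustration of the LNK artifact described above (this code is not part of the survey or of any toolkit it compares), the following parses the fixed 76-byte ShellLinkHeader of a .lnk file according to the public MS-SHLLINK layout, recovering the target's timestamps, size, and attributes that the text mentions. The sample header is constructed by the script itself.

```python
"""Parse the fixed-size ShellLinkHeader at the start of a Windows .lnk file.

Field layout follows the public [MS-SHLLINK] specification. The sample header
below is constructed with build_sample_header(); it is not taken from a case.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_HEADER_SIZE = 0x4C                           # HeaderSize is always 76 bytes
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (subset) from MS-SHLLINK 2.1.1: which optional structures follow
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
# FileAttributes bits describing the link *target*, not the .lnk file itself
FILE_ATTRIBUTES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE",
}

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed sample value: FILETIME for 2021-01-01 00:00:00 UTC
FT_2021_01_01 = 132539328000000000


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to UTC."""
    if ft == 0:
        return None                              # zero means "not recorded"
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_bits(value, table):
    """Name every set bit of `value` that appears in `table`."""
    return sorted(name for bit, name in table.items() if value & bit)


def is_lnk_header(data):
    """Cheap magic check: correct HeaderSize and the Shell Link CLSID."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    size, clsid_raw = struct.unpack_from("<I16s", data, 0)
    return size == LNK_HEADER_SIZE and uuid.UUID(bytes_le=clsid_raw) == LNK_CLSID


def parse_lnk_header(data):
    """Return the header fields of a .lnk file as a dict."""
    if not is_lnk_header(data):
        raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
    (_size, _clsid, flags, attrs, ctime, atime, wtime, fsize,
     icon_idx, show_cmd, hotkey) = struct.unpack_from("<I16sIIQQQIIIH", data, 0)
    return {
        "link_flags": decode_bits(flags, LINK_FLAGS),
        "file_attributes": decode_bits(attrs, FILE_ATTRIBUTES),
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,                    # size of the target when linked
        "icon_index": icon_idx,
        "show_command": show_cmd,
        "hotkey": hotkey,
    }


def build_sample_header(ctime, atime, wtime, fsize, flags, attrs):
    """Construct a well-formed 76-byte ShellLinkHeader (synthetic test data)."""
    return struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID.bytes_le,
                       flags, attrs, ctime, atime, wtime, fsize,
                       0, 1, 0, 0, 0, 0)        # icon, SW_SHOWNORMAL, hotkey, reserved


if __name__ == "__main__":
    sample = build_sample_header(FT_2021_01_01, 0, FT_2021_01_01 + 864_000_000_000,
                                 4096, 0x81, 0x20)
    for key, value in parse_lnk_header(sample).items():
        print(f"{key:16} {value}")
```

Only the fixed header is parsed; the variable-length structures that follow (target ID list, LinkInfo with volume serial and network share, string data) are announced by the decoded LinkFlags and would be parsed next.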

2) File System and Disk Forensics
Storage disks have defined mechanisms, structures, and RAID configurations to store and retrieve data. The disk is divided into small units such as tracks and sectors to manage its operations efficiently [49], [120]. The operating system manages data in files, and each OS has a specific file system. The file system structure contains the information needed to keep data in files secure, precise, and easily accessible when needed. File system forensic analysis examines data in a volume (i.e., a partition or disk) and interprets it according to the file system. This process has many results, but examples include listing the files in a directory, recovering deleted content, and viewing the contents of a sector [16], [73]. In addition, files such as paging, hidden, configuration, swap, encrypted, misnamed, and deleted files can be helpful. The following features of a forensics toolkit broadly cover the requirements for file system and disk forensics:
• File system explorer: The user maintains files and folders in a hierarchical structure to keep data separated and easy to access. A forensic tool that provides the ability to analyze a file format must present this hierarchical view so that it is as easy for an investigator to view as it would have been for the suspect.
• Deleted file search & retrieval: Deleted file entries are removed from the file system, but the deleted content of files can still be found through carving. Recovery of such data/files is critical for the investigator; hence it is an essential forensic feature. It is supported by all toolkits shown in Table 7.
• Slack space: Slack space is the portion of the disk occupied by a file but not fully utilized by it. It may contain the residue of a file that previously existed in this portion and may contain a clue that leads to evidence. A forensic tool capable of retrieving such portions can be handy for the investigator. This feature is available in each tool listed in Table 7.
• HEX viewer: At the lowest level, files exist in the form of bits. Usually, hex values are analyzed by the investigator to get a clear picture of events, especially the metadata, which can be obtained and analyzed in hex form.
• Carving: In cases where the metadata about files has been deleted, file carving is employed to recover the data within the files.
• Volume Shadow Copy Service: Volume shadow copies are backup copies of Windows files taken during the ordinary course of using a machine. The shadow copy search module aids in the forensic analysis of these files.
• Registry: The Windows operating system maintains a registry to manage its tasks and record user activities and programs. The Windows Registry is one of the richest sources of digital evidence. Computer configurations, recently visited web pages and opened documents, connected USB devices, and many other artifacts can all be acquired by examining registry hives and keys.
• Malware analysis: As malicious software can damage a system, researchers have identified patterns to detect it and avoid such damage. Malware analysis includes various methodologies, like timeline reconstruction and comparison of malware hashes. A tool that can single out such files would be preferred by investigators.
• Hibernation/Paging/Swap Files: If an investigator receives a turned-off system, hibernation, swap, and paging files can be very helpful. When a system is hibernated, its current state and most recent RAM content are dumped to disk. Page and swap files are maintained on disk to utilize the RAM effectively. Identification, extraction, and analysis of hibernation/paging/memory dump files are vital for file system forensics.
• RAID reconstruction: An essential part of file system analysis is reconstructing a RAID map when given a set of disk images [118]. Information must be stored on disk in different RAID configurations based on the required balance between reliability, availability, performance, and capacity.

Table 7 depicts our analysis and findings using the features mentioned above, where Belkasoft Evidence Center and FTK prove to be promising tools in this domain. Redline is the most immature tool in this domain. XWays supports all necessary features, but it would be a wrong choice if the system received for investigation is powered off. Magnet Axiom provides all features except RAID reconstruction.
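The carving feature described above, as an added example that is not part of the survey or of any of the compared toolkits: a header/footer carver that recovers objects from a raw image without file-system metadata, and reports headers whose footer is missing (truncated or fragmented files, the case plain signature carving cannot reassemble). The "disk image" is constructed inside the script.

```python
"""Header/footer file carving over a raw image fragment.

Scans for byte signatures of file formats with fixed trailers, ignoring any
file-system metadata, which is the situation carving is meant for. The image
below is constructed in-line for the example; it is not a real disk image.
"""
import hashlib

# (type name, header signature, footer signature)
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]
MAX_CARVE = 16 * 1024 * 1024     # stop looking for a footer after 16 MiB


def carve(image, signatures=SIGNATURES):
    """Return (carved, orphans): complete header..footer objects found, and
    headers with no footer in range (truncated or fragmented files)."""
    carved, orphans = [], []
    for name, header, footer in signatures:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_CARVE)
            if end == -1:
                orphans.append({"type": name, "offset": pos})
                pos = image.find(header, pos + 1)     # keep scanning past it
                continue
            end += len(footer)
            blob = image[pos:end]
            carved.append({
                "type": name,
                "offset": pos,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),   # for the evidence log
                "data": blob,
            })
            pos = image.find(header, end)
    carved.sort(key=lambda h: h["offset"])
    return carved, orphans


# Constructed sample image: filler, a JPEG-like object, some slack, a PNG-like
# object, then a JPEG header whose body was overwritten (so no footer follows).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + b"\xff\xd9"
FAKE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x02" * 17
            + b"\x00\x00\x00\x00IEND\xae\x42\x60\x82")
JPEG_OFFSET = 512
PNG_OFFSET = JPEG_OFFSET + len(FAKE_JPEG) + 100
SAMPLE_IMAGE = (b"\x00" * JPEG_OFFSET + FAKE_JPEG + b"\x00" * 100 + FAKE_PNG
                + b"\x00" * 64 + b"\xff\xd8\xff\xe1" + b"\x00" * 32)


if __name__ == "__main__":
    found, lost = carve(SAMPLE_IMAGE)
    for h in found:
        print(f"{h['type']:5} offset={h['offset']:6} size={h['size']:5} "
              f"sha256={h['sha256'][:16]}...")
    for o in lost:
        print(f"unterminated {o['type']} header at offset {o['offset']}")
```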

3) Live Memory Forensics
A few years ago, digital forensics procedures were mainly based on static analysis of the system. The typical step for static analysis was "pulling the plug" so that the information on the disk does not change [121], [80]. With the advancement of technology (i.e., increased disk storage capacity, etc.) and techniques (i.e., data encryption, password protection, memory-resident malware, etc.), the importance of the volatile data residing in memory (RAM) has been realized. RAM is an intermediate memory between the processor and secondary storage. It gives access to running process information, associated DLLs, handles, open files, decrypted data, the registry, user passwords and activities, and connection and session details. RAM analysis allows access to data in ways that yield transparent information which otherwise could not have been obtained [79]. This can help reveal hidden processes, information hidden by malware, decrypted data/passwords, and many other interesting pieces [122].
Operating systems manage their activities through kernels residing in RAM by defining kernel and user spaces. The kernel performs memory, resource, and device management by maintaining complex data structures. Several tools are designed to perform memory forensics using specialized techniques to access these memory structures. In this part of the paper, we compare some memory forensic tools based on the attributes or features required to perform analysis [78]. Volatility, Rekall, F-Response, and Windows Scope are specific tools that support live memory forensic analysis. Some of the prominent features provided by live memory tools are as follows:
• Command Line/Graphical User Interface (CLI/GUI): Some tools provide a user-friendly GUI, others provide only a command-line interface, and some provide both.
• Remote access: An investigator may want to capture memory remotely for analysis. Tools can load agents onto the target machine and perform the required operations remotely.
• Acquisition: As acquisition is the initial phase of digital forensics, this attribute shows whether the tool can dump memory by itself. Several challenges are associated with memory acquisition, i.e., the volatility of data, loading of new processes, and modification of memory. Since analysis is performed on a separate system, some tools only support analysis, not acquisition.
• Multi-user: Multiple investigators working on the same case may require a tool that allows multiple users to maintain their activities separately, so memory forensics tools are also analyzed on this basis.
• Supported formats: The growth of technology has introduced new ways to acquire memory dumps. For example, Windows allows hibernation, which creates hiberfil.sys on disk so that the system state and processes can be restored on power-up. Similarly, VMware produces a .vmem file, which can be extracted and analyzed in some tools. A list of memory dump formats supported by each tool is given in Table 4.
• Source OS: Every operating system has its own structure for managing operations in memory. To analyze a memory dump, it is necessary to know which OS versions a forensic tool supports.
• Carving: A memory dump contains several data structures that may yield forensic information. Known extraction techniques for memory are traversing, pool tag scanning, and pattern-based extraction. In traversing, information is extracted by following doubly linked lists (i.e., the process list, DLL lists, etc.). A search for pool tags can help reveal unlinked objects or ones that try to hide. It is also possible to scan dumps for specific patterns. This feature is available with every toolkit mentioned in Table 9.
• Data recovery: A tool can recover data that has been deleted, corrupted, or hidden in memory. Since deleting an object generally removes only its entry, the associated content and some related information remain and are recoverable as long as they have not been overwritten. This feature is supported by every tool mentioned in Table 9.
• Slack space: If a tool can look into space reserved for a data structure where part of it is not currently in use and contains the leftovers of previously existing data, it may lead to evidence [123]. This feature is available in every tool shown in Table 9.
• Static or live analysis: Live analysis is performed on critical systems that should not be powered off, or when imaging a large RAM would take too long [35]. It is inherently inconsistent but nevertheless useful against anti-forensic techniques that affect static analysis [124]. The live analysis feature is also supported by all tools shown in Table 9.
• Swap space: Memory management creates swap space to allow optimal access for the current application. This space holds information about processes that are not currently active, yet recoverable [124], and may contain forensic evidence, as discussed by Savoldi [123].
• Graphical access view: A tool may provide output that can be presented graphically, either through its embedded viewer or a third-party viewer, to better show how objects are related/linked to each other.
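The difference between traversing a doubly linked list and scanning for pool tags, described under Carving above, as an added example that is not part of the survey or of the tools it compares: a constructed memory image contains process records joined in a linked list, one of which has been unlinked; the list walk misses it, the tag scan finds it, and the difference between the two views exposes the hidden record. The record layout and the tag are invented for the illustration and are not the Windows kernel's structures.

```python
"""List walking versus tag scanning over a memory image.

A constructed little-endian memory image holds process records joined in a
doubly linked list; one record has been unlinked, as a rootkit hiding its
process would do. Walking the list (Volatility's pslist approach) misses it;
scanning for the record's pool-style tag (the psscan approach) finds it, and
the difference between the two views is the hidden process. The record layout
used here is invented for the example and is not the Windows _EPROCESS layout.
"""
import struct

TAG = b"Proc"                                   # pool-style tag starting a record
RECORD = struct.Struct("<4sIII16s")             # tag, pid, flink, blink, name
LIST_HEAD = 0x40                                # offset of the list head (flink, blink)
IMAGE_SIZE = 0x1000


def build_sample_image():
    """Construct the image: three records, the third not reachable from the head."""
    img = bytearray(IMAGE_SIZE)
    struct.pack_into("<II", img, LIST_HEAD, 0x100, 0x200)   # head -> 0x100, tail 0x200
    records = [
        (0x100, 4, 0x200, LIST_HEAD, b"explorer.exe"),
        (0x200, 620, LIST_HEAD, 0x100, b"svchost.exe"),
        (0x300, 1337, 0x100, 0x200, b"hidden.exe"),   # unlinked: nothing points here
    ]
    for off, pid, flink, blink, name in records:
        RECORD.pack_into(img, off, TAG, pid, flink, blink, name.ljust(16, b"\0"))
    return bytes(img)


def _name(raw):
    return raw.rstrip(b"\0").decode("ascii", "replace")


def walk_list(img):
    """Traverse the doubly linked list from the head; returns [(pid, name)]."""
    flink, _blink = struct.unpack_from("<II", img, LIST_HEAD)
    seen, out = set(), []
    while flink != LIST_HEAD and flink not in seen:
        seen.add(flink)                          # guard against pointer loops
        if flink + RECORD.size > len(img):
            break                                # pointer runs off the image
        tag, pid, flink_next, _blink, name = RECORD.unpack_from(img, flink)
        if tag != TAG:
            break                                # corrupted link: stop walking
        out.append((pid, _name(name)))
        flink = flink_next
    return out


def scan_tags(img):
    """Find every record by its tag, linked or not; returns [(offset, pid, name)]."""
    out, pos = [], img.find(TAG)
    while pos != -1 and pos + RECORD.size <= len(img):
        tag, pid, flink, blink, name = RECORD.unpack_from(img, pos)
        # plausibility checks weed out random byte matches, as real scanners do
        if 0 < pid < 65536 and flink < len(img) and blink < len(img):
            out.append((pos, pid, _name(name)))
        pos = img.find(TAG, pos + 1)
    return out


def hidden_processes(img):
    """Cross-view comparison: records found by scanning but not by walking."""
    walked = {pid for pid, _ in walk_list(img)}
    return [(pid, name) for _, pid, name in scan_tags(img) if pid not in walked]


if __name__ == "__main__":
    image = build_sample_image()
    print("list walk :", walk_list(image))
    print("tag scan  :", scan_tags(image))
    print("hidden    :", hidden_processes(image))
```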
Volatility, Rekall, F-Response, Redline, Encase, Belkasoft Evidence Center, and Windows Scope are prominently used memory forensics tools. Table 8 presents the analysis and findings for these tools based on generic features such as licensing status, supported platforms, interface (CLI/GUI), supported memory formats, and source operating system. Volatility seems the better choice with its multi-OS and multi-format support and open license, albeit with a command-line interface only.
In Table 9, we present an extensive feature-wise analysis of memory forensic tools. Malware detection, rootkit identification, and timeline analysis are core features of all these tools. Rekall and Volatility are appropriate choices with an open license. Belkasoft is the most promising proprietary tool but does not support operating systems other than Windows.

4) Web Forensics
Most web activities are performed using a web browser and the web applications linked to it [125]. The complete user activity is recorded in web storage, and many artifacts related to emails, visited web pages, chats, and search queries can be retrieved. Every OS and browser manages these artifacts differently, and a careful OS- and browser-specific analysis can help trace a crime [87], [126]. The authors of [127] presented a forensic model to investigate web activity in which disk and live memory images are acquired to access web activity and search engine records. Later, a sort-match or statistical analysis is performed to establish a correlation with a specific crime, as discussed in [128], [129], [130]. These activities can critically represent human behavior. The noteworthy features of the web forensic tools presented in Table 10 are as follows:
• Supported browsers: Each browser application has its own structures for managing data, and it is necessary to know which browsers a forensic tool supports. A generic forensic tool supporting multiple browsers would in general be the better choice for an investigator [127].
• Bookmarks: Since a user bookmarks important links (URLs) that they use frequently, a correlation can be established by obtaining the important links a criminal might be using.
• History: A browser maintains a record of each website visited and keeps it for a specific duration. Useful information such as when and how frequently a website was visited, by whom, and what activity was performed on it can be processed intelligently.
• Cookies: Browsers use cookies to keep user browsing information and manage necessary web functionality (add-ons, items on display, etc.), and cookies are helpful in traffic analysis. Access to them can reveal name, domain, content, path, and creation and expiry times.
• Downloads: The browser keeps information about files downloaded from websites. Some cases may require investigation of the downloaded files.
• Search queries: Browsers log every searched keyword. An investigator might be interested in determining a suspect's search profile concerning a particular crime, such as which search engine was used, which keywords were searched, and when.
• Cache: To provide faster access to data and to maintain some information about previous sessions, requested data is kept in cache files. URL, content type, file size, accessed date and time, server time, expiry time, server response, ETag, and cache-control values can be extracted from the cache.
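The History, Downloads, and Search queries artifacts above, as an added example that is not part of the survey or of any toolkit it compares: the script builds an in-memory SQLite database whose tables are modelled on the urls, visits, and downloads tables of Chromium's History file (columns reduced to those used here), fills it with constructed rows, converts the WebKit timestamps to UTC, and merges visits and downloads into one timeline. The rows, the URLs, and the download path are constructed sample data.

```python
"""Timeline from a Chromium-style browser History database (added example).

Builds an in-memory SQLite database whose tables are modelled on the `urls`,
`visits` and `downloads` tables of Chromium's History file (columns reduced to
those used here), fills it with constructed rows, and converts the WebKit
timestamps (microseconds since 1601-01-01 UTC) into readable UTC times.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    """Chromium stores times as microseconds since 1601-01-01 UTC; 0 = unset."""
    return None if not us else _WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse conversion; integer division keeps the value exact."""
    return (dt - _WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Create the constructed History database in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, total_bytes INTEGER,
                                tab_url TEXT);
    """)
    t0 = datetime(2021, 3, 4, 9, 30, tzinfo=timezone.utc)   # constructed session start

    def wk(minutes):
        return datetime_to_webkit(t0 + timedelta(minutes=minutes))

    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://search.example.org/search?q=evidence+handling", "search", 2, wk(15)),
        (2, "https://files.example.org/docs/report.pdf", "report", 1, wk(20)),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?)",
                    [(1, 1, wk(0)), (2, 1, wk(15)), (3, 2, wk(20))])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?)",
                (1, r"C:\Users\user\Downloads\report.pdf", wk(21), 204800,
                 "https://files.example.org/docs/report.pdf"))
    con.commit()
    return con


def history_timeline(con):
    """Merge visits and downloads into one chronological list of events."""
    rows = con.execute("""
        SELECT v.visit_time AS ts, 'visit' AS kind, u.url AS detail
          FROM visits v JOIN urls u ON u.id = v.url
        UNION ALL
        SELECT start_time, 'download', target_path || ' <- ' || tab_url
          FROM downloads
        ORDER BY ts
    """).fetchall()
    return [(webkit_to_datetime(ts), kind, detail) for ts, kind, detail in rows]


def search_queries(con, param="q"):
    """Recover search terms from visited URLs (the 'Search queries' artifact)."""
    out = []
    for url, last in con.execute("SELECT url, last_visit_time FROM urls"):
        terms = parse_qs(urlsplit(url).query).get(param)
        if terms:
            out.append((webkit_to_datetime(last), terms[0]))
    return out


if __name__ == "__main__":
    db = build_sample_history()
    for when, kind, detail in history_timeline(db):
        print(when.isoformat(), kind, detail)
    print("searches:", search_queries(db))
```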
General and feature-specific comparisons of well-known toolkits in the web forensics domain can be observed in Tables 10 and 11, respectively. For example, Encase and Redline have the broadest multi-browser support and support most web forensics features, while ProDiscover Basic does not support database queries.

5) Email Forensics
Email is electronic communication over the Internet that carries messages to deliver files, documents, and other transaction elements. An email, when transmitted, contains the source, content, actual sender and receiver information, date/time, protocols, and server information. The email service used can be either webmail or a local mailbox. A criminal can misuse email to send viruses, worms, or trojans and may transmit phishing emails or spam or perform other illegitimate activities. Email forensics uses header analysis, sender fingerprints, server-side and network-device-based investigation, or software-embedded identifiers. For the analysis of forensic tools for email, we have chosen the following features:
• Header: According to [131], a thorough investigation of email headers should include examining the sender's email address, the message initiation protocol (HTTP vs. SMTP), the message ID, and the sender's IP address. The well-known mailbox formats include OST and PST files (MS Outlook), NSF files (Lotus Notes), mbox and Maildir (the two primary local mail storage formats used by Linux email clients), and Apple Mailbox [97]. In addition, for webmail the investigation includes analysis of system files (pagefile.sys, swapfile.sys, and hiberfil.sys) [118]. It also includes supporting artifacts such as the protocols used (SMTP or HTTP), metadata, keyword searching, port scanning, etc. [132].
• Email type: Describes whether the tool supports analysis in online or offline mode.
• Modules: Describes which modules the tool uses to view emails.
• Search option: A tool can perform routine searches, indexed searches, attachment searches, and connection graphs.

Table 12 presents a comparative analysis of the email forensics features provided by the chosen toolkits. Belkasoft Evidence Center seems the most powerful toolkit, with offline and online email analysis features and support for multiple mailboxes.
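The header checks listed under Header above, as an added example that is not part of the survey or of any toolkit it compares: the script reads a constructed message with the standard library, walks the Received chain bottom-up (each relay prepends its own line, so the oldest hop is closest to the sender) to recover the sender's IP address and the initiation protocol, and extracts the Message-ID and sender address. The Reply-To domain comparison is an addition beyond the list; all addresses and hosts are constructed documentation values.

```python
"""Header analysis for e-mail forensics (added example).

Carries out the header checks on a constructed message: the sender's address,
the message initiation protocol recorded by the first relay, the Message-ID and
its domain, and the sender's IP address taken from the oldest Received header.
Received lines are read bottom-up because each relay prepends its own line.
The Reply-To comparison is an extra check. Addresses use documentation ranges.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not a real message.
SAMPLE_MESSAGE = """\
Received: from mx.example.com (mx.example.com [198.51.100.7])
    by inbox.example.net with ESMTP id abc123
    for <victim@example.net>; Thu, 04 Mar 2021 09:31:02 +0000
Received: from webmail.example.com (unknown [203.0.113.42])
    by mx.example.com with HTTP; Thu, 04 Mar 2021 09:30:58 +0000
Message-ID: <20210304093058.1234@webmail.example.com>
From: "Accounts Payable" <ap@example.com>
Reply-To: someone@example.org
To: victim@example.net
Subject: Invoice attached
Date: Thu, 04 Mar 2021 09:30:55 +0000

Please see the attached invoice.
"""

# from <helo> (<rdns> [<ip>]) ... by <host> ... with <protocol>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z]+))?",
    re.S,
)


def parse_received(value):
    """Split one Received header into helo, rdns, ip, receiving host, protocol, time."""
    m = RECEIVED_RE.search(value)
    hop = m.groupdict() if m else {}
    if ";" in value:                         # the date-time follows the last ';'
        hop["time"] = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    return hop


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw):
    """Return the header facts an investigator checks first."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()                           # oldest hop first: closest to the sender
    origin = hops[0] if hops else {}
    _display, from_addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    msgid = msg.get("Message-ID", "").strip()
    return {
        "from": from_addr,
        "reply_to_mismatch": bool(reply_to) and _domain(reply_to) != _domain(from_addr),
        "message_id": msgid,
        "message_id_domain": _domain(msgid).rstrip(">"),
        "origin_ip": origin.get("ip"),
        "origin_protocol": origin.get("proto"),
        "origin_rdns_missing": origin.get("rdns") in (None, "", "unknown"),
        "hops": hops,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_MESSAGE)
    for key, value in report.items():
        if key != "hops":
            print(f"{key:20} {value}")
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: {hop.get('ip')} ({hop.get('helo')}) -> {hop.get('by')} "
              f"with {hop.get('proto')} at {hop.get('time')}")
```

Only the oldest hop that the investigator's own infrastructure did not write can be trusted; Received lines below the first trusted relay may have been inserted by the sender, so the report lists every hop rather than only the origin.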

6) Network Forensics
Most cyber-attacks are also performed over networks [133]. A network is a collection of devices connected to communicate. Networks can be classified by nature (LAN/MAN/WAN), accessibility (public/private/hybrid), and medium (wired or wireless) [99]. User accountability while communicating on the network is essential, and forensic analysis of networks is critical. The authors of [134] presented a taxonomy for carrying out network forensic processes.
Network forensics refers to determining the source of an attack and collecting evidence by proactively monitoring and analyzing network traffic, which is highly dynamic and volatile. A network comprises several essential components such as switches, routers, firewalls, intrusion detection systems, and IoT devices [135], [136], [137], [138], [139]. Information is distributed across them and can be collected and analyzed based on several features. There are specialized tools for network forensics: NetworkMiner, LogRhythm, Plixer, NIKSUN, Nmap, and Xplico are some of the well-known ones [140]. The following features have been identified for comparison:
• NetFlow: A tool capturing packets can reveal source and destination addresses and the protocols used to communicate among nodes, summarize conversation/session periods, and count the packets captured. In addition, the tool may present protocol-specific statistics such as RTP statistics, response time, TCP retransmissions, VoIP calls, etc. This necessary feature is available in all the tools mentioned above.
• OS fingerprints: The operating system is an essential consideration when designing and implementing security controls on either the network or the local machine. Therefore, a tool must determine the OS fingerprint to narrow down the problem.
• Port scanner: Allows probing a system for open ports, which can help establish whether the system was exposed to a particular kind of attack.
• Banner grabber: In support of port scanning, it allows determining which services, and which versions of them, were running on the system's open ports.
• Threat analysis: Some tools may detect intrusion patterns using IDS/IPS capabilities and determine threat impact levels by heuristic methods.
• Recover data: Several vital contents, such as files, emails, and VoIP data, are regularly communicated over the Internet. Therefore, a tool recovering these from network traffic can be helpful for a forensic investigation. Besides, a tool can reassemble raw PDUs from multiple TCP segments and reveal important contents.
• Extract user credentials: Since network packets may carry passwords and other session-critical information used to authenticate users over the Internet/network, a forensic tool can detect and extract such information to serve the investigator's purpose.
• Encrypted traffic: Traffic encryption is an increasing trend, as experts recommend it to keep conversations secure. Although encryption of network traffic prevents deep packet inspection, there are tools to detect and prevent attacks. This is provided by all the tools shown in Table 14.
• Log collection: As network devices maintain logs for security and audit purposes, a tool can collect these logs and produce information regarding the particular event that led to a cyber-attack.
• Remote analysis: A network forensic tool can perform forensic analysis by connecting remotely and may present an analysis report to maintain a record.

The authors of [141] presented critical research areas such as social network and cloud computing forensics. A general comparison of network forensic tools based on licensing status and supported OS can be found in Table 13, and a comparison concerning specific features can be found in Table 14. It can be observed that, except for Plixer, all the network forensic tools are open source, and Nmap supports most operating systems. However, the banner grabber feature is provided by Nmap only, and Xplico can perform data recovery only.

7) Multimedia Forensics
In this technology era, users enjoy intelligent devices, high-bandwidth connections, and large amounts of diverse storage space. Using different software platforms, people share massive amounts of multimedia content on social sites as images, text, audio, software, and videos [142]. This rise has also caused an increase in cybercrimes, including harassment, content forgery, intellectual property theft, and repudiation. Governments need continuous monitoring to combat such crimes. However, it is a complex task for the investigator to go through all the records for a particular event. Automating the investigation process and using multimedia forensic tools can be a solution, as discussed in 12 and [143].
Digital visual media represents one of the principal means of communication nowadays. Digital images are the target   This type of analysis looks for information about where a picture was taken and who is in it. Image analysis also includes examining images for evidence of steganography.
Video analysis can automatically analyze video to detect and determine temporal and spatial events, while forensic video analysis compares and evaluates video in legal matters [100]. Digital video is used in security cameras, personal video cameras, and webcams. Investigations of online predators can sometimes involve digital video from webcams. This type of analysis examines the video for the identity of objects and the location where it was shot. Forensic video analysis has been used in various high-profile cases, international disagreements, and conflict zones. The following features should be available in any multimedia forensics tool:
• Image authentication: Image ballistics is used to match metadata and file structure against the features of the available device (i.e., digital camera, make and model, etc.). Active authentication can be performed by obtaining the watermark or digital signature embedded while recording or sending, usually to protect copyrights. Images without an embedded code can instead be passively assessed for integrity.
• Clarification: Clarifying video footage means removing noise, interlacing lines, and video graininess. Transient items like rain and snow are removed, revealing hidden details. Blurring caused by interlacing, lens blur, and camera/subject motion is reduced, and images are significantly improved with multi-frame and velocity reconstruction processing technologies for the best possible enhancement.
• Image sequence compilation: Converts a set of images into a video for analysis or courtroom presentation.
• Highlighting or pixelation: Focuses the viewer on a user-defined area of interest to provide insight into the case.
• Reconstruction of distorted video/image: Reconstructs, as a complete image, a subject that is only partially visible at any one time. For example, a car passes by, but only part of the car is visible at any moment; a mosaic image is created that stitches the whole car together and renders it as a still.
• Interlacing and de-interlacing: Allows lossless conversion between interlaced and progressive video.
• Object detection: Detects objects in an image or video, such as a human, a car, or a weapon.

InstaForensics, Amped, Cognitech, FMDES, AMR, and Detective are essential specialized tools for multimedia forensics. A detailed comparison of these tools based on the features mentioned above is presented in Table 15: InstaForensics and Cognitech are promising tools providing various features.
In this section, we analyzed eight computer forensic toolkits in general, and then we had a detailed study on features provided by these toolkits in different computer forensic domains.
A forensic investigator handles each case according to its unique requirements, following set protocols for evidence collection, acquisition, examination, and reporting while maintaining the chain of custody and preserving the integrity of the evidence. The choice of a forensic tool depends on the case requirements; however, in some cases the investigator needs to make choices based on the features supported by a tool. This work's primary goal is to help the investigator decide when selecting forensic toolkits. This section proposes a mathematical scoring model to compare the forensic toolkits in general and then their strength in each forensic domain. A feature supported by a forensic toolkit is given 2 points, and an unsupported feature is given 0 points. We have assigned equal weights to all features, since a feature may be necessary in one forensic investigation case but unimportant in another. Therefore, all features are treated equally in the proposed model. The points of the supported features are summed up, and the score is normalized between 0 and 100.
The scores of the toolkits are calculated using Equation (1) to rank the best toolkit. Scores range between 0 and 100, where 100 is the maximum score, indicating the best toolkit.
where S represents the overall score of tool t, n denotes the total number of tools, f is the score of a particular feature that a tool supports, and F is the total number of features in the tool. Table 16 shows the scores obtained by various forensic toolkits for 9 features to rank tools for operating system analysis. For example, the table shows that for the investigation of operating system artifacts using open-source tools, FTK, Autopsy, Redline, and ProDiscover Basic scored 100, 60, 55, and 55, respectively. In contrast, the proprietary toolkits Encase, Belkasoft, OSForensics, and XWays scored 66, 88, 88, and 66 out of 100, respectively. Thus, our study suggests using FTK, or OSForensics among proprietary toolkits, to investigate the operating system. Table 17 includes the total score and percentage score in the file system and disk forensics domain for 9 features. FTK and Autopsy scored 100 and 88 percent among open-source toolkits; among proprietary toolkits, Belkasoft scored the highest at 100, OSForensics and XWays scored 88, and Encase scored 77 out of 100. Our study suggests using FTK and Autopsy as freeware tools and Belkasoft as a paid tool to investigate the file system and disk. Belkasoft provides the unique functionality of RAID reconstruction not provided by any other toolkit.
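The scoring model described above (2 points per supported feature, 0 otherwise, equal weights, sum normalized to 0..100), carried through in code as an added example that is not part of the survey: the feature matrix and tool names are constructed for illustration and are not the survey's Table 16. Percentages are truncated to whole numbers, which is how the scores quoted in the text (66, 77, 88) appear.

```python
"""Feature Scoring Model (FSM) as described in the text (added example).

Each supported feature earns 2 points, an unsupported one 0; the points are
summed and normalised to 0..100 with equal weights. The feature matrix below
is constructed for illustration and is not the survey's own table.
"""

POINTS_SUPPORTED = 2
POINTS_UNSUPPORTED = 0


def fsm_score(supported_flags):
    """Score one tool: sum of feature points, normalised to 0..100 (truncated)."""
    total_features = len(supported_flags)
    if total_features == 0:
        raise ValueError("a tool must be scored against at least one feature")
    points = sum(POINTS_SUPPORTED if s else POINTS_UNSUPPORTED for s in supported_flags)
    return points * 100 // (POINTS_SUPPORTED * total_features)


def rank_tools(feature_matrix):
    """Return [(tool, score)] best-first, ties broken by tool name."""
    scores = {tool: fsm_score(flags) for tool, flags in feature_matrix.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def missing_features(feature_matrix, features):
    """For each tool, the features it lacks: the detail a single score hides."""
    return {tool: [f for f, s in zip(features, flags) if not s]
            for tool, flags in feature_matrix.items()}


# Constructed example: 9 operating-system features, 4 hypothetical tools.
OS_FEATURES = ["LNK files", "Prefetch", "Event Log", "Recycle Bin", "Services",
               "Registry", "Installed programs", "User activity", "AmCache"]
SAMPLE_MATRIX = {
    "Tool A": [1, 1, 1, 1, 1, 1, 1, 1, 1],
    "Tool B": [1, 1, 1, 1, 0, 1, 1, 1, 1],
    "Tool C": [1, 1, 1, 0, 0, 1, 1, 0, 1],
    "Tool D": [1, 0, 1, 0, 0, 1, 0, 0, 1],
}

if __name__ == "__main__":
    for tool, score in rank_tools(SAMPLE_MATRIX):
        gaps = ", ".join(missing_features(SAMPLE_MATRIX, OS_FEATURES)[tool]) or "none"
        print(f"{tool}: {score:3d}  missing: {gaps}")
```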
The comparative score for the investigation of live memory artifacts based on the FSM using seven features is shown in    Six investigation tools for multimedia forensics were also analyzed using the FSM, and the scores are shown in Table 22. Our study suggests using InstaForensics or Cognitech to investigate multimedia artifacts, as their FSM-based scores are the highest among all tools used in this study. Figure 5 summarizes our findings based on our proposed Feature Scoring Model (FSM). Initial feature-based analysis in each computer forensic domain, followed by score-based analysis of the toolkits, revealed that FTK is the most appropriate toolkit for investigating operating system artifacts, as it enables the user to perform services analysis. FTK is the best choice for file system and disk forensics and outclasses all other forensic toolkits for email-related investigation.       tems and provides most of the required features. Multimedia artifacts can be examined effectively using the InstaForensics or Cognitech toolkits, as shown in Figure 8.

V. DISCUSSION
Cybersecurity attacks continue to grow in number and sophistication, and the costs of these incidents are more substantial than ever before [144]. With the increasing rate of cybercrimes worldwide, of diverse nature and complexity, ranging from content forgery and financial data fraud to cyber terrorism involving large groups and governments, the need for computer forensic algorithms, solutions, and tools has arisen [145], [146], [147], [148]. As a result, governments and organizations have started taking this seriously and are developing and applying laws and standards related to cybercrimes, digital evidence, search and seizure methods, evidence recovery, investigation, and reporting processes. Cybercriminals are growing more sophisticated in their use of technologies that allow them to hide their conduct better than ever. Financial losses caused to large organizations on an ongoing basis have compelled them either to employ a computer forensic agency or to hire computer forensic investigators to protect them from attacks and solve cases by performing competent and thorough investigations in a reduced time frame. Investigators must follow the investigation process in accordance with local laws and established standards, ensuring the integrity of the evidence and proving the case in a court of law.
In this study, our findings based on the FSM show that the FTK forensic toolkit outperformed the other toolkits in four major fields of computer forensics (i.e., operating system forensics, file system forensics, web forensics, and email forensics), while Belkasoft Evidence Center outperformed the other toolkits in the live memory forensics domain. NetworkMiner outperformed the other toolkits in the network forensics domain. Magnet Axiom only covers the artifacts collected through data recovery, which is the reason behind its low scores. An excellent forensic tool helps investigators sort and analyze the large volumes of data obtained from different sources. An intelligent selection of tools based on supported features using our proposed Feature Scoring Model would reduce investigation time and effort. We observed in this study that several features provided by video and audio forensic tools are limited and time-consuming, and real-time forensic solutions for video/audio/network stream data are missing.
The results of digital forensic tools must be repeatable and reproducible to assess "trueness and precision." Repeatability ensures that independent test results are obtained with the same method, identical test items, in the same laboratory, by the same operator, using the same equipment within short intervals. Reproducibility ensures that the test results are obtained with the same method on identical test items in different laboratories with different operators using different equipment. The investigator must follow a repeatable and well-documented set of steps such that every iteration of analysis gives the same findings. In this study, we relied on the information provided by vendors and users of forensics toolkits; therefore, the repeatability and reproducibility of results produced by these toolkits are not assessed.

A. FUTURE RESEARCH DIRECTIONS
Cybercriminals wreak havoc in many ways: identity theft, money laundering, threats to personal safety, blackmail, unauthorized access to private data, sexual harassment, corruption, and other cybercrimes that involve sensitive information and delicate data. Current digital forensics presents a variety of unique challenges; the technological, legal, and resource challenges faced during an investigation are discussed under Challenges below. The following directions emerge from this survey.

Generation of Structured Data: One significant future research challenge is generating structured data from hybrid (structured and unstructured) data efficiently and automatically. Future researchers should take the operating system into account when generating structured data, and should consider the standard semi-structured formats used for the different data types.

Domain Case Study: A case-specific study can be conducted for each domain to assess the repeatability and reproducibility of the results generated by each forensic toolkit, which this survey does not assess.

Advanced Forensic Tools: Future work includes mapping advanced digital forensic tools and improving information precision, high-speed evidence collection, reduction of evidence complexity, consistent and up-to-date quality of tools and investigation techniques, evidence security, the use of blockchain in evidence handling, and other protection measures, by carrying out a comparative investigation of the available forensic tools.

Machine Learning and Deep Learning for Forensics: Automated forensic tools using machine learning and deep learning algorithms are required that learn users' normal usage behavior from system logs and raise an alarm, or take action, on anomalous behavior before harm is done [149]. Such behaviors should be reported to and analyzed on a dedicated, separate machine, so that an attacker who controls the monitored host cannot alter the record.

Proactive Forensic Approach: A proactive forensic approach can be a good solution for crime prevention. Automated post-breach software forensic tools that collect evidence proactively without compromising user privacy are required.

Anti-Forensic Tools: Having anti-forensic tools aligned with the operating system is proposed as a solution for large organizations to combat internal cyber-attacks. Speaker identification from large volumes of audio data, and object detection and identification from bulk image and video data, need to be designed and improved. For example, an investigator might be interested in finding videos containing a specific type of weapon, or people of a particular age group or gender [150].

Digital Forensic Ontologies: The standardization of digital forensic ontologies is another significant future research challenge, because most of the frameworks and techniques in the existing research literature are built for custom applications and domains. Proprietary implementations hinder the general use and global deployment of digital forensic tools.

AI and Digital Forensics: AI is the future of digital forensics from the perspective of automation. Researchers should identify AI's role in the "Evidence Analysis" phase. In the future, digital forensic AI will process data and develop hypotheses that can be presented in a court of law.

Blockchain for Forensics: Blockchain can serve several purposes in a digital forensic investigation, including evidence collection, preservation, validation, and analysis. With blockchain, traceability can be achieved and the records become immutable. In practice the ledger holds hashes of the evidence and of each custody event rather than the evidence itself; immutability then protects the custody record, and the evidence is verified against the stored hashes.
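As an added illustration of the log-driven behavioral monitoring envisioned under "Machine Learning and Deep Learning for Forensics" (this is example code, not the survey's or any cited tool's, and it uses a learned baseline with simple deviation rules rather than a trained neural model), the block below learns each user's normal login hours and source hosts from a training window of constructed authentication log lines, then flags later events that deviate and bursts of failed logins. The log format, user name, host names and thresholds are assumptions for illustration.

```python
"""Added example: baseline-and-deviation detector over constructed auth logs.
Not from the survey; the format, users, hosts and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> ACCEPT|FAIL user=<name> src=<host>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed training window: alice logs in from workstations in office hours.
TRAINING = [
    "2024-03-04T08:55:10 ACCEPT user=alice src=ws-01",
    "2024-03-04T13:02:41 ACCEPT user=alice src=ws-01",
    "2024-03-05T09:10:02 ACCEPT user=alice src=ws-01",
    "2024-03-05T17:45:33 ACCEPT user=alice src=ws-02",
    "2024-03-06T08:30:00 ACCEPT user=alice src=ws-01",
]

# Constructed detection window: normal activity plus a 03:12 login from an
# unseen address that follows a burst of failures.
DETECTION = [
    "2024-03-07T09:01:12 ACCEPT user=alice src=ws-01",
    "2024-03-08T03:12:01 FAIL user=alice src=10.9.8.7",
    "2024-03-08T03:12:03 FAIL user=alice src=10.9.8.7",
    "2024-03-08T03:12:06 FAIL user=alice src=10.9.8.7",
    "2024-03-08T03:12:09 ACCEPT user=alice src=10.9.8.7",
    "2024-03-08T13:30:00 ACCEPT user=alice src=ws-02",
]


def parse(lines):
    """Yield parsed events; lines in an unknown format are skipped, not fatal."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
               "user": m["user"], "src": m["src"]}


def build_baseline(lines):
    """Per-user set of observed login hours and source hosts (successes only)."""
    base = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for ev in parse(lines):
        if ev["result"] == "ACCEPT":
            base[ev["user"]]["hours"].add(ev["ts"].hour)
            base[ev["user"]]["srcs"].add(ev["src"])
    return base


def detect(lines, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (timestamp, user, reason) alerts: failure burst within the
    window, login at an hour never seen for the user, or login from an
    unseen source; a user with no baseline is itself an alert."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of FAILs in window
    for ev in parse(lines):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            recent_fails[user] = fails
            if len(fails) == fail_threshold:  # fire once per burst
                alerts.append((ts, user, "failure_burst"))
            continue
        b = baseline.get(user)
        if b is None:
            alerts.append((ts, user, "unknown_user"))
            continue
        if ts.hour not in b["hours"]:
            alerts.append((ts, user, "unusual_hour"))
        if ev["src"] not in b["srcs"]:
            alerts.append((ts, user, "new_source"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(DETECTION, build_baseline(TRAINING)):
        print(ts.isoformat(), user, reason)
```

The baseline is deliberately built from successful logins only, so an attacker's failed attempts cannot teach the detector that the attacker's host is "normal"; in a deployment the baseline and the alerts would live on the separate analysis machine the text calls for, fed by forwarded logs, so that a compromised host cannot rewrite its own history.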

B. CHALLENGES
Technological Challenges: Technological challenges include whole-drive encryption, overwritten memory data, securely wiped storage disks, forged data, anti-forensic tools, the scale of cloud resources, the fast evolution of devices, the shift towards IoT, malware attacks, crimes executed from safe havens beyond the investigator's reach, and botnet attacks [151], [152], [153], [154]. Legal Challenges: Investigators have to preserve the integrity of the evidence and must investigate without violating the privacy of the accused or of the organization. Resource Challenges: A challenge for researchers in the digital forensics domain is the unavailability of benchmarks and standard data sets against which research findings can be compared. Resource challenges also include the massive time consumed by evidence collection, the limited number of investigation tools and investigators, and evidence that is distributed across many sources. Figure 9 provides an overview of digital forensics challenges.

VI. CONCLUSION
This paper presented the current state-of-the-art research on computer forensics and shed light on research gaps. The core contribution of this survey is a detailed analysis of the computer forensic domains and of the toolkits used to investigate each domain. We presented a detailed comparative analysis of computer forensic domains and proposed a scoring model for paid and free toolkits based on different features, to help investigators choose a suitable toolkit for a particular situation. Using such a toolkit, the investigator can focus the forensic investigation, provide proof of compliance, and reduce investigation time. Each tool has its strengths and weaknesses that require attention when it is used in a particular situation. Investigators can use our survey as a guide to compare the toolkits they use with other toolkits, and possibly to motivate improvements in forensic tools.
Future work: In the future, we intend to cover more studies on digital forensics tools and techniques, including live forensics, registry forensics, adversarial machine learning, and deep learning forensic techniques.
Limitations: Most of the forensic tools covered in this survey are available free of charge or as trial versions, because the paid tools are too expensive and difficult for students and researchers to purchase for experimental purposes; the findings for paid tools therefore rest on vendor documentation rather than on hands-on evaluation.