1.1. Research Background

In today’s networked world, both cybercrime and cybersecurity are interconnected. The development of future IT trends depends on the security of existing networks and online services. It is imperative for the safety and economic development of all countries that cybersecurity measures be strengthened, and that critical infrastructure data be protected. The security of the Internet, and the protection of Internet users, have become an integral part of both the development of new services and the management of running services by governments and other business organizations (Ptaszynski et al., 2017).

According to Grover et al. (2016), national cybersecurity and critical infrastructure protection strategy places a strong emphasis on preventing cybercrime. These laws when enacted should be passed to prevent criminal acts or other issues of information and communication infrastructures, as well as acts that endanger the security of national key infrastructures. Cybersecurity presents global and far-reaching legal, technical, and institutional concerns that can only be met by a well-coordinated strategy that takes into account the roles of numerous players and current efforts while operating within an international framework (Edwards et al., 2018).

1.2. Cybercrime

A crime committed through a computer or computer network is referred to as a cybercrime. However, due to the rising frequency of these occurrences, handling and mitigating cybercrime incidents (CIs) has received considerable scientific interest in recent years. Similarly, the term cybercrime is frequently used interchangeably with other criminal activities connected to technology such as cyberterrorism and cyberwarfare, which causes complications (Nisioti et al., 2023). According to Morgan (2020) of Cybersecurity Ventures, worldwide cybercrime expenditures will rise by 15% per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. This is the largest transfer of economic wealth in history, threatening incentives for innovation and investment.

Moreover, this is increasing the number of disasters that cause harm in a year, which will be more profitable to criminals than the global trade in all major illegal drugs combined. Data damage and destruction, stolen money, loss of productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, and post-attack disruptions to normal corporate operations are among the most vulnerable problems caused by this threat (Hill & Swinhoe, 2022). In April 2019, it was revealed that two datasets from Facebook applications had been released to the public. More than 530 million Facebook account details were collected. This data was openly available two years later in April 2021, indicating considerable and actual criminal intent about the data (Pitchkites, 2022).

Data breaches can have devastating effects on hundreds of millions, if not billions, of people. The extent of data breaches has expanded in tandem with the rise of digital technology as cyber-criminals take advantage of people’s increasing reliance on electronic information. One of the cyberattacks that knocked down the Yahoo server in 2016 was suspected to have been carried out by a hacker group. These hackers were reported to have gained access to the account information of more than a billion Yahoo users as the company was being acquired by Verizon (Hill & Swinhoe, 2022). However, about three billion Yahoo user accounts were compromised less than a year later. In 2020, the Internet Crime Complaint Center (IC3) of the FBI had its busiest year combating cybercrime, with a record number of Americans reporting being victims of cyberattacks. Since the beginning of 2020, the IC3 has witnessed a rise in phishing, spoofing, extortion, business email compromise attacks, and online fraud aimed at those displaced by the coronavirus pandemic (Pitchkites, 2022). In the same year, the IC3 of the FBI received 69% more cybercrime reports than in 2019. The global fight against the 2019 Coronavirus pandemic is continuing, while cybercrime abroad is growing exponentially (Interpol, 2020; Monteith et al., 2021).

1.3. Cybercrime Victimization of Businesses

Data breaches, distributed denial of service (DoS) attacks, phishing, and ransomware attacks are some of the threats that affects businesses who fall victim to cyber-criminals. Research on the effects of ransomware and associated complications on data breaches has triggered serious problems, as noted by Agrafiotis et al. (2018). Certain characteristics, actions, and cybersecurity practices inside businesses are associated with a higher risk of being victimized and more severe repercussions (Connolly et al., 2020). However, a thorough knowledge of the fundamental tools and processes used to hunt down cyber-criminals is a crucial aspect of information security, for the simple reason that having expertise in these technologies makes the tasks of security professionals easier and more efficient. Professionals in the security field may enhance their abilities to deter criminal behavior by acquainting themselves with and adapting to a variety of technology and tactics. Understanding these approaches may assist them in extending their perspectives as security professionals using their experiences while using technology across different domains (Baig et al., 2017; Horan & Saiedian, 2021). Similarly, despite these security measures, cybercriminals are always developing new strategies for executing cyberattacks. There are three separate layers of Internet crime, which consist of the “open” or “surface” online, the “deep” web, and the “dark” web. To prevent these criminal acts, investigators must be acquainted with the technologies and tactics that enable them to access and utilize the abundance of information accessible on different platforms including social networks. For instance, investigators may examine information on Bitcoin transactions on the dark web to gain insight into allegations of misconduct (Tymoshenko et al., 2022).

1.4. Research Purpose

The purpose of this study is to explore and analyse existing techniques for preventing and mitigating cybercrime from the researcher’s point of view, particularly in the context of the current trend of IT services adoption. The Internet’s simplicity, speed, and anonymity have created a new platform for criminals to expand their operations through cybercrime. The introduction of new advanced technologies such as social networks has resulted in cybercriminals implementing new patterns that are more mysterious and damaging to organizations and individuals. Cybercrime causes business owners to lose billions of dollars each year. However, it can take various forms, including financial crimes such as online fraud, abuse, computer attacks, and tolerance or encouragement of unlawful behavior such as gambling, child pornography, and copyright infringement.

1.5. Research Questions

i. What are the common approaches used by cyber-criminals in launching their attacks?

ii. Why is cybercrime on the rise, and how can it be prevented?

iii. How prevalent is online crime? And how do forensic investigation techniques help in mitigating this menace?

1.6. Research Objectives

i. To examine and explore the approaches utilized by cybercriminals in carrying out their attacks to exploit individuals.

ii. To propose strategies for preventing cybercrime and implementing effective measures to adequately address it.

iii. To investigate the critical role played by forensic investigation techniques in mitigating cybercrimes.

3.1. Cybersecurity Incidents

A cybersecurity incident refers to an attempt or actual breach of an organization’s information security system and it can cause severe consequences for the organization, such as reputational damage and financial loss (Sultan, 2021). One instance of a cybersecurity incident is the Equifax data breach that occurred in 2017. Equifax, a major credit bureau in the United States, experienced a cyberattack that resulted in the exposure of personal data belonging to roughly 143 million individuals. The attackers exploited a flaw in Equifax’s website software, which enabled them to obtain unauthorized access to sensitive information like social security numbers, birth dates, and addresses (Bernard et al., 2017). The incident inflicted financial loss and significant harm to Equifax’s reputation. Another illustration of a cybersecurity incident is the 2020 SolarWinds supply chain attack. A group thought to be associated with the Russian government conducted the attack by exploiting vulnerability in the software of SolarWinds, a leading provider of network management software. The attackers manipulated the software’s code to insert a backdoor, which allowed them to gain access to the systems of SolarWinds’ customers, including multiple US government agencies (The White House, 2021). The attack had grave national security implications and led to increased scrutiny of supply chain security in the technology industry.

Generally, cybersecurity incidents are critical threats that can cause severe consequences for both individuals and organizations. The Equifax data breach and SolarWinds supply chain attack demonstrate how cyber-criminals can exploit software and system weaknesses to gain access to sensitive information. Therefore, organizations need to implement effective cybersecurity measures and regularly update their systems to prevent and mitigate the impact of cybersecurity incidents (Sultan, 2021).

According to Tsakalidis et al. (2019), CI Architecture provides a full cybercrime embodiment through feature identification, offense categorization processes, threat severity labeling, and a completely innovative Adaptive Reaction Policy (ARP) that identifies and connects the necessary stakeholders for preventative measures and response activities. The authors designed an architecture consisting of four unique, complementary components that result in a manually made ARP that will in the future be built automatically. The objective is to create a complete platform for the automated management of cybercrime. Fig. 1 depicts the proposed CI Architecture, which consists of four components (I, II, III, and IV). It provides a systematic approach to effective CI management with the objectives of generating insights and patterns about CIs, monitoring and evaluating the threat severity of CIs, and developing actionable and appropriate response policies and guidelines for organizations, individuals, and LEAs. The negative repercussions that these ideas could have in the actual world on various sorts of attacks are another instance. According to Tsakalidis et al. (2019), there has been a rise in the frequency of CIs in recent decades, and this trend is projected to continue. The economic impact of cybercrime has also increased in recent years and is expected to further rise by 2025. As a result, there is a pressing need for substantial enhancements in cybersecurity. In response to this, both national and international organizations have been implementing comprehensive techniques for managing cybersecurity incidents on a larger scale. This can be seen in Fig. 2, which illustrates the classification of these incidents.

새창으로 보기

Fig. 2

An overview of the core elements of cybercrime incident architecture. Adapted from the article of Tsakalidis et al. (Computers & Security, 2019;83:22-37).

3.2. Cybersecurity Challenges

Unfortunately, cyber-criminals have become proficient in turning their illicit activities into lucrative businesses. Sophisticated hacking tools, including those used in zero-day attacks, are readily available on the black market, allowing more people to pose a significant threat to the stability of networks and the overall cyber infrastructure. With the increasing reliance on mobile phones for daily tasks such as banking, office communication, and social media, the vulnerability of mobile networks to manipulation by hackers has also increased (Misra & Arumugam, 2022). This has led to a need for high levels of security, such as voice and facial recognition. The Internet of Things (IoT) has also become a significant target for hackers since they can control all devices through a single access point. Cybersecurity challenges are ongoing and continuously evolving, requiring equally evolving and updated countermeasures. Third-party sellers are also at risk of cyberattacks, which can be challenging to prevent due to the most protected areas being the employees themselves.

There is a significant gap between the level of preparedness and the type of cybersecurity issue at hand, with many businesses being aware of the risks but falling short in their responses. The increasing threat posed by cyber-criminals highlights the importance of taking proactive measures to prevent and mitigate cybersecurity breaches (Maalem Lahcen et al., 2020). Businesses must stay up-to-date with the latest cybersecurity technologies and techniques to ensure their networks and devices are protected from attacks. They must also take into account the human factor, such as employee training and awareness, to prevent human error from leading to security breaches. It is also crucial for businesses to collaborate with other stakeholders, such as government agencies and security experts, to share information and resources to combat cyber threats effectively. As technology continues to evolve, so do the methods of cyberattacks, and it is crucial to remain vigilant and adaptable in the face of evolving threats (Al-Khater et al., 2020).

4.1. Cyberstalking

Cyberstalking, in its broadest terms, refers to stalking performed with the use of a computer. Stalking is defined as “persistently harassing and threatening behavior, such as following a person, appearing at a person’s house or place of business, making harassing phone calls, leaving notes or things, or vandalizing a person’s property” (Arfaj et al., 2022). A cyberstalker is someone who pursues another person in this manner while using a computer. Stalking and harassment are defined as persistent communication via electronic methods (e-mail, instant messaging). In April of 2000, an extraordinary case of cyberstalking occurred in California. According to Nisioti et al. (2023), the defendant of the committed crime pled guilty in this case to charges that he attempted to solicit the rape of a female social acquaintance. However, one of the persons arrested, named Dellapenta, said in online personal advertisements and chat forums that the woman had always fantasized about being raped and played the victim. In his replies to the advertisements, he disclosed the woman’s confidential information, including instructions on how to defeat her security system. Six of those who replied to her ad were aggressive and threatened to rape her if they had the chance, or threaten another person. Finally, the FBI and Sheriff worked together to catch Dellapenta. He was found guilty and condemned to jail for six years. However, there are other, less common types of cyberstalking (Dimitriadis et al., 2020). Because it is commonly aimed at persons who have not specifically requested it, spam or unsolicited electronic mail may also be considered a kind of cyberbullying.

4.2. Cyber Terrorism

Cyber terrorism is an illegal act that involves violence against individuals and properties, often driven by political, racial, or ideological motives (Al-Khater et al., 2020). This type of cybercrime often creates fear, anxiety, and violence among people and can also result in sabotage and destruction of properties, such as computers and networks, thereby affecting the availability and integrity of information (Lewis et al., 2017). The Internet is frequently used by terrorists to spread propaganda, recruit individuals, manipulate public opinion, and disrupt national infrastructure, including transportation, dams, traffic lights, and energy facilities. For instance, the Ukrainian attack on a power grid in December 2015, which was initiated with a phishing email, is an example of cyber terrorism (Al-Khater et al., 2020). Certain cyber-terrorist activities instil fear and disrupt citizens, which can also influence political decision-making. The adverse economic effects, property damage, and violence resulting from cyber terrorism can result in fatalities and impact the unity of society (Internet Crime Complaint Center (IC3), 2020).

4.3. Cyberbullying

The increased usage of technology and social media among individuals of varying ages and genders has raised the likelihood of unwanted conduct, such as bullying. Bullying is a highly negative experience, especially during childhood, and is most commonly experienced by children, teenagers, and women. Bullying can cause emotional and mental distress and can impact an individual’s character (Lewis et al., 2017). Victims of bullying may receive hostile and offensive tweets, messages, or posts that may include threats of violence or harassment (Nandhini & Sheeba, 2015). Cyberbullying is a form of cybercrime that encompasses activities aimed at causing harm to an individual, including but not limited to identity theft, credit card theft, bullying, stalking, and psychological manipulation (Arfaj et al., 2022). Table 1 outlines some of the different types of cyberbullying that victims may encounter. Table 1 outlines several cyber bullying types that a victim may experience.

4.4. Phishing Attacks

Phishing attacks are a type of online scam in which an attacker poses as a trustworthy entity, such as a bank or a social media platform, to trick a victim into giving up sensitive information like usernames, passwords, credit card numbers, or other personal data (Horan & Saiedian, 2021). Phishing attacks can be delivered via email, text messages, phone calls, or even social media messages. The messages may contain links to fake websites that look like legitimate ones but are designed to steal the victim’s login credentials or other sensitive information (Al-Khater et al., 2020). Social engineering and online identity theft, also known as “phishing,” occur when malicious actors create fraudulent websites to deceive users into divulging sensitive information. According to the Anti-Phishing Working Group (APWG), there were over 1.2 million unique phishing attempts documented in 2016 alone.

However, one common method employed in these attacks is domain squatting, particularly through typo squatting, where misspelled or slightly altered versions of popular domain names are registered with malicious intent. Another technique involves the use of Internationalized Domain Names (IDNs) to carry out homograph attacks, where visually similar characters from different languages are used to masquerade as well-known domains. The APWG defines phishing as a form of online identity theft that utilizes deceptive emails to redirect individuals to fake websites, tricking them into revealing personal or financial information such as credit card numbers, account credentials, and social security numbers (Nikkel, 2020). Victims may receive an email containing a link to a fraudulent website as part of the phishing scheme. Clicking on the link leads them to a website that appears to be a legitimate platform, like eBay, for example. Despite various mitigation efforts such as email filters, the removal of phishing websites, and the use of browser plugins to warn users about potentially harmful pages, the problem of phishing attacks remains a persistent challenge (Guo et al., 2021).

4.5. Ransomware Attacks

The motive behind widespread ransomware attacks is the expectation of receiving a ransom (Connolly et al., 2020). The objective of ransomware is to block victims’ access to their data and demand a ransom payment in return for restoring access (Kolodenker et al., 2017). An end-to-end framework for analysing Bitcoin-based cybercrime was developed by Ariffin and Ahmad (2021). From the point at which victims obtained Bitcoins to the point at which the operators cashed them out, the authors tracked all financial activities. The approach for forecasting future ransomware transactions within a ransomware family is novel, efficient, and manageable. The authors found that their method was more accurate than popular heuristic and machine learning (ML)-based approaches. Meanwhile, other authors have developed their methods for detecting ransomware, which led to the development of ground-breaking new techniques. Kolodenker et al. (2017) presented PayBreak as an automated proactive defensive strategy to counter ransomware. This strategy is predicated on the fact that hybrid encryption with symmetric session keys is used for safe file encryption on the target PC. However, the data was recovered from 12 of 20 distinct families of real-world ransomware in tests by PayBreak’s authors. Similarly, one way to identify ransomware is by a graph-based technique, as proposed by Moussaileb et al. (2018). Over 700 unique ransomware variants were examined in this analysis of real-world threats. Exploring the file system on a thread-by-thread basis was shown to be enough for detecting malicious applications.

4.6. Online Child Pornography

The term “online child pornography” refers to the distribution of unlawful media involving and directed at adolescents, as well as the sexual exploitation of children by adults who utilize the Internet for this purpose (Akbari et al., 2022). The distribution or possession of child pornography is a federal violation under Title 18 of the United States Code (USC), sections 2252 and 2252A. Furthermore, as mentioned in 47 USC 223, it is prohibited to provide any kind of child pornography to a minor. According to the Business Software Alliance, the FBI’s Cyber Crimes Program’s Innocent Photos National Initiative is entrusted with investigating crimes like these on a national basis. In certain regions, the FBI collaborates with local law enforcement (Internet Crime Complaint Center (IC3), 2020).

5.1. Digital Forensics Investigation

Digital forensic investigation is the process of collecting, analysing, and preserving electronic data as evidence in a legal case or investigation (Horsman, 2020). This type of investigation is typically used to identify and gather evidence related to cybercrimes, such as hacking, data breaches, intellectual property theft, and online fraud. The digital forensic investigation process involves several stages (Hemdan & Manjaiah, 2021).

a) Identification: Determine the scope of the investigation and identify the potential sources of digital evidence.

b) Preservation: Secure the digital evidence in a way that ensures its integrity and authenticity, preventing any alteration, deletion, or destruction of the evidence.

c) Collection: Collect the digital evidence using forensically sound techniques such as imaging the hard drives or copying the data from other devices.

d) Analysis: Analyse the digital evidence to identify relevant information, such as the nature of the cyberattack, the attacker’s identity, and the extent of the damage caused.

e) Presentation: Present the findings of the investigation clearly and concisely that is admissible in a court of law.

Digital forensic investigations require specialized tools, techniques, and expertise to ensure that the evidence collected is reliable and admissible in court (Kohn et al., 2013). Therefore, it is important to involve experienced digital forensic investigators and legal professionals to ensure that the investigation is conducted properly, and the evidence is presented in a way that meets legal requirements (Marshall, 2021).

The term “digital forensic investigation,” or DFI, refers to the process of gathering and analysing digital evidence such as data and files to establish facts for use in legal proceedings. Criminal investigations often include a post-mortemexamination of digital evidence using forensic procedures.

Therefore, the results of these investigations might be considered by the court, since they were obtained through scientific procedures and techniques. Since electronic media is too fragile to physically inspect, a tool is normally employed to verify the integrity of the digital data (Hemdan & Manjaiah, 2021). To withstand judicial review, any digital forensic investigation must provide acceptable digital forensic evidence. In general, an investigation aims to discover more about a recent incident (Horsman, 2020). The primary purpose of establishing a potential root cause is to ensure that the investigation can withstand court scrutiny if the situation warrants it. Nevertheless, any investigation must be carried out with caution to guarantee that the investigator’s conduct is such that the validity of the evidence supplied cannot be questioned (Marshall, 2021).

5.2. Prospective Digital Evidence

The concept of digital evidence as a distinct element with unique properties and characteristics based on functionality and origin was introduced by Carrier and Spafford (2004). While digital data possesses a physical form, it may not be immediately apparent in computer-based crimes, highlighting the significance of digital evidence for forensic investigators. A reliable framework that ensures the traceability of digital evidence plays a crucial role in detecting potential security incidents, identifying their sources, and understanding their history (Bennett & Diallo, 2018; Lutui, 2016). However, the admissibility, legality, and reliability of digital evidence can vary across countries and require careful examination.

During the examination of digital evidence, it is essential to adhere to fundamental forensic processes, including identification, preservation, acquisition, authentication, and analysis (Turnbull & Randhawa, 2015). Similarly, as the sources of digital evidence have expanded due to advancements in digital technology, investigators must establish reliable sources for each type of digital evidence collected during the investigation. Relying on inaccurate sources of digital evidence can be more detrimental than not using any sources at all, emphasizing the importance of employing scientifically proven methods when collecting potential digital evidence (Casino et al., 2021). However, it is crucial for any scientific procedures utilized in digital forensics to adhere to specific scientific principles and be based on measurable and scientifically established standards (Casino et al., 2021; Horsman, 2018; Javed et al., 2022).

5.3. Digital Evidence Traceability

Digital evidence traceability refers to the ability to track and document the chain of custody and the history of digital evidence, from its creation or acquisition to its presentation in court or other legal proceedings use (Al-Dhaqm et al., 2017). It is a critical component of digital forensics investigations and is essential to ensure the admissibility and reliability of digital evidence in court (Casey & Souvignet, 2020). The traceability of digital evidence requires meticulous documentation and record-keeping at each stage of the investigation, including the collection, preservation, analysis, and presentation of the evidence. This documentation should include the names and contact information of the individuals involved in each stage, the date and time of each activity, and a detailed description of the actions taken, and the tools and techniques used (Turnbull & Randhawa, 2015). Maintaining digital evidence traceability is particularly important in cases where the evidence may be challenged or contested, such as cases involving intellectual property theft, data breaches, or cybercrime. If the chain of custody and history of the evidence cannot be accurately documented and presented in court, the evidence may be deemed inadmissible or less credible, and the case may be compromised (Horsman, 2022).

However, to maintain digital evidence traceability, it is important to follow established protocols and guidelines for digital forensic investigations, including those issued by professional organizations such as the International Association of Computer Investigative Specialists, the National Institute of Standards and Technology (NIST), and the Scientific Working Group on Digital Evidence. These guidelines provide best practices for collecting, preserving, analysing, and presenting digital evidence, including recommendations for documentation and record-keeping to ensure the traceability of evidence throughout the investigation. In today’s society, the traceability process has become a crucial component of many aspects of our life, including the digital investigative process.

This is confirmed by Karie et al. (2016), who believedthat traceability may identify occurrences of an event from several sources, assisting in the collection of evidence to be used in a court of law or for any other investigative purposes. The primary purpose of evidence traceability is generally to uncover potential digital evidence and link meaningful connections between the evidence that has been located. Given the origin of an artifact, traceability allows for the tracking of a chain of events as well as the prediction of process outcomes (Casino et al., 2021). As a result, investigators and LEAs may track all components of digital evidence based on its origin and history. The following table shows the evidence traceability guidelines (Table 2).

7.1. Computer Forensics

Digital forensics, or computer forensics, is the application of legal and computer science principles to computer resources to determine the state of a digital artifact, such as a computer system or digital records and other associated information that might assist in the ongoing investigation (Freiling & Schwittay, 2007). To discover evidence of a crime, computer forensics experts investigate digital artifacts such as the data stored on computers and other electronic devices. The time-sensitive nature of digital data means that it must be extracted quickly (Black et al., 2015; Javed et al., 2022). Since the late 1980s, there have been significant advances in the investigation of computer-related crime. Alongside scientific advances, developments in legislation, computer crime classification systems, and digital forensics methodology and theory have been enhanced and shown to be successful. Since digital forensics is still an emerging field, more study and development are required. Even while digital investigative software is rigorously tested to guarantee it is error-free, mistakes can still happen and result in overlooked or misinterpreted evidence.

Digital investigators need to know how to validate their findings to make sure they are correct, and they also need to know which tools are best for a certain task (National Institute of Standards and Technology, 2019). To validate a tool, it must be compared to another tool and its results recorded. This can be done to confirm that the two tools produce consistent results or to guarantee that one instrument correctly understood low-level data. For instance, all tools should reliably derive date-time stamps, and two programs should be able to recover the same deleted data from the same file system. Computer Forensic Tool Testing is a program run by the NIST that can help forensic investigators check the quality of their work and the reliability of their tools (NIST) (Kumar Raju et al., 2016). Forensic tools’ ability to acquire digital evidence from storage media and retrieve deleted information is being actively evaluated as part of this endeavor. When performing these tests, we are not attempting to retrieve deleted data using superior gear. By using “spin stand testers,” or hard drive testing equipment, some forensic labs can retrieve data that was only partially destroyed (Holt & Bossler, 2015). With this innovation, operators can instruct the read head to retrieve information from the outer portions of a track that has not been overwritten by more recent data recorded in the track’s center.

7.2. Network Forensics

Network forensics is a subfield of digital forensics that focuses on detecting and preventing cyberattacks on networks through the analysis and monitoring of network traffic. Network forensics analysis tools may provide services such as network forensics and security investigation, data integrity from many sources, target prediction for future attacks, network traffic analysis, and recording different forms of traffic analysis based on user demands. Here are a few examples of how the network forensics technique may be implemented at various network levels (McCullough et al., 2021). Sniffing tools, also known as monitoring tools, may be used to eavesdrop on bit streams at the Ethernet layer in network forensics, allowing the network forensics process to be completed at this level. Wireshark and the tcpdump are well-known tools for this purpose; tcpdump is especially beneficial for Unix-based computers and can help the investigator collect a variety of evidence at the Ethernet layer.

Internet Protocol (IP) is responsible for transferring transmission control protocol-generated packets across the network by attaching the addresses of their corresponding source and destination nodes (Choo et al., 2017). Every packet traveling from a source node to a sink node must traverse a sequence of routers, each of which maintains a routing table. In network forensics, one type of evidence is the routing tables, which can be used to track the origin of a packet to a specific machine (Javed et al., 2022). When addressing network forensics, the term “additional evidentiary resources” typically refers to the logs maintained by network devices that include information about network activities. Various network device logs can be correlated to reconstruct what transpired during an attack. Due to their limited memory, network devices can be configured to transfer logs to a central server for storage (National Institute of Standards and Technology, 2019).

7.3. IoT Forensics

The use of IoT technologies has recently increased significantly. Smart gadgets are employed in almost every major domain, including healthcare, transportation, smart homes, smart cities, and others (Kebande & Ray, 2016; Nik Zulkipli et al., 2017). However, this technology has several flaws that could lead to cybercrime via the devices. An alternative approach to investigation is required when dealing with crimes using IoT devices because of their alarming frequency (Awasthi et al., 2018). The amount of CIs employing this technology is anticipated to increase, according to Symantec’s Internet Security Threat Report 2016.

There is evidence that fraud, ransomware, malicious attacks, node manipulation, phishing, and Structured Querry Language injections are committed utilizing IoT devices and applications, or that devices are used to perpetrate these crimes. Static digital forensics is far more difficult to undertake than conventional computer forensics on these devices because of their network connectivity (Oriwoh et al., 2013; Zawoad & Hasan, 2015). In addition, IoT forensics necessitates real-time investigation because of the limitations of IoT devices and the characteristics of digital evidence that demand proper management (Oriwoh et al., 2013). Fig. 4 depicts the many functions of the IoT environment and their interdependence.

새창으로 보기

Fig. 4

Internet of Things (IoT) environment operations. A, actuators.

These modules are supported by different processes including storage and timers which display the whole IoT system and how various entities are linked.

i. Sensor Module. Local environmental conditions may be detected and responded to by IoT entities. Sensing modules are classified into two types: controlled sensing and event-driven sensing. The first types detect only when the user or other sensors request the sensor’s data at any point during execution (Nik Zulkipli et al., 2017). The latter is called event-driven sensing, and it occurs when the sensor senses change in its surroundings. The major function of this sensor is to collect and transmit data (or maybe both). The data is subsequently sent to the processing module, which processes it for the next phase. Each sensor in the IoT system requires a unique identifier and physical location to be identified and communicated with.

ii. The Module for Processing. This module is the IoT system’s heart, serving as the local brain for the whole system of sensors and applications. The major function is to evaluate and transmit sensor data and information (Nik Zulkipli et al., 2017). Furthermore, by utilizing an application software command-control system, this module may be readily maintained and monitored. Data encryption and decryption are used in processing to safeguard communication. It is not, however, a ready-made device, and this module must be developed individually for the application.

iii. The Actuation Module. This module is in charge of turning on physical equipment and transmitting conditions to IoT entities through the environment. The processed data (also known as the result) will trigger the actuator to execute the result after the raw data has been processed by the processing module. In this module, there is no communication data or computer activity (Chourabi et al., 2012).

iv. The Communication Module. This component is required by all network systems. IoT devices, like any other sort of communication, have an IP address and a location. Because it is a critical module, data or results may be sent from the processing module to the network environment, such as a local area network or a wide area network. Because it links to or from the channel of communication between application software and local devices, the network connection is always in duplex mode (Nik Zulkipli et al., 2017).

v. The Energy Component. The amount of energy available for each IoT component has constrained the energy consumption of IoT devices (Nik Zulkipli et al., 2017). Each action requires a certain amount of energy, since each step from sensing through actuation, transmission, processing, and storage uses energy (Chourabi et al., 2012).

7.4. Mobile Forensics

Mobile device forensics, also known as MF, is a rapidly expanding field that encompasses a range of disciplines and focuses on extracting digital evidence from mobile devices for use in forensic investigations (Fernando, 2021; Zareen & Baig, 2010). In recent years, the majority of studies on mobile device platforms, data acquisition methods, and data extraction techniques have been carried out (Barmpatsalou et al., 2013). Researchers have extensively examined mobile apps to determine where and how private information is accessed. Choi et al. (2019), for example, analysed the database files of three popular Windows IM programs (KakaoTalk, NateOn, and QQ Messenger) to determine how the apps saved and encrypted their data and whether the databases could be decrypted without the mobile user’s password.

Digital forensics, especially in the context of cybercrime investigations, has become increasingly dependent on digital evidence as society becomes more digitally advanced and incorporates technologies such as smart cities, smart buildings, and Industry 4.0. Surveillance cameras, IoT devices, and mobile devices are some examples of potential evidence sources in investigations such as drug or sex trafficking investigations (Zhang et al., 2021). Live memory forensics is a computer forensic technique that involves extracting temporary information from Random Access Memory, which remains effective even if the mobile device is turned off.

However, when conducting mobile forensics, it is common practice to examine both the subscriber identification module card and the phone’s internal storage (Sharma et al., 2020). However, in another approach van Zandwijk and Boztas (2019) investigated data from the most popular health app on the iPhone 6, iPhone 7, and iPhone 8. They were able to properly determine the user’s walking lengths, walking style, and walking speed using this data, giving a digital footprint that might be used as digital evidence. However, there are numerous unanswered questions and challenges in mobile device and app forensics. This is due, at least in part, to the fast development of mobile devices and apps, as well as the proliferation of available mobile devices during the previous decade. In their different literature analyses on mobile devices and app forensics, both Barmpatsalou et al. (2019) and Manral et al. (2020) recognized that data acquisition from mobile devices remained a major operational and research concern.

The challenge highlighted by Servida and Casey (2019) is evident in the utilization of encryption techniques for data-at-rest and data-in-transit, as well as in dealing with newer devices like IoT devices that lack support from existing commercial solutions. Investigating users’ encrypted backup data on mobile devices is also deemed critical, as emphasized by Park et al. (2019). In their study, they examined the KoBackup and HiSuite applications, which are associated with Huawei smartphones, to illustrate how forensic investigators can decrypt encrypted backup data and gain access to sensitive user information.

7.5. Social Media Forensics

Social media evidence is now at the forefront of both conventional and cyber-criminal prosecutions. However, this presents digital forensics with distinct legal and technological challenges (Basumatary & Kalita, 2022). Traditional techniques for the extraction and preservation of forensic evidence are inappropriate for social media forensics. Social media evidence is not self-authenticating; thus, further circumstantial and corroboration evidence is required for authenticity. However, the technological challenges are typically a result of the complexity and diversity of information stored on networks, and the legal issues involve the admissibility of evidence and data collection issues (Arshad et al., 2018).

The majority of social media research has focused on the extraction of data artifacts from devices and online social networks. In addition, integrating and correlating social media data to get insights into a crime is a challenge. In a recent study by Tommasel and Godoy (2019), in a single investigation, often hundreds or even thousands of diverse bits of information are forensically acquired for examination since the data is typically utilized to establish a connection between the suspects, the crime, and the victim. The process of correlating the data is often quite complex and might cause investigators or detectives to experience information overload. Furthermore, the information may not make much sense or benefit the investigation until investigators can manage the data into a unified and coherent representation (Nivedha & Sairam, 2015). Therefore, consistent data representation is vital for efficiently eliminating irrelevant data and gaining useful information and insight. Nevertheless, existing methodologies and tools within the domain do not provide these capabilities.

8.1. Data Collection

The process of identifying, acquiring, and securing electronic data for use as evidence in a civil or criminal legal proceeding is known as digital forensic acquisition (Arshad et al., 2019). Although following the formal acquisition procedure and following legal standards is required for utilizing this information as evidence in court, this process is mainly performed by a person with sufficient skills in legal and technical aspects to assure legally sound acquisition (Karie & Karume, 2017). On social media, forensic artifacts are acknowledged as an important source of evidence. As a result, the majority of research efforts are focused on acquiring forensic evidence. The first research on social media forensic extraction focused on device-specific identification and recovery of traces left on devices by social network applications and web browsers. Typically, the requirements for forensic collection from social networks consists of obtaining pertinent data or content from diverse social media platforms, collecting metadata for social media content, and ensuring data integrity throughout the forensic collection process. (Khanafseh et al., 2019).

8.2. Timeline and Data Analysis Techniques

Several studies (Dadvar et al., 2013; Nandhini & Sheeba, 2015) have presented research on crime detection on social media to automate the identification of cybercrime, such as research on crime detection on social media published in several papers, to automate the identification of cybercrime.

Similarly, a keyword-based strategy for detecting cyberbullying has reportedly been presented by Hon and Varathan (2015) for effective detection of cyber-bullies. A similar approach (Chatzakou et al., 2017) proposes natural language processing (NLP) techniques combined with user behavior and their activities to identify hostile and harassing behaviors. According to Dani et al. (2017), sentiment analysis was employed to identify cyberbullying on social media. Similarly, there are just a few approaches to identifying malware and cyberbullying (Arshad et al., 2019; Dadvar et al., 2013; Nandhini & Sheeba, 2015).

These authors present an approach for detecting cyberbullying on Twitter based on keyword searches (Hon & Varathan, 2015). Similarly, some techniques are devoted to tracking illegal activity and criminal tendencies on social networks such as Facebook and Twitter (Alami & Elbeqqali, 2015). The evidence collection and analysis of online social media content is very crucial because multi-tenancy and virtualized environments create a serious challenge. However, cyber-criminals take this advantage in launching their attacks (Arshad et al., 2019; Kazaure et al., 2019). Although the social media data is sorted in chronological order, manual examination is not viable to uncover this diverse evidence. A typical chronology may include information over many years, including thousands of actions that are irrelevant to the current investigation.

Consequently, it is vital to develop ways for efficiently detecting cyber-criminals and find a suitable approach that can help to easily identify pertinent data, so that sensitive information that can reveal important findings after the investigation can be realized (Park et al., 2018). On the hand, NLP methods and data mining approaches are appropriate for the automated identification of illegal activities and cybersecurity analysis. They are, nevertheless, unsuitable for forensic investigation and legal presentation for two primary reasons. Initially, legal presentation necessitates the explanation of the logical process used to reach the outcomes of the data mining techniques used (Rossy & Ribaux, 2020).

However, it is challenging to explain the sequence of events that led to the evidence acquired during pre-processing and normalization phases of these approaches, since data provenance may likely be lost. Therefore, it is not possible to link the outcome to the source data (Han, 2016). Second, NLP and data mining approaches rely heavily on data processing techniques based on clustering and probability, which enable rapid identification of illegal conduct with high false positive rates. In automated detection systems, false positives are accepted as a necessary evil, yet they are unacceptable in court rulings (Du et al., 2017). Because real-world data is scarce in cybersecurity research, integrating rigorous analytical procedures with passive and active measurement techniques may provide information on a subject’s security posture. Protocols, devices, apps, technologies, platforms, users, and threats are also rapidly expanding on the Internet. Meanwhile, in response to the increasing concern for users’ and other organizations’ privacy in cyberspace, numerous countermeasures to avoid information breaches have been developed (Servida & Casey, 2019). Although these steps are commendable and necessary, they undoubtedly complicate the collection and analysis of empirical cybersecurity data. As a consequence, adopting Internet evaluation is sometimes challenging and demands the development of novel approaches to assure its correctness and completeness (Valjarevic & Venter, 2013).

10.1. Machine Learning Techniques

Cybercrime detection using ML techniques has gained significant attention in recent years (Sharma et al., 2021). ML algorithms can be used to analyse large amounts of data and identify patterns, anomalies, and potential threats in various cyber activities. ML incorporates the process of making predictions based on input data, commonly known as training data (Sandoval-Orozco et al., 2020). Through this process, computers acquire the ability to accurately predict suitable outputs for specific inputs using the provided training data.

The learning process can be categorized as either supervised or unsupervised. In supervised learning, the training data consists of input-output pairs, with the outputs referred to as labeled outputs due to their predetermined correctness. In a study conducted by Fortuna and Nunes (2018), they utilized three supervised ML methods (JRip, J48, and Support Vector Machine) to detect instances of cyberbullying in YouTube comments. They also compared a binary classifier and a multi-classifier. Conversely, Al-garadi et al. (2016) proposed a tool for identifying cyberbullying in tweets, where they extracted various features from each tweet to be used in the classifier. They experimented with different classifiers, including support vector machines, naive Bayes, K nearest neighbor, and decision trees, to determine the most effective one. The authors concluded that naive Bayes demonstrated superior performance and sufficient strength, based on the findings of Al-garadi et al. (2016). In a similar approach, Uzel et al. (2018) employed text classification to recognize cyber terror and extremism (CTE). Their method involved assigning numerical weights to terms to identify CTE-related vocabulary within texts, followed by converting the document into a vector representation.