A Unified Forensics Analysis Approach to Digital Investigation





data correlation, data heterogeneity, digital forensics, digital forensics tools


Digital forensics is now essential in addressing cybercrime and cyber-enabled crime but potentially it can have a role in almost every other type of crime. Given technology's continuous development and prevalence, the widespread adoption of technologies among society and the subsequent digital footprints that exist, the analysis of these technologies can help support investigations. The abundance of interconnected technologies and telecommunication platforms has significantly changed the nature of digital evidence. Subsequently, the nature and characteristics of digital forensic cases involve an enormous volume of data heterogeneity, scattered across multiple evidence sources, technologies, applications, and services. It is indisputable that the outspread and connections between existing technologies have raised the need to integrate, harmonise, unify and correlate evidence across data sources in an automated fashion. Unfortunately, the current state of the art in digital forensics leads to siloed approaches focussed upon specific technologies or support of a particular part of digital investigation. Due to this shortcoming, the digital investigator examines each data source independently, trawls through interconnected data across various sources, and often has to conduct data correlation manually, thus restricting the digital investigator’s ability to answer high-level questions in a timely manner with a low cognitive load. Therefore, this research paper investigates the limitations of the current state of the art in the digital forensics discipline and categorises common investigation crimes with the necessary corresponding digital analyses to define the characteristics of the next-generation approach. Based on these observations, it discusses the future capabilities of the next-generation unified forensics analysis tool (U-FAT), with a workflow example that illustrates data unification, correlation and visualisation processes within the proposed method.

Author Biographies

Ali Alshumrani, University of Plymouth

Ali Alshumrani is a PhD student in Digital Forensics at the Centre for Cyber Security, Communications and Network Research (CSCAN) at the University of Plymouth. His research interests reside in digital forensics, cyber security and knowledge graph.

Nathan Clarke, University of Plymouth

Professor Clarke is a Professor in Cyber Security and Digital Forensics at the University of Plymouth. He is also an adjunct Professor at Edith Cowan University in Australia. His research interests reside in the areas of cyber security, biometrics, and digital forensics.

Prof Clarke has over 200 outputs consisting of journal papers, conference papers, books, edited books, book chapters and patents. He created and co-chairs the IFIP 11.12 Symposium on the Human Aspects of Information Security & Assurance. Prof Clarke is a chartered engineer, a fellow of the British Computing Society (BCS), a senior member of the IEEE and a full member of the Chartered Institute of Information Security. He is the author of Transparent Authentication: Biometrics, RFID and Behavioural Profiling published by Springer. Prof Clarke has been involved in a variety of national and international research projects, to the value of £20 million. He has graduated over 42 doctoral students.

Bogdan Ghita, University of Plymouth

Dr Bogdan Ghita is an Associate Professor in Computer Networks at Plymouth University and leads the networking area within the Centre for Cyber Security, Communications and Network Research (CSCAN). His research interests include computer networking and security, focusing on the areas of network performance profiling and optimisation, wireless and mobile networking, and network security.