DOI: 10.3390/jcp6040116 ISSN: 2624-800X

Digital Forensics and Phishing Defense: A Literature Review and Gap Analysis

Indah Octaviani Laleb, John Le, Chau Nguyen

Phishing remains a widespread and evolving cyber threat that targets human and technical vulnerabilities across email, web, mobile, and social media. Meanwhile, digital forensics has developed into a standards-driven discipline dedicated to identifying, preserving, analysing, and presenting digital evidence. Despite overlapping goals, phishing detection research and digital forensics typically operate separately. Detection efforts emphasise classification accuracy and rapid mitigation, while forensic practices prioritise evidential integrity and incident reconstruction. The analysis suggests that incorporating forensic-quality artefacts, such as Simple Mail Transfer Protocol (SMTP) headers, Domain Name System (DNS) and Transport Layer Security (TLS) traces, memory dumps, behavioural logs, metadata, and provenance records, may support attribution analysis, interpretability, and more evidentially robust incident reporting. The review covers email, network, endpoint, behavioural, and legal areas to identify common shortcomings in forensic readiness, provenance preservation, and reproducibility. Based on these insights, we propose a conceptual framework that redefines digital forensics as a proactive, ongoing capability integrated into operational phishing defences. The review highlights gaps in research, such as the limited availability and validation of AI-generated phishing datasets, privacy-aware evidence management and deanonymization risks in evidence correlation, and automated workflows for handling evidence. It also suggests future directions for integrating forensic reasoning into advanced phishing mitigation systems.
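The forensic-quality artefacts named in the abstract (SMTP headers, authentication verdicts, provenance records) can be captured at the moment a suspected phishing message is ingested rather than reconstructed later. The script below is an added example written for this page, not code from the paper or its authors. Using only the Python standard library, it parses a constructed sample message, rebuilds the Received hop chain in chronological order, records the SPF/DKIM/DMARC verdicts and the URLs in the body, and seals the untouched original bytes with a SHA-256 digest so the record can be re-verified against the retained message. Every hostname, IP address and identifier in the sample is made up (documentation address ranges and `.test`/`.example` domains).

```python
"""Added example: turning a raw phishing email into a forensic-quality
evidence record (hop chain, authentication verdicts, URLs, integrity hash).
Illustrative code written for this page, not the paper's own; stdlib only.
"""
import email
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Constructed sample message. Hostnames, addresses and IDs are made up
# (RFC 5737 documentation ranges, .test/.example domains); not a real email.
SAMPLE_RAW = b"""Received: from mx-edge.example.net (mx-edge.example.net [198.51.100.7])
\tby inbound.example.org with ESMTPS id abc123
\tfor <victim@example.org>; Mon, 03 Mar 2025 09:15:02 +0000
Received: from relay.sender-example.test (unknown [203.0.113.45])
\tby mx-edge.example.net with ESMTP id xyz789;
\tMon, 03 Mar 2025 09:14:58 +0000
Authentication-Results: inbound.example.org; spf=fail smtp.mailfrom=login-example.test;
\tdkim=none; dmarc=fail header.from=bank-example.test
From: "Account Security" <alerts@bank-example.test>
To: victim@example.org
Subject: Action required: verify your account
Message-ID: <20250303091458.12345@relay.sender-example.test>
Date: Mon, 03 Mar 2025 09:14:58 +0000
Content-Type: text/plain; charset="utf-8"

Your account is locked. Verify here: http://bank-example.test.login-example.test/verify
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def received_chain(msg):
    """Return SMTP hops in chronological order (origin first).

    Each MTA prepends its own Received header, so the message order is
    newest-first and is reversed here. Only hops added by MTAs you operate
    are trustworthy; earlier ones may have been written by the sender.
    """
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        ip = _IP_RE.search(flat)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None,
            "timestamp": flat.rsplit(";", 1)[1].strip() if ";" in flat else None,
        })
    hops.reverse()
    return hops


def auth_results(msg):
    """Collect SPF/DKIM/DMARC verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mechanism, result in _AUTH_RE.findall(value):
            verdicts.setdefault(mechanism, result)
    return verdicts


def extract_urls(msg):
    """Pull URLs out of every text part, de-duplicated, order preserved."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        for url in _URL_RE.findall(payload.decode(charset, errors="replace")):
            if url not in urls:
                urls.append(url)
    return urls


def build_evidence_record(raw, collected_at=None):
    """Build a JSON-serialisable evidence record for the raw message bytes.

    The digest covers the untouched bytes, so the record can be checked
    against the retained original later. Pass `collected_at` to make the
    record reproducible; otherwise the current UTC time is recorded.
    """
    msg = email.message_from_bytes(raw)
    return {
        "collected_at": collected_at or datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "size_bytes": len(raw),
        "message_id": msg.get("Message-ID"),
        "from": msg.get("From"),
        "subject": msg.get("Subject"),
        "received_chain": received_chain(msg),
        "authentication": auth_results(msg),
        "urls": extract_urls(msg),
    }


def verify_integrity(raw, record):
    """Re-hash the retained bytes and compare with the sealed record."""
    return hmac.compare_digest(hashlib.sha256(raw).hexdigest(), record["sha256"])


if __name__ == "__main__":
    record = build_evidence_record(SAMPLE_RAW)
    print(json.dumps(record, indent=2))
    print("integrity ok:", verify_integrity(SAMPLE_RAW, record))
```

The record keeps the parsed view and the hash of the original side by side; the raw bytes themselves must still be retained, since header parsing is lossy and a court or a later analyst will want to re-derive every field. In the sample, the second hop's `unknown [203.0.113.45]` and the failing SPF/DMARC verdicts are exactly the kind of detail that classification-only pipelines discard but an incident report needs.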
