Preprint
Article

This version is not peer-reviewed.

Designing and Validating an Evaluation Digital Forensic for Selective Seizure Capabilities in Windows Forensic Tools

Submitted: 21 January 2026

Posted: 22 January 2026


Abstract
The increasing volume and complexity of digital evidence pose significant challenges to its lawful collection and admissibility, particularly in on-site investigative contexts. Selective seizure has emerged as a critical approach for minimizing unnecessary data acquisition while ensuring procedural legality, privacy protection, and investigative efficiency. However, despite its growing importance, systematic evaluation criteria for selective seizure capabilities in digital forensic tools remain underdeveloped. This study proposes a structured evaluation framework for assessing selective seizure functions in Windows-based forensic tools, with a focus on live-response environments. Essential selective seizure functions were identified and organized into three investigative phases—search, selection, and seizure—reflecting practical field procedures. Based on this framework, a dedicated evaluation dataset was constructed, and six representative portable forensic tools were empirically evaluated under a controlled Windows 10 (NTFS) environment simulating active system conditions. The experimental results demonstrate notable differences in tool capabilities across investigative phases. In the search phase, variations were observed in NTFS parsing and Windows artifact analysis, while the selection phase revealed disparities in file filtering, keyword search, encrypted file handling, and preview functions. In the seizure phase, only a subset of tools sufficiently supported evidence collection, integrity verification, and reporting requirements necessary for selective seizure. These findings highlight that no single tool uniformly satisfies all functional requirements, underscoring the need for context-dependent tool selection. The proposed framework and evaluation results provide practical guidance for digital forensic practitioners in selecting appropriate tools for selective seizure in field investigations. 
Moreover, this study contributes a reproducible methodological foundation for future research on selective seizure evaluation, supporting the development of more precise, proportionate, and legally robust digital evidence collection practices in Windows-based forensic investigations.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.
